zOS WebsphereMQ for ACF2 Security Technical Implementation Guide

  • Version/Release: V6R4
  • Published: 2022-10-07
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected].
c
WebSphere MQ channel security must be implemented in accordance with security requirements.
AC-17 - High - CCI-000068 - V-224354 - SV-224354r868242_rule
RMF Control
AC-17
Severity
High
CCI
CCI-000068
Version
ZWMQ0011
Vuln IDs
  • V-224354
  • V-6958
Rule IDs
  • SV-224354r868242_rule
  • SV-7259
WebSphere MQ Channel security can be configured to provide authentication, message privacy, and message integrity between queue managers. Secure Sockets Layer (SSL) uses encryption techniques, digital signatures and digital certificates to provide message privacy, message integrity and mutual authentication between clients and servers. Failure to properly secure a WebSphere MQ channel may lead to unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of some system services, applications, and customer data. Satisfies: SRG-OS-000505, SRG-OS-000555
Checks: C-26031r868240_chk

Refer to the following report produced by the z/OS Data Collection: - MQSRPT(ssid) NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). Collect the following information for WebSphere MQ and MQSeries queue manager. - If a WebSphere MQ queue manager communicates with a MQSeries queue manager, provide the WebSphere MQ queue manager and channel names used to connect with MQSeries. Automated Analysis requires Additional Analysis. Automated Analysis Refer to the following report produced by the z/OS Data Collection: - PDI(ZWMQ0011) If the following guidelines are true for each channel definition displayed from the DISPLAY CHANNEL command, this is not a finding. ___ Verify that each WebSphere MQ channel is using SSL by checking for the SSLCIPH parameter, which must specify a FIPS 140-2 compliant value of the following: (Note: Both ends of the channel must specify the same cipher specification.) ECDHE_ECDSA_AES_128_CBC_SHA256 ECDHE_ECDSA_AES_256_CBC_SHA384 ECDHE_RSA_AES_128_CBC_SHA256 ECDHE_RSA_AES_256_CBC_SHA384 TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA256 ___ Repeat the above step for each queue manager ssid identified.

Fix: F-26019r868241_fix

Review the WebSphere MQ Screen interface invoked by the REXX CSQOREXX. Review the channel's SSLCIPH setting. Display the channel properties and look for the "SSL Cipher Specification" value. Ensure that a FIPS 140-2 compliant value is shown. ECDHE_ECDSA_AES_128_CBC_SHA256 ECDHE_ECDSA_AES_256_CBC_SHA384 ECDHE_RSA_AES_128_CBC_SHA256 ECDHE_RSA_AES_256_CBC_SHA384 TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA256 Note that both ends of the channel must specify the same cipher specification. Repeat these steps for each queue manager ssid identified.

b
WebSphere MQ channel security is not implemented in accordance with security requirements.
SC-23 - Medium - CCI-002470 - V-224355 - SV-224355r868245_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-002470
Version
ZWMQ0012
Vuln IDs
  • V-224355
  • V-6980
Rule IDs
  • SV-224355r868245_rule
  • SV-7283
WebSphere MQ channel security can be configured to provide authentication, message privacy, and message integrity between queue managers. WebSphere MQ channels use SSL encryption techniques, digital signatures and digital certificates to provide message privacy, message integrity and mutual authentication between clients and servers. Failure to properly secure a WebSphere MQ channel may lead to unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of some system services, applications, and customer data.
Checks: C-26032r868243_chk

a) Refer to the following report produced by the z/OS Data Collection: - MQSRPT(ssid) NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). To determine which Release of WebSphere MQ, review ssid reports for message CSQU000I. Collect the following information for WebSphere MQ queue manager: - If a WebSphere MQ queue manager communicates with a MQSeries queue manager, provide the WebSphere MQ queue manager and channel names used to connect with MQSeries. - If any WebSphere MQ channels are used to communicate within the enclave, provide a list of channels and provide documentation regarding the sensitivity of the information on the channel. b) Review the ssid report(s) and perform the following steps: 1) Find the DISPLAY QMGR SSLKEYR command to locate the start of the Queue Manager definitions. 2) Verify that each WebSphere MQ 5.3 queue manager is using a digital certificate by reviewing the SSLKEYR parameter to ensure that a keyring is identified. i.e. SSLKEYR(sslkeyring-id) 3) Issue the following ACF2 command, where ssidCHIN is the lid for the WebSphere MQ Channel Initiator's userid and sslkeyring-id is obtained from the above action: LIST ssidCHIN PROFILE(CERTDATA, KEYRING) The output will contain information on the CERTDATA and KEYRING records for the user. Find the CERTDATA entry that has a Key ring name field with sslkeyring-id. Review the ISSUERDN field for this CERTDATA record for the following: OU=PKI.OU=DoD.O=U.S. Government.C=US OU=ECA.O=U.S. Government.C=US 4) Repeat these steps for each queue manager ssid identified. c) If the all of the items in (b) above are true, there is no finding. d) If any of the items in (b) above are untrue, this is a finding.

Fix: F-26020r868244_fix

Refer to the following report produced by the z/OS Data Collection: - MQSRPT(ssid) NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). 1) Find the DISPLAY QMGR SSLKEYR command to locate the start of the Queue Manager definitions. 2) Verify that each WebSphere MQ queue manager is using a digital certificate by reviewing the SSLKEYR parameter to ensure that a keyring is identified. i.e. SSLKEYR(sslkeyring-id) 3) Issue the following ACF2 command, where ssidCHIN is the lid for the WebSphere MQ Channel Initiator's userid and sslkeyring-id is obtain from the above action: LIST ssidCHIN PROFILE(CERTDATA, KEYRING) The output will contain information on the CERTDATA and KEYRING records for the user. Find the CERTDATA entry that has a Key ring name field with sslkeyring-id. Review the ISSUERDN field for this CERTDATA record for the following: OU=PKI.OU=DoD.O=U.S. Government.C=US OU=ECA.O=U.S. Government.C=US NOTE: The Certificate Label Name is case sensitive. Review the Issuer's Name field in the resulting output for information of any of the following: OU=PKI.OU=DoD.O=U.S. Government.C=US OU=ECA.O=U.S. Government.C=US 4) Repeat these steps for each queue manager ssid identified. To implement the requirements stated above, the following two items are provided which attempt to assist with (1) Technical "how to" information and (2) A DISA Point of contact for obtaining SSL certificates for CSD WebSphere MQ channels: 1. Review the information available on setting up SSL, Keyrings, and Digital Certificates in the CA-ACF2 Security for z/OS Administrators Guide as well as the WebSphere MQ Security manual. Also review the information contained in the documentation provided as part of the install package from the DISA SSO Resource Management Factory (formerly Software Factory). 2. For information on obtaining an SSL certificate in the DISA CSD environment, send email inquiry to [email protected].

b
Production WebSphere MQ Remotes must utilize Certified Name Filters (CNF).
SC-10 - Medium - CCI-001133 - V-224356 - SV-224356r868247_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
ZWMQ0014
Vuln IDs
  • V-224356
  • V-31561
Rule IDs
  • SV-224356r868247_rule
  • SV-41848
IBM WebSphere MQ can use a user ID associated with an ACP certificate as a channel user ID. When an entity at one end of an SSL channel receives a certificate from a remote connection, the entity asks The ACP if there is a user ID associated with that certificate. The entity uses that user ID as the channel user ID. If there is no user ID associated with the certificate, the entity uses the user ID under which the channel initiator is running. Without a validly defined Certificate Name Filter for the entity IBM WebSphere MQ will set the channel user ID to the default.
Checks: C-26033r868246_chk

Validate that the list of all Production WebSphere MQ Remotes exist, and contains approved Certified Name Filters and associated USERIDS. If the filter(s) is (are) defined, accurate and has been approved by Vulnerability ICER0030 and the associated USERID(s) is only granted need to know permissions and authority to resources and commands, this is not a finding. If there is no Certificate Name Filter for WebSphere MQ Remotes this is a Finding. Note: Improper use of CNF filters for MQ Series will result in the following Message ID. CSQX632I found in the following example: CSQX632I csect-name SSL certificate has no associated user ID, remote channel channel-name - channel initiator user ID used

Fix: F-26021r520968_fix

The responsible MQ System programmer(s) shall create and maintain a spread sheet that contains a list of all Production WebSphere MQ Remotes, associated individual USERIDs with corresponding valid Certified Name Filters (CNF). This documentation will be reviewed and validated annually by responsible MQ System programmer(s) and forwarded for approval by the ISSM. The ISSO will define the associated USERIDs, the CNF, and grant the minimal need to know access, by granting only the required resources and Commands for each USERID in the ACP. See IBM WebSphere MQ Security manual for details on defining CNF for WebSphere MQ. Generic access shall not be granted such as resource permission at the SSID. MQ resource level.

b
User timeout parameter values for WebSphere MQ queue managers are not specified in accordance with security requirements.
SC-10 - Medium - CCI-001133 - V-224357 - SV-224357r520972_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
ZWMQ0020
Vuln IDs
  • V-224357
  • V-3903
Rule IDs
  • SV-224357r520972_rule
  • SV-3903
Users signed on to a WebSphere MQ queue manager could leave their terminals unattended for long periods of time. This may allow unauthorized individuals to gain access to WebSphere MQ resources and application data. This exposure could compromise the availability, integrity, and confidentiality of some system services and application data.
Checks: C-26034r520970_chk

a) Refer to the following report produced by the z/OS Data Collection: - MQSRPT(ssid) NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). Automated Analysis Refer to the following report produced by the z/OS Data Collection: - PDI(ZWMQ0020) b) Review the ssid report(s) and perform the following steps: 1) Find the DISPLAY SECURITY command to locate the start of the security parameter settings. 2) Review the CSQH015I and CSQH016I messages to determine the Timeout and Interval parameter settings respectively. 3) Repeat these steps for each queue manager ssid. The standard values are: TIMEOUT(15) INTERVAL(5) c) If the Timeout and Interval values conform to the standard values, there is NO FINDING. d) If the Timeout and/or Interval values do not conform to the standard values, this is a FINDING.

Fix: F-26022r520971_fix

Review the WebSphere MQ System Setup Guide and the information on the ALTER SECURITY command in the WebSphere MQ Script (MQSC) Command Reference. Ensure the values for the TIMEOUT and INTERVAL parameters are specified in accordance with security requirements.

b
WebSphere MQ started tasks are not defined in accordance with the proper security requirements.
IA-2 - Medium - CCI-000764 - V-224358 - SV-224358r520975_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
ZWMQ0030
Vuln IDs
  • V-224358
  • V-3904
Rule IDs
  • SV-224358r520975_rule
  • SV-3904
Started tasks are used to execute WebSphere MQ queue manager services. Improperly defined WebSphere MQ started tasks may result in inappropriate access to application resources and the loss of accountability. This exposure could compromise the availability of some system services and application data.
Checks: C-26035r520973_chk

a) Refer to the following reports produced by the ACF2 Data Collection: - ACF2CMDS.RPT(LOGONIDS) - ACF2CMDS.RPT(ATTSTC) Provide a list of all WebSphere MQ Subsystem Ids (Queue managers) and Release levels. b) Review WebSphere MQ started tasks and ensure the following items are in effect: NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). ssidMSTR is the name of a queue manager STC. ssidCHIN is the name of a distributed queuing (a.k.a., channel initiator) STC. 1) Each ssidMSTR and ssidCHIN started task is associated with a unique logonid. 2) Each ssidMSTR and ssidCHIN STC logonid has the attributes of STC, MUSASS, and NOSMC. c) If both of the items in (b) are true, there is NO FINDING. d) If either item in (b) is untrue, this is a FINDING.

Fix: F-26023r520974_fix

The IAO will ensure that all MQSeries/WebSphere MQ started tasks are properly defined. Review MQSeries/WebSphere MQ started tasks and ensure the following items are in effect: NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). ssidMSTR is the name of a queue manager STC. ssidCHIN is the name of a distributed queuing (a.k.a., channel initiator) STC. 1) Each MQSeries/WebSphere MQ started task is associated with a unique logonid. 2) Each MQSeries/WebSphere MQ STC logonid has the attributes of STC, MUSASS, and NOSMC. Example: SET LID INSERT ssid.MSTR NAME(MQseries, STC) STC MUSASS NO-SMC INSERT ssid.CHIN NAME(MQseries, STC) STC MUSASS NO-SMC

b
WebSphere MQ all update and alter access to MQSeries/WebSphere MQ product and system data sets are not properly restricted.
CM-5 - Medium - CCI-001499 - V-224359 - SV-224359r870220_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
ZWMQ0040
Vuln IDs
  • V-224359
  • V-3905
Rule IDs
  • SV-224359r870220_rule
  • SV-3905
MVS data sets provide the configuration, operational, and executable properties of WebSphere MQ. Some data sets are responsible for the security implementation of WebSphere MQ. Failure to properly protect these data sets may lead to unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
Checks: C-26036r868248_chk

a) Refer to the following report produced by the ACP Data Collection: - SENSITVE.RPT(MQSRPT) b) Ensure ACP data sets rules for MQSeries/WebSphere MQ system data sets (e.g., SYS2.MQM.) restrict access as follows: NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). ___ READ access to data sets referenced by the following DDnames is restricted to MQSeries/WebSphere MQ STCs, MQSeries/WebSphere MQ administrators, and system programming personnel. All access to these data sets is logged. DDname Procedure Description CSQINP1 ssidMSTR Input parameters CSQINP2 ssidMSTR Input parameters CSQXLIB ssidCHIN User exit library NOTE: WRITE/UPDATE and/or ALLOCATE/ALTER access to these data sets is restricted to MQSeries/WebSphere MQ administrators and systems programming personnel. ___ WRITE/UPDATE and/or ALLOCATE/ALTER access to data sets referenced by the following DDnames is restricted to MQSeries/WebSphere MQ STCs, MQSeries/WebSphere MQ administrators, and systems programming personnel. All WRITE and ALLOCATE access to these data sets is logged. DDname Procedure Description CSQPxxxx ssidMSTR Page data sets BSDSx ssidMSTR Bootstrap data sets CSQOUTx ssidMSTR SYSOUT data sets CSQSNAP ssidMSTR DUMP data set (See note) ssidMSTR Log data sets NOTE: To determine the log data set names, review the JESMSGLG file of the ssidMSTR active task(s). Find CSQJ001I messages to obtain DSNs. ___ ALLOCATE/ALTER access to archive data sets is restricted to MQSeries/WebSphere MQ STCs, MQSeries/WebSphere MQ administrator, and system programming personnel. All ALLOCATE/ALTER access to these data sets is logged. NOTE: To determine the archive data sets names, review the JESMSGLG file of the ssidMSTR active task(s). Find the CSQY122I message to obtain the ARCPRFX1 and ARCPRFX2 DSN HLQs. ___ Except for the specific data set requirements just mentioned, WRITE/UPDATE and/or ALLOCATE/ALTER access to all other MQSeries/WebSphere MQ system data sets is restricted to the MQSeries/WebSphere MQ administrator and system programming personnel. c) If all the items in (b) are true, there is no finding. d) If any item in (b) is untrue, this is a finding.

Fix: F-26024r870219_fix

The systems programmer will have the ISSO ensure that all update and alter access to MQSeries/WebSphere MQ product and system data sets are restricted to WebSphere MQ administrators, systems programmers, and MQSeries/WebSphere MQ started tasks. The installation requires that the following data sets be APF authorized. hlqual.SCSQAUTH hlqual.SCSQLINK hlqual.SCSQANLx hlqual.SCSQSNL hlqual.SCSQMVR1 hlqual.SCSQMVR2 (2) Read access to data sets referenced by the CSQINP1, CSQINP2, and CSQXLIB DDs in the queue manager's procedure will be restricted to the queue manager userid, WebSphere MQ administrator, and systems programming personnel. Log all access to these data sets. (3) Write and allocate access to data set profiles protecting all page sets, logs, bootstrap data sets (BSDS), and data sets referenced by the CSQOUTX and CSQSNAP DDs in the queue manager's procedure will be restricted to the queue manager userid, WebSphere MQ administrator, and systems programming personnel. Log all write and allocate access to these data sets. (5) Allocate access to all archive data sets in the queue manager's procedure will be restricted to the queue manager userid, WebSphere MQ administrator, and systems programming personnel. Log all allocate access to these data sets.

b
WebSphere MQ resource classes are not properly activated.
AC-3 - Medium - CCI-000213 - V-224360 - SV-224360r855236_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZWMQ0049
Vuln IDs
  • V-224360
  • V-6959
Rule IDs
  • SV-224360r855236_rule
  • SV-7260
WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
Checks: C-26037r520979_chk

Refer to the following report produced by the ACF2 Data Collection: - ACF2CMDS.RPT(ACFGSO) Ensure the System Authorization Facility Definition (SAFDEF) include an entry for WebSphere MQ as follows: INSERT SAFDEF.MQS ID(MQS) FUNCRET(8) RETCODE(4) MODE(IGNORE) RACROUTE(REQUEST=EXTRACT,CLASS=MQADMIN) REP Ensure the Internal CLASMAP Definitions include the following entries: INSERT CLASMAP.MQADMIN RESOURCE(MQADMIN) RSRCTYPE(MQA) ENTITYLN(62) INSERT CLASMAP.MQCMDS RESOURCE(MQCMDS) RSRCTYPE(MQC) ENTITYLN(22) INSERT CLASMAP.MQCONN RESOURCE(MQCONN) RSRCTYPE(MQK) ENTITYLN(10) INSERT CLASMAP.MQNLIST RESOURCE(MQNLIST) RSRCTYPE(MQN) ENTITYLN(53) INSERT CLASMAP.MQPROC RESOURCE(MQPROC) RSRCTYPE(MQP) ENTITYLN(53) INSERT CLASMAP.MQQUEUE RESOURCE(MQQUEUE) RSRCTYPE(MQQ) ENTITYLN(53) For V7.0.0 and above: INSERT CLASMAP.MXADMIN RESOURCE(MXADMIN) RSRCTYPE(MXA) ENTITYLN(62) INSERT CLASMAP.MXNLIST RESOURCE(MXNLIST) RSRCTYPE(MXN) ENTITYLN(53) INSERT CLASMAP.MXPROC RESOURCE(MXPROC) RSRCTYPE(MXP) ENTITYLN(53) INSERT CLASMAP.MXQUEUE RESOURCE(MXQUEUE) RSRCTYPE(MXQ) ENTITYLN(53) INSERT CLASMAP.MXTOPIC RESOURCE(MXTOPIC) RSRCTYPE(MXT) ENTITYLN(246)

Fix: F-26025r520980_fix

The IAO will ensure that all WebSphere MQ resources are active and properly defined. Ensure the System Authorization Facility Definition (SAFDEF) include an entry for WebSphere MQ as follows: INSERT SAFDEF.MQS ID(MQS) FUNCRET(8) RETCODE(4) MODE(IGNORE) RACROUTE(REQUEST=EXTRACT,CLASS=MQADMIN) REP Ensure the Internal CLASMAP Definitions include the following entries: INSERT CLASMAP.MQADMIN RESOURCE(MQADMIN) RSRCTYPE(MQA) ENTITYLN(62) INSERT CLASMAP.MQQUEUE RESOURCE(MQQUEUE) RSRCTYPE(MQQ) ENTITYLN(53) INSERT CLASMAP.MQNLIST RESOURCE(MQNLIST) RSRCTYPE(MQN) ENTITYLN(53) INSERT CLASMAP.MQCMDS RESOURCE(MQCMDS) RSRCTYPE(MQC) ENTITYLN(22) INSERT CLASMAP.MQCONN RESOURCE(MQCONN) RSRCTYPE(MQK) ENTITYLN(10) INSERT CLASMAP.MQPROC RESOURCE(MQPROC) RSRCTYPE(MQP) ENTITYLN(53) For V7.0.0 and above: INSERT CLASMAP.MXADMIN RESOURCE(MXADMIN) RSRCTYPE(MXA) ENTITYLN(62) INSERT CLASMAP.MXNLIST RESOURCE(MXNLIST) RSRCTYPE(MXN) ENTITYLN(53) INSERT CLASMAP.MXPROC RESOURCE(MXPROC) RSRCTYPE(MXP) ENTITYLN(53) INSERT CLASMAP.MXQUEUE RESOURCE(MXQUEUE) RSRCTYPE(MXQ) ENTITYLN(53) INSERT CLASMAP.MXTOPIC RESOURCE(MXTOPIC) RSRCTYPE(MXT) ENTITYLN(246)

c
Websphere MQ switch profiles must be properly defined to the MQADMIN class.
AC-3 - High - CCI-000213 - V-224361 - SV-224361r520984_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
ZWMQ0051
Vuln IDs
  • V-224361
  • V-6960
Rule IDs
  • SV-224361r520984_rule
  • SV-7261
WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
Checks: C-26038r520982_chk

a) Refer to the following report produced by the OS/390 & z/OS Data Collection: - MQSRPT(ssid) NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). Automated Analysis requires Additional Analysis. Automated Analysis Refer to the following report produced by the OS/390 & z/OS Data Collection: - PDI(ZWMQ0051) b) Review the Security switches identified in response to the DISPLAY SECURITY command in each ssid report(s). If the all of the following switches specify ON, there is NO FINDING. SUBSYSTEM CONNECTION COMMAND CONTEXT ALTERNATE USER PROCESS NAMELIST QUEUE COMMAND RESOURCES c) If SUBSYSTEM specifies OFF, this is a FINDING with a severity of Category I. d) If any of the other above switches specify OFF (other than the exception mentioned below), this is a FINDING downgrade the severity to a Category II. e) If COMMAND RESOURCE Security switch specify OFF, there is NO FINDING. NOTE: At the discretion of the IAO, COMMAND RESOURCE Security switch may specify OFF, by defining ssid.NO.CMD.RESC.CHECKS in the TYPE(MQA).

Fix: F-26026r520983_fix

The IAO will ensure that all Switch Profiles do not have the resource ssid.NO defined to the MQADMIN resource class with the exception of ssid.NO.CMD.RESC.CHECKS. ssid is the queue manager name (a.k.a., subsystem identifier). Ensure that all of the following switches specify ON. SUBSYSTEM CONNECTION COMMAND CONTEXT ALTERNATE USER PROCESS NAMELIST QUEUE COMMAND RESOURCES Example: $KEY(ssid) TYPE(MQA) ALTERNATE.USER.- UID(*) PREVENT CONTEXT.- UID(*) PREVENT RESLEVEL UID(*) PREVENT - UID(*) PREVENT NOTE: At the discretion of the IAO, COMMAND RESOURCE Security switch may specify OFF, by defining ssid.NO.CMD.RESC.CHECKS in the TYPE(MQA). Example: $KEY(ssid) TYPE(MQA) NO.CMD.RESC.CHECKS UID(*) PREVENT

b
WebSphere MQ MQCONN Class resources must be protected in accordance with security.
AC-3 - Medium - CCI-000213 - V-224362 - SV-224362r868253_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZWMQ0052
Vuln IDs
  • V-224362
  • V-6962
Rule IDs
  • SV-224362r868253_rule
  • SV-7263
WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
Checks: C-26039r868251_chk

a) Refer to the following report produced by the ACF2 Data Collection: - SENSITVE.RPT(MQCONN) - ACF2CMDS.RPT(RESOURCE) - Alternate report b) Review the following connection resources defined to TYPE(MQK) (i.e., MQCONN resource class): Resource Authorized Users ssid.BATCH TSO and batch job userids ssid.CICS CICS region userids ssid.IMS IMS region userids ssid.CHIN Channel initiator userids NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). c) For all connection resources defined to TYPE(MQK), ensure the following items are in effect: 1) Access authorization to these connections restricts access to the appropriate users as indicated in (b). 2) All access FAILUREs are logged. d) If both of the items in (c) are true, there is no finding. e) If either item in (c) is untrue, this is a finding.

Fix: F-26027r868252_fix

Ensure all connections to MQSeries/WebSphere MQ resources are restricted using connection security. Ensure the following connection resources defined to TYPE(MQK) (i.e., MQCONN resource class): Resource Authorized Users ssid.BATCH TSO and batch job userids ssid.CICS CICS region userids ssid.IMS IMS region userids ssid.CHIN Channel initiator userids NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). For all connection resources defined to TYPE(MQK), ensure the following items are in effect: Access authorization to these connections restricts access to the appropriate users as indicated above. All access FAILURE is logged. Example: $KEY(ssid) TYPE(MQK) BATCH UID(STCssid) SERVICE(READ) BATCH UID(syspaudt) SERVICE(READ) BATCH UID(*) PREVENT CHIN UID(STCssidCHIN) SERVICE(READ) CHIN UID(*) PREVENT CICS UID(*) PREVENT IMS UID(*) PREVENT

b
WebSphere MQ dead letter and alias dead letter queues are not properly defined.
IA-2 - Medium - CCI-000764 - V-224363 - SV-224363r868256_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
ZWMQ0053
Vuln IDs
  • V-224363
  • V-6964
Rule IDs
  • SV-224363r868256_rule
  • SV-7267
WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
Checks: C-26040r868254_chk

a) Refer to the following report produced by the z/OS Data Collection: - MQSRPT(ssid) NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). b) Review the ssid report(s) and perform the following steps: 1) Find the DISPLAY QMGR DEADQ command to locate the start of the dead-letter queue information. Review the DEADQ parameter to obtain the name of the real dead-letter queue. 2) From the top of the report, find the QUEUE(dead-letter.queue.name) entry to locate the start of the real dead-letter queue definition. Review the GET and PUT parameters to determine their values, and ensure they conform to the specified security requirements. The standard values are: GET(ENABLED) PUT(ENABLED) NOTE: Dead-letter.queue.name is the value of the DEADQ parameter determined in Step 1. 3) From the top of the report, find the QUEUE(dead-letter.queue.name.PUT) entry to locate the start of the alias dead-letter queue definition. Review the GET and PUT parameters to determine their values, and ensure they conform to those specified in the security requirements. The standard values are: GET(DISABLED) PUT(ENABLED) NOTE 1: Dead-letter.queue.name is the value of the DEADQ parameter determined in Step 1. NOTE 2: The TARGQ parameter value for the alias queue will be the real dead letter queue name. NOTE 3: If an alias queue is not used in place of the dead-letter queue, then the ACP rules for the dead-letter queue must be coded to restrict unauthorized users and systems from reading the messages on the file. c) If all of the items in (b) are true, there is no finding. d) If any item in (b) is untrue, this is a finding.

Fix: F-26028r868255_fix

The systems programmer responsible for supporting MQSeries/WebSphere MQ will ensure that the dead-letter queue and its alias are properly defined. The following scenario describes how to securely define a dead-letter queue: (1) Define the real dead-letter queue with attributes PUT(ENABLED) and GET(ENABLED). (2) Give update authority for the dead-letter queue to CKTI (the MQSeries/WebSphere MQ-supplied CICS task initiator), channel initiators, and any automated application used for dead-letter queue maintenance. (3) Define an alias queue that resolves to the real dead-letter queue, but give the alias queue the attributes PUT(ENABLED) and GET(DISABLED). (4) To put a message on the dead-letter queue, an application uses the alias queue. The application does the following: (a) Retrieve the name of the real dead-letter queue. To do this, it opens the queue manager object using MQOPEN, and then issues an MQINQ to get the dead-letter queue name. (b) Build the name of the alias queue by appending the characters ".PUT" to this name, in this case, ssid.DEAD.QUEUE.PUT. (c) Open the alias queue, ssid.DEAD.QUEUE.PUT. (d) Put the message on the real dead-letter queue by issuing an MQPUT against the alias queue. (5) Give the userid associated with the application update authority to the alias, but no access to the real dead-letter queue. NOTE: If an alias queue is not used in place of the dead-letter queue, then the ACP rules for the dead-letter queue will be coded to restrict unauthorized users and systems from reading the messages on the file. Undeliverable messages can be routed to a dead-letter queue. Two levels of access should be established for these queues. The first level allows applications, as well as some MQSeries/WebSphere MQ objects, to put messages to this queue. The second level restricts the ability to get messages from this queue and protects sensitive data. This will be accomplished by defining an alias queue that resolves to the real dead-letter queue, but defines the alias queue with the attributes PUT(ENABLED) and GET(DISABLED). The ability to get messages from the dead-letter queue will be restricted to message channel agents (MCAs), CKTI (MQSeries/WebSphere MQ-supplied CICS task initiator), channel initiators utility, and any automated application used for dead-letter queue maintenance.

b
WebSphere MQ queue resource defined to the MQQUEUE resource class are not protected in accordance with security requirements.
AC-3 - Medium - CCI-000213 - V-224364 - SV-224364r868259_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZWMQ0054
Vuln IDs
  • V-224364
  • V-6965
Rule IDs
  • SV-224364r868259_rule
  • SV-7268
WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
Checks: C-26041r868257_chk

Refer to the following report produced by the z/OS Data Collection: - MQSRPT(ssid) NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). Refer to the following report produced by the ACF2 Data Collection and Data Set and Resource Data Collection: - SENSITVE.RPT(MQQUEUE) - ACF2CMDS.RPT(RESOURCE) - Alternate report For all queue identified by the DISPLAY QUEUE(*) ALL command in the MQSRPT(ssid). These queues will be prefixed by ssid to identify the resources to be protected. Ensure these queue resources are defined to TYPE(MQQ) (i.e., MQQUEUE resource class) if the following guidance is true, this is not a finding. 1) For message queues (i.e., ssid.queuename), access authorization restricts access to users requiring the ability to get messages from and put messages to message queues. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list. Decentralized MQ Administrators, non-DECC datacenter users; can have up to ALTER access to the user Message Queues. 2) For system queues (i.e., ssid.SYSTEM.queuename), access authorization restricts UPDATE and/or ALTER access to WebSphere MQ STCs, WebSphere MQ administrators, systems programming personnel, and CICS regions running WebSphere MQ applications. 3) For the following system queues ensure that UPDATE access is restricted to Auditors and Users that require access to review message queues. ssid.SYSTEM.COMMAND.INPUT ssid.SYSTEM.COMMAND.REPLY ssid.SYSTEM.CSQOREXX.* ssid.SYSTEM.CSQUTIL.* 4) For the real dead-letter queue (to determine queue name refer to ZWMQ0053), ALTER access authorization restricts access to WebSphere MQ STCs, WebSphere MQ administrators, CICS regions running WebSphere MQ applications, and any automated application used for dead-letter queue maintenance. 5) For the alias dead-letter queue (to determine queue name refer to ZWMQ0053), UPDATE access authorization restricts access to users requiring the ability to put messages to the dead-letter queue. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list.

Fix: F-26029r868258_fix

The ISSO will ensure that all WebSphere MQ queues are restricted using queue level security. Ensure all queue resources defined to TYPE(MQQ) (i.e., MQQUEUE resource class), are in effect: For all queue identified by the DISPLAY QUEUE(*) ALL command in the MQSRPT(ssid). These queues will be prefixed by ssid to identify the resources to be protected. Ensure these queue resources are defined to TYPE(MQQ) (i.e., MQQUEUE resource class) if the following guidance is true, this is not a finding. 1) For message queues (i.e., ssid.queuename), access authorization restricts access to users requiring the ability to get messages from and put messages to message queues. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list. Decentralized MQ Administrators, non-DECC datacenter users; can have up to ALTER access to the user Message Queues. 2) For system queues (i.e., ssid.SYSTEM.queuename), access authorization restricts UPDATE and/or ALTER access to WebSphere MQ STCs, WebSphere MQ administrators, systems programming personnel, and CICS regions running WebSphere MQ applications. 3) For the following system queues ensure that UPDATE access is restricted to Auditors and Users that require access to review message queues. ssid.SYSTEM.COMMAND.INPUT ssid.SYSTEM.COMMAND.REPLY ssid.SYSTEM.CSQOREXX.* ssid.SYSTEM.CSQUTIL.* 4) For the real dead-letter queue (to determine queue name refer to ZWMQ0053), ALTER access authorization restricts access to WebSphere MQ STCs, WebSphere MQ administrators, CICS regions running WebSphere MQ applications, and any automated application used for dead-letter queue maintenance. 5) For the alias dead-letter queue (to determine queue name refer to ZWMQ0053), UPDATE access authorization restricts access to users requiring the ability to put messages to the dead-letter queue. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list. Example: $KEY(ssid) TYPE(MQQ) DEAD.QUEUE UID(STCssidCHIN) SERVICE(READ,UPDATE) LOG DEAD.QUEUE UID(MQAdministrators) SERVICE(READ,UPDATE) LOG DEAD.QUEUE UID(*) PREVENT - UID(*) PREVENT

b
WebSphere MQ Process resources are not protected in accordance with security requirements.
AC-3 - Medium - CCI-000213 - V-224365 - SV-224365r868262_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZWMQ0055
Vuln IDs
  • V-224365
  • V-6966
Rule IDs
  • SV-224365r868262_rule
  • SV-7269
WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
Checks: C-26042r868260_chk

a) Refer to the following report produced by the ACF2 Data Collection: - SENSITVE.RPT(MQPROC) - ACF2CMDS.RPT(RESOURCE) - Alternate report b) For all process resources (i.e., ssid.processname) defined to TYPE(MQP) (i.e., MQPROC resource class), ensure access authorization restricts access to users requiring the ability to make process inquiries. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list. NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). c) If (b) is true, there is no finding. d) If (b) is untrue, this is a finding.

Fix: F-26030r868261_fix

The ISSO will ensure that process security is active, and that all profiles defined to the MQPROC class and that process inquiries are restricted to read access. For all process resources (i.e., ssid.processname) defined to TYPE(MQP) (i.e., MQPROC resource class), ensure access authorization restricts access to users requiring the ability to make process inquiries. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list. NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). Example: $KEY(ssid) TYPE(MQP) CHL_TRIG_PROCESS UID(MQAdministrators) SERVICE(READ) LOG CHL_TRIG_PROCESS UID(*) PREVENT SYSTEM.DEFAULT.PROCESS UID(MQAdministrators) SERVICE(READ) LOG SYSTEM.DEFAULT.PROCESS UID(*) PREVENT

b
WebSphere MQ Namelist resources are not protected in accordance with security requirements.
AC-3 - Medium - CCI-000213 - V-224366 - SV-224366r868265_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZWMQ0056
Vuln IDs
  • V-224366
  • V-6967
Rule IDs
  • SV-224366r868265_rule
  • SV-7270
WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
Checks: C-26043r868263_chk

a) Refer to the following report produced by the ACF2 Data Collection: - SENSITVE.RPT(MQNLIST) - ACF2CMDS.RPT(RESOURCE) - Alternate report b) For all namelist resources (i.e., ssid.namelist) defined to TYPE(MQN) (i.e., MQNLIST resource class), ensure access authorization restricts access to users requiring the ability to make namelist inquiries. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list. NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). c) If (b) is true, there is no finding. d) If (b) is untrue, this is a finding.

Fix: F-26031r868264_fix

The ISSO will ensure that all MQSeries/WebSphere MQ namelist resources are restricted to authorized users. For all namelist resources (i.e., ssid.namelist) defined to TYPE(MQN) (i.e., MQNLIST resource class), ensure access authorization restricts access to users requiring the ability to make namelist inquiries. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list. NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). Example: $KEY(QZN1) TYPE(MQN) SYSTEM.DEFAULT.NAMELIST UID(MQAdministrators) SERVICE(READ) LOG SYSTEM.DEFAULT.NAMELIST UID(*) PREVENT

b
WebSphere MQ alternate user resources defined to MQADMIN resource class are not protected in accordance with security requirements.
AC-3 - Medium - CCI-000213 - V-224367 - SV-224367r868268_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZWMQ0057
Vuln IDs
  • V-224367
  • V-6969
Rule IDs
  • SV-224367r868268_rule
  • SV-7272
WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
Checks: C-26044r868266_chk

a) Refer to the following report produced by the ACF2 Data Collection: - SENSITVE.RPT(MQADMIN) - ACF2CMDS.RPT(RESOURCE) - Alternate report b) For all alternate user resources (i.e., ssid.ALTERNATE.USER.alternatelogonid) defined to TYPE(MQA) (i.e., MQADMIN resource class), ensure access authorization restricts access to users requiring the ability to use the alternate userid. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list. NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). c) If (b) is true, there is no finding. d) If (b) is untrue, this is a finding.

Fix: F-26032r868267_fix

The ISSO will ensure that use of alternate userids is restricted to authorized personnel. For all alternate user resources (i.e., ssid.ALTERNATE.USER.alternatelogonid) defined to TYPE(MQA) (i.e., MQADMIN resource class), ensure access authorization restricts access to users requiring the ability to use the alternate userid. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list. NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). Example: $KEY(ssid) TYPE(MQA) ALTERNATE.USER.- UID(CICS support) SERVICE(READ,UPDATE) LOG ALTERNATE.USER.- UID(*) PREVENT

b
WebSphere MQ context resources defined to the MQADMIN resource class are not protected in accordance with security requirements.
AC-3 - Medium - CCI-000213 - V-224368 - SV-224368r868271_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZWMQ0058
Vuln IDs
  • V-224368
  • V-6971
Rule IDs
  • SV-224368r868271_rule
  • SV-7274
WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
Checks: C-26045r868269_chk

a) Refer to the following report produced by the ACF2 Data Collection: - SENSITVE.RPT(MQADMIN) - ACF2CMDS.RPT(RESOURCE) - Alternate report b) For all context resources (i.e., ssid.CONTEXT) defined to TYPE(MQA) (i.e., MQADMIN resource class, ensure access authorization restricts access to users requiring the ability to pass or set identity and/or origin data for a message. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list. NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). c) If (b) is true, there is no finding. d) If (b) is untrue, this is a finding.

Fix: F-26033r868270_fix

The ISSO will ensure that use of context resources are restricted to authorized personnel. For all context resources (i.e., ssid.CONTEXT) defined to TYPE(MQA) (i.e., MQADMIN resource class, ensure access authorization restricts access to users requiring the ability to pass or set identity and/or origin data for a message. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list. NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). Example: $KEY(ssid) TYPE(MQA) CONTEXT.- UID (CICS SUPPORT) LOG CONTEXT.- UID(*) PREVENT

b
WebSphere MQ command resources defined to MQCMDS resource class are not protected in accordance with security requirements.
AC-3 - Medium - CCI-000213 - V-224369 - SV-224369r868274_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZWMQ0059
Vuln IDs
  • V-224369
  • V-6973
Rule IDs
  • SV-224369r868274_rule
  • SV-7276
WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
Checks: C-26046r868272_chk

a) Refer to the following report produced by the ACF2 Data Collection and Data Set and Resource Data Collection: - SENSITVE.RPT(MQCMDS) - ACF2CMDS.RPT(RESOURCE) - Alternate report b) For all command resources (i.e., ssid.command) defined to TYPE(MQC) (i.e., MQCMDS resource class, ensure the following items are in effect: NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). 1) Access authorization restricts access to the appropriate personnel as designated in the WebSphere MQ COMMAND SECURITY CONTROLS Table in the z/OS STIG Addendum. 2) All command access is logged as designated in the WebSphere MQ COMMAND SECURITY CONTROLS Table in the z/OS STIG Addendum. c) If both of the items in (b) are true, there is no finding. d) If either item in (b) is untrue, this is a finding.

Fix: F-26034r868273_fix

The ISSO will ensure that all MQSeries/WebSphere MQ commands are restricted to authorized personnel. For all command resources (i.e., ssid.command) defined to TYPE(MQC) (i.e., MQCMDS resource class, ensure the following items are in effect: NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). 1) Access authorization restricts access to the appropriate personnel as designated in the table entitled WebSphere MQ COMMAND SECURITY CONTROLS,in the zOS STIG Addendum. 2) All command access is logged as designated in the table entitled WebSphere MQ COMMAND SECURITY CONTROLS, in the zOS STIG Addendum. Example: $KEY(ssid) TYPE(MQC) ALTER.- UID(syspaudt) SERVICE(READ,ADD,UPDATE) LOG ALTER.- UID(*) PREVENT SET R(MQC) COMPILE 'ACF2.MVA.MQC(ssid)' STORE F ACF2,REBUILD(MQC)

b
WebSphere MQ RESLEVEL resources in the MQADMIN resource class are not protected in accordance with security requirements.
CM-7 - Medium - CCI-001762 - V-224370 - SV-224370r868277_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001762
Version
ZWMQ0060
Vuln IDs
  • V-224370
  • V-6975
Rule IDs
  • SV-224370r868277_rule
  • SV-7278
WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
Checks: C-26047r868275_chk

a) Refer to the following report produced by the ACF2 Data Collection and Data Set and Resource Data Collection: - SENSITVE.RPT(MQADMIN) - ACF2CMDS.RPT(RESOURCE) - Alternate report Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ZWMQ0060) b) Ensure the following items are in effect: NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). 1) A RESLEVEL resource (i.e., ssid.RESLEVEL) is defined for each queue manager to TYPE(MQA) (i.e., MQADMIN resource class) with a default access of PREVENT. 2) Access authorization to these RESLEVEL resources restricts all access. No users are permitted access to ssid.RESLEVEL resources. c) If both of the items in (b) are true, there is no finding. d) If either item in (b) is untrue, this is a finding.

Fix: F-26035r868276_fix

The ISSO will ensure that a ssid.RESLEVEL profile is only defined for each queue manager. Ensure the following items are in effect: NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). 1) A RESLEVEL resource (i.e., ssid.RESLEVEL) is defined for each queue manager to TYPE(MQA) (i.e., MQADMIN resource class) with a default access of PREVENT. 2) Access authorization to these RESLEVEL resources restricts all access. No users are permitted access to ssid.RESLEVEL resources. Example: $KEY(ssid) TYPE(MQA) RESLEVEL UID(*) PREVENT