None Computing title zOS WebSphere MQ for RACF Security Technical Implementation Guide version 7 releaseinfo Release: 3 Vuln_Num V-224551 Rule_ID SV-224551r1145040_rule Severity high Rule_Title WebSphere MQ channel security must be implemented in accordance with security requirements. Vuln_Discuss WebSphere MQ Channel security can be configured to provide authentication, message privacy, and message integrity between queue managers. Secure Sockets Layer (SSL) uses encryption techniques, digital signatures and digital certificates to provide message privacy, message integrity and mutual authentication between clients and servers. Failure to properly secure a WebSphere MQ channel may lead to unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of some system services, applications, and customer data. Satisfies: SRG-OS-000505, SRG-OS-000555 Check_Content Refer to the following report produced by the z/OS Data Collection: - MQSRPT(ssid). Note: ssid is the queue manager name (a.k.a., subsystem identifier). Collect the following Information for WebSphere MQ queue manager. - If a WebSphere MQ queue manager communicates with another WebSphere MQ queue manager, provide the WebSphere MQ queue manager and channel names used to connect these queue managers. Automated Analysis requires Additional Analysis. Automated Analysis Refer to the following report produced by the z/OS Data Collection: - PDI(ZWMQ0011). If the following guidelines are true for each channel definition displayed from the DISPLAY CHANNEL command, this is not a finding. Verify that each WebSphere MQ channel is using SSL by checking for the SSLCIPH parameter, which must specify a FIPS 140-2 compliant value of the following: (Note: Both ends of the channel must specify the same cipher specification.) ECDHE_ECDSA_AES_128_CBC_SHA256 ECDHE_ECDSA_AES_256_CBC_SHA384 ECDHE_RSA_AES_128_CBC_SHA256 ECDHE_RSA_AES_256_CBC_SHA384 TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA256 Repeat the above step for each queue manager ssid identified. Fix_Text Review the WebSphere MQ Screen interface invoked by the REXX CSQOREXX. Reviewing the channel's SSLCIPH setting. Display the channel properties and look for the "SSL Cipher Specification" value. Ensure that a FIPS 140-2 compliant value is shown. ECDHE_ECDSA_AES_128_CBC_SHA256 ECDHE_ECDSA_AES_256_CBC_SHA384 ECDHE_RSA_AES_128_CBC_SHA256 ECDHE_RSA_AES_256_CBC_SHA384 TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA256 Note that both ends of the channel must specify the same cipher specification. Repeat these steps for each queue manager ssid identified. Not_Reviewed Vuln_Num V-224552 Rule_ID SV-224552r1145043_rule Severity medium Rule_Title WebSphere MQ channel security is not implemented in accordance with security requirements. Vuln_Discuss WebSphere MQ channel security can be configured to provide authentication, message privacy, and message integrity between queue managers. WebSphere MQ channels use SSL encryption techniques, digital signatures and digital certificates to provide message privacy, message integrity and mutual authentication between clients and servers. Failure to properly secure a WebSphere MQ channel may lead to unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of some system services, applications, and customer data. Check_Content Refer to the following report produced by the z/OS Data Collection: - MQSRPT(ssid). Note: ssid is the queue manager name (a.k.a., subsystem identifier). To determine which Release of WebSphere MQ, review ssid reports for message CSQU000I. Collect the following Information for each WebSphere MQ queue manager. - If a WebSphere MQ queue manager communicates with another WebSphere MQ queue manager, provide the WebSphere MQ queue manager and channel names used to connect these queue managers. - If any WebSphere MQ channels are used to communicate within the enclave, provide a list of channels and provide documentation regarding the sensitivity of the information on the channel. Review the ssid report(s) and perform the following steps. If the following guidance for each queue manager ssid is true, this is not a finding. Find the DISPLAY QMGR DEADQ, SSLKEYR, SCYCASE command to locate the start of the Queue Manager definitions. Verify that each WebSphere MQ 5.3 queue manager is using a digital certificate by reviewing the SSLKEYR parameter to ensure that a keyring is identified. i.e. SSLKEYR(sslkeyring-id). Issue the following RACF commands, where ssidCHIN is the lid for the WebSphere MQ Channel Initiator's userid and sslkeyring-id is obtained from the above action: RACDCERT ID(ssidCHIN) LISTRING(sslkeyring-id) Note: The sslkeyring-id is case sensitive. The output will contain columns for Certificate Label Name and Cert Owner. Find the Cert Owner of ID(ssidCHIN). Use the Certificate Label Name for ID(ssidCHIN) in the following command: RACDCERT ID(ssidCHIN) LIST(LABEL('Certificate Label Name')) Note: The Certificate Label Name is case sensitive. Review the Issuer's Name field in the resulting output for information on any of the following: OU=PKI.OU=DoD.O=U.S. Government.C=US OU=ECA.O=U.S. Government.C=US Repeat these steps for each queue manager ssid identified. Fix_Text Refer to the following report produced by the z/OS Data Collection: - MQSRPT(ssid) Note: ssid is the queue manager name (a.k.a., subsystem identifier). Find the DISPLAY QMGR SSLKEYR command to locate the start of the Queue Manager definitions. Verify that each WebSphere MQ queue manager is using a digital certificate by reviewing the SSLKEYR parameter to ensure that a keyring is identified, i.e., SSLKEYR(sslkeyring-id). Issue the following RACF commands, where ssidCHIN is the lid for the WebSphere MQ Channel Initiator's userid and sslkeyring-id is obtained from the above action: RACDCERT ID(ssidCHIN) LISTRING(sslkeyring-id) Note: The sslkeyring-id is case sensitive. The output will contain columns for Certificate Label Name and Cert Owner. Find the Cert Owner of ID(ssidCHIN). Use the Certificate Label Name for ID(ssidCHIN) in the following command: RACDCERT ID(ssidCHIN) LIST(LABEL('Certificate Label Name')) Note: The Certificate Label Name is case sensitive. Review the Issuer's Name field in the resulting output for information on any of the following: OU=PKI.OU=DoD.O=U.S. Government.C=US OU=ECA.O=U.S. Government.C=US Repeat these steps for each queue manager ssid identified. To implement the requirements stated above, the following two items are provided which attempt to assist with (1) Technical "how to" information and (2) A DISA Point of contact for obtaining SSL certificates for CSD WebSphere MQ channels: Review the information available on setting up SSL, Keyrings, and Digital Certificates in the RACF Security Administrator's Guide as well as the WebSphere MQ Security manual. Also review the information contained in the documentation provided as part of the install package from the DISA SSO Resource Management Factory (formerly Software Factory). For information on obtaining an SSL certificate in the DISA CSD environment, send email inquiry to disaraoperations@disa.mil. Not_Reviewed Vuln_Num V-224553 Rule_ID SV-224553r1145045_rule Severity medium Rule_Title Production WebSphere MQ Remotes must utilize Certified Name Filters (CNF). Vuln_Discuss IBM WebSphere MQ can use a user ID associated with an ACP certificate as a channel user ID. When an entity at one end of an SSL channel receives a certificate from a remote connection, the entity asks The ACP if there is a user ID associated with that certificate. The entity uses that user ID as the channel user ID. If there is no user ID associated with the certificate, the entity uses the user ID under which the channel initiator is running. Without a validly defined Certificate Name Filter for the entity IBM WebSphere MQ will set the channel user ID to the default. Check_Content Validate that the list of all Production WebSphere MQ Remotes exists and contains approved Certified Name Filters and associated USERIDS. If the filter(s) is (are) defined, accurate and has been approved by Vulnerability ICER0030 and the associated USERID(s) is only granted need to know permissions and authority to resources and commands, this is not a finding. If there is no Certificate Name Filter for WebSphere MQ Remotes this is a Finding. Note: Improper use of CNF filters for MQ Series will result in the following Message ID. CSQX632I found in the following example: CSQX632I csect-name SSL certificate has no associated user ID, remote channel channel-name - channel initiator user ID used Fix_Text The responsible MQ System programmer(s) shall create and maintain a spread sheet that contains a list of all Production WebSphere MQ Remotes, associated individual USERIDs with corresponding valid Certified Name Filters (CNF). This documentation will be reviewed and validated annually by responsible MQ System programmer(s) and forwarded for approval by the ISSM. The ISSO will define the associated USERIDs, the CNF, and grant the minimal need to know access, by granting only the required resources and Commands for each USERID in the ACP. See IBM WebSphere MQ Security manual for details on defining CNF for WebSphere MQ. Generic access shall not be granted such as resource permission at the SSID. MQ resource level. Not_Reviewed Vuln_Num V-224554 Rule_ID SV-224554r1145047_rule Severity medium Rule_Title User timeout parameter values for WebSphere MQ queue managers are not specified in accordance with security requirements. Vuln_Discuss Users signed on to a WebSphere MQ queue manager could leave their terminals unattended for long periods of time. This may allow unauthorized individuals to gain access to WebSphere MQ resources and application data. This exposure could compromise the availability, integrity, and confidentiality of some system services and application data. Check_Content Refer to the following report produced by the z/OS Data Collection: - MQSRPT(ssid) Note: ssid is the queue manager name (a.k.a., subsystem identifier). Automated Analysis Refer to the following report produced by the z/OS Data Collection: - PDI(ZWMQ0020) Review the ssid report(s) and perform the following steps: Find the DISPLAY SECURITY command to locate the start of the security parameter settings. Review the CSQH015I and CSQH016I messages to determine the Timeout and Interval parameter settings respectively. Repeat these steps for each queue manager ssid. The standard values are: TIMEOUT(15) INTERVAL(5) If the Timeout and Interval values conform to the standard values, this is not a finding. Fix_Text Review the WebSphere MQ System Setup Guide and the information on the ALTER SECURITY command in the WebSphere MQ Script (MQSC) Command Reference. Ensure the values for the TIMEOUT and INTERVAL parameters are specified in accordance with security requirements. Not_Reviewed Vuln_Num V-224555 Rule_ID SV-224555r1145050_rule Severity medium Rule_Title WebSphere MQ started tasks are not defined in accordance with the proper security requirements. Vuln_Discuss Started tasks are used to execute WebSphere MQ queue manager services. Improperly defined WebSphere MQ started tasks may result in inappropriate access to application resources and the loss of accountability. This exposure could compromise the availability of some system services and application data. Check_Content Refer to the following reports produced by the RACF Data Collection: - DSMON.RPT(RACSPT) - RACFCMDS.RPT(LISTUSER) Note: ssid is the queue manager name (a.k.a., subsystem identifier). Provide a list of all WebSphere MQ Subsystem Ids (Queue managers) and Release levels. ssidMSTR is the name of a queue manager STC. ssidCHIN is the name of a distributed queuing (a.k.a., channel initiator) STC. Review WebSphere MQ started tasks and ensure the following items are in effect, this is not a finding. ssidMSTR and ssidCHIN started tasks are associated with a unique userid. ssidMSTR and ssidCHIN started tasks userids are defined with the attribute of PROTECTED. ssidMSTR and ssidCHIN started tasks are defined to the STARTED resource class. Repeat these steps for each queue manager ssid. Fix_Text Each queue manager started task procedure xxxxMSTR and distributed queuing started task procedure xxxxCHIN will have a matching profile defined to the STARTED resource class. Create a corresponding userid for each started task. The STC userids will be defined as PROTECTED userids. Queue manager and channel initiator started tasks will not be defined with the TRUSTED attribute. The following sample contains commands to properly define the required Started Procs: Note that this example uses "qmq1" as the value for ssid. AU qmq1mstr NAME('STC, MQSERIES') NOPASS DFLTGRP(STC) OWNER(STC) DATA('MQSERIES QUEUE MANAGER PROC') AU qmq1chin NAME('STC, MQSERIES') NOPASSDFLTGRP(STC) OWNER(STC) DATA('MQSERIES DISTRIBUTED QUEUING CHANNEL INIT PROC') RDEF STARTED qmq1mstr.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('MAP qmq1mstr PROC TO qmq1mstr USERID') STDATA(USER(=MEMBER) GROUP(STC) TRACE(YES)) RDEF STARTED qmq1chin.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('MAP qmq1mstr PROC TO qmq1chin USERID') STDATA(USER(=MEMBER) GROUP(STC) TRACE(YES)) SETR RACL(STARTED) REFRESH Not_Reviewed Vuln_Num V-224556 Rule_ID SV-224556r1145053_rule Severity medium Rule_Title WebSphere MQ all update and alter access to MQSeries/WebSphere MQ product and system data sets are not properly restricted. Vuln_Discuss MVS data sets provide the configuration, operational, and executable properties of WebSphere MQ. Some data sets are responsible for the security implementation of WebSphere MQ. Failure to properly protect these data sets may lead to unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data. Check_Content Refer to the following report produced by the ACP Data Collection: - SENSITVE.RPT(MQSRPT) Verify ACP data sets rules for WebSphere MQ system data sets (e.g., SYS2.MQM.) restrict access as follows. If the following guidance is true, this is not a finding. Note: ssid is the queue manager name (a.k.a., subsystem identifier). If the following guidance is true, this is not a finding. The ACP data set rules for the data sets restricts READ access to data sets referenced by the following DDnames is restricted to WebSphere MQ STCs, WebSphere MQ administrators, and systems programming personnel. All access to these data sets is logged. DDname Procedure Description CSQINP1 ssidMSTR Input parameters CSQINP2 ssidMSTR Input parameters CSQXLIB ssidCHIN User exit library The ACP data set rules for the data sets restricts WRITE and/or greater access to the above data sets is restricted to WebSphere MQ administrators and systems programming personnel. The ACP data set rules for the data sets restricts WRITE and/or greater access to data sets referenced by the following DDnames, restricted to WebSphere MQ STCs, WebSphere MQ administrators, and systems programming personnel. All WRITE and/or greater access to these data sets is logged. DDname Procedure Description CSQPxxxx ssidMSTR Page data sets BSDSx ssidMSTR Bootstrap data sets CSQOUTx ssidMSTR SYSOUT data sets CSQSNAP ssidMSTR DUMP data set (See note) ssidMSTR Log data sets Note: To determine the log data set names, review the JESMSGLG file of the ssidMSTR active task(s). Find CSQJ001I messages to obtain data set names. The ACP data set rules for the data sets restricts ALTER access to archive data sets is restricted to WebSphere MQ STCs, WebSphere MQ administrator, and systems programming personnel. All ALTER access to these data sets is logged. Note: To determine the archive data sets names, review the JESMSGLG file of the ssidMSTR active task(s). Find the CSQY122I message to obtain the ARCPRFX1 and ARCPRFX2 data set high level qualifiers. Except for the specific data set requirements just mentioned, WRITE and/or greater access to all other WebSphere MQ system data sets is restricted to the WebSphere MQ administrator and systems programming personnel. Fix_Text The systems programmer will have the ISSO ensure that all WRITE and/or greater access to WebSphere MQ product and system data sets is restricted to WebSphere MQ administrators, systems programmers, and WebSphere MQ started tasks. The installation requires that the following data sets be APF authorized. hlqual.SCSQAUTH hlqual.SCSQLINK hlqual.SCSQANLx hlqual.SCSQSNL hlqual.SCSQMVR1 hlqual.SCSQMVR2 READ access to data sets referenced by the CSQINP1, CSQINP2, and CSQXLIB DDs in the queue manager's procedure will be restricted to the queue manager userid, WebSphere MQ administrator, and systems programming personnel. Log all access to these data sets. WRITE and/or greater access to data set profiles protecting all page sets, logs, bootstrap data sets (BSDS), and data sets referenced by the CSQOUTX and CSQSNAP DDs in the queue manager's procedure will be restricted to the queue manager userid, WebSphere MQ administrator, and systems programming personnel. Log all WRITE and/or greater access to these data sets. ALTER access to all archive data sets in the queue manager's procedure will be restricted to the queue manager userid, WebSphere MQ administrator, and systems programming personnel. Log all ALTER access to these data sets. Not_Reviewed Vuln_Num V-224557 Rule_ID SV-224557r1145056_rule Severity medium Rule_Title WebSphere MQ resource classes must be properly activated for security checking by the ESM. Vuln_Discuss WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to ensure the classes have been made ACTIVE under RACF will prevent RACF from enforcing security rules. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data. Check_Content Refer to the following reports produced by the RACF Data Collection: - RACFCMDS.RPT(SETROPTS) - DSMON.RPT(RACCDT) - Alternate list of active resource classes Automated Analysis Refer to the following report produced by the RACF Data Collection: - PDI(ZWMQ0049) Verify the following WebSphere MQ resource classes are active, this is not a finding. GMQADMIN GMQNLIST GMQPROC GMQQUEUE MQADMIN MQCMDS MQCONN MQNLIST MQPROC MQQUEUE If SCYCASE is set to MIXED, ensure the following WebSphere MQ resource classes are active, this is not a finding. GMXADMIN GMXNLIST GMXPROC GMXQUEUE GMXTOPIC MXADMIN MXNLIST MXPROC MXQUEUE MXTOPIC Note: If MQADMIN or MXADMIN resource classes are not active, no security checking is performed. Fix_Text Ensure that all WebSphere MQ resources are active and properly defined. Ensure the following WebSphere MQ resource classes are active: GMQADMIN GMQNLIST GMQPROC GMQQUEUE MQADMIN MQCMDS MQCONN MQNLIST MQPROC MQQUEUE When SCYCASE is set to mixed, CLASMAP Definitions must include the following entries: GMXADMIN GMXNLIST GMXPROC GMXQUEUE GMXTOPIC MXADMIN MXNLIST MXPROC MXQUEUE MXTOPIC Note: If MQADMIN or MXADMIN resource classes are not active, no security checking is performed. The following sample contains commands to activate the required classes: SETR CLASSACT(MQADMIN MQCMDS MQCONN) SETR CLASSACT(MQNLIST MQPROC MQQUEUE) SETR CLASSACT(MXADMIN MXNLIST MXPROC MXQUEUE) Not_Reviewed Vuln_Num V-224558 Rule_ID SV-224558r1145059_rule Severity high Rule_Title WebSphere MQ switch profiles must be properly defined to the appropriate ADMIN class. Vuln_Discuss WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data. Check_Content Refer to the following report produced by the z/OS Data Collection: - MQSRPT(ssid) Automated Analysis requires Additional Analysis. Refer to the following report produced by the z/OS Data Collection: - PDI(ZWMQ0051) Note: ssid is the queue manager name (a.k.a., subsystem identifier). Review the Security switches identified in response to the DISPLAY SECURITY command in each ssid report(s). If all of the following switches specify ON, this is not a finding. SUBSYSTEM CONNECTION COMMAND CONTEXT ALTERNATE USER PROCESS NAMELIST QUEUE TOPIC COMMAND RESOURCES If SUBSYSTEM specifies OFF, this is a finding with a severity of Category I. If any of the other above switches specify OFF (other than the exception mentioned below), this is a finding and downgrade the severity to a Category II. If COMMAND RESOURCE Security switch specifies OFF, this is not a finding. Note: At the discretion of the ISSO, COMMAND RESOURCE Security switch may specify OFF by defining ssid.NO.CMD.RESC.CHECKS in the MQADMIN (or MXADMIN if SCYCASE is set to MIXED) resource class. Fix_Text Ensure all switch profiles are special WebSphere MQ profiles that are used to turn on/off security checking for a type of resource. Due to the security exposure this creates, no profiles with the first two qualifiers of ssid.NO will be defined to the MQADMIN or MXADMIN class, with one exception. Due to the fact that (1) all sensitive WebSphere MQ commands are restricted to queue managers, channel initiators, and designated systems personnel, and (2) no command resource checking is performed on DISPLAY commands, at the discretion of the ISSO, a ssid.NO.CMD.RESC.CHECKS switch profile may be defined to the MQADMIN or MXADMIN class. Identify if any switch profiles exist using the sample search command: SR CLASS(MQADMIN) NOMASK FILTER(*.NO.**) Use the "RDEL MQADMIN <SwitchProfileName>" to remove the profile and follow up with a "SETR RACL(MQADMIN) REF". An additional refresh to an active WebSphere MQ queue manager may be required. A sample is shown below using the value QMD1 as the queue manager name. From the Console: >QMD1 REFRESH SECURITY(*) Not_Reviewed Vuln_Num V-224559 Rule_ID SV-224559r1145062_rule Severity medium Rule_Title WebSphere MQ connection class resource definitions must be protected in accordance with security. Vuln_Discuss WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data. Check_Content Refer to the following reports produced by the RACF Data Collection: - SENSITVE.RPT(MQCONN) Review the following connection resources for each queue manager defined to the connection resource class: Resource Authorized Users ssid.BATCH TSO and batch job userids ssid.CICS CICS region userids ssid.IMS IMS region userids ssid.CHIN Channel initiator userids Note: ssid is the queue manager name (a.k.a., subsystem identifier). For all connection resources defined to the MQCONN. If the following guidance is true, this is not a finding. Resource profiles are defined with a UACC(NONE). Access authorization to these connections restricts access to the appropriate users as indicated above. All access FAILUREs are logged. Fix_Text Review the following connection resources defined to the MQCONN resource class: Resource Authorized Users ssid.BATCH TSO and batch job userids ssid.CICS CICS region userids ssid.IMS IMS region userids ssid.CHIN Channel initiator userids Note: ssid is the queue manager name (a.k.a., subsystem identifier). For all connection resources defined to the MQCONN resource class, ensure the following items are in effect: Note: If a resource profile is not defined for a particular security check, and a user issues a request that would involve making that check, WebSphere MQ denies access. Resource profiles are defined with a UACC(NONE). Access authorization to these connections restricts access to the appropriate users as indicated above. All access FAILUREs are logged. A set of sample commands is provided below to implement the minimum profiles necessary for proper security. Note that the IMS and/or CICS profiles can be omitted if those products do not run on the target system. /* THE FOLLOWING PROFILE FORCES GRANULAR PROFILES DEFINITIONS */ RDEF MQCONN ** UACC(NONE) OWNER(ADMIN) AUDIT(FAILURES(READ)) DATA('MQCONN DENY-BY-DEFAULT PROFILE') RDEF MQCONN <ssid>.BATCH UACC(NONE) OWNER(ADMIN) AUDIT(FAILURES(READAUDIT(FAILURES(READ)) DATA('REQUIRED FOR ZWMQ0052') PE <ssid>.BATCH CL(MQCONN) ID(<applicableTSO&batchUsers>) RDEF MQCONN <ssid>.CICS UACC(NONE) OWNER(ADMIN) AUDIT(FAILURES(READ)) DATA('REQUIRED FOR ZWMQ0052') PE <ssid>.CICS CL(MQCONN) ID(<CICSRegionUserids>) RDEF MQCONN <ssid>.IMS UACC(NONE) OWNER(ADMIN) AUDIT(FAILURES(READ)) DATA('REQUIRED FOR ZWMQ0052') PE <ssid>.IMS CL(MQCONN) ID(<IMSRegionUserids>) RDEF MQCONN <ssid>.CHIN UACC(NONE) OWNER(ADMIN) AUDIT(FAILURES(READ)) DATA('REQUIRED FOR ZWMQ0052') PE <ssid>.CHIN CL(MQCONN) ID(<WebsphereMQCHINUsrids>) SETR RACL(MQCONN) REF Note that an additional WebSphere MQ Refresh may be required for active queue managers. This is done from the CONSOLE: The example is for a queue manager Named QMD1: >QMD1 REFRESH SECURITY(*) Not_Reviewed Vuln_Num V-224560 Rule_ID SV-224560r1145065_rule Severity medium Rule_Title WebSphere MQ dead letter and alias dead letter queues are not properly defined. Vuln_Discuss WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data. Check_Content Refer to the following report produced by the z/OS Data Collection: - MQSRPT(ssid) Note: ssid is the queue manager name (a.k.a., subsystem identifier). Review the ssid report(s) and perform the following steps: Find the DISPLAY QMGR DEADQ command to locate the start of the dead-letter queue information. Review the DEADQ parameter to obtain the name of the real dead-letter queue. From the top of the report, find the QUEUE(dead-letter.queue.name) entry to locate the start of the real dead-letter queue definition. Review the GET and PUT parameters to determine their values, and ensure they conform to the specified security requirements. If the following values are set for the dead-letter.queue.name, this is not a finding. The standard values are: GET(ENABLED) PUT(ENABLED) Note: dead-letter.queue.name is the value of the DEADQ parameter determined above. From the top of the report, find the QUEUE(dead-letter.queue.name.PUT) entry to locate the start of the alias dead-letter queue definition. Review the GET and PUT parameters to determine their values, and ensure they conform to those specified in the security requirements. If the following values are set for the dead-letter.queue.name.PUT, this is not a finding. The standard values are: GET(DISABLED) PUT(ENABLED) Note: Dead-letter.queue.name is the value of the DEADQ parameter determined above. Note: The TARGQ parameter value for the alias queue will be the real dead letter queue name. Note: If an alias queue is not used in place of the dead-letter queue, then the ACP rules for the dead-letter queue must be coded to restrict unauthorized users and systems from reading the messages on the file. Fix_Text The systems programmer responsible for supporting WebSphere MQ will ensure that the dead-letter queue and its alias are properly defined. The following scenario describes how to securely define a dead-letter queue: Define the real dead-letter queue with attributes PUT(ENABLED) and GET(ENABLED). Give update authority for the dead-letter queue to CKTI (the WebSphere MQ-supplied CICS task initiator), channel initiators, and any automated application used for dead-letter queue maintenance. Define an alias queue that resolves to the real dead-letter queue, but give the alias queue the attributes PUT(ENABLED) and GET(DISABLED). To put a message on the dead-letter queue, an application uses the alias queue. The application does the following: Retrieve the name of the real dead-letter queue. To do this, it opens the queue manager object using MQOPEN, and then issues an MQINQ to get the dead-letter queue name. Build the name of the alias queue by appending the characters ".PUT" to this name, in this case, ssid.DEAD.QUEUE.PUT. Open the alias queue, ssid.DEAD.QUEUE.PUT. Put the message on the real dead-letter queue by issuing an MQPUT against the alias queue. Give the userid associated with the application update authority to the alias, but no access to the real dead-letter queue. Note: If an alias queue is not used in place of the dead-letter queue, then the ACP rules for the dead-letter queue will be coded to restrict unauthorized users and systems from reading the messages on the file. Undeliverable messages can be routed to a dead-letter queue. Two levels of access should be established for these queues. The first level allows applications, as well as some WebSphere MQ objects, to put messages to this queue. The second level restricts the ability to get messages from this queue and protects sensitive data. This will be accomplished by defining an alias queue that resolves to the real dead-letter queue, but defines the alias queue with the attributes PUT(ENABLED) and GET(DISABLED). The ability to get messages from the dead-letter queue will be restricted to message channel agents (MCAs), CKTI (WebSphere MQ-supplied CICS task initiator), channel initiators utility, and any automated application used for dead-letter queue maintenance. Not_Reviewed Vuln_Num V-224561 Rule_ID SV-224561r1145295_rule Severity medium Rule_Title WebSphere MQ MQQUEUE (Queue) resource profiles defined to the appropriate class must be protected in accordance with security requirements. Vuln_Discuss WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data. Check_Content Refer to the following report produced by the z/OS Data Collection: - MQSRPT(ssid). Note: ssid is the queue manager name (a.k.a., subsystem identifier). Refer to the following reports produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(MQQUEUE). - SENSITVE.RPT(MXQUEUE). For all queues identified by the DISPLAY QUEUE(*) ALL command in the MQSRPT(ssid), these queues will be prefixed by ssid to identify the resources to be protected. Verify these queue resources are defined to the MQQUEUE and GMQQUEUE resource classes (or MXQUEUE and GMXQUEUE resource classes, if SCYCASE is set to MIXED). If the following guidance is true, this is not a finding. Resource profiles are defined with a UACC(NONE). For message queues (i.e., ssid.queuename), access authorization restricts access to users requiring the ability to get messages from and put messages to message queues. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list. For system queues (i.e., ssid.SYSTEM.queuename), ALTER access authorization restricts access to WebSphere MQ STCs, WebSphere MQ administrators, systems programming personnel, and CICS regions running WebSphere MQ applications. For the following system queues, verify that UPDATE access is restricted to WebSphere MQ STCs, WebSphere MQ administrators, systems programming personnel, CICS regions running WebSphere MQ applications, auditors, and users that require access to review message queues: ssid.SYSTEM.COMMAND.INPUT ssid.SYSTEM.COMMAND.REPLY ssid.SYSTEM.CSQOREXX.* For system queues (i.e., ssid.SYSTEM.CSQUTIL.*), verify that UPDATE access is restricted to WebSphere MQ STCs, WebSphere MQ administrators, systems programming personnel, CICS regions running WebSphere MQ applications, and auditors. For the real dead-letter queue (to determine queue name refer to ZWMQ0053), ALTER access authorization restricts access to WebSphere MQ STCs, WebSphere MQ administrators, CICS regions running WebSphere MQ applications, and any automated application used for dead-letter queue maintenance. For the alias dead-letter queue (to determine queue name, refer to ZWMQ0053), UPDATE access authorization restricts access to users requiring the ability to put messages to the dead-letter queue. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list. Fix_Text For all queue resources defined to the MQQUEUE, GMQQUEUE, MXQUEUE, or GMXQUEUE resource classes, ensure the following items are in effect: For all queues identified by the DISPLAY QUEUE(*) ALL command in the MQSRPT(ssid), these queues will be prefixed by ssid to identify the resources to be protected. Ensure these queue resources are defined to the MQQUEUE or GMQQUEUE resource classes. If the following guidance is true, this is not a finding. Resource profiles are defined with a UACC(NONE). For message queues (i.e., ssid.queuename), access authorization restricts access to users requiring the ability to get messages from and put messages to message queues. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list. Decentralized MQ administrators, non-DECC datacenter users, can have up to ALTER access to the user Message Queues. For system queues (i.e., ssid.SYSTEM.queuename), access authorization restricts UPDATE and/or ALTER access to WebSphere MQ STCs, WebSphere MQ administrators, systems programming personnel, and CICS regions running WebSphere MQ applications. For the following system queues, ensure that UPDATE access is restricted to auditors and users that require access to review message queues. ssid.SYSTEM.COMMAND.INPUT ssid.SYSTEM.COMMAND.REPLY ssid.SYSTEM.CSQOREXX.* ssid.SYSTEM.CSQUTIL.* For the real dead-letter queue (to determine queue name refer to ZWMQ0053), ALTER access authorization restricts access to WebSphere MQ STCs, WebSphere MQ administrators, CICS regions running WebSphere MQ applications, and any automated application used for dead-letter queue maintenance. For the alias dead-letter queue (to determine queue name, refer to ZWMQ0053), UPDATE access authorization restricts access to users requiring the ability to put messages to the dead-letter queue. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list. Example: RDEF MQQUEUE <ssid>.SYSTEM.** UACC(NONE) OWNER(ADMIN) AUDIT(FAILURE(READ)) DATA('REQUIRED FOR ZWMQ0054') PE <ssid>.SYSTEM.** CL(MQQUEUE) ID(<RestrictedUsersAsSpecifiecAbove>) RDEF MQQUEUE <ssid>.<qname>.** UACC(NONE) OWNER(ADMIN) AUDIT(FAILURE(READ)) DATA('REQUIRED FOR ZWMQ0054') PE <ssid>.<qname> CL(MQQUEUE) ID(<AsSpecifiedAbove>) RDEF MQQUEUE <ssid>.<RealDeadLetterQue>.** UACC(NONE) OWNER(ADMIN) AUDIT(FAILURE(READ)) DATA('REQUIRED FOR ZWMQ0054') PE <ssid>.<RealDeadLetterQue> CL(MQQUEUE) ID(<AsSpecifiedAbove>) RDEF MQQUEUE <ssid>.<AliasDeadLetterQue>.** UACC(NONE) OWNER(ADMIN) AUDIT(FAILURE(READ)) DATA('REQUIRED FOR ZWMQ0054') PE <ssid>.<AliasDeadLetterQue> CL(MQQUEUE) ID(<AsSpecifiedAbove>) SETR RACL(MQQUEUE) REF Not_Reviewed Vuln_Num V-224562 Rule_ID SV-224562r1145297_rule Severity medium Rule_Title WebSphere MQ Process resource profiles defined in the appropriate Class must be protected in accordance with security requirements. Vuln_Discuss WebSphere MQ Process resources allow for the control of processes. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data. Check_Content Refer to the following reports produced by the RACF Data Collection: - SENSITVE.RPT(MQPROC). - SENSITVE.RPT(MXPROC). For all process resources (i.e., ssid.processname) defined to the MQPROC and GMQPROC resource classes (or MXPROC and GMXPROC resource classes, if SCYCASE is set to MIXED). If the following guidance is true, this is not a finding. Note: ssid is the queue manager name (a.k.a., subsystem identifier). Resource profiles are defined with a UACC(NONE). Access authorization restricts access to users requiring the ability to make process inquiries. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list. Fix_Text Process security validates userids authorized to issue WebSphere MQ inquiries on process definitions. A process definition object defines an application that is started in response to a trigger event on a queue manager. Process security will be active, and all profiles ssid.processname will be defined to the appropriate class. Restrict READ access to those userids requiring access to make process inquiries. For all process resources (i.e., ssid.processname) defined to the MQPROC, GMQPROC, MXPROC, and GMXPROC resource classes, ensure the following items are in effect: Note: ssid is the queue manager name (a.k.a., subsystem identifier). Resource profiles are defined with a UACC(NONE). Access authorization restricts access to users requiring the ability to make process inquires. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list. A set of sample commands are provided below to implement the minimum profiles necessary for proper security. /* THE FOLLOWING PROFILE FORCES GRANULAR PROFILES DEFINITIONS */ RDEF MQPROC ** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('MQPROC DENY-BY-DEFAULT PROFILE') RDEF MQPROC <ssid>.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('REQUIRED FOR ZWMQ0055') PE <ssid>.** CL(MQPROC) ID(<ApplicableUsers>) SETR RACL(MQPROC) REF Note that an additional WebSphere MQ Refresh may be required for active queue managers. This is done from the CONSOLE: The example is for a queue manager named QMD1: >QMD1 REFRESH SECURITY(*) The following is a sample of the commands required to allow a group (GRP1) to inquire on processes beginning with the letter V on queue manager (QM1): RDEFINE MQPROC QM1.V* UACC(NONE) AUDIT(ALL(READ)) PERMIT QM1.V* CLASS(MQPROC) ID(GRP1) ACCESS(READ) Not_Reviewed Vuln_Num V-224563 Rule_ID SV-224563r1145074_rule Severity medium Rule_Title WebSphere MQ Namelist resource profiles defined in the appropriate class must be protected in accordance with security requirements. Vuln_Discuss WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data. Check_Content Refer to the following reports produced by the RACF Data Collection: - SENSITVE.RPT(MQNLIST). - SENSITVE.RPT(MXNLIST). For all namelist resources (i.e., ssid.namelist) defined to the MQNLIST and GMQNLIST resource class (or MXNLIST and GMXNLIST resource classes, if SCYCASE is set to MIXED). If the following guidance is true, this is not a finding. Note: ssid is the queue manager name (a.k.a., subsystem identifier). Resource profiles are defined with a UACC(NONE). Access authorization restricts access to users requiring the ability to make namelist inquiries. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list. Fix_Text A namelist is a WebSphere MQ object that contains a list of queue names. Namelist security validates userids authorized to inquire on namelists. Namelist security will be active, and all profiles ssid.namelist will be defined to the MQNLIST, GMQNLIST, MXNLIST, or GMXNLIST classes with UACC(NONE) specified. Restrict READ access to those userids requiring access to make namelist inquiries. For all namelist resources (i.e., ssid.namelist) defined to the MQNLIST, GMQNLIST, MXNLIST, or GMXNLIST resource classes, ensure the following items are in effect: Note: ssid is the queue manager name (a.k.a., subsystem identifier). Resource profiles are defined with a UACC(NONE). Access authorization restricts access to users requiring the ability to make namelist inquires. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list. A set of sample commands are provided below to implement the minimum profiles necessary for proper security. /* THE FOLLOWING PROFILE FORCES GRANULAR PROFILES DEFINITIONS */ RDEF MQNLIST ** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('MQCONN DENY-BY-DEFAULT PROFILE') RDEF MQNLIST <ssid>.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('REQUIRED FOR ZWMQ0056') PE <ssid>.** CL(MQNLIST) ID(<applicable>) SETR RACL(MQNLIST) REF Note that an additional WebSphere MQ Refresh may be required for active queue managers. This is done from the CONSOLE: The example is for a queue manager named QMD1: >QMD1 REFRESH SECURITY(*) Not_Reviewed Vuln_Num V-224564 Rule_ID SV-224564r1145077_rule Severity medium Rule_Title WebSphere MQ Alternate User resources defined to appropriate ADMIN resource class must be protected in accordance with security requirements. Vuln_Discuss WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data. Check_Content Refer to the following reports produced by the RACF Data Collection: - SENSITVE.RPT(MQADMIN). - SENSITVE.RPT(MXADMIN). For all alternate user resources (i.e., ssid.ALTERNATE.USER.alternateuserid) defined to the MQADMIN and GMQADMIN resource classes (or MXADMIN and GMXADMIN resource classes, if SCYCASE is set to MIXED). If the following guidance is true, this is not a finding. Note: ssid is the queue manager name (a.k.a., subsystem identifier). Resource profiles are defined with a UACC(NONE). Access authorization restricts access to users requiring the ability to use the alternate userid. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list. Fix_Text Alternate userid security allows access to be requested under another userid. Alternate userid security will be active, and all profiles ssid.ALTERNATE.USER.alternateuserid will be defined to the MQADMIN or MXADMIN class with UACC(NONE) specified. Restrict UPDATE access to those userids requiring access to alternate userids. For all alternate user resources (i.e., ssid.ALTERNATE.USER.alternateuserid) defined to the MQADMIN or MXADMIN resource class, ensure the following items are in effect: Note: ssid is the queue manager name (a.k.a., subsystem identifier). Resource profiles are defined with a UACC(NONE). Access authorization restricts access to users requiring the ability to use the alternate userid. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list. A set of sample commands are provided below to implement the minimum profiles necessary for proper security. /* THE FOLLOWING PROFILE FORCES GRANULAR PROFILES DEFINITIONS */ RDEF MQADMIN ** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('MQADMIN DENY-BY-DEFAULT PROFILE') RDEF MQADMIN <ssid>.ALTERNATE.USER.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('MQADMIN DENY-BY-DEFAULT for ALT USER PROFILE') The following is a sample of the commands required to allow payroll server (PAYSRV1) to specify alternate userids starting with the characters PS on queue manager (QM1): RDEFINE MQADMIN QMD1.ALTERNATE.USER.PS* UACC(NONE) AUDIT(ALL) PERMIT QMD1.ALTERNATE.USER.PS* CLASS(MQADMIN) ID(PAYSRV1) ACCESS(UPDATE) SETR RACL(MQADMIN) REF Note that an additional WebSphere MQ Refresh may be required for active queue managers. This is done from the CONSOLE: The example is for a queue manager named QMD1: >QMD1 REFRESH SECURITY(*) Not_Reviewed Vuln_Num V-224565 Rule_ID SV-224565r1145080_rule Severity medium Rule_Title WebSphere MQ context resources defined to the appropriate ADMIN resource class must be protected in accordance with security requirements. Vuln_Discuss Context security validates whether a userid has authority to pass or set identity and/or origin data for a message. Context security will be active to avoid security exposure. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data. Check_Content Refer to the following reports produced by the RACF Data Collection: - SENSITVE.RPT(MQADMIN). - SENSITVE.RPT(MXADMIN). For all context resources (i.e., ssid.CONTEXT) defined to the MQADMIN and GMQADMIN resource classes (or MXADMIN and GMXADMIN resource classes, if SCYCASE is set to MIXED). If the following guidance is true, this is not a finding. Note: ssid is the queue manager name (a.k.a., subsystem identifier). Resource profiles are defined with a UACC(NONE). Access authorization restricts access to users requiring the ability to pass or set identity and/or origin data for a message. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list. Fix_Text Context security validates whether a userid has authority to pass or set identity and/or origin data for a message. Context security will be active, and all profiles ssid.CONTEXT will be defined to the appropriate ADMIN class with UACC(NONE) specified, where ssid is the queue manager name. READ access is required when the PASS option is specified for an MQOPEN or MQPUT1. Update or control access is required when the SET or OUTPUT option is specified. For all context resources (i.e., ssid.CONTEXT) defined to the MQADMIN or MXADMIN resource class, ensure the following items are in effect: Note: ssid is the queue manager name (a.k.a., subsystem identifier). Resource profiles are defined with a UACC(NONE). Access authorization restricts access to users requiring the ability to pass or set identity and/or origin data for a message. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list. A set of sample commands are provided below to implement the minimum profiles necessary for proper security. /* THE FOLLOWING PROFILE FORCES GRANULAR PROFILES DEFINITIONS */ RDEF MQADMIN ** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('MQADMIN DENY-BY-DEFAULT PROFILE') RDEF MQADMIN <ssid>.CONTEXT UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('MQADMIN PROFILE REQUIRED FOR CONTEXT SECURITY') The following is a sample of the commands required to allow a systems programming group (SYS1) to offload and reload messages for queue manager (QMD1): PERMIT QMD1.CONTEXT CLASS(MQADMIN) ID(SYS1) ACCESS(CONTROL) The following refresh is required for RACListed classes: SETR RACL(MQADMIN) REF Note that an additional WebSphere MQ Refresh may be required for active queue managers. This is done from the CONSOLE: The example is for a queue manager named QMD1: >QMD1 REFRESH SECURITY(*) Not_Reviewed Vuln_Num V-224566 Rule_ID SV-224566r1145299_rule Severity medium Rule_Title WebSphere MQ command resources defined to MQCMDS resource class are not protected in accordance with security requirements. Vuln_Discuss WebSphere MQ resources allow for the control of commands. Failure to properly protect WebSphere MQ Command resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data. Check_Content Refer to the following reports produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(MQCMDS). For all command resources (i.e., ssid.command) defined to the MQCMDS and GMQCMDS resource classes. If the following guidance is true, this is not a finding. Note: ssid is the queue manager name (a.k.a., subsystem identifier). Resource profiles are defined with a UACC(NONE). Access authorization restricts access to the appropriate personnel as designated in the WebSphere MQ COMMAND SECURITY CONTROLS Table in the z/OS STIG Addendum. All command access is logged as designated in the WebScphere MQ COMMAND SECURITY CONTROLS Table in the z/OS STIG Addendum. Fix_Text Command security validates userids authorized to issue MQSeries/WebSphere MQ commands. Command security will be active For all command resources (i.e., ssid.command) defined to the MQCMDS resource class, ensure the following items are in effect: NOTE 1: ssid is the queue manager name (a.k.a., subsystem identifier). Resource profiles are defined with a UACC(NONE). Access authorization restricts access to the appropriate personnel as designated in the table titled "Websphere MQ Command Security Controls" in the zOS STIG Addendum. All command access is logged as designated in the table titled "Websphere MQ Command Security Controls" in the zOS STIG Addendum. A set of sample commands are provided below to implement the minimum profiles necessary for proper security. /* THE FOLLOWING PROFILE FORCES GRANULAR PROFILES DEFINITIONS */ RDEF MQCMDS ** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('MQCMDS DENY-BY-DEFAULT PROFILE') RDEF MQCMDSN <ssid>.<CmdName>.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('MQCMDS Required See ZWMQ0059') PE <ssid>.<CmdNAme>.** CL(MQCMDS) ID(<authorizeduser>) ACC(C) SETR RACL(MQCMDS) REF Note that an additional WebSphere MQ Refresh may be required for active Qmanagers. This is done from the CONSOLE: The example is for a queue manager named QMD1: >QMD1 REFRESH SECURITY(*) Not_Reviewed Vuln_Num V-224567 Rule_ID SV-224567r1145086_rule Severity medium Rule_Title WebSphere MQ RESLEVEL resources in the appropriate ADMIN resource class must be protected in accordance with security requirements. Vuln_Discuss RESLEVEL security profiles control the number of userids checked for API-resource security. RESLEVEL is a powerful option that can cause the bypassing of all security checks. RESLEVEL security will not be implemented. Check_Content Refer to the following reports produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(MQADMIN). - SENSITVE.RPT(MXADMIN). Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ZWMQ0060). Review the MQADMIN and GMQADMIN resource classes (or MXADMIN and GMXADMIN resource classes, if SCYCASE is set to MIXED). If the following guidance is true, this is not a finding. Note: ssid is the queue manager name (a.k.a., subsystem identifier). A RESLEVEL resource (i.e., ssid.RESLEVEL) is defined for each queue manager with a UACC(NONE). Access authorization to these RESLEVEL resources restricts all access. No users or groups must be specified in the access list. Fix_Text RESLEVEL security profiles control the number of userids checked for API-resource security. RESLEVEL security will not be implemented due to the following exposures and limitations: RESLEVEL is a powerful option that can cause the bypassing of all security checks. Security audit records are not created when the RESLEVEL profile is utilized. If the WARNING option is specified on a RESLEVEL profile, no warning messages are produced. To protect against any profile in the MQADMIN or MXADMIN class, such as ssid.**, resolving to a RESLEVEL profile, a ssid.RESLEVEL profile will be defined for each queue manager with UACC(NONE) specified and no users or groups specified in the access list. Ensure the following items are in effect: Note: ssid is the queue manager name (a.k.a., subsystem identifier). A RESLEVEL resource (i.e., ssid.RESLEVEL) is defined for each queue manager to the MQADMIN or MXADMIN resource class with a UACC(NONE). Access authorization to these RESLEVEL resources restricts all access. No users or groups must be specified in the access list. A set of sample commands is provided below to implement the profile necessary for proper security. RDEF MQADMIN <ssid>.RESLEVEL UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('MQADMIN PROFILE REQUIRED BY ZWMQ0060') SETR RACL(MQADMIN) REF Note that an additional WebSphere MQ Refresh may be required for active queue managers. This is done from the CONSOLE: The example is for a queue manager named QMD1: >QMD1 REFRESH SECURITY(*) Not_Reviewed