STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 2 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to IBM MQ Appliance v9.0 NDM Security Technical Implementation Guide

V-255763

CAT II (Medium)

WebGUI access to the MQ Appliance network device must electronically verify Personal Identity Verification (PIV) credentials.

Rule ID

SV-255763r1000073_rule

STIG

IBM MQ Appliance v9.0 NDM Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-001954

Discussion

The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. DoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under HSPD 12, as well as a primary component of layered protection for national security systems.

Check Content

Log on to the MQ Appliance CLI as a privileged user. Verify MQ Appliance PKI-based user authentication is configured. 

Verify an SSL Server Profile is associated with the WebGUI (CLI). Enter: 
co 
show web-mgmt 

[Note the name of the ssl-server] 

Display the parameters of the ssl-server (CLI). Enter: 
co 
crypto 
ssl-server <ssl-server name> 
show 

[Note the name of the valcred] 

Display the certificates in the ValCred (CLI). Enter: 
co 
crypto 
valcred <name of valcred> 
show 

Verify all listed client certificates are authorized to access the MQ Appliance. 

Spot-check access to the appliance: 

Attempt to access the appliance from a browser enabled with an authorized certificate. 

Attempt to access the appliance from a browser not enabled with an authorized client certificate. 

If unauthorized access succeeds, this is a finding.

Fix Text

Log on to the MQ Appliance CLI as a privileged user. Configure MQ Appliance PKI-based user authentication. 

Assign the WebGUI to one management port (CLI). Enter: 
co 
web-mgmt <mgmt port IP addr> 9090 <timeout in seconds> 
write mem 
y 

Import to cert directory MQ Appliance private key and cert and client cert(s) (WebGUI): 
- Log on to the WebGUI as a privileged user. 
- Click on the Administration (gear) icon. 
- Under Main, click on File Management. 
- Click cert directory.
- Click Actions. 
- Upload files. 
- Browse to select MQ Appl privkey. 
- Add. 
- Browse to select MQ Appl cert. 
- Add. 
- Browse to select client cert. 
- Add. 
- [Repeat Browse and Add for all desired client certs.] 
- Upload. 
- Continue 

Create cert aliases (CLI). Enter: 
co 
crypto 
certificate <MQAppl CryptoCert alias: appliance name> cert:///<MQAppl cert file name> 
certificate <client CryptoCert alias: subject field fm client cert> cert:///<client cert file name> 
[Repeat certificate command for any additional client certs.] 
exit 
write mem 
y 

Create MQAppl private key alias (CLI). Enter: 
co 
crypto 
key <MQAppl CryptoKey alias> cert:///<MQAppl privkey file name> 
exit 
write mem 
y 

Create MQAppl ID Credential (CLI). Enter: 
co 
crypto 
idcred <MQAppl IDCred name> <MQAppl CryptoKey alias> <MQAppl CryptoCert alias> 
exit 
write mem 
y 

Create a client Validation Credential (CLI). Enter: 
co 
crypto 
valcred <Client ValCred name> 
certificate <Client CryptoCert alias> 
[Add additional client certificates as required] 
exit 
exit 
write mem 
y 

Create SSL Server Profile (CLI). Enter: 
co 
crypto 
ssl-server <SSL Svr Profile name> 
admin-state enabled 
idcred <MQAppl IDCred name> 
protocols TLSv1d2 
valcred <Client ValCred name> 
request-client-auth on 
require-client-auth on 
send-client-auth-ca-list on 
exit 
exit 
write mem 
y 

Associate SSL Server Profile with WebGUI (CLI). Enter: 
co 
web-mgmt 
ssl-config-type server 
ssl-server <SSL Svr Profile name> 
exit 
write mem 
y