← Back to IBM MQ Appliance V9.0 AS Security Technical Implementation Guide

V-255801

CAT II (Medium)

The MQ Appliance messaging server must use an enterprise user management system to uniquely identify and authenticate users (or processes acting on behalf of organizational users).

Rule ID

SV-255801r960969_rule

STIG

IBM MQ Appliance V9.0 AS Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000764

Discussion

To assure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. This is typically accomplished via the use of a user store which is either local (OS-based) or centralized (LDAP) in nature. To ensure support to the enterprise, the authentication must utilize an enterprise solution. Review IBM product documentation for the LDAP fields required when setting up a communication link with the LDAP server. See https://ibm.biz/BdsRRk for a detailed description of these options.

Check Content

To access the MQ Appliance CLI, enter:
mqcli

To identify the queue managers, enter:
dspmq

For each queue manager identified, run the command:
runmqsc [queue name]

DIS AUTHINFO(USE.LDAP)

Verify that "AUTHINFO(USE.LDAP)" is displayed under authentication information details. 

If "IBM MQ Appliance object USE.LDAP not found" is displayed, this is a finding.

Fix Text

Specify LDAP as the authentication method for each queue manager.

To access the MQ Appliance CLI, enter:
mqcli

runmqsc [queue manager name]

DEFINE AUTHINFO(USE.LDAP) 
AUTHTYPE(CRLLDAP) 
CONNAME('[host name1(port)],[host name1(port)]') 

ALTER QMGR CONNAUTH('USE.LDAP')
REFRESH SECURITY TYPE(CONNAUTH)

Enter "end" to exit runmqsc mode.