Rule ID
SV-255799r961044_rule
Version
V1R2
CCIs
The cornerstone of PKI is the private key used to encrypt or digitally sign information. The key by itself is a cryptographic value that does not contain specific user information, but the key can be mapped to a user. Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis. Messaging servers must provide the capability to utilize and meet requirements of the DoD Enterprise PKI infrastructure for application authentication. Note: Two or more alternative LDAP hosts may be listed, in the CONNAME parameter, separated by commas. Review IBM product documentation for the LDAP fields required when setting up a communication link with the LDAP server. See https://ibm.biz/BdiBGu for a detailed description of these options.
To access the MQ Appliance CLI, for each queue manager, enter: mqcli To identify the queue managers, enter: dspmq For each queue manager identified, run the command: runmqsc [queue name] DIS AUTHINFO(*) AUTHTYPE(CRLLDAP) CONNAME Verify that an "AUTHINFO" definition of "AUTHTYPE(CRLLDAP)" is displayed and that the CONNAME in parenthesis is the host name or IPv4 dotted decimal address of an organizationally approved LDAP server. If the "AUTHINFO" definition is not equal to "AUTHTYPE(CRLLDAP)", this is a finding.
Specify LDAP as the authentication method for each queue manager.
To access the MQ Appliance CLI, enter:
mqcli
runmqsc [queue manager name]
DEFINE AUTHINFO('[Object name e.g., USE.CRLLDAP]')
AUTHTYPE(CRLLDAP)
CONNAME('[LDAPhost1(port)]') REPLACE
Type "end" to exit runmqsc mode.