STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 2 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to IBM MQ Appliance V9.0 AS Security Technical Implementation Guide

V-255781

CAT II (Medium)

The MQ Appliance WebGUI interface to the messaging server must prohibit the use of cached authenticators after one hour.

Rule ID

SV-255781r961521_rule

STIG

IBM MQ Appliance V9.0 AS Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-002007

Discussion

When the messaging server is using PKI authentication, a local revocation cache must be stored for instances when the revocation cannot be authenticated through the network, but if cached authentication information is out of date, the validity of the authentication information may be questionable.

Check Content

Display the SSL Server Profile associated with the WebGUI using the (CLI).

Log on as an admin to the MQ appliance using SSH terminal access.

Enter:
co
show web-mgmt

To note the name of the ssl-server, enter:
crypto
ssl-server <ssl-server name>
show

Verify the following are displayed:
caching on
cache-timeout 3600

If the ssl-server configuration does not exist, or if caching is "off", or if the cache-timeout setting does not equal “3600” seconds (60 minutes),  this is a finding.

Fix Text

Display the SSL Server Profile associated with the WebGUI (CLI).
Enter:
co
show web-mgmt

[Note the name of the ssl-server]

Define the cache parameters of the SSL Server using the CLI.
Enter:
co
crypto
ssl-server <ssl-server name>
caching on
cache-timeout <3600>
exit
exit
write mem
y