
V-255813

CAT II (Medium)

The MQ Appliance messaging server must provide a clustering capability.

Rule ID

SV-255813r961122_rule

STIG

IBM MQ Appliance V9.0 AS Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-001190

Discussion

This requirement is dependent upon system criticality and confidentiality requirements. If the system categorization and confidentiality levels do not specify redundancy requirements, this requirement is NA.

Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. When application failure is encountered, preserving application state facilitates application restart and return to the operational mode of the organization with less disruption of mission/business processes.

Clustering of multiple messaging servers is a common approach to providing fail-safe application availability when system MAC and confidentiality levels require redundancy.

Satisfies: SRG-APP-000225-AS-000154, SRG-APP-000225-AS-000166

Check Content

Review system categorization to determine if redundancy is a requirement. If the system categorization does not specify redundancy requirements, this requirement is NA.

On each member of the HA pair:
Establish an SSH command line session as an admin user.

To access the MQ Appliance CLI, enter:
mqcli

To run the dspmq command, enter:
dspmq -s -o ha 

One of the appliances should be running as primary, the other as secondary.

If HA is not configured with the primary and secondary running, this is a finding.
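
Added example (not part of the STIG text): one way to turn the check above into a repeatable verdict from the `dspmq -s -o ha` output captured on each HA member. The one-line-per-queue-manager NAME(value) layout, the STATUS values "Running" and "Running elsewhere", and the sample captures are assumptions constructed for illustration.

```python
import re

# Assumed line shape for `dspmq -s -o ha`: NAME(value) fields, one line per queue manager.
FIELD = re.compile(r"(\w+)\(([^)]*)\)")

def parse_dspmq(text):
    """Return {queue manager name: {field: value}} from captured dspmq output."""
    qms = {}
    for line in text.splitlines():
        fields = dict(FIELD.findall(line))
        if "QMNAME" in fields:
            qms[fields["QMNAME"]] = fields
    return qms

def ha_findings(out_a, out_b):
    """Compare the output captured on each HA member; return a list of findings."""
    a, b = parse_dspmq(out_a), parse_dspmq(out_b)
    if not a and not b:
        return ["no queue managers reported on either appliance"]
    findings = []
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            findings.append(f"{name}: present on only one appliance")
            continue
        # An empty HA() value is treated as "HA not configured" (assumption).
        if not (a[name].get("HA") and b[name].get("HA")):
            findings.append(f"{name}: HA not configured")
            continue
        states = sorted((a[name].get("STATUS", ""), b[name].get("STATUS", "")))
        if states != ["Running", "Running elsewhere"]:
            findings.append(f"{name}: expected one primary and one secondary, got {states}")
    return findings

# Constructed sample captures (not taken from a real appliance).
APPLIANCE_1 = "QMNAME(HAQM1) STATUS(Running) HA(Replicated)\nQMNAME(QM2) STATUS(Running) HA()\n"
APPLIANCE_2 = "QMNAME(HAQM1) STATUS(Running elsewhere) HA(Replicated)\n"

if __name__ == "__main__":
    for finding in ha_findings(APPLIANCE_1, APPLIANCE_2) or ["no findings"]:
        print(finding)
```

An empty result means every queue manager is HA-replicated with exactly one primary and one secondary; anything else needs review against the system categorization.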

Fix Text

To configure HA:
1. Use three Ethernet cables to directly connect two appliances together using ports eth1, eth2, and eth3.
2. Configure the three connected MQ Appliance ports (on both appliances) as follows:

Interface   Purpose                          IP address/CIDR
eth1        HA group primary interface       x.x.x.x/24
eth2        HA group alternative interface   x.x.x.x/24
eth3        HA Replication interface         x.x.x.x/24

On the second appliance, enter the following command from the MQ Appliance CLI:
prepareha -s [SecretText] -a [eth1 IPAddress of first appliance] [-t timeout]

On the first appliance, enter the following commands:
crthagrp -s [SecretText] -a [eth1 IPAddress of second appliance]
crtmqm [HA QM name] -p [port] -sx

Note: The queue manager’s data (queues, queue messages, etc.) is replicated from the appliance in the primary HA role (first appliance) to the appliance in the secondary HA role (second appliance).