
V-224354

CAT I (High)

WebSphere MQ channel security must be implemented in accordance with security requirements.

Rule ID

SV-224354r1144153_rule

STIG

zOS WebSphere MQ for ACF2 Security Technical Implementation Guide

Version

V7R2

CCIs

CCI-000068, CCI-002421, CCI-002423, CCI-002450

Discussion

WebSphere MQ Channel security can be configured to provide authentication, message privacy, and message integrity between queue managers. Secure Sockets Layer (SSL) uses encryption techniques, digital signatures and digital certificates to provide message privacy, message integrity and mutual authentication between clients and servers. Failure to properly secure a WebSphere MQ channel may lead to unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of some system services, applications, and customer data.

Satisfies: SRG-OS-000505, SRG-OS-000555

Check Content

Refer to the following report produced by the z/OS Data Collection:

- MQSRPT(ssid).

Note: ssid is the queue manager name (a.k.a., subsystem identifier).

Collect the following information for the WebSphere MQ queue manager.

- If a WebSphere MQ queue manager communicates with another WebSphere MQ queue manager, provide the WebSphere MQ queue manager and channel names used to connect these queue managers.

Automated Analysis requires Additional Analysis.

Automated Analysis

Refer to the following report produced by the z/OS Data Collection:

- PDI(ZWMQ0011)

If the following guidelines are true for each channel definition displayed from the DISPLAY CHANNEL command, this is not a finding.

Verify that each WebSphere MQ channel is using SSL by checking the SSLCIPH parameter, which must specify one of the following FIPS 140-2 compliant values. (Note: Both ends of the channel must specify the same cipher specification.)

ECDHE_ECDSA_AES_128_CBC_SHA256
ECDHE_ECDSA_AES_256_CBC_SHA384
ECDHE_RSA_AES_128_CBC_SHA256
ECDHE_RSA_AES_256_CBC_SHA384
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256

Repeat the above step for each queue manager ssid identified.
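
The SSLCIPH check above, as an added Python example (not part of the STIG or of the z/OS Data Collection tooling). It assumes the DISPLAY CHANNEL output is available as text with attributes in MQSC `KEYWORD(value)` form; the channel names and both sample reports are constructed, and `parse_channels` and `findings` are hypothetical helper names.

```python
import re

# Cipher specifications the rule lists as FIPS 140-2 compliant (copied from the page).
APPROVED = frozenset("""
ECDHE_ECDSA_AES_128_CBC_SHA256 ECDHE_ECDSA_AES_256_CBC_SHA384
ECDHE_RSA_AES_128_CBC_SHA256 ECDHE_RSA_AES_256_CBC_SHA384
TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
""".split())

ATTR = re.compile(r"\b([A-Z]+)\(([^)]*)\)")  # one MQSC KEYWORD(value) token

# Constructed sample reports for the two ends of each channel (not real output).
LOCAL_REPORT = """
CHANNEL(QM1.TO.QM2) CHLTYPE(SDR) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
CHANNEL(QM1.TO.QM3) CHLTYPE(SDR) SSLCIPH( )
CHANNEL(QM1.TO.QM4) CHLTYPE(SDR) SSLCIPH(NULL_SHA)
CHANNEL(QM1.TO.QM5) CHLTYPE(SDR) SSLCIPH(ECDHE_RSA_AES_256_CBC_SHA384)
"""
REMOTE_REPORT = """
CHANNEL(QM1.TO.QM2) CHLTYPE(RCVR) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
CHANNEL(QM1.TO.QM5) CHLTYPE(RCVR) SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA256)
"""

def parse_channels(report):
    """Return {channel name: SSLCIPH value}; a blank or absent SSLCIPH maps to ''."""
    channels, current = {}, None
    for key, value in ATTR.findall(report):
        if key == "CHANNEL":
            # Skip a command echo such as DISPLAY CHANNEL(*).
            current = None if "*" in value else value.strip()
            if current is not None:
                channels[current] = ""
        elif key == "SSLCIPH" and current is not None:
            channels[current] = value.strip()
    return channels

def findings(local, remote=None):
    """List (channel, reason) pairs that make this check a finding."""
    out = []
    for name, cipher in sorted(local.items()):
        if not cipher:
            out.append((name, "SSLCIPH is blank, channel is not using SSL"))
        elif cipher not in APPROVED:
            out.append((name, f"SSLCIPH {cipher} is not in the approved list"))
        elif remote is not None and name in remote and remote[name] != cipher:
            out.append((name, f"partner end specifies {remote[name] or 'blank'}"))
    return out
```

Run `findings` once per queue manager report; the partner comparison relies on both ends of a channel sharing the same channel name.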

Fix Text

Review the WebSphere MQ Screen interface invoked by the REXX CSQOREXX. Review the channel's SSLCIPH setting.

Display the channel properties and look for the "SSL Cipher Specification" value.

Ensure that a FIPS 140-2 compliant value is shown.

ECDHE_ECDSA_AES_128_CBC_SHA256
ECDHE_ECDSA_AES_256_CBC_SHA384
ECDHE_RSA_AES_128_CBC_SHA256
ECDHE_RSA_AES_256_CBC_SHA384
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256

Note that both ends of the channel must specify the same cipher specification. 

Repeat these steps for each queue manager ssid identified.