WebSphere MQ channel security must be implemented in accordance with security requirements.

An XCCDF Rule

Description

WebSphere MQ Channel security can be configured to provide authentication, message privacy, and message integrity between queue managers. Secure Sockets Layer (SSL) uses encryption techniques, digital signatures and digital certificates to provide message privacy, message integrity and mutual authentication between clients and servers. Failure to properly secure a WebSphere MQ channel may lead to unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of some system services, applications, and customer data. Satisfies: SRG-OS-000505, SRG-OS-000555

ID: SV-225623r958408_rule
Version: ZWMQ0011
Severity: High
References: CCI-000068 CCI-002421 CCI-002423 CCI-002450
Updated: 6 days ago

Remediation Templates

The system programmer and the ISSO will review the WebSphere MQ Screen interface invoked by the REXX CSQOREXX. Reviewing the channel's SSLCIPH setting.

Display the channel properties and look for the "SSL Cipher Specification" value.

Ensure that a FIPS 140-2 compliant value is shown.
ECDHE_ECDSA_AES_128_CBC_SHA256
ECDHE_ECDSA_AES_256_CBC_SHA384
ECDHE_RSA_AES_128_CBC_SHA256
ECDHE_RSA_AES_256_CBC_SHA384
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256

Note that both ends of the channel must specify the same cipher specification. 

Repeat these steps for each queue manager ssid identified.

WebSphere MQ channel security must be implemented in accordance with security requirements.

Description

Remediation Templates

A Manual Procedure