Access to the MQ Appliance messaging server must utilize encryption when using LDAP for authentication.

An XCCDF Rule

Description

<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. Messaging servers have the capability to utilize LDAP directories for authentication. If LDAP connections are not protected during transmission, sensitive authentication credentials can be stolen. When the messaging server utilizes LDAP, the LDAP traffic must be encrypted. Note: Multiple alternative LDAP hosts may be listed in the CONNAME parameter, separated by commas. Review IBM product documentation for the LDAP fields required when setting up a communication link with the LDAP server. See https://ibm.biz/BdiBGu and https://ibm.biz/BdixXz for a detailed description of these options.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-89573r1_rule
Severity: Medium
References: CCI-000197
Updated: about 1 year ago

Specify LDAP as the authentication method for each queue manager.

To access the MQ Appliance CLI, enter:
mqcli

runmqsc [queue manager name]
DEFINE AUTHINFO('[Object name e.g., USE.LDAP]') 
AUTHTYPE(IDPWLDAP) 
CONNAME('[ldap1(port),ldap2(port),ldap3(port)]') 
SECCOMM(YES) [Ensures encryption is used]
SHORTUSR('[short user name]') 
CHCKCLNT(REQUIRED) 
BASEDNU('base user DN') 
REPLACE

ALTER QMGR CONNAUTH('[AUTHINFO object name]')
REFRESH SECURITY TYPE(CONNAUTH)

Type "end" to exit runmqsc mode.

Access to the MQ Appliance messaging server must utilize encryption when using LDAP for authentication.

Description

Remediation - Manual Procedure