zOS WebsphereMQ for ACF2 STIG Version Comparison

There are 13 differences between versions v6 r2 (July 24, 2020) (the "left" version) and v6 r4 (Nov. 23, 2022) (the "right" version).

Check ZWMQ0011 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.

The regular view of the left check and right check may be easier to read.

Title

WebSphere MQ channel security must be implemented in accordance with security requirements.

Check Content

Refer to the following report produced by the z/OS Data Collection: - MQSRPT(ssid) NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). Collect the following Information information for Websphere WebSphere MQ and MQSeries queue manager. - If a WebSphere MQ queue manager communicates with a MQSeries queue manager, provide the WebSphere MQ queue manager and channel names used to connect with MQSeries. Automated MQSeries. - If any WebSphere MQ channels are used to communicate within the enclave, provide a list of channels and provide documentation regarding the sensitivity of the information on the channel. Automated Analysis requires Additional Analysis. Automated Analysis Refer to the following report produced by the z/OS Data Collection: - PDI(ZWMQ0011) If the communication lines are controlled by a VPN and are not available in the clear at any point outside the enclave, than this is acceptable and can override the requirement to use SSL. If this is true, this is not a finding. If the following guidelines are true for each channel definition displayed from the DISPLAY CHANNEL command, this is not a finding. ___ Verify that each WebSphere MQ channel is using SSL by checking for the SSLCIPH parameter, which must specify a FIPS 140-2 compliant value of the following: (Note: Both ends of the channel must specify the same cipher specification.) ECDHE_ECDSA_AES_128_CBC_SHA256 ECDHE_ECDSA_AES_256_CBC_SHA384 ECDHE_RSA_AES_128_CBC_SHA256 ECDHE_RSA_AES_256_CBC_SHA384 TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA256 ___ Repeat the above step for each queue manager ssid identified.

Discussion

WebSphere MQ Channel security can be configured to provide authentication, message privacy, and message integrity between queue managers. Secure Sockets Layer (SSL) uses encryption techniques, digital signatures and digital certificates to provide message privacy, message integrity and mutual authentication between clients and servers. Failure to properly secure a WebSphere MQ channel may lead to unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of some system services, applications, and customer data. data. Satisfies: SRG-OS-000505, SRG-OS-000555

Fix

The system programmer and the IAO will review Review the WebSphere MQ Screen interface invoked by the REXX CSQOREXX. Reviewing Review the channel’s channel's SSLCIPH setting. Display the channel properties and look for the "SSL Cipher Specification" value. Ensure that a FIPS 140-2 compliant value is shown. ECDHE_ECDSA_AES_128_CBC_SHA256 ECDHE_ECDSA_AES_256_CBC_SHA384 ECDHE_RSA_AES_128_CBC_SHA256 ECDHE_RSA_AES_256_CBC_SHA384 TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA256 Note that both ends of the channel must specify the same cipher specification. Repeat these steps for each queue manager ssid identified.