WebSphere MQ channel security is not implemented in accordance with security requirements.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-224552	SRG-OS-000403	ZWMQ0012	SV-224552r1145043_rule	2025-09-27	7

Description
WebSphere MQ channel security can be configured to provide authentication, message privacy, and message integrity between queue managers. WebSphere MQ channels use SSL encryption techniques, digital signatures and digital certificates to provide message privacy, message integrity and mutual authentication between clients and servers. Failure to properly secure a WebSphere MQ channel may lead to unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of some system services, applications, and customer data.

Description

WebSphere MQ channel security can be configured to provide authentication, message privacy, and message integrity between queue managers. WebSphere MQ channels use SSL encryption techniques, digital signatures and digital certificates to provide message privacy, message integrity and mutual authentication between clients and servers. Failure to properly secure a WebSphere MQ channel may lead to unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of some system services, applications, and customer data.

ℹ️ Check
Refer to the following report produced by the z/OS Data Collection: - MQSRPT(ssid). Note: ssid is the queue manager name (a.k.a., subsystem identifier). To determine which Release of WebSphere MQ, review ssid reports for message CSQU000I. Collect the following Information for each WebSphere MQ queue manager. - If a WebSphere MQ queue manager communicates with another WebSphere MQ queue manager, provide the WebSphere MQ queue manager and channel names used to connect these queue managers. - If any WebSphere MQ channels are used to communicate within the enclave, provide a list of channels and provide documentation regarding the sensitivity of the information on the channel. Review the ssid report(s) and perform the following steps. If the following guidance for each queue manager ssid is true, this is not a finding. Find the DISPLAY QMGR DEADQ, SSLKEYR, SCYCASE command to locate the start of the Queue Manager definitions. Verify that each WebSphere MQ 5.3 queue manager is using a digital certificate by reviewing the SSLKEYR parameter to ensure that a keyring is identified. i.e. SSLKEYR(sslkeyring-id). Issue the following RACF commands, where ssidCHIN is the lid for the WebSphere MQ Channel Initiator's userid and sslkeyring-id is obtained from the above action: RACDCERT ID(ssidCHIN) LISTRING(sslkeyring-id) Note: The sslkeyring-id is case sensitive. The output will contain columns for Certificate Label Name and Cert Owner. Find the Cert Owner of ID(ssidCHIN). Use the Certificate Label Name for ID(ssidCHIN) in the following command: RACDCERT ID(ssidCHIN) LIST(LABEL('Certificate Label Name')) Note: The Certificate Label Name is case sensitive. Review the Issuer's Name field in the resulting output for information on any of the following: OU=PKI.OU=DoD.O=U.S. Government.C=US OU=ECA.O=U.S. Government.C=US Repeat these steps for each queue manager ssid identified.

ℹ️ Check

Refer to the following report produced by the z/OS Data Collection: - MQSRPT(ssid). Note: ssid is the queue manager name (a.k.a., subsystem identifier). To determine which Release of WebSphere MQ, review ssid reports for message CSQU000I. Collect the following Information for each WebSphere MQ queue manager. - If a WebSphere MQ queue manager communicates with another WebSphere MQ queue manager, provide the WebSphere MQ queue manager and channel names used to connect these queue managers. - If any WebSphere MQ channels are used to communicate within the enclave, provide a list of channels and provide documentation regarding the sensitivity of the information on the channel. Review the ssid report(s) and perform the following steps. If the following guidance for each queue manager ssid is true, this is not a finding. Find the DISPLAY QMGR DEADQ, SSLKEYR, SCYCASE command to locate the start of the Queue Manager definitions. Verify that each WebSphere MQ 5.3 queue manager is using a digital certificate by reviewing the SSLKEYR parameter to ensure that a keyring is identified. i.e. SSLKEYR(sslkeyring-id). Issue the following RACF commands, where ssidCHIN is the lid for the WebSphere MQ Channel Initiator's userid and sslkeyring-id is obtained from the above action: RACDCERT ID(ssidCHIN) LISTRING(sslkeyring-id) Note: The sslkeyring-id is case sensitive. The output will contain columns for Certificate Label Name and Cert Owner. Find the Cert Owner of ID(ssidCHIN). Use the Certificate Label Name for ID(ssidCHIN) in the following command: RACDCERT ID(ssidCHIN) LIST(LABEL('Certificate Label Name')) Note: The Certificate Label Name is case sensitive. Review the Issuer's Name field in the resulting output for information on any of the following: OU=PKI.OU=DoD.O=U.S. Government.C=US OU=ECA.O=U.S. Government.C=US Repeat these steps for each queue manager ssid identified.

✔️ Fix
Refer to the following report produced by the z/OS Data Collection: - MQSRPT(ssid) Note: ssid is the queue manager name (a.k.a., subsystem identifier). Find the DISPLAY QMGR SSLKEYR command to locate the start of the Queue Manager definitions. Verify that each WebSphere MQ queue manager is using a digital certificate by reviewing the SSLKEYR parameter to ensure that a keyring is identified, i.e., SSLKEYR(sslkeyring-id). Issue the following RACF commands, where ssidCHIN is the lid for the WebSphere MQ Channel Initiator's userid and sslkeyring-id is obtained from the above action: RACDCERT ID(ssidCHIN) LISTRING(sslkeyring-id) Note: The sslkeyring-id is case sensitive. The output will contain columns for Certificate Label Name and Cert Owner. Find the Cert Owner of ID(ssidCHIN). Use the Certificate Label Name for ID(ssidCHIN) in the following command: RACDCERT ID(ssidCHIN) LIST(LABEL('Certificate Label Name')) Note: The Certificate Label Name is case sensitive. Review the Issuer's Name field in the resulting output for information on any of the following: OU=PKI.OU=DoD.O=U.S. Government.C=US OU=ECA.O=U.S. Government.C=US Repeat these steps for each queue manager ssid identified. To implement the requirements stated above, the following two items are provided which attempt to assist with (1) Technical "how to" information and (2) A DISA Point of contact for obtaining SSL certificates for CSD WebSphere MQ channels: Review the information available on setting up SSL, Keyrings, and Digital Certificates in the RACF Security Administrator's Guide as well as the WebSphere MQ Security manual. Also review the information contained in the documentation provided as part of the install package from the DISA SSO Resource Management Factory (formerly Software Factory). For information on obtaining an SSL certificate in the DISA CSD environment, send email inquiry to disaraoperations@disa.mil.

✔️ Fix

Refer to the following report produced by the z/OS Data Collection: - MQSRPT(ssid) Note: ssid is the queue manager name (a.k.a., subsystem identifier). Find the DISPLAY QMGR SSLKEYR command to locate the start of the Queue Manager definitions. Verify that each WebSphere MQ queue manager is using a digital certificate by reviewing the SSLKEYR parameter to ensure that a keyring is identified, i.e., SSLKEYR(sslkeyring-id). Issue the following RACF commands, where ssidCHIN is the lid for the WebSphere MQ Channel Initiator's userid and sslkeyring-id is obtained from the above action: RACDCERT ID(ssidCHIN) LISTRING(sslkeyring-id) Note: The sslkeyring-id is case sensitive. The output will contain columns for Certificate Label Name and Cert Owner. Find the Cert Owner of ID(ssidCHIN). Use the Certificate Label Name for ID(ssidCHIN) in the following command: RACDCERT ID(ssidCHIN) LIST(LABEL('Certificate Label Name')) Note: The Certificate Label Name is case sensitive. Review the Issuer's Name field in the resulting output for information on any of the following: OU=PKI.OU=DoD.O=U.S. Government.C=US OU=ECA.O=U.S. Government.C=US Repeat these steps for each queue manager ssid identified. To implement the requirements stated above, the following two items are provided which attempt to assist with (1) Technical "how to" information and (2) A DISA Point of contact for obtaining SSL certificates for CSD WebSphere MQ channels: Review the information available on setting up SSL, Keyrings, and Digital Certificates in the RACF Security Administrator's Guide as well as the WebSphere MQ Security manual. Also review the information contained in the documentation provided as part of the install package from the DISA SSO Resource Management Factory (formerly Software Factory). For information on obtaining an SSL certificate in the DISA CSD environment, send email inquiry to disaraoperations@disa.mil.