In the event the authentication server is unavailable, the MQ Appliance must provide one local account created for emergency administration use.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-74943 | MQMH-ND-000490 | SV-89617r1_rule | Medium |
| Description |
|---|
| Authentication for administrative (privileged level) access to the MQ Appliance is required at all times. An account can be created on the device's local database for use in an emergency, such as when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is also referred to as the account of last resort since the emergency administration account is strictly intended to be used only as a last resort and immediate administrative access is absolutely necessary. The number of emergency administration accounts is restricted to at least one, but no more than operationally required as determined by the Information System Security Officer (ISSO). The emergency administration account logon credentials must be stored in a sealed envelope and kept in a safe. MQ provides the Fallback user account to provide access to the MQ appliance in the event the centralized authentication server is not available.v |
| STIG | Date |
|---|---|
| IBM MQ Appliance v9.0 NDM Security Technical Implementation Guide | 2017-06-06 |
Details
| Check Text ( C-74801r1_chk ) |
|---|
| Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Verify the Authentication Method is set to LDAP. Verify at least one Fallback user is configured. If MQ authentication is not set to LDAP and if the Fallback user is not created, this is a finding. |
| Fix Text (F-81559r1_fix) |
|---|
| Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Set Authentication Method to LDAP. Configure one Fallback user. Configure the LDAP connection as required. |