Common Criteria
Common Criteria is a scheme for independent assessment, analysis, and testing of IT products to a set of security requirements. The Common Criteria Scheme provides consumers with an impartial security assurance of a product to predefined levels. These levels range from EAL0 to EAL7; each assurance level places increased demands on the developer for evidence of testing and provides increased assurance in the product.
WebSphere MQ V6.0.1.1 has been evaluated to Common Criteria EAL4. This provides assurance that the product has been methodically designed, tested, and reviewed.
Under the Common Criteria Recognition Arrangement (CCRA), countries agree to recognize Common Criteria certificates that have been produced by any certificate authorizing participant, in accordance with the terms laid out in the CCRA. Currently, the CCRA is comprised of 22 member nations: Australia, Austria, Canada, the Czech Republic, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, the Netherlands, New Zealand, Norway, the Republic of Singapore, Spain, Sweden, Turkey, the United Kingdom, and the United States. New members are expected to join in the near future.
You can find further information on the Common Criteria scheme at the following Web site: http://www.csrc.nist.gov/cc
Environmental Considerations
In order that WebSphere MQ operates in accordance with its Common Criteria certificate, the environmental requirements defined in this section need to be met.
- There must be one or more competent individuals that are assigned to manage WebSphere MQ and the security of the information that it contains. Such personnel are assumed not to be careless, wilfully negligent, or hostile.
- The operating system must be configured in accordance with the manufacturer's installation guides and where applicable, in its evaluated configuration. It must be securely configured such that the operating system protects WebSphere MQ from any unauthorized users or processes.
- SSL must be configured to run in FIPS mode.
- It is the responsibility of the system administrator to ensure that any connections over the Internet are secured by the appropriate protocol (for example, HTTPS or SFTP) and that any external URLs are trusted sites.
- The operating system environment must be configured to allow local login for a single user only.
- Remote logins to the operating system must be disabled. This includes Telnet, rlogin, SSH, and any similar remote login services.
- The system administrator must set the system time to the appropriate date and time of the server.
- The operating system supported is AIX V5.2.
WebSphere MQ relies on the operating system to provide user and group IDs and time and date information. In addition, you need an application to read the event logs so that the audit records produced by WebSphere MQ can be read.
The evaluation of WebSphere MQ does not include the following aspects:
- The operating system
- Remote administration
- WebSphere MQ Explorer
- Windows Default Configuration application
- Third-party or user-written authorization services not supplied with the WebSphere MQ product.
Configuring WebSphere MQ for Common Criteria
When you use WebSphere MQ in Common Criteria mode, comply with the following guidance:
- Use certificates that pass the PKIX validation specified in RFC 3280.
- Always use the GSKCapiCmd command line tool to manage certificates and keys. Do not use iKeyman or IKEYCMD.
- The WebSphere MQ key database file is protected by a password. To allow unattended access to the key database file WebSphere MQ provides a stash file to store the password. This stash file must be protected by an ACL or permission bits while it resides on the system and by encrypting the stash file when it is backed up.
- Ensure key database files are protected by a randomly-chosen strong password. At a minimum ensure the password adheres to the following rules:
  - The password must be a minimum length of 14 characters.
  - The password must contain a minimum of one lower case character, one upper case character, and one digit or special character.
  - Each character can only occur a maximum of three times in a password.
  - A maximum of two consecutive characters in the password can be identical.
- Use key database files that have been created using strong encryption. That is, specify the parameters strong and FIPS when you use GSKCapiCmd command line tool to create key database files.
- When you change the password for a key database file using the GSKCapiCmd tool, specify the parameters strong and FIPS.
- When you convert an existing key database file in the old format to the newer secure mode using the GSKCapiCmd tool, specify the parameters strong and FIPS.
- When you create a certificate request, a self-signed certificate, or sign a certificate using the GSKCapiCmd tool, specify the sha1 option for the sigalg parameter.
- If you use the GSKCapiCmd tool to export a certificate, do not use the target parameter to automatically create a target key database file. You must have already created a target key database file in FIPS mode.
- Do not configure WebSphere MQ to exploit hardware key database file or hardware cipher acceleration. That is, do not use the crypto, tokenlabel, secondaryDB or secondaryDBpw parameters in the GSKCapiCmd tool.
- Do not use a value of 512 for the size parameter when using the GSKCapiCmd tool. The value of the size parameter must be a minimum of 1024.
- Only allow certificates with Basic Constraint extension present to participate in a certification validation chain. When validating a certificate chain, WebSphere MQ can operate such that certificates with no Basic Constraint extension present are allowed to participate in a certificate validation chain as a non end-entity. In order to operate WebSphere MQ in Common Criteria mode, certificates with no Basic Constraint extension present must not be configured in this way. Instead, certificates missing the Basic Constraint extension must be configured as end-entities.
- When tracing is switched on for problem determination, be aware that WebSphere MQ is not in Common Criteria mode.
- If you have applications that use WebSphere MQ and that also have other trusted and untrusted applications on the same system, run applications to use the maximum operating system protection and minimize the risk to privileged applications from unprivileged user IDs.
  An application running under a privileged user, like root, might have access to process environments containing TSF data. To prevent untrusted applications harming your system, avoid this privileged mode of operation.
- If you use certificate revocation lists (CRLs) for certificate validation, the WebSphere MQ administrator is responsible for providing current and correct CRLs. The WebSphere MQ administrator must ensure that the CRL provided to WebSphere MQ includes all revoked certificates from any Certification Authorities (CAs) recognized by WebSphere MQ.
  CRLs can be retrieved using an LDAP server in the WebSphere MQ Common Criteria environment. This requires an LDAP server provided or accessed by the WebSphere MQ administrator. In Common Criteria mode, the administrator must only configure one LDAP CRL server to WebSphere MQ.
  WebSphere MQ establishes a TCP/IP connection to the LDAP server and retrieves the CRL. Finally, this CRL is used for certificate validation. If no CRL can be obtained (for example due to LDAP failure), the certificate to be validated is considered invalid.
  Ensure the connection between WebSphere MQ and the LDAP server is an internal communication link within a trusted network, because this connection is made over an unprotected TCP/IP connection.
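The GSKCapiCmd parameter rules and the key database password rules in the list above can be checked mechanically before a command is run. The following Python example is added here and is not IBM code; the "-" flag spelling, the -keydb/-cert/-certreq object and action layout, the function names, and the sample command line are assumptions constructed for illustration.

```python
import shlex
from collections import Counter

# Parameter names are the ones this page mentions; the "-" prefix and the
# -keydb/-cert/-certreq object layout are assumed GSKCapiCmd syntax.
HARDWARE = {"-crypto", "-tokenlabel", "-secondarydb", "-secondarydbpw"}

def password_problems(pw):
    """Return the key database password rules (listed above) that pw breaks."""
    problems = []
    if len(pw) < 14:
        problems.append("shorter than 14 characters")
    if not any(c.islower() for c in pw):
        problems.append("no lower case character")
    if not any(c.isupper() for c in pw):
        problems.append("no upper case character")
    if all(c.isalpha() for c in pw):
        problems.append("no digit or special character")
    if any(n > 3 for n in Counter(pw).values()):
        problems.append("a character occurs more than three times")
    if any(a == b == c for a, b, c in zip(pw, pw[1:], pw[2:])):
        problems.append("more than two identical consecutive characters")
    return problems

def lint_gskcapicmd(command_line):
    """Return findings for one GSKCapiCmd command line checked against this page."""
    args = shlex.split(command_line)[1:]          # drop the program name
    low = [a.lower() for a in args]

    def value(flag):                              # argument after flag, or None
        i = low.index(flag) if flag in low else -1
        return args[i + 1] if 0 <= i < len(args) - 1 else None

    findings = [f"{a}: hardware crypto parameter" for a in args if a.lower() in HARDWARE]
    if "-keydb" in low and {"-create", "-changepw", "-convert"} & set(low):
        findings += [f"missing {f}" for f in ("-strong", "-fips") if f not in low]
    if "-keydb" in low and "-create" in low and value("-pw") is not None:
        findings += [f"-pw: {p}" for p in password_problems(value("-pw"))]
    if {"-cert", "-certreq"} & set(low) and {"-create", "-sign"} & set(low):
        if (value("-sigalg") or "").lower() != "sha1":
            findings.append("-sigalg must be sha1")
    size = value("-size")
    if size is not None and (not size.isdigit() or int(size) < 1024):
        findings.append("-size must be at least 1024")
    return findings

if __name__ == "__main__":
    # Constructed command line, not taken from the product documentation.
    print(lint_gskcapicmd("GSKCapiCmd -cert -create -db key.kdb -size 512 -sigalg md5"))
```

An empty list means the command line breaks none of the rules encoded here; the export/target rule and the Basic Constraint rule are not covered.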
Configuration Requirements
In order that auditing of authority events is implemented, execute the following MQSC command:
ALTER QMGR AUTHOREV (ENABLED)
If AUTHOREV is disabled, auditing will no longer be performed and WebSphere MQ will not operate in accordance with the evaluated configuration. To confirm whether auditing of the authority events is enabled, execute the following MQSC command:
DISPLAY QMGR
Obtaining the latest information
Always refer to the IBM Web site for the latest WebSphere MQ support information and for the latest versions of the WebSphere MQ documentation.
You can find information about the support available for WebSphere MQ here: http://www.ibm.com/software/integration/mqfamily/support/
You can view the latest version of the WebSphere MQ Information Center here: http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/index.jsp and you can also download a zip file of the WebSphere MQ Information Center for Windows or Linux here: ftp://ftp.software.ibm.com/software/integration/wmq/docs/V6.0/
The WebSphere MQ books are also available in PDF format. The V6.0 PDFs are here: http://www.ibm.com/software/integration/wmq/library/library6x.html