Configuring MFDAS for UNIX

To configure MFDAS to operate in a UNIX environment you must specify the server and interactions in the mfa_config.json configuration file. A template configuration file is supplied with the product and can be located at $COBDIR/etc/config/mfa/mfa_config.json (UNIX) or %ProgramData%\Micro Focus\Enterprise Developer\mfa\mfa_config.json (Windows).

Required configuration is as follows:

{
  "connection_config":
  {
    "host" : "MYMFAHOST",
    "port" : "2020",
    "timeout_seconds" : "60",
    "retry_count" : "2",
    "max_retry_time" : "120",
  }
}

Optional configuration enables you to specify more advanced options which can be added to the "connection_config" section.

To specify TLS client verification:

client_cert
Specifies the absolute path to the certificate file (.pem). If multiple certificates are used, separate the paths with a semicolon ';'.
client_key
Specifies the absolute path to the keyfile (.pem).
client_password
The password for the keyfile specify it here. If multiple keyfiles are used, separate the passwords with four colons '::::'.
ca_path
The location, on disk, of the server root certificate.
client_cert_type
The following certificate file types are supported DER, CER, PKCS #7, PKCS #8, PKCS #12, and PEM.
client_key_type
The following key file types are supported PKCS #8, PKCS #12, and PEM.
verify_host=ENABLE|DISABLE
When enabled, libcurl will verify that the certificate provided by the server has a Common Name (CN) field or a Subject Alternate Name (SAN) field which matches the hostname in the URL that the mfsecretshashicorp vault provider is connecting to.

The default value is ENABLE.

verify_peer=ENABLE|DISABLE
When enabled, the mfsecretshashicorp vault provider will verify the authenticity of the server's certificate against the Certification Authority's (CA) certificates supplied to the ca_path configuration option.

The default value is ENABLE.

cert_revoke_check=ENABLE|DISABLE
Specifies whether libcurl verifies the status of the server certificate using the "Certificate Status Request" TLS extension, that is OCSP stapling.

The default value is DISABLE.

Note: If this option is enabled but the server does not support the TLS extension the verification will fail.
cipher_list
Specifies the priority of cipher suites to be used. The cipher suite priority is formed using a combination of keywords and keyword modifiers for a space-separated string:
!
Exclude. Permanently exclude the cipher suite and ignore any subsequent attempt to add the cipher suite back in.
+
Add. Add the cipher suite to the end of the collection.
-
Delete. Delete the cipher suite from the existing collection.
By default, the following cipher suite list is used:
kEECDH+ECDSA kEECDH kEDH HIGH MEDIUM +3DES +SHA !RC4 !aNULL !eNULL !LOW !MD5 !EXP
tls13_cipher_suites
The list of cipher suites to be used with TLS1.3 separated by a colon ':'. For example:
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
ssl_two_stage_connect=ENABLE|DISABLE
Specifies whether libcurl should enable the use of false start during the TLS handshake. False start is a mode where a TLS client will start sending application data before verifying the server's Finished message, this saves a round trip when performing a full handshake.

The default value is DISABLE.

tls_protocol
Specified the TLS protocol version to use which can be one of the following options:
  • TLSv1
  • SSLv2
  • SSlv3
  • TLSv1_0
  • TLSv1_1
  • TLSv1_2
  • TLSv1_3
  • MAX_DEFAULT
  • MAX_TLSv1_0
  • MAX_TLSv1_1
  • MAX_TLSv1_2
  • MAX_TLSv1_3
connection_debugging=true|false
Set to true to turn on verbose transport layer debugging.
Warning: Setting this to true will print out HTTP headers and bodies which could contain sensitive data, such as passwords.
Note: You should not be set this to true unless asked to do so by the Micro Focus support team.
mainframe_time_delta=time
This specifies the difference between mainframe time and your local machine time in milliseconds (ms).
tls_enable=ENABLE |DISABLE
Specifies whether libcurl targets an https endpoint (ENABLE) or http. If ca_path is set then tls_enable is treated as ENABLE.

The default value is DISABLE.