VSAM ESM Module Custom Configuration Information

The VSAM ESM Module supports some additional configuration that can be set by editing the Config field of the External Security Manager Configuration dialog box. Text in this area is organized into sections, each of which begins with a "tag" in square brackets and is followed by lines in the form of name=value pairs. Section tags and option names must match what the module expects; setting Config=yes in the [Trace] section makes the module log each setting it recognised, which is the quickest way to confirm that a tag or option name has been picked up. The following are the various configuration sections, and the corresponding options that can be set in each section:

[Operation] section

signon attempts=integer
Set the maximum number of consecutive failed sign-in (Verify) attempts before a user account is automatically disabled. If integer is set to a value greater than 0, then after that many consecutive attempts to sign a user in with an incorrect password, the account is disabled. Successfully signing the user in with the correct password resets the count. The default value is 0, which disables this feature. Note that once an account is disabled it must be re-enabled by an administrator, so a low value lets anyone who can submit sign-in attempts lock other users out; choose the threshold with that in mind.

[Password] section

expiration=integer
Set the default password expiration interval, in days. If a user changes their password and their account is configured with a password expiration date (the user-password-expire-date attribute), and that date is in the past or fewer than the specified number of days in the future, then it is moved to this many days in the future. The default value is 90 days.
history=integer
Stores the specified number of previous password hashes for each user. When a user tries to change their password, if the new password matches one of the stored hashes, the request is rejected. The default value is 0, that is, no password history is stored.
minimum length=integer
Requires that new passwords be at least integer characters long.
CAUTION:
While ESF itself supports long passwords, some Mainframe Subsystem Support (MSS) programs and APIs are limited to a maximum of 8 characters.
maximum length=integer
Requires that new passwords be no more than integer characters long.
CAUTION:
While ESF itself supports long passwords, some Mainframe Subsystem Support (MSS) programs and APIs are limited to a maximum of 8 characters.
required=alphabetic|mixed-case|numeric|punctuation,...
Requires new passwords to include at least one character from each of the listed classes. The supported classes are alphabetic, mixed-case, numeric, and punctuation. Class names should be separated with whitespace and/or commas.

For example:

[Passwords]
required=alphabetic, numeric

This results in the password change failing if the new password does not include at least one letter and one digit.

complexity=1-5
Requires new passwords to include at least one character from at least integer + 1 character classes. Uppercase and lowercase are counted separately, so complexity=1 would be satisfied by a mixed-case password, or by a password with lowercase letters and digits, or with digits and punctuation characters, and so on. Characters that are not (ASCII) letters, digits, or punctuation are counted as another character class, so there are five classes in total: uppercase, lowercase, digit, punctuation, and other.

The various password restriction options can be used in combination, for example:

[Passwords]
minimum length=6
required=mixed-case
complexity=2

This would enforce passwords that have at least 6 characters, with both uppercase and lowercase letters and at least one character from a third class (a digit, a punctuation character, or some other non-letter character).

[Trace] section

Config=yes|no
Traces configuration settings. Setting this to yes generates a message for each valid configuration setting specified in the Config field of your External Security Manager Configuration dialog box. This can be used for auditing and debugging purposes, and is the simplest way to confirm that a section tag or option name has been recognised rather than silently ignored.

The default value is no.

Groups=string
Logs various messages regarding the processing of user groups. If this is set to a string beginning with "y" or to "1", the ESM Module makes a log entry when it determines that a user belongs to a group during Verify, or when it finds a group ACE that applies to a request during Auth. This is particularly useful when debugging problems with All-Groups mode.
Modify=fail|all|y|yes
Enables the logging of some modify operations that are normally not logged. If this is set to fail, the ESM Module makes a log entry when one of these "silent modify" operations fails. If it is set to all, y, or yes, it logs all of these modify operations, including ones that succeed. Affected operations include setting the last-login-time user attribute, and possibly others.
Update=y|yes|changes|all
Logs update requests. These are ESF control requests, made using ESCWA or the esfupdate command-line utility, that notify ESF and the ESM Modules of changes to security configuration or data. If this is set to y or yes, update requests are logged. If it is set to changes, additional messages are logged when an update request causes the module to change internal state, such as the MSS attributes (operator class, and so on) of a user or a user's group membership. If it is set to all, additional messages are also logged when an update request does not cause any change.
Vsam=yes
Logs file-handler status codes for VSAM I/O operations on the ESM file directory. If this is set to yes, the status codes from the file handler are logged.

[VSAM timeout] section

retry count=integer
Set the maximum number of retries when opening a file in the VSAM ESM file directory. The time between retry attempts is specified by wait length.

The maximum value is a signed 32-bit integer (2147483647). The default retry count, when neither retry count nor max wait is specified, is 30.

wait length=integer
Set the time in milliseconds to wait between retries when opening a file in the VSAM ESM file directory.

The maximum value is a signed 32-bit integer (2147483647) and the default value when not specified is 1000, which is one second.

max wait=integer
Set the maximum total time, in milliseconds, to wait for a file in the VSAM ESM file directory to open.

The maximum value is a signed 32-bit integer (2147483647) and the default value when not specified is 0, which disables the maximum wait so that only retry count and wait length bound the retry loop.