Each security configuration for MFDS, ES Default Security, or a particular enterprise server instance supports additional configuration that you set by editing the text in the Configuration Information field. Text in this field is organized into sections; each section begins with a tag label in square brackets, followed by lines containing name-value pairs.
Add these settings in the Configuration Information field of the security configuration itself, not of a Security Manager. Security Managers also have a custom configuration setting, but its parameters are defined by the External Security Manager (ESM) module they use. See the documentation for the specific ESM module for more information.
The following are the configuration sections, and the options that can be set in each section:
[Admin] section
- allow-list=yes | no
- If this is set to yes, Admin LIST requests (for example, listing users, groups, and resource access rules) are allowed for all users, with no additional access check. Set it to yes only if every user of the security configuration may enumerate its users, groups, and rules.
[Audit] section
- category 3 events=yes | no
- Setting this option to yes disables audit category 6 events for SAF Auth and XAuth calls, and enables category 3 events for Verify, Auth, and XAuth calls. This option is provided for backwards compatibility. The default value is no.
- password change success=yes | no
- Setting this option to yes enables an extra audit event for every successful password change.
Note: Password change rejections and related errors are always audited. See audit event 6 2 in Audit Event Codes for more information.
The default value is no.
- selective=yes | no
- Enables the optional selective-auditing feature. It has no effect if auditing is not enabled. When selective auditing is enabled, auditing of normal ESF requests is suppressed unless the AUDIT flag is set in the request, or an ESM Module determines that the particular request should be audited. The flag can be set by the caller. Currently, only the MLDAP ESM Module performs selective auditing: if a user, group, or resource access rule object contains the optional LDAP Boolean attribute microfocus-MFDS-Audit with the value TRUE, requests pertaining to that object are audited. For example, if a user is defined in LDAP with microfocus-MFDS-Audit set to TRUE, and selective auditing is enabled, any request pertaining to that user (a Verify request signing the user on, or an Auth request for resource access on that user's behalf) is audited. Because everything that is not flagged is suppressed, make sure the flagged objects cover the activity you need an audit trail for before enabling this. The default value is no.
[Cache] section
- flush on change=yes | no
- Set to yes to tell the cache to discard any cached Verify result if it receives another request for the same user with a different result. See Using Flush on Change for more information. This is only useful when Verify caching is enabled.
- ignore=list of request fields
- When the ESF cache checks whether the request it is currently processing matches a cached request, it ignores the fields listed in this entry when comparing them. That means the cached result is used even if the current request and the cached request differ in one or more of the listed fields. This is useful if the fields in question do not change security decisions in your environment.
The list can be zero or more field names, separated with whitespace and/or commas. Currently the fields that can be included are:
- subsystem
- The Enterprise Server subsystem, such as CICS or IMS.
- subsys
- An alias for "subsystem".
- facility
- The facility, which is usually a terminal name or other input source.
- transaction
- The transaction name, for subsystems where this is relevant.
- trans
- An alias for "transaction".
Currently no ESM Modules make use of any of these fields when making security determinations, so it is safe to ignore any or all of them. The default value is subsystem, facility. Transaction is not ignored by default because it is one of the fields most likely to be consulted by custom ESM Modules. If you deploy a custom ESM Module that does consult one of these fields, remove that field from the ignore list; otherwise a cached result is reused for requests the module would have decided differently.
- report interval=seconds
- Controls how often cache reporting happens. Its value is an integer, the approximate time between reports in seconds. Setting this to 0 disables reporting.
- requests=list of request types
- Specifies which types of ESF request can be cached. It is set to a list of tokens, separated by commas or spaces. See Requests for a full list of possible tokens.
- tracing=integer
- Controls trace messages from the ESF cache. If this is set to 0, tracing is disabled. Positive values enable progressively more verbose trace information; currently values 1-5 are supported. The default value is 0.
See the chapter ESF Caching for more information.
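The following Python model shows what the ignore= list and flush on change do to cache matching. It is an added example, not Micro Focus code: it caches only Verify results, represents a result as a bool (signon accepted or not), and the request field names, the ignorable fields, their aliases and the default ignore list are taken from the description above; the sample requests are constructed.

```python
"""Model of ESF cache request matching under [Cache] ignore= and
flush on change. Hypothetical simplification, not Micro Focus code:
only Verify results are cached and a result is a bool."""
from __future__ import annotations

from dataclasses import dataclass

# Fields the page lists as valid in ignore=, and their documented aliases.
IGNORABLE_FIELDS = {"subsystem", "facility", "transaction"}
ALIASES = {"subsys": "subsystem", "trans": "transaction"}
DEFAULT_IGNORE = {"subsystem", "facility"}  # documented default


def parse_ignore(value: str) -> set[str]:
    """Parse an ignore= value: names separated by whitespace and/or commas."""
    fields: set[str] = set()
    for token in value.replace(",", " ").split():
        name = ALIASES.get(token.lower(), token.lower())
        if name not in IGNORABLE_FIELDS:
            raise ValueError(f"field {token!r} cannot be ignored")
        fields.add(name)
    return fields


@dataclass(frozen=True)
class VerifyRequest:
    user: str
    subsystem: str    # e.g. CICS or IMS
    facility: str     # usually a terminal name or other input source
    transaction: str  # transaction name, where relevant


class VerifyCache:
    def __init__(self, ignore: set[str] | None = None, flush_on_change: bool = False):
        self.ignore = DEFAULT_IGNORE if ignore is None else set(ignore)
        self.flush_on_change = flush_on_change
        self._entries: dict[tuple, bool] = {}
        self.hits = self.misses = self.flushes = 0

    def _key(self, req: VerifyRequest) -> tuple:
        # Every field not listed in ignore= takes part in the comparison.
        return tuple(sorted((f, v) for f, v in vars(req).items()
                            if f not in self.ignore))

    def lookup(self, req: VerifyRequest) -> bool | None:
        """Return the cached Verify result, or None on a miss."""
        key = self._key(req)
        if key in self._entries:
            self.hits += 1
            return self._entries[key]
        self.misses += 1
        return None

    def store(self, req: VerifyRequest, result: bool) -> None:
        """Record a fresh Verify result. With flush on change, first discard
        any cached result for the same user that disagrees with it."""
        if self.flush_on_change:
            stale = [k for k, r in self._entries.items()
                     if dict(k)["user"] == req.user and r != result]
            for k in stale:
                del self._entries[k]
            self.flushes += len(stale)
        self._entries[self._key(req)] = result


def demo_ignore() -> tuple[bool | None, bool | None, bool | None]:
    """Constructed requests: r2 differs from r1 only in ignored fields,
    r3 differs in transaction, which is not ignored by default."""
    cache = VerifyCache(ignore=parse_ignore("subsys, facility"))
    r1 = VerifyRequest("ALICE", "CICS", "TTRM01", "CESN")
    r2 = VerifyRequest("ALICE", "IMS", "TTRM02", "CESN")
    r3 = VerifyRequest("ALICE", "CICS", "TTRM01", "CESL")
    first = cache.lookup(r1)  # miss: nothing cached yet
    cache.store(r1, True)
    return first, cache.lookup(r2), cache.lookup(r3)  # (None, True, None)


def demo_flush_on_change(flush: bool) -> bool | None:
    """Same user, a second request under a different key with a different
    Verify result (for example a wrong password on the second attempt)."""
    cache = VerifyCache(flush_on_change=flush)
    good = VerifyRequest("BOB", "CICS", "TTRM03", "CESN")
    bad = VerifyRequest("BOB", "CICS", "TTRM03", "CESL")
    cache.store(good, True)
    cache.store(bad, False)
    return cache.lookup(good)  # None with flush on change, True without


if __name__ == "__main__":
    print("ignore:", demo_ignore())
    print("flush on change=yes:", demo_flush_on_change(True))
    print("flush on change=no:", demo_flush_on_change(False))
```

The second demo is the case flush on change exists for: without it, the earlier successful Verify for BOB stays valid in the cache even after a later request for the same user fails, so a stale acceptance can be served until the entry expires.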
[Operation] section
- failover retry interval=seconds | never
- Changes the behavior of redundant mode; it is ignored if redundant mode is not enabled (see the redundant setting below). By default, when redundant mode is enabled, a failed Security Manager is retried on every request in which it would normally be invoked, which can cause performance problems if the failed manager takes a long time to respond. If this option is set to a positive number, a failed Security Manager is retried only after at least that many seconds have elapsed since it failed. If it is set to 0 or never, a failed Security Manager is disabled until ESF is reinitialized or the process is restarted.
- federate=yes | no | compatible
- Controls the federation of group information among Security Managers. See Security Federation for more information. This only has an effect if more than one Security Manager is configured. The default value is compatible for product versions up to and including 8.0, and yes for 9.0 and later. Micro Focus recommends setting it to yes if multiple Security Managers are used.
- password case=upper | lower | preserve
- Folds passwords to upper or lower case when processing Verify requests, or leaves them as supplied. The default value is preserve. Folding reduces the number of distinct passwords the system can tell apart, so leave it at preserve unless a Security Manager requires single-case passwords.
- protect sensitive data=yes | no
- If enabled, sensitive data such as passwords is obfuscated in memory to help prevent its disclosure. The default value is yes. Disable it only if you suspect a problem with sensitive data protection.
- redundant=yes | no
- If this option is set to yes, you can configure multiple equivalent Security Managers and let processing continue as long as at least one Security Manager is available. By default, if any Security Manager returns an error during initialization or security request processing, the request fails. In redundant mode, initialization and request processing need only one successful Security Manager. The default value is no.
- trim whitespace=yes | no
- If enabled, leading and trailing whitespace in any of the character-string fields of an ESF request is removed. This is useful if requests are likely to contain extraneous whitespace. The default value is yes. Disable it only if you suspect a problem with whitespace trimming.
- update interval=seconds
- If this is set to a positive number, ESF waits at least that many seconds between checks for administrative update notifications. Update notifications tell ESF that security information has changed and that it should discard cached data and refresh the information it holds about users and groups. The check can affect performance under heavy load; setting an update interval improves performance at the cost of ESF taking longer to recognize that security information has changed.
- user exit=module-name
- Configures a user exit module. See ESF User Exit for more information.
- userid case=upper | lower | preserve
- Folds (forces) userids, also known as usernames, to upper or lower case when processing Verify requests, or leaves them as supplied. The default value is preserve (do not alter userids).
- username case=upper | lower | preserve
- A synonym for userid case. If both are set, the userid case setting takes precedence.
- verify throttle threshold=integer | none
- Specifies the point at which Verify throttling is activated, or disables Verify throttling. A positive integer is the maximum number of Verify requests accepted within one second before the process starts throttling them (imposing a delay), which makes it harder to guess valid credentials by brute force.
Note: In an enterprise server instance, Verify requests are typically processed by SEPs, so the effective threshold is this value times the number of regular SEPs available; size the value with the SEP count in mind.
If the value is negative or zero, or the word none, throttling is disabled. The default value is 100.
[Passtoken] section
- allow=none | generate | signon | both | yes
- none disables passtokens, generate enables passtoken generation but not their use, signon enables passtoken use for signon but not generation, both enables both generation and signon, and yes is a synonym for both. See Passtoken Options for ESF Manager for more information.
[Trace] section
- name mapping=yes | no
- If enabled, trace messages are logged during name-mapping operations. The default value is no.
[Verify] section
- map short names=yes | no
- If enabled, when a Verify (authenticate) request is submitted with a username that is no more than 8 characters long, ESF first attempts to map it to a "long name" (ESM username). If that succeeds, the long name is used in place of the name provided in the request. This option is useful when name mapping is enabled, because some Enterprise Server facilities do not permit entering long names and have to use Enterprise Server mainframe-style 8-character userids ("short names") instead; these include the CICS CESN and CESL transactions and the USER parameter on the JCL job card. The default value is no. Micro Focus recommends enabling this feature if you use name mapping.
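To put the sections above together, the following Python reads a Configuration Information text in the format described at the top of this page ([Section] headers followed by name=value lines), computes the effective Verify throttle threshold for a given number of SEPs, and flags the settings that weaken security. It is an added example, not Micro Focus code: the parser's treatment of blank lines and of whitespace around names and values is an assumption, the defaults it applies are the ones stated on this page, and the two configuration texts are constructed (a weak one and its hardened counterpart).

```python
"""Parse an ESF Configuration Information text and audit it. Added example,
not Micro Focus code; assumes [Section] headers and name=value lines,
blank lines ignored, surrounding whitespace insignificant."""
from __future__ import annotations


def parse_config(text: str) -> dict[str, dict[str, str]]:
    """Return {section: {option: value}} with names lower-cased."""
    sections: dict[str, dict[str, str]] = {}
    current: dict[str, str] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, _, value = line.partition("=")
        current[name.strip().lower()] = value.strip()
    return sections


def _yes(value: str) -> bool:
    return value.strip().lower() == "yes"


def effective_verify_threshold(cfg: dict, seps: int = 1) -> int | None:
    """Verify requests per second before throttling starts, for a region with
    `seps` regular SEPs. None means throttling is disabled."""
    raw = cfg.get("operation", {}).get("verify throttle threshold", "100")
    if raw.lower() == "none":
        return None
    try:
        value = int(raw)
    except ValueError:
        raise ValueError(f"verify throttle threshold: bad value {raw!r}") from None
    return value * seps if value > 0 else None


def audit(cfg: dict, seps: int = 1) -> list[str]:
    """Findings a security reviewer would raise about this configuration."""
    findings: list[str] = []
    admin = cfg.get("admin", {})
    op = cfg.get("operation", {})
    if _yes(admin.get("allow-list", "no")):
        findings.append("[Admin] allow-list=yes: any user can list users, groups "
                        "and resource access rules with no access check")
    if not _yes(op.get("protect sensitive data", "yes")):
        findings.append("[Operation] protect sensitive data=no: passwords are "
                        "not obfuscated in memory")
    if effective_verify_threshold(cfg, seps) is None:
        findings.append("[Operation] Verify throttling disabled: no delay is "
                        "imposed on credential guessing")
    if _yes(op.get("redundant", "no")) and "failover retry interval" not in op:
        findings.append("[Operation] redundant=yes without failover retry "
                        "interval: a failed Security Manager is retried on "
                        "every request")
    if "userid case" in op and "username case" in op:
        findings.append("[Operation] both userid case and username case are "
                        "set; userid case takes precedence")
    if op.get("password case", "preserve").lower() in ("upper", "lower"):
        findings.append("[Operation] password case folds passwords to one "
                        "case, shrinking the effective password space")
    return findings


# Constructed sample: a weak configuration and its hardened counterpart.
WEAK_CONFIG = """\
[Admin]
allow-list=yes

[Operation]
redundant=yes
protect sensitive data=no
verify throttle threshold=none
userid case=upper
username case=lower
password case=upper
"""

HARDENED_CONFIG = """\
[Admin]
allow-list=no

[Operation]
redundant=yes
failover retry interval=30
protect sensitive data=yes
verify throttle threshold=50
userid case=preserve

[Verify]
map short names=yes
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        cfg = parse_config(text)
        print(f"{label}: effective threshold with 4 SEPs =",
              effective_verify_threshold(cfg, seps=4))
        for finding in audit(cfg, seps=4):
            print("  -", finding)
```

Run it against the text you intend to paste into the Configuration Information field; the hardened sample produces no findings and, with 4 regular SEPs, an effective threshold of 200 Verify requests per second, which is the number to compare against your expected legitimate signon rate.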