To Recreate the Default Enterprise Server Security Configuration

This procedure requires an interactive session on the system where you need to re-enable the default Enterprise Server security configuration, set up with the Enterprise Server environment. On UNIX or Linux, you need to be running under the Enterprise Server system user account you specified during product installation, so that file ownership and permissions will be correct. If you have security enabled for ESCWA or MFDS, you will need credentials for administrative access to those systems.
  1. Run the command mfsecconv reset. This command performs the following actions:
    • The security data for the VSAM ESM Module in the default location is initialized using es_default_security.yaml, which is supplied with the product. Any existing VSAM ESM Module security data in the default location is overwritten.
    • A new password is generated for the default administrator user account, SYSAD. A verifier (secure hash) for the password is written to the user record in the VSAM ESM Module security data, and the username and password are written to the default Micro Focus Vault Facility under microfocus/temp/admin. See Getting Started with Default Enterprise Server Security for more information about credentials in the vault.
    • A new password is generated for the limited-access user account, readonly. A verifier for it is written to the VSAM ESM Module user record, and the username and password are written to the vault under microfocus/common/readonly.

    mfsecconv reset takes various options. Run mfsecconv reset -help or consult the reference information for mfsecconv in the product Help for more information.

    Note: If you are already using the VSAM ESM Module with the default security data location for ESCWA or MFDS security, running this command will invalidate your existing administrator access. You will have to get the new password for SYSAD from the vault before continuing.
  2. Run the command mfsecretsadmin read microfocus/temp/admin and record the password for the SYSAD user that is displayed. You will need this password for administrative access to Enterprise Server as you re-enable security.
  3. Connect a browser to ESCWA, typically using http://localhost:10086.
  4. Select Security in the ESCWA menu bar. The ESCWA security page is displayed.
  5. Select Security Managers in the navigation pane. If a manager named OoB using the vsam_esm module is listed, skip the next step and proceed to step 7. ("OoB" stands for "Out-of-Box", an earlier name for the Default ES Security feature.)
  6. Click + Add to create a new Security Manager. Set the Name to OoB (or another name of your choice) and the Module to vsam_esm. The other fields may be left with their default values. Click Save to save the security manager. Your new security manager is displayed in the list of managers.
  7. Select ESCWA Configuration in the navigation pane. The ESCWA security configuration is displayed.
  8. If any security managers are listed at the bottom of the configuration, use the icon next to each one to remove it.
  9. Click + Add and select the OoB security manager (or the one you created in step 6, if you gave it a different name). Click Select to save your choice. The Default Enterprise Security security manager is added to ESCWA's security configuration.
  10. Click the checkbox for the Use All Groups option. This option is enabled in the default security configuration to make it easier to use and operate in the way most users expect. Ensure the check boxes for Allow unknown resources and Allow unknown users are not checked.
  11. Click Apply to save the changes to the ESCWA security configuration. You will be prompted to sign in. Use the username SYSAD and the password you retrieved in step 2. ESCWA is now secured using the default security configuration.
  12. Click Native in the ESCWA menu bar. Under Directory Servers in the navigation pane, select your local MFDS instance. This is usually the only directory server listed; if not, it will probably be named local or something similar. The enterprise server region and server list for the directory server is displayed.
  13. Click Security > Security Managers from the directory server menu bar (below the ESCWA top menu bar). The list of security managers defined in the directory server is displayed. If a security manager named VSAM ESM is displayed, skip the next step and proceed with step 15.
  14. Click + Add to create a new security manager. Set the Name to VSAM ESM (or another name of your choice) and the Module to vsam_esm. The other fields may be left with their default values. Click Save to save the security manager. Your new security manager is displayed in the list.
  15. Click Security > Default ES Configuration from the directory server menu bar. The default ES security configuration for the directory server is displayed.
  16. If any security managers are listed at the bottom of the configuration, use the icon next to each one to remove it.
  17. Click + Add and select the VSAM ESM security manager (or the one you created in step 14, if you gave it a different name). Click Select to save your choice. The security manager is added to the Default ES security configuration.
  18. Check Use All Groups.
  19. Click Apply to save the changes to the Default ES security configuration. Enterprise server instances will now use the default security configuration, once they have been restarted.
  20. Click Security > Directory Server Configuration from the directory server menu bar. The directory server security configuration is displayed.
  21. Check Use ES Default Security Managers and click Apply. If you are prompted to sign into the directory server using credentials for the old security configuration, use the username SYSAD and the password SYSAD.
  22. Check Restrict Directory Server Access and click Apply. You will be prompted to sign into the directory server using credentials for the new security configuration. Use SYSAD and the password from step 2. The directory server is now secured using the default security configuration.
Enterprise server instances will only start using the new security settings when they are restarted. You will need to use the administrator credentials (SYSAD user and the password you noted in step 2) for actions such as starting and stopping regions. You can use ESCWA to add more users, change passwords, and perform other security administration tasks.