RFA security

An RFA listener provides remote access to files on the host system, so it is important to ensure it is properly secured. Access is controlled by various security mechanisms.

Multiple levels of security can be applied to restrict which paths the RFA connector is allowed to serve files to or from.

Operating system file permissions

Operating system file permissions apply to all operations performed by an RFA listener. The listener runs under the user account used to start the enterprise server instance or standalone server. For RFA running in an enterprise server instance that is started by ESCWA, this will be the user account of the MFDS service (Windows) or the enterprise server user account (UNIX).

Note: Micro Focus does not recommend relying on operating system permissions to restrict RFA access, though they can serve as an additional defense against misuse.

Allowed paths (required)

To allow an RFA listener to serve files you must configure at least one allowed path. By default there are no paths defined as either allowed or denied, and undefined paths are implicitly denied, so by default no access is given to any file.

Allowed and denied paths are specified in the configuration text area for each RFA listener. Each entry in the [Allowed paths] and [Denied paths] section defines a file-system path, optionally including wildcards, that will allow or deny access to that location.

Optionally, you can also map an allowed path to a different file system path. For instance, if a request was made to download a file /a/directory/file.txt and the RFA listener was configured with the allowed path /a/directory=/a/different/directory then the file accessed would actually be /a/different/directory/file.txt.

User authentication (requires ESF security)

A client using RFA must begin with a logon request before requesting any file operations. If the enterprise server instance or standalone MFCS server that the RFA listener belongs to has security enabled, then ESF will be used to authenticate the credentials (username and password) supplied in the logon request.

PHYSFILE resource class (required if ESF security is enabled)

If the enterprise server instance or standalone MFCS server that the RFA listener belongs to has security enabled, then RFA will also make an ESF authorization request for the specified file system path, under the PHYSFILE resource class. You should ensure that you have the required PHYSFILE resource rules configured to allow access to those file system paths that you wish to give RFA access to.

Note: You will also need to configure suitable allowed paths, because these are checked before PHYSFILE rules. Micro Focus recommends configuring suitably restrictive allowed and denied paths to cover your use case.

For RFA, the PHYSFILE resource class works differently than it does for JES. See Resource Classes for JES Security for more information. The differences are:

Path canonicalization
On Windows, when interpreting both rule names and candidate file paths for PHYSFILE rules, backslash characters (\) are converted to forward slashes (/).
Wildcard interpretation
Under RFA, the * (single asterisk) wildcard matches zero or more of any characters except the / (slash) path separator character. The ** (double asterisk) wildcard character matches zero or more characters, including the slash.
Access permissions
Under RFA, a PHYSFILE rule can grant one or more permissions. These are interpreted as separate permissions rather than a single access level. The permissions currently supported are none, read, update, and all. The rule can list multiple permissions separated by commas (for example, read, update), or use none or all to grant (or deny, for a deny-type rule) no permissions or all permissions. Read permission is required to download a file, and update permission is required to upload a new or altered file.
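
The following sketch is an added example, not Micro Focus code. It models the three differences above so that a rule can be checked against sample paths before it is deployed. All function names are hypothetical, it evaluates a single allow-type rule only, and whole-path, case-sensitive matching is an assumption.

```python
import re

PERMISSIONS = {"none", "read", "update", "all"}
# Operation-to-permission mapping stated on the page.
REQUIRED = {"download": "read", "upload": "update"}

def canonicalize(path):
    """Convert backslashes to forward slashes, as RFA does on Windows."""
    return path.replace("\\", "/")

def rule_to_regex(rule):
    """Translate a rule name into a regex using the RFA wildcard semantics."""
    rule, out, i = canonicalize(rule), [], 0
    while i < len(rule):
        if rule.startswith("**", i):
            out.append(".*")        # ** crosses path separators
            i += 2
        elif rule[i] == "*":
            out.append("[^/]*")     # * stops at the next /
            i += 1
        else:
            out.append(re.escape(rule[i]))
            i += 1
    return re.compile("".join(out), re.DOTALL)

def rule_matches(rule, path):
    # Assumption: the rule must cover the whole path, case-sensitively.
    return rule_to_regex(rule).fullmatch(canonicalize(path)) is not None

def parse_permissions(spec):
    """Parse a comma-separated permission list into the set of granted permissions."""
    names = {p.strip() for p in spec.split(",") if p.strip()}
    unknown = names - PERMISSIONS
    if unknown:
        raise ValueError(f"unsupported permission(s): {sorted(unknown)}")
    if "all" in names:
        return {"read", "update"}
    return names - {"none"}

def allow_rule_grants(rule, spec, path, operation):
    """True if an allow-type rule matches the path and grants what the operation needs."""
    return rule_matches(rule, path) and REQUIRED[operation] in parse_permissions(spec)

if __name__ == "__main__":
    # Constructed sample rules and paths.
    for rule, path in [("/data/*", "/data/a/b.dat"), ("/data/**", "/data/a/b.dat"),
                       ("C:\\data\\*.dat", "C:/data/x.dat")]:
        print(f"{rule!r} vs {path!r}: {rule_matches(rule, path)}")
    print(allow_rule_grants("/data/**", "read", "/data/a/b.dat", "upload"))
```

The practical point is that a rule ending in * covers one directory level only, while ** also covers every subdirectory beneath it.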

Access type (optional)

An RFA listener can be configured to only provide a certain level of access (read, update, or alter) regardless of file system permissions and PHYSFILE rules. For example:

[Security]
access=read

in the configuration will prevent RFA from modifying, creating, or deleting any files.

Feature restriction (optional)

The RFA conversation type provides a number of features: direct file access, access to cataloged datasets, and so forth. An RFA listener can be configured to only permit certain features, as an additional security measure. For example:

[Security]
allow catalog access=no

disables support for all catalog operations and access to cataloged datasets. The physical file containing the dataset data might still be accessible directly, if a suitable allowed path is configured.

TLS

Like other enterprise server listeners, RFA supports TLS (SSL). Micro Focus recommends configuring TLS for RFA listeners, to help ensure data confidentiality and integrity.

See RFA conversation type for more information on configuring an RFA listener.