MF Directory Server Security

Restriction: This topic applies only when the Enterprise Server feature is enabled.

Use this page to define the security settings to be used with Directory Server:

Add

Click this to add a security manager from the pool of available definitions.

Authenticated client sessions

There are two main methods that a remote user can use to connect to the Directory Server:

  • Using Enterprise Server Administration, which runs in a Web browser. This method is intended for the administrative functions. These clients are known as Web browser clients.
  • Using the underlying MLDAP API, usually via some higher level application interface or product, to carry out some short-lived operation such as to search for the address of a service or to modify the properties of an object. These clients are known as program clients.

If Directory Server is running in Restricted mode, Web browser clients have to authenticate themselves to the Directory Server, carry out any operations, and then log off. Program clients always run in Restricted mode. Between authentication and removal, the client is held in the authenticated client list maintained internally by the Directory Server process. To stop the list from growing too large (not all users or applications log off correctly after they have been authenticated), and to maintain security, the Directory Server removes both Web browser and program client sessions after a configurable timeout period.

Certificate

Custom server certificate path.

Certificate passphrase

Optional custom server certificate passphrase.

Note: You can use the Micro Focus Vault Facility to store a secret for the certificate and keyfile pass phrases. This takes the following form:
mfsecret:configuration-name:secret-path

or:

mfsecret::secret-path

or:

mfsecret:secret-path
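The three reference forms above differ only in whether a configuration name is present or left empty. The parser below is an added example, not Micro Focus Vault Facility code; it assumes the secret path itself contains no colon, treats an empty configuration name as "use the vault's default configuration", rejects an empty secret path, and uses a constructed dictionary in place of the real vault so it runs offline.

```python
"""Parser for mfsecret: vault references (added example, not Micro Focus Vault Facility code)."""
from typing import NamedTuple, Optional

PREFIX = "mfsecret:"


class SecretRef(NamedTuple):
    configuration: Optional[str]  # None: the vault's default configuration (assumed meaning of an empty name)
    secret_path: str


def parse_mfsecret(value):
    """Return a SecretRef for the three forms on the page, or None for a literal passphrase.

    mfsecret:configuration-name:secret-path -> (configuration-name, secret-path)
    mfsecret::secret-path                   -> (None, secret-path)
    mfsecret:secret-path                    -> (None, secret-path)
    Assumption: the secret path contains no ':'; an empty path is rejected.
    """
    if not value.startswith(PREFIX):
        return None
    body = value[len(PREFIX):]
    first, sep, rest = body.partition(":")
    configuration, secret_path = (first or None, rest) if sep else (None, first)
    if not secret_path:
        raise ValueError(f"mfsecret reference has no secret path: {value!r}")
    return SecretRef(configuration, secret_path)


# Constructed stand-in for the vault: (configuration, secret-path) -> secret.
TOY_VAULT = {
    ("prod", "tls/server-key"): "k3y-pass",
    (None, "tls/server-cert"): "c3rt-pass",
}


def resolve_passphrase(value, vault=TOY_VAULT):
    """Return the passphrase to hand to TLS: the literal value, or the vault lookup."""
    ref = parse_mfsecret(value)
    if ref is None:
        return value
    try:
        return vault[ref]
    except KeyError:
        raise LookupError(
            f"secret {ref.secret_path!r} not found in vault configuration {ref.configuration!r}"
        ) from None


if __name__ == "__main__":
    for candidate in ("mfsecret:prod:tls/server-key", "mfsecret::tls/server-cert", "literal-pass"):
        print(candidate, "->", resolve_passphrase(candidate))
```

Keeping the reference form in the configuration and resolving it only at start-up means the passphrase never sits in the MFDS configuration file in clear text; the lookup failure is raised rather than silently falling back to the literal string.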

Change

Click this to add a security manager from the pool of available definitions. This button is only present if you are using the MFDS Internal Security Manager. As MFDS Internal Security cannot be used alongside other security managers, when you add the new manager MFDS Internal Security will be removed.

Cipher suites
Specifies the priority of cipher suites to be used.

The cipher suite priority is formed from a combination of keywords and keyword modifiers in a space-separated string:

!
Exclude. Permanently exclude the cipher suite and ignore any subsequent attempt to add the cipher suite back in.
+
Add. Add the cipher suite to the end of the collection.
-
Delete. Delete the cipher suite from the existing collection.

By default, the following cipher suite list is used:

kEECDH+ECDSA kEECDH kEDH HIGH MEDIUM +3DES +SHA !RC4 !aNULL !eNULL !LOW !MD5 !EXP

To determine the cipher suites supported by your version of OpenSSL, type the following from a command prompt:
openssl ciphers -v 'ALL:COMPLEMENTOFALL'

Client program timeout

Specify the maximum interval in seconds since the last activity of a program client before it is automatically unbound.

The minimum value is 60 seconds (1 minute). A value of -1 indicates an infinite timeout period.

The default value is 6000 seconds (100 minutes).

Description

The description column indicates the description for a security manager.

DH minimum group size

Specifies the size in bits of the modulus length of the Diffie-Hellman group.

Note: Micro Focus recommends a minimum modulus size of 2048 bits.

Key Exchange Cipher Groups

Specifies the Elliptic Curve Cryptography (ECC) curve collection to be used. By default, the collection used is:

secp521r1;secp384r1;prime256v1;secp256k1;secp224r1;secp224k1;prime192v1

Enabled

This column indicates whether or not the security manager is enabled. If it is not enabled, it will be ignored by Directory Server and those enterprise servers that reference it.

Keyfile

Custom keyfile path.

Keyfile passphrase

Custom keyfile passphrase.

Module

This column indicates the module used by a security manager to access an external security manager or to implement the security rules.

Name

This column indicates the name used to identify a security manager.

Priority

Indicates the position of the security manager in the sequence in which the security managers are queried.

Remove

Click this to remove the currently selected definition from this list.

Note: The definition is only removed from this list, not from the available pool of definitions.

Restrict administration access

Check this to cause all administrative access to the Directory Server to be authenticated and authorized by the entries on the Security Manager Priority List.

Secure Port

Unless a specific secure port is specified, the SSL connection uses a dynamically assigned port each time the MF Directory Server process is restarted. A fixed, known port is useful when configuring firewall rules.

Security Manager List

This is the list of security managers taken from the available pool that MF Directory Server can use to perform security queries.

Note: Security managers are queried in the order that they appear in the list. If the Verify against all Security Managers checkbox is not checked, the first manager in the list that responds with a definite answer will determine the result of a security query. See Verify against all Security Managers for more information.

Use the up and down arrows to reposition the selected entry.

Select

Use this to select a security manager for removal or for moving to a different position in the list.

TLS honor server cipher list

By default, TLS honor server cipher list is checked. This forces clients to use the protocols and cipher suites specified, in their order of priority.

Note: If the TLS protocols and Cipher suites lists are not specified, the defaults are used. See Configuring a TLS Protocols List and Configuring a Cipher Suites List for more information.

TLS protocols

Specifies the list of TLS protocols to be used, in the order of precedence listed.

Valid protocols are SSL2, SSL3, TLS1, TLS1.1, TLS1.2, TLS1.3, and TLS1.4, where TLS1.4 is a placeholder to enable support for future versions. By default, only the TLS protocols are enabled. Each specified protocol is preceded by one of the following operators:
!
Exclude. Permanently exclude the protocol and ignore any subsequent attempt to add the protocol back in.
+
Add. Add the protocol to the existing collection.
-
Delete. Delete the protocol from the existing collection.
Note: You can use the special option ALL to specify all of the supported protocols. Use -ALL to empty the default list, and then follow it with the options you require.

You must use @SECLEVEL=0 for TLS 1.1 and earlier. See Security Levels for more information.

For example, to only use TLS1.1 and TLS1.2, type the following:

-ALL+TLS1.1+TLS1.2
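The Cipher suites and TLS protocols settings share the same `!`, `+` and `-` modifier semantics, so one resolver serves both. The block below is an added example, not MFDS or OpenSSL code: it applies a priority string to a constructed toy catalogue (the cipher-suite names and the keyword groups they belong to are made up for the demo and are not the real OpenSSL table, which `openssl ciphers -v 'ALL:COMPLEMENTOFALL'` prints) and to the protocol names listed on this page. It follows the page's wording, so `+` appends matching entries at the end (moving an earlier occurrence there), `-` deletes them, `!` excludes them permanently, and a keyword written as `kEECDH+ECDSA` matches only suites in both groups; the starting protocol list is an assumption based on "only the TLS protocols are enabled".

```python
"""Resolver for MFDS-style '!', '+', '-' priority strings (added example, not product code)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:
    name: str
    tags: frozenset


# Constructed toy catalogue; NOT the real OpenSSL cipher table.
TOY_CIPHERS = [
    Item("ECDHE-ECDSA-AES256-GCM-SHA384", frozenset({"kEECDH", "ECDSA", "HIGH"})),
    Item("ECDHE-RSA-AES128-SHA", frozenset({"kEECDH", "RSA", "HIGH", "SHA"})),
    Item("DHE-RSA-AES256-SHA", frozenset({"kEDH", "RSA", "HIGH", "SHA"})),
    Item("ADH-AES128-SHA", frozenset({"kEDH", "aNULL", "HIGH", "SHA"})),
    Item("AES128-SHA", frozenset({"kRSA", "RSA", "HIGH", "SHA"})),
    Item("DES-CBC3-SHA", frozenset({"kRSA", "RSA", "MEDIUM", "3DES", "SHA"})),
    Item("RC4-MD5", frozenset({"kRSA", "RSA", "MEDIUM", "RC4", "MD5"})),
    Item("NULL-SHA", frozenset({"kRSA", "RSA", "eNULL", "SHA"})),
    Item("EXP-RC4-MD5", frozenset({"kRSA", "RSA", "EXP", "LOW", "RC4", "MD5"})),
]

# Protocol names from the page: every one is in ALL, the TLS ones also carry a TLS tag.
TOY_PROTOCOLS = [
    Item(n, frozenset({"ALL"} | ({"TLS"} if n.startswith("TLS") else set())))
    for n in ("SSL2", "SSL3", "TLS1", "TLS1.1", "TLS1.2", "TLS1.3", "TLS1.4")
]
# Assumed starting list ("by default, only the TLS protocols are enabled").
DEFAULT_PROTOCOLS = ["TLS1", "TLS1.1", "TLS1.2", "TLS1.3"]

DEFAULT_CIPHER_SPEC = "kEECDH+ECDSA kEECDH kEDH HIGH MEDIUM +3DES +SHA !RC4 !aNULL !eNULL !LOW !MD5 !EXP"


def tokenize(spec, space_separated):
    """Yield (operator, keyword) pairs.

    Cipher specs are space-separated and a keyword may contain '+' meaning
    'in every listed group'. Protocol specs such as -ALL+TLS1.1+TLS1.2 have no
    spaces, so the operator itself delimits each keyword.
    """
    if space_separated:
        for tok in spec.split():
            op = tok[0] if tok[0] in "!+-" else ""
            yield op, tok[len(op):]
    else:
        for op, kw in re.findall(r"([!+-]?)([^!+\-\s]+)", spec):
            yield op, kw


def matches(item, keyword):
    return all(part == item.name or part in item.tags for part in keyword.split("+"))


def resolve(spec, catalogue, initial=(), space_separated=True):
    """Apply spec to catalogue and return the resulting ordered list of names."""
    selected = list(initial)
    excluded = set()
    for op, kw in tokenize(spec, space_separated):
        hits = [it.name for it in catalogue if matches(it, kw)]
        if op == "!":
            excluded.update(hits)  # permanent: a later '+' cannot bring these back
            selected = [n for n in selected if n not in excluded]
        elif op == "-":
            selected = [n for n in selected if n not in hits]
        else:
            if op == "+":  # add to the end, moving any earlier occurrence there
                selected = [n for n in selected if n not in hits]
            selected += [n for n in hits if n not in excluded and n not in selected]
    return selected


if __name__ == "__main__":
    print(resolve(DEFAULT_CIPHER_SPEC, TOY_CIPHERS))
    print(resolve("-ALL+TLS1.1+TLS1.2", TOY_PROTOCOLS, DEFAULT_PROTOCOLS, space_separated=False))
```

Running the page's default cipher string against the toy catalogue leaves only the kEECDH, kEDH and HIGH suites plus 3DES at the end, with the RC4, anonymous, NULL, LOW and export entries gone; `!RC4 MEDIUM +RC4` shows that a later `+` cannot undo a `!`, and `!SSL3+SSL3` leaves the protocol list unchanged for the same reason.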

Use all groups
Check this if a user requesting authorization is to have the permissions of every group to which he or she belongs.

Uncheck this if the user is to have only the permissions of the group specified in the initial security API call that requested verification (authentication) of the user's credentials. Where no group is specified in the verify call, a default group is used.

Use custom server ID certificate
If TLS is enabled, check this option and specify the paths for root certificates, server certificate, key file, and passphrase. In addition, the MF_ROOT_CERT environment variable will need to be set to the root-certificates file path.
Update when external Security Manager properties change
Check this to update the configuration to reflect changes made to any external Security Manager used.
Use default ES Security Manager List

Check this if you want to use your default ES security manager list for Directory Server, rather than the Security Manager List below. To define the default ES Security settings, click Security on the menu on the left hand side, and then click Security > Default ES Security.

Use encrypted connections
Select this if you want to start Enterprise Server Administration so that it requires authorized browser connections to use SSL. If the state is changed from the current active selection, the MF Directory Server process will need to be restarted to use the new setting. If encrypted connections are selected, administrative access must also be set to restricted.
Web browser timeout
Specify the maximum interval in seconds since the last activity of a Web browser client, for example, a browser refresh, before it is automatically logged off.

The minimum value is 60 seconds (1 minute). A value of -1 indicates an infinite timeout period. We recommend you use this value sparingly and always reset to a finite period as soon as possible. This is because if the Directory Server is running with an infinite Web client timeout, there is more likelihood that an unauthorized user might gain access to the system using an unattended machine; also the Directory Server will tend to become overloaded with clients who have not logged off.

The default value is 300 seconds (5 minutes).
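The authenticated client list, the two timeouts above (Client program timeout and Web browser timeout) and the -1 and minimum-value rules are modelled in the block below. It is an added example, not Directory Server code: the class names, the `sweep` method and the use of a caller-supplied clock value are assumptions made so the demo runs offline with constructed timestamps; only the defaults (300 and 6000 seconds), the 60-second minimum and the -1 meaning come from the page.

```python
"""Authenticated client list with idle timeouts (added example, not Directory Server code)."""
from dataclasses import dataclass, field
from enum import Enum


class ClientKind(Enum):
    WEB_BROWSER = "web browser"  # Enterprise Server Administration session
    PROGRAM = "program"          # MLDAP API caller


INFINITE = -1       # never time out
MIN_TIMEOUT = 60    # seconds; smallest finite value the page allows
DEFAULTS = {ClientKind.WEB_BROWSER: 300, ClientKind.PROGRAM: 6000}  # page defaults


def validate_timeout(seconds):
    """Return seconds if it is -1 or at least 60, otherwise raise ValueError."""
    if seconds == INFINITE or seconds >= MIN_TIMEOUT:
        return seconds
    raise ValueError(f"timeout must be -1 or >= {MIN_TIMEOUT} seconds, got {seconds}")


@dataclass
class Session:
    kind: ClientKind
    last_activity: float  # seconds on the caller's clock (constructed values in the demo)


@dataclass
class AuthenticatedClientList:
    timeouts: dict = field(default_factory=lambda: dict(DEFAULTS))
    sessions: dict = field(default_factory=dict)

    def set_timeout(self, kind, seconds):
        self.timeouts[kind] = validate_timeout(seconds)

    def authenticate(self, client_id, kind, now):
        """Enter a client into the list once it has authenticated."""
        self.sessions[client_id] = Session(kind, now)

    def touch(self, client_id, now):
        """Record activity (for example a browser refresh) and restart the idle clock."""
        self.sessions[client_id].last_activity = now

    def log_off(self, client_id):
        self.sessions.pop(client_id, None)

    def sweep(self, now):
        """Remove sessions idle longer than their kind's timeout; return the ids removed."""
        removed = []
        for client_id, session in list(self.sessions.items()):
            limit = self.timeouts[session.kind]
            if limit != INFINITE and now - session.last_activity > limit:
                removed.append(client_id)
                del self.sessions[client_id]
        return removed


if __name__ == "__main__":
    acl = AuthenticatedClientList()
    acl.authenticate("browser-1", ClientKind.WEB_BROWSER, now=0)
    acl.authenticate("app-1", ClientKind.PROGRAM, now=0)
    print("after 301 s:", acl.sweep(301))   # browser session dropped, program session kept
    print("after 6001 s:", acl.sweep(6001))  # program session dropped
```

With a sweep like this, an infinite (-1) Web browser timeout means an abandoned browser session is never removed, which is exactly the unattended-machine exposure the Web browser timeout text warns about; a finite value bounds both that window and the size of the list.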

Security Facility Configuration

The Security Facility Configuration parameters are available on this screen only when MFDS is configured to use an ESF (that is, set up to use a Security Manager other than "MFDS Internal Security"). Otherwise no ESF security configuration options, including the caching options, will be seen on this MFDS Security tab screen:

Allow unknown resources
Check this if you want the security facility to permit access to any unknown resource; that is, any resource for which all entries on the priority list return Unknown.

You might use this in circumstances where you only want to restrict access to some resources.

Allow unknown users
Check this if you want to allow unknown users to log in.
Cache limit
Enter the maximum size in kilobytes that Enterprise Server's security facility can use for caching the results of security queries.
Cache TTL
Enter the maximum time in seconds that an entry in the cache can be used to satisfy requests before the details must be requested again from the security manager.
Configuration information
Specify any additional configuration settings that the Enterprise Server security facility requires.
Create audit events
Check this to enable the enterprise server to generate security audit events. These events can be captured and logged by the Audit Facility.
Verify against all Security Managers
Set this if you want each security query to be checked by all entries on the Security Manager Priority List.

If this is not set, the entries will be queried in the order that they appear on the Priority List until one gives a response of Allow, Deny, or Fail (equivalent to Deny). This response will then be used to decide what action should be taken.

If this field is set, all entries on the list will be queried, and if any returns a Deny or Fail, the access request will be denied. If there are no Deny or Fail responses and at least one of the entries on the list gives Allow as its response, the request will be allowed.

If a security manager does not have a rule for the resource or user specified in the request, it gives a response of Unknown. Whatever the setting of the Verify against all Security Managers field, if all of the entries on the priority list respond with Unknown, the request will be denied unless you have checked Allow unknown resources or Allow unknown users.
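The decision rules in the four paragraphs above (first definite answer wins, or all managers consulted with any Deny or Fail winning, Fail equivalent to Deny, Unknown from everyone denied unless the Allow unknown option is set, disabled managers ignored) are implemented below as an added example; it is not the Enterprise Server security facility's code. The manager names, their rule tables and the `evaluate` signature are constructed for the demo, and `allow_unknown` stands in for whichever of Allow unknown resources or Allow unknown users applies to the request.

```python
"""Security Manager priority-list evaluation (added example, not product code)."""
from dataclasses import dataclass, field
from enum import Enum


class Response(Enum):
    ALLOW = "Allow"
    DENY = "Deny"
    FAIL = "Fail"        # treated as Deny
    UNKNOWN = "Unknown"  # the manager has no rule for this user/resource


@dataclass
class SecurityManager:
    name: str
    enabled: bool = True
    # Constructed rule table: (user, resource) -> Response; anything missing is Unknown.
    rules: dict = field(default_factory=dict)

    def query(self, user, resource):
        return self.rules.get((user, resource), Response.UNKNOWN)


def evaluate(priority_list, user, resource, verify_all=False, allow_unknown=False):
    """Return (allowed, consulted).

    consulted lists (manager name, response) in the order the managers were asked,
    so the caller can see which entry decided the outcome. allow_unknown stands for
    'Allow unknown resources' (resource checks) or 'Allow unknown users' (logins).
    """
    consulted = []
    definite = (Response.ALLOW, Response.DENY, Response.FAIL)
    for manager in priority_list:
        if not manager.enabled:  # a disabled manager is ignored entirely
            continue
        response = manager.query(user, resource)
        consulted.append((manager.name, response))
        if not verify_all and response in definite:
            # Verify against all Security Managers off: first definite answer wins
            return response is Response.ALLOW, consulted
    responses = [r for _, r in consulted]
    if verify_all:
        if any(r in (Response.DENY, Response.FAIL) for r in responses):
            return False, consulted
        if Response.ALLOW in responses:
            return True, consulted
    # Every enabled manager answered Unknown: deny unless the Allow unknown option is set.
    return allow_unknown, consulted


# Constructed priority list for the demo.
PRIORITY_LIST = [
    SecurityManager("LDAP", rules={("alice", "payroll"): Response.ALLOW,
                                   ("bob", "payroll"): Response.DENY}),
    SecurityManager("Local", rules={("alice", "payroll"): Response.DENY}),
    SecurityManager("Legacy", enabled=False, rules={("carol", "payroll"): Response.ALLOW}),
]


if __name__ == "__main__":
    for verify_all in (False, True):
        allowed, trail = evaluate(PRIORITY_LIST, "alice", "payroll", verify_all=verify_all)
        print(f"verify_all={verify_all}: allowed={allowed} via {trail}")
```

The alice case shows the practical difference between the two modes: with the checkbox clear, LDAP's Allow ends the query and Local's Deny is never seen; with it set, Local's Deny overrides. The carol case shows why Allow unknown resources widens access: the only manager with a rule for her is disabled, so every consulted entry answers Unknown and the request is denied unless that option is checked.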

See Configuring a Cipher Suites List and Security Levels for more information.

For additional information on cipher suite configuration, refer to the OpenSSL documentation.