The VSAM ESM Module supports some additional configuration that can be set by editing the Config field. Text in this area is organized into sections, each of which begins with a "tag" in square brackets and is followed by lines in the form of name=value pairs. The following are the configuration sections and the options that can be set in each:
[Operation] section
- signon attempts=integer
- Set the maximum number of consecutive failed sign-in (Verify) attempts before a user account is automatically disabled. If integer is greater than 0, then after that many consecutive attempts to sign a user in with an incorrect password, the account is disabled. Successfully signing the user in with the correct password resets the count. The default value is 0, which disables this feature.
[Passwords] section
- expiration=integer
- Set the default password expiration interval, in days. If a user changes their password and their account is configured with a password expiration date (the user-password-expire-date attribute), and that date is in the past or fewer than the specified number of days in the future, then it is moved to this many days in the future. The default value is 90 days.
- history=integer
- Stores an integer number of previous password hashes for each user. When a user tries to change their password, if the new password matches one of the stored hashes, the request is rejected. The default value is 0, that is, no password history is stored.
- minimum length=integer
- Requires that new passwords be at least integer characters long.
CAUTION:
While ESF itself supports long passwords, some Mainframe Subsystem Support (MSS) programs and APIs are limited to a maximum of 8 characters. Take this into account before setting a minimum length greater than 8 for users of those programs.
- maximum length=integer
- Requires that new passwords be no more than integer characters long.
CAUTION:
While ESF itself supports long passwords, some Mainframe Subsystem Support (MSS) programs and APIs are limited to a maximum of 8 characters.
- required=alphabetic|mixed-case|numeric|punctuation,...
- Requires a new password to include at least one character from each of the listed classes. The supported classes are alphabetic, mixed-case, numeric, and punctuation. Class names should be separated with whitespace and/or commas.
For example:
[Passwords]
required=alphabetic, numeric
This causes the password change to fail if the new password does not include at least one letter and one digit.
- complexity=1-5
- Requires a new password to include at least one character from each of (complexity + 1) character classes. Uppercase and lowercase are counted separately; for example, complexity=1 would be satisfied by a mixed-case password, or a password with lowercase letters and digits, or digits and punctuation characters, and so on. Characters that are not (ASCII) letters, digits, or punctuation are counted as a further character class, so there are five classes in total: uppercase, lowercase, digit, punctuation, and other. Because only five classes exist, a password can satisfy at most complexity=4.
The various password restriction options can be used in combination, for example:
[Passwords]
minimum length=6
required=mixed-case
complexity=2
This enforces passwords of at least 6 characters that contain both uppercase and lowercase letters (the two classes required by mixed-case) plus at least one character from a third class, that is, a digit, punctuation, or other non-letter character.
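The following is an added example, not code from the product or its documentation. It parses Config-field text in the section/name=value layout described at the top of this page and applies the [Passwords] rules (minimum length, maximum length, required, complexity, history) to candidate passwords, using the two examples above as sample rule sets. The function names, the case-insensitive handling of tags and names, and the plain-string history comparison (the product stores hashes) are assumptions made for illustration.

```python
"""Added example: parse ESM Config text and evaluate [Passwords] rules.
Not Micro Focus code; names and parsing details are assumptions."""
import string
from typing import Dict, Iterable, List, Set

# Constructed sample Config text in the documented layout (not from a real system).
SAMPLE_CONFIG = """
[Operation]
signon attempts=3

[Passwords]
minimum length=6
required=mixed-case
complexity=2
"""


def parse_config(text: str) -> Dict[str, Dict[str, str]]:
    """Parse '[tag]' sections of name=value lines into nested dicts.

    Tags and names are lower-cased so lookups are case-insensitive (assumption).
    Lines before the first tag, blank lines and lines without '=' are ignored.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            name, _, value = line.partition("=")
            sections[current][name.strip().lower()] = value.strip()
    return sections


def char_classes(pw: str) -> Set[str]:
    """The five classes used by 'complexity': upper, lower, digit, punctuation, other."""
    classes: Set[str] = set()
    for ch in pw:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punctuation")
        else:
            classes.add("other")      # non-ASCII letters, spaces, etc.
    return classes


def check_password(pw: str, rules: Dict[str, str], history: Iterable[str] = ()) -> List[str]:
    """Return the reasons a new password would be rejected; an empty list means accepted."""
    reasons: List[str] = []
    classes = char_classes(pw)
    if "minimum length" in rules and len(pw) < int(rules["minimum length"]):
        reasons.append("shorter than minimum length")
    if "maximum length" in rules and len(pw) > int(rules["maximum length"]):
        reasons.append("longer than maximum length")
    if "required" in rules:
        # Class names may be separated by whitespace and/or commas.
        for cls in rules["required"].replace(",", " ").split():
            satisfied = {
                "alphabetic": bool(classes & {"upper", "lower"}),
                "mixed-case": {"upper", "lower"} <= classes,
                "numeric": "digit" in classes,
                "punctuation": "punctuation" in classes,
            }.get(cls.lower())
            if satisfied is None:
                reasons.append(f"unknown required class {cls!r}")
            elif not satisfied:
                reasons.append(f"missing required class {cls}")
    if "complexity" in rules and len(classes) < int(rules["complexity"]) + 1:
        reasons.append("too few character classes for complexity")
    # The product compares against stored hashes; plain strings here for illustration.
    if pw in set(history):
        reasons.append("matches a previous password")
    return reasons


if __name__ == "__main__":
    pw_rules = parse_config(SAMPLE_CONFIG)["passwords"]
    for candidate in ("Abcde1", "Abcdef", "abcde1", "Ab1"):
        print(candidate, "->", check_password(candidate, pw_rules) or "accepted")
```

Running the block evaluates four constructed candidates against the second example's rules: "Abcde1" is accepted, "Abcdef" has only two classes, "abcde1" lacks mixed case and a third class, and "Ab1" is too short.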
[Trace] section
- Config=yes|no
- Traces configuration settings. Setting this to yes generates a message for each valid configuration setting specified in the Config field of your External Security Manager Configuration dialog box. This can be used for auditing and debugging purposes. The default value is no.
- Groups=string
- Logs various messages regarding the processing of user groups. If this is set to a string beginning with "y" or to "1", the
ESM Module makes a log entry when it determines that a user belongs to a group during Verify, or when it finds a group ACE
that applies to a request during Auth. This is particularly useful when debugging problems with All-Groups mode.
- Modify=fail|all|y|yes
- Enables the logging of some modify operations which are normally not logged. If this is set to fail, the ESM Module makes a log entry if one of these "silent modify" operations fails. If it is set to all, y, or yes, it logs all of these modify operations, including ones that succeed. Affected operations include setting the last-login-time user attribute, and possibly others.
- Update=y|yes|changes|all
- Logs update requests, which are ESF control requests, made using ESCWA or the esfupdate command-line utility, that notify ESF and the ESM Modules of changes to security configuration or data. If this is set to y or yes, update requests are logged. If it is set to changes, additional messages are logged when an update request causes the module to change internal state, such as the MSS attributes (operator class, and so on) of a user or a user's group membership. If it is set to all, additional messages are logged when an update request does not cause changes.
- Vsam=yes
- Logs file-handler status codes for VSAM I/O operations on the ESM file directory. If this is set to yes, the status codes from the file handler are logged.
[VSAM timeout] section
- retry count=integer
- Set the maximum number of retries to open a file in the VSAM ESM file directory. The time between each retry attempt is specified by wait length. The maximum value is a signed 32-bit integer, and the default retry count when neither retry count nor max wait is specified is 30.
- wait length=integer
- Set the time in milliseconds to wait between retries when opening a file in the VSAM ESM file directory. The maximum value is a signed 32-bit integer, and the default value when not specified is 1000, which is one second.
- max wait=integer
- Set the maximum time to wait to open a file in the VSAM ESM file directory. The maximum value is a signed 32-bit integer, and the default value when not specified is 0, which disables the maximum wait.