Service Deployment and Security

Enterprise Server provides a deployment feature to allow developers to package COBOL programs as Web Services or EJBs and deploy them to an Enterprise Server instance. The deployment process uploads the packaged service (in the form of a COBOL Archive or CAR file) to Enterprise Server, then invokes an installer (mfdepinst) that extracts the contents from the archive, creates package and service objects in the Micro Focus Directory Server repository, and notifies Enterprise Server of the new service.

Service deployment is initiated by a deployment client, running under the control of a developer or administrator. Deployment clients include those generated by the Interface Mapping Toolkit (IMTK), or the imtkmake command-line tool. All of these are documented elsewhere.

Deployment and Security

Creating service and package objects in the MFDS repository requires update access, which may not be granted to all users. mfdepinst has to present credentials (a username and a password) to MFDS when it tries to create those objects. In a secured installation, deployment requests from users may fail to create service and package objects because of insufficient permissions.

The default configuration installed with Enterprise Server allows mfdepinst to create objects in the MFDS repository, but when security options are changed it's easy to cause deployment requests to fail, particularly when external security is enabled. (This is actually the appropriate behavior; when an installation is secured, it should prevent unauthorized access.)

How Deployment Credentials are Verified and Authorized

In early releases of Enterprise Server, the credentials sent to MFDS by mfdepinst were verified against entries in the file cciusers.dat. In more recent releases, MFDS keeps its own database of user information as part of the repository.

External security, which is enabled by specifying an external security manager (ESM) for MFDS security, allows MFDS to use an outside facility, such as an LDAP server, to verify user credentials.

How MFDS is configured determines how the username and password sent by mfdepinst will be verified, and how their level of access is determined. If you are using internal security, you'll have to ensure that the username and password sent by mfdepinst are configured in MFDS, and that the user account used by mfdepinst has "add" access for the MFDS repository. Similarly, if you're using external security, your ESM will have to accept the username and password sent by mfdepinst and grant it access to add objects to MFDS.

The Enterprise Server Administration Guide discusses these topics in more detail.

How Deployment Credentials are Set

With Net Express version 5.0, WebSync 2 or later, you can specify a username and password when deploying a service interface to a secure server either through the Net Express IDE or when using imtkmake from the command line.

Additional Considerations and Advanced Security for Deployment

As organizations have become more conscious of potential security issues within corporate networks, additional considerations for Enterprise Server service deployment have been identified.

Newer releases of Enterprise Server have additional security features for deployment, as described in Deployment Listeners.