Security Managers and security configurations

64/32-bit Security Managers

It is necessary to have the correct bitism for the security domain that is going to use the Security Manager. If the enterprise server region is a 64-bit region, it will require a 64-bit security manager. Similarly, the security manager used for MFDS must have the same bitism as MFDS.

If MFDS and the enterprise server region have different bitisms, they might not be able to use the same Security Manager. They can use the same external security manager (for example, LDAP repository) but two separate Security Manager definitions might be required. These would use essentially the same configuration details but any bitness-specific configuration items would differ.

For example, the MLDAP ESM Module has an optional provider configuration setting to specify an LDAP client library; this would need to name a library of the correct bitness. The details will depend on the platform and installation decisions made by the system administrator, but it might look like the following.

In the Security Manager, for 32-bit enterprise server regions and for MFDS (which is normally 32-bit, except on 64-bit-only platforms):

[LDAP]
provider=/usr/lib/libldap_r-2.4.so.2.7.1

In the Security Manager for 64-bit regions:

[LDAP]
provider=/usr/lib64/libldap_r-2.4.so.2.7.1

The difference in this case is in the location of the shared object, /usr/lib versus /usr/lib64.

The ESM Module must be the correct bitness for the Security Manager. If one of the standard ESM Modules provided with Enterprise Server is used, and it is specified in the Security Manager definition using just its base name (for example, mldap_esm) with no path or extension, then ESF will automatically select the module of the correct bitness. If the Security Manager specifies a path or extension for the module, only that specific file will be used, and you will need separate 32- and 64-bit Security Manager definitions.

Security Manager configuration

Hardening recommendations for Security Managers depend on the ESM Module used. See the following subtopics listed below for each standard ESM Module.

Security Configuration options

Each of the Security Configuration pages — Default ES Security, Security for a specific region, Directory Server Configuration, and the ESCWA Security Settings — provide options to configure ESF. The MFDS Directory Server Configuration and ESCWA Security Settings pages also have some options specific to those components.

ESF options relevant to hardening include:

Allow unknown users

This option should typically only be enabled for certain test situations. It allows anyone to sign on to the system using an unrecognized user ID and any password.

Allow unknown resources

Avoid this option where security is a concern; it permits the use of any unrecognized resource, which might, for example, let an attacker access system files through Enterprise Server applications. It is useful primarily for developers using their own test installations and while phasing in the initial set of security rules.

Verify against all Security Managers

Typically, user authentication (the Verify operation) is decided by the first Security Manager which returns a definite result — either allow or deny sign-on. When this option is enabled, all Security Managers are consulted until either one returns a deny result, or they have all returned allow or unknown (and at least one returned allow, unless "Allow unknown users" is also enabled). In effect, this option lets each Security Manager veto user authentication. It may be appropriate in some security configurations, particularly if a Security Manager has been configured specifically to reject certain users under certain circumstances, such as time of day.

Create audit events

Auditing can improve security by providing an audit trail for forensic analysis if a breach is discovered or suspected. Audit information can also be processed in real time or periodically to check for suspicious activity, or to monitor particularly sensitive resources. Note that enabling this option requires configuring the Micro Focus Audit API, and using a Security Information Event Manager (SIEM) such as syslogd or the Micro Focus Sentinel or ArcSight product to receive and process audit data.

Use all groups

While neither setting of this option is necessarily more secure, some organizations choose to disable it so they can give users particular roles based on their choice of sign-on group. For example, a user might have both an "application" role and an "administration" role, with different resource permissions in each, selected by which group is specified when signing on. Other organizations prefer to enable this option so the system behaves more like Windows or UNIX.

Cache TTL and limit

These options disable ESF caching (if either is set to zero) or enable it (if they are both non-zero). Depending on the organization's threat model and security posture, there may be a security benefit to disabling caching, to prevent ESF from using stale results when changes are made to the security information held by ESMs. For most organizations, some caching is desirable for improved performance. The organization should determine its tolerance for stale security results and set the Cache TTL appropriately. A setting of 60, for example, means no result more than a minute old will be returned by the cache. Also, the ESF Update mechanism can be used to flush the cache.

Configuration text: Group federation

The group federation mechanism can be enabled in the configuration text field using the following setting:

[Operation]
Federate=yes

Note: Section names and keywords are case-insensitive.

Group federation only applies if there are multiple Security Managers being used.

When group federation is enabled, all security managers for the security domain (enterprise server region, MFDS, or ESCWA) share a single list of user groups. Each security manager may add groups to the list, access control rules in one security manager may refer to groups defined in other security managers, and so on. When federation is explicitly disabled with Federate=no, each security manager has its own group list and understanding of which users belong to which groups. If no federation setting is specified, the security managers operate in backward-compatibility mode, which has semantics that are complicated and probably undesirable.

Micro Focus recommends enabling group federation unless the organization has a specific reason for requiring each Security Manager to keep separate group information.

Configuration text: Redundant mode

Redundant mode is an option for customers who are concerned about availability and can put all of their security information in a single security manager. In redundant mode, the security managers are not treated as separate sources for making security decisions. Instead, only the first security manager is used, unless it fails; then the second is used, and so on. So for redundant mode, all security managers must be equivalent in how they make security decisions, for consistency. Redundant mode also requires group federation.

Settings that apply to redundant mode are as follows:

[Operation]
redundant=yes
failover retry interval=time

The failover retry interval setting determines whether failed ESMs will be retried, and if so, how often. An appropriate value for this setting depends on the customer's requirements. See your product Help for more information.

Configuration text: Verify throttling

Verify throttling helps prevent brute-forcing user credentials by slowing down processing when too many Verify (authentication) requests are received by a process in a certain time interval. By default, this is triggered if more than 100 Verify requests are received in a second. The threshold can be changed, or throttling disabled entirely, using the [Operation] verify throttle threshhold setting. Micro Focus recommends leaving throttling enabled, although you might need to adjust the threshold if your workload triggers it.

Configuration text: ESF cache options

In addition to the cache size and TTL parameters discussed above, some additional cache options can be set in the configuration text:

[Cache]
requests=types of requests to cache
flush on change=yes|no
report interval=time in seconds
ignore=request fields to ignore in comparison

These are discussed in more detail in your product Help, but briefly:

• requests sets which types of ESF requests can be cached. By default, authorization requests are cached, but authentication requests are not, so that each user authentication is processed by the ESMs.
• If flush on change is enabled, then when the result of a request changes, any existing cached information for that request is removed. This is useful if authentication (Verify) caching is enabled and an ESM implements account lockout. See your product Help for more information.
• The list of request fields in the ignore setting are ignored when comparing an incoming request with entries in the cache. This can improve cache performance if the fields in question are not considered security-sensitive by the customer. By default, the subsystem and facility fields are ignored.

Micro Focus recommends using the defaults caching options for maximum security, and changing them for performance if necessary. If Verify caching is enabled, Micro Focus recommends enabling flush-on-change.

Configuration text: Audit options

Options for auditing only apply if auditing is enabled. The audit options are:

password change success

This controls whether an audit event is generated for a successful password change.

category 3 events

This controls whether audit events are generated for calls to ESF, as well as the results of those calls. The category-3 events are largely redundant, so some customers prefer to suppress them.

selective

This enables selective auditing. In selective mode, audit events are controlled by additional LDAP attributes of users, groups, and resource access rules. Only the MLDAP ESM Module provides selective-audit capabilities. Selective auditing is useful if you only want audit events generated for ESF requests that apply to certain sensitive security objects. Using this requires additional administrative effort, to set the attributes appropriately for objects of interest.

Micro Focus has no specific recommendations regarding these options. Whether they are appropriate will depend on your requirements.

Configuration text: miscellaneous options

Other configuration text settings affect:

• The ESF user exit (user exit)
• The ESF Administration feature (allow-list)
• Username mapping (map short names)
• Update processing (update interval)
• Trimming whitespace from character fields in requests (trim whitespace)
• Passtokens (allow)

See your product Help for more information.