Security Configuration Custom Configuration Information

Each security configuration for MFDS, ES Default Security, or a particular enterprise server instance supports additional configuration that can be set by modifying the text in the Configuration Information field. Text in this field is organized into sections, each of which begins with a tag label in square brackets, followed by lines containing name-value pairs.

Add these settings in the Configuration Information field of the security configuration itself, not in that of a Security Manager. Security Managers also have a custom configuration setting, with parameters defined by the External Security Manager module they use. See the documentation for the specific ESM module for more information.

The following are the configuration sections, and the options that can be set in each section:

[Admin] section

allow-list=yes | no
If this is set to yes, then Admin LIST requests (for example, requests to list users, groups, and resource access rules) are allowed for all users, with no additional access check.

[Audit] section

category 3 events=yes | no
Setting this option disables audit category 6 events for SAF Auth and XAuth calls, and enables category 3 events for Verify, Auth, and XAuth calls. This option is provided for backwards compatibility.

The default value is no.

password change success = yes | no
Setting this option enables an extra audit event for every successful password change.
Note: Password change rejections and related errors are always audited. See Audit event 6 2 in Audit Event Codes for more information.

The default value is no.

selective=yes | no
This setting enables the optional selective-auditing feature. It has no effect if auditing is not enabled.

When selective auditing is enabled, auditing for normal ESF requests is suppressed unless the AUDIT flag is set in the request, or an ESM Module determines that the particular request should be audited. The flag can be set by the caller. Currently, only the MLDAP ESM Module performs selective auditing. If a user, group, or resource access rule object contains the optional LDAP Boolean attribute microfocus-MFDS-Audit, and the value of the attribute is TRUE, then requests pertaining to that object will be audited. For example, if a user is defined in LDAP with microfocus-MFDS-Audit set to TRUE, and selective auditing is enabled, then any request pertaining to that user - a Verify request signing the user on or an Auth request for resource access on that user's behalf - will be audited.

The default value is no.

[Cache] section

flush on change=yes | no
Set to yes to tell the cache to discard any cached Verify result if it receives another request for the same user with a different result. See Using Flush on Change for more information. This is only useful when Verify caching is enabled.
ignore=list of request fields
When the ESF cache checks whether the request it is currently processing matches a cached request, it ignores the fields listed in this configuration entry when comparing them. That means the cached result will be used even if the current request and the cached request differ in one or more of the listed fields. This is useful if the fields in question do not change security decisions in your environment.

The list can be zero or more field names, separated with whitespace and/or commas.

Currently the fields that can be included are:

subsystem
The Enterprise Server subsystem, such as CICS or IMS.
subsys
An alias for "subsystem".
facility
The facility, which is usually a terminal name or other input source.
transaction
The transaction name, for subsystems where this is relevant.
trans
An alias for "transaction".

Currently no ESM Modules make use of any of these fields when making security determinations, so it is safe to ignore any or all of them.

The default values are subsystem, facility. Transaction is not ignored by default because it is one of the most likely to be encountered in custom ESM Modules.

report interval=seconds
You can configure how often reporting happens by setting the report interval option. Its value is an integer, representing the approximate time between reports in seconds. Setting this to 0 disables reporting.
requests=list of request types
This setting specifies what type of ESF requests can be cached. It is set to a list of tokens, separated by commas or spaces. See Requests for a full list of possible tokens.
tracing=integer
Controls trace messages from the ESF cache. If this is set to 0, tracing is disabled. Positive values enable progressively verbose trace information; currently values 1-5 are supported.

The default value is 0.

See the chapter ESF Caching for more information.
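The effect of the ignore option on cache matching, shown as an added illustration that is not Micro Focus code. Only the list syntax, the aliases and the default come from this page; the matching model, the case-insensitive handling, the rejection of unknown names, and the `user` and `resource` request fields are assumptions made for the example.

```python
# Added illustration: a simplified model of cache matching with an ignore list.
import re

ALIASES = {"subsys": "subsystem", "trans": "transaction"}
IGNORABLE = {"subsystem", "facility", "transaction"}
DEFAULT_IGNORE = "subsystem, facility"  # default stated on this page

def parse_ignore(value=DEFAULT_IGNORE):
    """Split on whitespace and/or commas, resolve aliases, reject unknown names."""
    tokens = re.split(r"[\s,]+", value.strip().lower())
    fields = {ALIASES.get(t, t) for t in tokens if t}
    unknown = fields - IGNORABLE
    if unknown:
        raise ValueError(f"not an ignorable field: {sorted(unknown)}")
    return fields

def cache_key(request, ignored):
    """Fields that must be equal for a cached result to be reused."""
    return tuple(sorted((k, v) for k, v in request.items() if k not in ignored))

def would_reuse(cached, current, ignore_value=DEFAULT_IGNORE):
    """True if the cached decision would be returned for the current request."""
    ignored = parse_ignore(ignore_value)
    return cache_key(cached, ignored) == cache_key(current, ignored)

# Constructed requests; "user" and "resource" are hypothetical field names.
A = {"user": "ALICE", "resource": "PAYROLL", "subsystem": "CICS",
     "facility": "T001", "transaction": "PAY1"}
B = dict(A, facility="T002", transaction="INQ1")

if __name__ == "__main__":
    print(would_reuse(A, B))                           # default ignore list
    print(would_reuse(A, B, "subsys facility,trans"))  # transaction ignored too
```

If a custom ESM Module bases its decision on the transaction, adding transaction to the ignore list means a decision cached for one transaction is returned for another.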

[Operation] section

failover retry interval=seconds | never
This option changes the behavior of redundant mode. It is ignored if redundant mode is not enabled. See the redundant setting below for more information. By default, when redundant mode is enabled, failing Security Managers are retried on every request when they would normally be invoked. This might cause performance issues if a failed manager takes a long time to respond.

If this option is set to a positive number, a failed Security Manager only retries when at least that many seconds have elapsed since it failed.

If this option is set to 0 or never, a failed Security Manager is disabled until ESF is reinitialized or the process is restarted.

federate=yes | no | compatible
Controls the federation of group information among Security Managers. See Security Federation for more information. This only has an effect if more than one Security Manager is configured.

The default value is compatible for product versions through to 8.0, and yes for 9.0 and later. Micro Focus recommends setting it to yes if multiple Security Managers are used.

password case=upper | lower | preserve [8]
Fold passwords to upper or lower case when processing Verify requests, or leave them as supplied. The default value is preserve.
protect sensitive data=yes | no
If enabled, sensitive data such as passwords is obfuscated in memory to help prevent its disclosure.

The default value is yes. This should only be disabled if an issue is suspected with sensitive data protection.

redundant=yes | no
If this option is set to yes, you can configure multiple equivalent Security Managers and let processing continue as long as at least one Security Manager is available. By default, if any Security Manager returns an error during initialization or security request processing, the request fails. If redundant mode is enabled, initialization and request processing only need one successful Security Manager.

The default value is no.

trim whitespace=yes | no
If enabled, leading and trailing whitespace in any of the character-string fields of an ESF request will be removed. This is useful if requests are likely to contain extraneous whitespace.

The default value is yes. This should only be disabled if an issue is suspected with whitespace trimming.

update interval=seconds
If this is set to a positive number, ESF waits at least that many seconds between checks for administrative update notifications. Update notifications are used to tell ESF that security information has changed and it should discard cached data and update information it has stored about users and groups. This check might affect performance under heavy loads, in which case setting an update interval can improve performance, at the cost of ESF taking more time to recognize that security information has been changed.
user exit=module-name
Configure a user exit module. See ESF User Exit for more information.
userid case=upper | lower | preserve [8]
Fold (force) userids, also known as usernames, to upper or lower case when processing Verify requests, or leave them as supplied. The default value is preserve (do not alter userids).
username case=upper | lower | preserve [8]
A synonym for userid case. If both are set, the userid case setting takes precedence.
verify throttle threshold=integer | none
Set this to specify at what point verify throttling is activated, or to disable verify throttling. If the value is a positive integer, it represents the maximum number of Verify requests that will be accepted within one second before the process starts throttling (imposing a delay) on them. This makes it more difficult to guess valid credentials by brute force.
Note: In an enterprise server instance Verify requests are typically processed by SEPs, so the effective threshold is actually this value times the number of regular SEPs available.

If the value is negative or zero, or the word none, then throttling is disabled.

The default value is 100.

[Passtoken] section

allow=none | generate | signon | both | yes
Specifying none disables passtokens, generate enables passtoken generation but not their use, signon enables passtoken use for signon but not generation, and both enables both generation and signon. yes is a synonym for both.

See Passtoken Options for ESF Manager for more information.

[Trace] section

name mapping=yes | no
If enabled, trace messages are logged during name-mapping operations.

The default value is no.

[Verify] section

map short names=yes | no
If enabled, when a request to Verify (authenticate) a user is submitted with a username that is no more than 8 characters long, ESF will first attempt to map this to a "long name" (ESM username). If that is successful, the long name will be used in place of the name provided in the request. This option is useful when name mapping is enabled, because some Enterprise Server facilities do not permit entering long names, and have to use Enterprise Server mainframe-style 8-character userids ("short names") instead. These include the CICS CESN and CESL transactions and the USER parameter on the JCL job card.

The default value is no. Micro Focus recommends you enable this feature if you use name mapping.
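A review aid for the settings above, added here as an example and not part of the product: it parses Configuration Information text in the section and name-value format described on this page and reports the settings the page itself describes as removing a check or protection. The function names are hypothetical, and the case-insensitive matching and the skipping of lines outside a section are assumptions about the parser.

```python
# Added example: flag settings this page describes as removing a protection.
import re

def parse_config(text):
    """Return {section: {name: value}} from [section] / name=value lines."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            # Option names contain spaces; collapse runs so lookups are stable.
            current[" ".join(name.lower().split())] = value.strip().lower()
    return sections

def throttle_limit(value):
    """Verify requests per second before throttling; None means disabled."""
    if value == "none":
        return None
    n = int(value)
    return n if n > 0 else None

def lint(text, regular_seps=1):
    """Return (findings, effective Verify threshold across regular SEPs)."""
    cfg = parse_config(text)
    op = cfg.get("operation", {})
    findings = []
    if cfg.get("admin", {}).get("allow-list") == "yes":
        findings.append("[Admin] allow-list=yes: LIST requests skip the access check")
    if op.get("protect sensitive data", "yes") == "no":
        findings.append("[Operation] protect sensitive data=no: no in-memory obfuscation")
    limit = throttle_limit(op.get("verify throttle threshold", "100"))
    if limit is None:
        findings.append("[Operation] verify throttle threshold: throttling disabled")
    # Verify requests are processed by SEPs, so the threshold scales with them.
    return findings, (None if limit is None else limit * regular_seps)

# Constructed sample input, not taken from a real deployment.
SAMPLE = """[Admin]
allow-list=yes
[Operation]
protect sensitive data = no
verify throttle threshold=none
"""

if __name__ == "__main__":
    print(lint(SAMPLE, regular_seps=4))
```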