Attention: This topic applies to a feature that is in Early Adopter Program (EAP) release status. We intend to provide the finalized
feature in a future release. Please contact
Micro Focus Customer Care if you require further clarification.
The VSAM ESM Module supports some additional configuration that can be set by editing the
Config field. Text in this area is organized into sections, each of which begins with a "tag" in square brackets and is followed by lines in the
form of name=value pairs. The following are the configuration sections, and the options that can be set in each section:
[Operation] section
- signon attempts=integer
- Set the maximum number of consecutive failed sign-in (Verify) attempts before a user account is automatically disabled. If
integer is greater than 0, the account is disabled after that many consecutive attempts to sign the user in with an incorrect password.
Successfully signing the user in with the correct password resets the count. The default value is 0, which
disables this feature.
[Password] section
- expiration=integer
- Set the default password expiration interval, in days. It applies only in MF-hash verify mode, that is, when
Micro Focus password hashes are used. This is the default mode; if you use bind verify mode instead, password expiration has to be managed
by your LDAP server. When a user changes their password and the account has a password expiration date (the user-password-expire-date
attribute) that is in the past or less than this many days in the future, the expiration date is set to this many days
in the future. The default value is 90 days.
- history=integer
- Stores the specified number of previous password hashes for each user. When a user tries to change their password, the request is
rejected if the new password matches one of the stored hashes. This option has no effect if the module configuration does not allow the
module to update the user's attributes. The default value is 0, that is, no password history is stored.
- minimum length=integer
- Requires that new passwords be at least
integer characters long. If you are using a password type other than "MF", you might also be able to configure this and
other password requirements in your LDAP server or OS security policy.
CAUTION:
While ESF itself supports long passwords, some Mainframe Subsystem Support (MSS) programs and APIs are limited to a maximum
of 8 characters.
- maximum length=integer
- Requires that new passwords be no more than
integer characters long. If you are using a password type other than "MF", you might also be able to configure this and
other password requirements in your LDAP server or OS security policy.
CAUTION:
While ESF itself supports long passwords, some Mainframe Subsystem Support (MSS) programs and APIs are limited to a maximum
of 8 characters.
- required=alphabetic|mixed-case|numeric|punctuation,...
- Requires new passwords to include at least one character from each of the listed classes. The supported classes are alphabetic,
mixed-case, numeric, and punctuation. Class names should be separated with whitespace and/or commas.
For example:
[Passwords]
required=alphabetic, numeric
This results in the password change failing if the new password does not include at least one letter and one digit.
- complexity=1-5
- Requires new passwords to include characters from at least integer + 1 character classes. Uppercase and lowercase are
counted separately, so, for example, complexity=1 is satisfied by a mixed-case password, or by a password with lowercase letters
and digits, or digits and punctuation characters, and so on. Characters that are not (ASCII) letters, digits, or punctuation
are counted as one further character class, so there are five classes in total: uppercase, lowercase, digit, punctuation, and
other.
The various password restriction options can be used in combination, for example:
[Passwords]
minimum length=6
required=mixed-case
complexity=2
This would enforce passwords of at least 6 characters that contain both uppercase and lowercase letters and at least one
non-letter character: complexity=2 requires three character classes, and because mixed-case already accounts for uppercase and
lowercase, the third class must be a digit, a punctuation character, or an "other" character.
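The following is an added example (not Micro Focus code, and not how the ESM Module itself is implemented) that parses Config text in the section/name=value layout described above and checks candidate passwords against the minimum length, maximum length, required and complexity rules as the page documents them. The sample Config text is constructed for illustration and uses the [Passwords] tag as the page's own examples do; case-insensitive matching of tags and option names, and reporting an unrecognized class name in required= as an error, are assumptions.

```python
import re
import string

# Constructed sample Config text in the documented layout; the values are
# illustrative and not taken from any real system.
SAMPLE_CONFIG = """
[Operation]
signon attempts=5

[Passwords]
minimum length=6
maximum length=8
required=mixed-case, numeric
complexity=2
"""


def parse_config(text):
    """Parse the [tag] / name=value layout into {section: {name: value}}.

    Assumption: tags and option names are matched case-insensitively and
    surrounding whitespace is ignored; the page does not specify this.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            sections[current][name.strip().lower()] = value.strip()
    return sections


def char_classes(password):
    """Return the set of the five documented classes present in the password.

    Only ASCII letters, digits and punctuation count as those classes;
    anything else (including non-ASCII letters) falls into "other".
    """
    classes = set()
    for c in password:
        if c in string.ascii_uppercase:
            classes.add("uppercase")
        elif c in string.ascii_lowercase:
            classes.add("lowercase")
        elif c in string.digits:
            classes.add("digit")
        elif c in string.punctuation:
            classes.add("punctuation")
        else:
            classes.add("other")
    return classes


# How each required= class name is satisfied, in terms of the five classes.
REQUIRED_CLASSES = {
    "alphabetic": lambda cl: bool(cl & {"uppercase", "lowercase"}),
    "mixed-case": lambda cl: {"uppercase", "lowercase"} <= cl,
    "numeric": lambda cl: "digit" in cl,
    "punctuation": lambda cl: "punctuation" in cl,
}


def check_password(password, policy):
    """Return the list of rule violations for a new password; [] means accepted.

    policy is the parsed [Passwords] section. Every rule is evaluated, so a
    password can fail several rules at once.
    """
    problems = []
    present = char_classes(password)

    if "minimum length" in policy and len(password) < int(policy["minimum length"]):
        problems.append("shorter than minimum length %s" % policy["minimum length"])
    if "maximum length" in policy and len(password) > int(policy["maximum length"]):
        problems.append("longer than maximum length %s" % policy["maximum length"])

    if "required" in policy:
        # Class names are separated by whitespace and/or commas.
        for name in re.split(r"[\s,]+", policy["required"].strip().lower()):
            if not name:
                continue
            check = REQUIRED_CLASSES.get(name)
            if check is None:
                # Assumption: an unknown class name is treated as a config error.
                problems.append("unknown required class %r" % name)
            elif not check(present):
                problems.append("no %s character" % name)

    if "complexity" in policy:
        # complexity=N means characters from at least N + 1 of the five classes.
        needed = int(policy["complexity"]) + 1
        if len(present) < needed:
            problems.append("only %d of %d required character classes"
                            % (len(present), needed))
    return problems


def evaluate(config_text, password):
    """Parse the Config text and check one password against its [Passwords] rules."""
    policy = parse_config(config_text).get("passwords", {})
    return check_password(password, policy)


if __name__ == "__main__":
    for candidate in ("Abc123", "abc123", "Abcdef", "Abc12345!"):
        print(candidate, "->", evaluate(SAMPLE_CONFIG, candidate) or "accepted")
```

With the sample policy, "Abc123" is accepted, "abc123" fails both mixed-case and the three-class complexity requirement, and "Abc12345!" fails only the 8-character maximum, which is the limit the CAUTION notes for some MSS programs and APIs.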
[Trace] section
- Config=yes|no
- Traces configuration settings. Setting this to
yes generates a message for each valid configuration setting specified in the
Config field of your
External Security Manager Configuration dialog box. This can be used for auditing and debug purposes; because only settings the
module recognizes are traced, it is also a quick way to confirm that a section tag or option name has been spelled correctly.
The default value is
no.
- Groups=string
- Logs various messages regarding the processing of user groups. If this is set to a string beginning with "y" or to "1", the
ESM Module makes a log entry when it determines that a user belongs to a group during Verify, or when it finds a group ACE
that applies to a request during Auth. This is particularly useful when debugging problems with All-Groups mode.
- Modify=fail|all|y|yes
- Enables the logging of some LDAP modify operations which are normally not logged. If this is set to
fail, the ESM Module makes a log entry if one of these "silent modify" operations fails. If it is set to
all,
y, or
yes, it logs all of these modify operations, including ones that succeed. Affected operations include setting the last-login-time
user attribute, and possibly others.
- Update=y|yes|changes|all
- Logs update requests, which are ESF control requests, made using
ESCWA or the esfupdate command-line utility, that notify ESF and the ESM Modules of changes to security configuration or data.
If this is set to
y or
yes, update requests are logged. If it is set to
changes, additional messages are logged when an update request causes the module to change internal state, such as the MSS attributes
(operator class, and so on) of a user or a user's group membership. If it is set to
all, additional messages are logged when an update request does not cause changes.
- Vsam=yes
- Logs file-handler status codes for VSAM I/O operations on the
ESM file directory. If this is set to
yes, the status codes from the file handler are logged.
[VSAM timeout] section
- retry count=integer
- Set the maximum number of times the module retries opening a file in the VSAM
ESM file directory. The time between retry attempts is specified by
wait length.
The maximum value is a signed 32-bit integer. When neither
retry count nor
max wait is specified, the default retry count is 30.
- wait length=integer
- Set the time in milliseconds to wait between retries when opening a file in the VSAM
ESM file directory.
The maximum value is a signed 32-bit integer and the default value when not specified is 1000, which is one second.
- max wait=integer
- Set the maximum total time to wait when opening a file in the VSAM
ESM file directory.
The maximum value is a signed 32-bit integer and the default value when not specified is 0, which disables the maximum wait.