MLDAP ESM Module

For Security Managers using the MLDAP ESM Module, Micro Focus makes the following hardening recommendations:

Module
Set this to mldap_esm, with no path, and for Linux/UNIX installations, no bitness, threadedness, or file extension suffixes. ESF loads ESM Modules from the product installation directory automatically – it does not search the library load path. ESF will select the appropriate bitness and threadedness automatically.
Connection path
For optimal security, use LDAP-over-TLS: enable TLS in your LDAP server and use the ldaps: scheme prefix in the value for this field. Depending on the LDAP client library (also known as the "provider") in use, you might also have to configure the LDAP client to support TLS. For OpenLDAP, for example, you might need to edit a configuration file such as ldaprc to set the root-certificate file or path so that the OpenLDAP client can validate the server's certificate. Certificate validation matters: TLS without it protects only against passive eavesdropping, not against an attacker who can place a server of their own between Enterprise Server and the LDAP server and capture the Authorized ID's credentials.
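As an added illustration, not part of the Micro Focus documentation, the following OpenLDAP client settings make the provider validate the LDAP server's certificate against a pinned CA and refuse the connection when validation fails. The file location (a per-user ldaprc or the system ldap.conf) and the certificate path are assumptions for this example; the option names are the documented OpenLDAP ones.

```text
# ldaprc (or ldap.conf) read by the OpenLDAP client library that the MLDAP ESM Module uses.
# Example configuration; the path below is an assumption.
TLS_CACERT       /etc/microfocus/ldap-ca.pem
# "demand": the connection fails if the server certificate cannot be validated.
# "never", "allow" and "try" would proceed over an unverified connection.
TLS_REQCERT      demand
# Refuse anything older than TLS 1.2 (3.3 is OpenLDAP's notation for TLS 1.2).
TLS_PROTOCOL_MIN 3.3
```

With this in place, the Connection path field holds a value of the form ldaps://ldap.example.com:636 (the host is an example), and a bind against a server presenting an untrusted certificate fails outright rather than silently falling back to an unverified session.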
Authorized ID / Password
Micro Focus strongly recommends that you do not use the default credentials. For improved security, configure your LDAP server with an account that gives the appropriate level of access for Enterprise Server use. Typically, this is read-only access to groups and resource access rules, and write access to user objects only if necessary for updating attributes such as passwords and last-login-time. Then set these fields to use that account.
Note: You can use the Micro Focus Vault Facility to store a secret for the Authorized ID and Password fields. These fields can be specified using the forms:
mfsecret:configuration-name:secret-path

or:

mfsecret::secret-path

or:

mfsecret:secret-path
Cache Limit / Cache TTL
From Enterprise Server 7.0, the MLDAP ESM Module can cache the results of some LDAP searches. This can significantly improve performance, but introduces the possibility of making security decisions with stale information. If the cache is enabled, set the TTL to meet the organization's tolerance for latency in recognizing changes to security information.
Note: The ESF Update mechanism will flush the MLDAP ESM Module's cache, reducing this exposure.
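The following is an added example, not Micro Focus code, that shows why the cache TTL is a security setting and not just a performance one. A TTL cache sits in front of a constructed in-memory stand-in for the LDAP directory; an administrator revokes a group membership, and the cached authorizer keeps granting access until the entry expires or the cache is flushed (the flush models what ESF Update does). The group and user names, and the cache key scheme, are assumptions for the example.

```python
import time
from typing import Callable, Dict, Set, Tuple


class SearchCache:
    """Cache of LDAP search results. An entry is served until it is older than
    ttl seconds; flush() models the ESF Update mechanism discarding everything."""

    def __init__(self, ttl: float, clock: Callable[[], float] = time.monotonic) -> None:
        self.ttl = ttl
        self.clock = clock                      # injectable so the scenario can move time
        self._entries: Dict[str, Tuple[float, object]] = {}

    def get(self, key: str, loader: Callable[[], object]) -> object:
        now = self.clock()
        entry = self._entries.get(key)
        if entry is not None and now - entry[0] < self.ttl:
            return entry[1]                     # served from cache, possibly stale
        value = loader()                        # miss or expired: query the directory
        self._entries[key] = (now, value)
        return value

    def flush(self) -> None:
        self._entries.clear()


class FakeDirectory:
    """Constructed stand-in for the LDAP repository: user -> set of group names."""

    def __init__(self) -> None:
        self.groups: Dict[str, Set[str]] = {"alice": {"payroll-admins"}}

    def groups_of(self, user: str) -> Set[str]:
        return set(self.groups.get(user, set()))


class Authorizer:
    def __init__(self, directory: FakeDirectory, cache: SearchCache) -> None:
        self.directory = directory
        self.cache = cache

    def is_member(self, user: str, group: str) -> bool:
        groups = self.cache.get("groups:" + user, lambda: self.directory.groups_of(user))
        return group in groups


def run_scenario(ttl: float = 300.0) -> Dict[str, bool]:
    """Walk a revoke / re-grant sequence and record what the cached authorizer answered."""
    clock = [0.0]
    directory = FakeDirectory()
    authz = Authorizer(directory, SearchCache(ttl, clock=lambda: clock[0]))
    out: Dict[str, bool] = {}

    out["before_revoke"] = authz.is_member("alice", "payroll-admins")        # loads the cache
    directory.groups["alice"].discard("payroll-admins")                      # administrator revokes
    clock[0] += 10
    out["after_revoke_cached"] = authz.is_member("alice", "payroll-admins")  # stale allow
    clock[0] += ttl
    out["after_ttl_expiry"] = authz.is_member("alice", "payroll-admins")     # reloaded: denied
    directory.groups["alice"].add("payroll-admins")                          # administrator re-grants
    clock[0] += 10
    out["after_regrant_cached"] = authz.is_member("alice", "payroll-admins") # stale deny
    authz.cache.flush()                                                      # ESF Update
    out["after_flush"] = authz.is_member("alice", "payroll-admins")
    return out


if __name__ == "__main__":
    for step, allowed in run_scenario().items():
        print(f"{step:22s} -> {'allowed' if allowed else 'denied'}")
```

The stale window cuts both ways: a revoked user keeps access for up to one TTL, and a newly granted user is refused for up to one TTL. The TTL should therefore be chosen against the organization's maximum acceptable delay for revocation, with an ESF Update issued after any change that cannot wait.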

Configuration Information settings relevant to hardening

The MLDAP ESM Module supports a large number of options that can be added to the Configuration Information field. Many of these relate to LDAP repository configuration or other aspects which do not directly affect the security of Enterprise Server. Some options which might be useful when hardening an installation are discussed here.

Set login count / Set login time
Enabling the module to update these attributes in the user record can provide useful information to administrators. The login-count attribute is also required for implementing account lockout, which is a useful security feature in many environments. This requires giving Enterprise Server write access to user objects in LDAP, which is a risk; you will need to decide whether that trade-off is appropriate for your organization.
Signon attempts
If Set login count is enabled, this setting can be used to lock accounts out after the specified number of failed signon attempts. This is generally considered good practice.
Note: This requires write access to the user object. Also, the MLDAP ESM Module does not currently support automatic unlocking after a period of time; the account must be manually unlocked by an administrator.
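The following added example (not Micro Focus code) models the Set login count and Signon attempts behaviour described above: consecutive failures are counted in the user record, the account locks once the count reaches the limit, a correct password does not clear a lock, and only an explicit administrative unlock does. The records are constructed in memory with clear-text passwords purely to keep the lockout logic in view, and the flag directory_writable models what happens when Enterprise Server has not been granted write access to user objects. The counter semantics (consecutive failed signons) and the attribute name are assumptions for this example.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class UserRecord:
    # Constructed sample. A real user object holds a password verifier, not the password.
    password: str
    login_count: int = 0    # counter that Set login count maintains (assumed: consecutive failures)
    locked: bool = False


class SignonPolicy:
    """Lock an account after `signon_attempts` consecutive failed signons.
    `directory_writable` models whether Enterprise Server was granted write access
    to user objects: without it the counter cannot be stored and lockout never fires."""

    def __init__(self, users: Dict[str, UserRecord], signon_attempts: int,
                 directory_writable: bool = True) -> None:
        self.users = users
        self.signon_attempts = signon_attempts
        self.directory_writable = directory_writable

    def signon(self, user: str, password: str) -> str:
        record = self.users.get(user)
        if record is None:
            return "denied"              # same answer as a wrong password: no user enumeration
        if record.locked:
            return "locked"              # a correct password does not clear a lock
        if hmac.compare_digest(password.encode(), record.password.encode()):
            if self.directory_writable:
                record.login_count = 0   # a good signon resets the failure counter
            return "ok"
        if not self.directory_writable:
            return "denied"              # nothing can be persisted, so the failure is not counted
        record.login_count += 1
        if record.login_count >= self.signon_attempts:
            record.locked = True
            return "locked"
        return "denied"

    def unlock(self, user: str) -> None:
        """Administrative unlock: there is no timed auto-unlock, so an operator does this."""
        record = self.users[user]
        record.locked = False
        record.login_count = 0


def run_scenario(signon_attempts: int = 3, directory_writable: bool = True) -> List[str]:
    """`signon_attempts` wrong passwords, then the right one, an admin unlock, then the right one again."""
    users = {"bob": UserRecord(password="correct horse battery staple")}
    policy = SignonPolicy(users, signon_attempts, directory_writable)
    outcomes = [policy.signon("bob", "wrong") for _ in range(signon_attempts)]
    outcomes.append(policy.signon("bob", "correct horse battery staple"))
    policy.unlock("bob")
    outcomes.append(policy.signon("bob", "correct horse battery staple"))
    return outcomes


if __name__ == "__main__":
    print("with write access:   ", run_scenario())
    print("without write access:", run_scenario(directory_writable=False))
```

Because there is no automatic unlock, a lockout limit that is too low turns into an easy denial-of-service against named users; pick Signon attempts with that in mind and make sure an operator procedure for unlocking exists before enabling it.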
Check TLQ first / Maximum qualifiers for initial check
These options affect the processing of security rules, particularly for data sets. They can improve performance but could result in unexpected and undesirable behavior if the organization uses rules which begin with wildcards.
Bind
On Windows, the negotiate and es-user options for this setting are somewhat more secure, particularly if LDAP-over-TLS is not used. These options are not currently supported on other platforms.
Password type
This setting only has an effect if Micro Focus password hashes are in effect, and only when users or administrators set passwords. Currently the best choice for this is MF-A2, which uses a salted Argon2 hash, a state-of-the-art type of password verifier. This is the default in current product releases.
Migrate passwords
Enabling this setting is useful if you are using Micro Focus password hashes and have existing user objects whose password verifiers are not of the MF-A2 type. In this case, Micro Focus recommends enabling this feature.
Password settings
A variety of settings under the [Password] section affect password processing and enable the administrator to harden password use. Most of these only apply when MF-hash passwords are used; otherwise the LDAP server and its interaction with the operating system determine the password-strengthening rules. With MF-hash passwords, Micro Focus recommends the following settings for hardening:
  • Configure Expiration to meet the organization's requirements. Note that many security experts now consider regular password expiration counterproductive.
  • The History setting can be used to prevent password reuse.
  • Set length requirements using Minimum length and Maximum length. Remember that Enterprise Server supports long passphrases in most interfaces, but some applications, such as older CICS applications, might not.
  • The Required and Complexity settings can be used to enforce password complexity. Often organizations have specific requirements for passwords which can be represented using the Required setting; otherwise, Micro Focus recommends setting Complexity to 2 or 3 if the minimum password length is less than 20 characters.
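The following added example, not Micro Focus code, brings together the Password type, Migrate passwords and Password settings items above in one runnable model. It keeps tagged verifiers of two types: a hypothetical older unsalted "LEGACY" verifier, and "MF-A2", which on the page means a salted Argon2 hash; Argon2 is not in the Python standard library, so salted scrypt from hashlib stands in for it here. A successful logon against a non-current verifier rewrites it in the current type (the only moment the clear-text password is available), which is how this example realises Migrate passwords. Password changes are checked against Minimum length, Maximum length, Complexity and History; the reading of Complexity as "number of character classes required" is an assumption, since the page does not define the scale.

```python
import base64
import hashlib
import hmac
import os
import string
from typing import Any, Dict, List, Optional

# "MF-A2" is the page's recommended type (salted Argon2). Argon2 is not in the standard
# library, so salted scrypt stands in. "LEGACY" is a hypothetical unsalted older verifier.
CURRENT_TYPE = "MF-A2"
SALT_LEN = 16


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def make_verifier(password: str, vtype: str = CURRENT_TYPE) -> str:
    if vtype == "MF-A2":
        salt = os.urandom(SALT_LEN)
        return "{MF-A2}" + base64.b64encode(salt + _kdf(password, salt)).decode()
    if vtype == "LEGACY":
        return "{LEGACY}" + hashlib.sha256(password.encode()).hexdigest()
    raise ValueError("unknown verifier type " + vtype)


def verifier_type(verifier: str) -> str:
    return verifier[1:verifier.index("}")]


def check_verifier(password: str, verifier: str) -> bool:
    vtype, data = verifier_type(verifier), verifier[verifier.index("}") + 1:]
    if vtype == "MF-A2":
        raw = base64.b64decode(data)
        return hmac.compare_digest(_kdf(password, raw[:SALT_LEN]), raw[SALT_LEN:])
    if vtype == "LEGACY":
        return hmac.compare_digest(hashlib.sha256(password.encode()).hexdigest(), data)
    return False                      # unknown type: fail closed


class PasswordPolicy:
    """Minimum length, Maximum length, Complexity and History. Complexity is taken to be
    the number of character classes a password must draw from (an assumption)."""

    CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)

    def __init__(self, min_length: int = 12, max_length: int = 128,
                 complexity: int = 3, history: int = 5) -> None:
        self.min_length, self.max_length = min_length, max_length
        self.complexity, self.history = complexity, history

    def check(self, password: str, previous: List[str]) -> Optional[str]:
        """Return a rejection reason, or None if the password is acceptable."""
        if len(password) < self.min_length:
            return "shorter than Minimum length"
        if len(password) > self.max_length:
            return "longer than Maximum length"
        classes = sum(any(c in cls for c in password) for cls in self.CLASSES)
        if classes < self.complexity:
            return f"fewer than {self.complexity} character classes"
        recent = previous[-self.history:] if self.history else []
        if any(check_verifier(password, old) for old in recent):
            return "reused a recent password"
        return None


class UserStore:
    """In-memory stand-in for the user objects held in LDAP."""

    def __init__(self, policy: PasswordPolicy) -> None:
        self.policy = policy
        self.records: Dict[str, Dict[str, Any]] = {}

    def add_user(self, user: str, verifier: str) -> None:
        self.records[user] = {"verifier": verifier, "history": []}

    def logon(self, user: str, password: str, migrate_passwords: bool = True) -> bool:
        rec = self.records.get(user)
        if rec is None or not check_verifier(password, rec["verifier"]):
            return False
        if migrate_passwords and verifier_type(rec["verifier"]) != CURRENT_TYPE:
            # The clear-text password is in hand only at logon, so this is the moment
            # an old verifier can be replaced by a current one.
            rec["verifier"] = make_verifier(password, CURRENT_TYPE)
        return True

    def set_password(self, user: str, new_password: str) -> Optional[str]:
        rec = self.records[user]
        problem = self.policy.check(new_password, rec["history"] + [rec["verifier"]])
        if problem:
            return problem
        rec["history"] = (rec["history"] + [rec["verifier"]])[-self.policy.history:]
        rec["verifier"] = make_verifier(new_password, CURRENT_TYPE)
        return None
```

Two details are worth carrying over to a real deployment: the history check compares the candidate against stored verifiers, never against stored clear text, and an unknown verifier type is rejected rather than passed through, so a corrupted or foreign attribute value cannot grant access.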
SecretFile
If ESF passtokens are used, for passing authentication between subsystems such as MFDS and ESCWA, or for DCAS, then Micro Focus strongly recommends using this option. The "secret file" can contain anything, as long as it has at least 128 bits of entropy; even 1 KB or so of ordinary text would suffice. The point of this setting is to avoid using either the built-in secret (which is available to anyone with a copy of the product) or a secret in the configuration (which is available to anyone who can view the configuration) to generate passtokens. Otherwise, a technically skilled attacker could forge passtokens. Restrict the file's permissions so that only the account Enterprise Server runs under can read it; a secret file that is world-readable is no better than one in the configuration.
Note: there is no space between "Secret" and "File" in the name of this setting.
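The following added example, not Micro Focus code, shows why a built-in or configuration-visible secret lets passtokens be forged and how a secret file closes that hole. The token format (principal, expiry and an HMAC-SHA256 over both) is hypothetical and is not ESF's actual passtoken format; the built-in secret value, the SYSADM principal and the file path are constructed for the example. An attacker who knows the built-in secret mints a privileged token; a verifier configured with the built-in secret accepts it, while one keyed from a randomly generated secret file does not.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Dict, Optional

# Constructed stand-in for a secret shipped inside the product: anyone with a copy of the
# software knows it, so any token it authenticates can be minted by an attacker too.
BUILT_IN_SECRET = b"example-built-in-passtoken-secret"
MIN_SECRET_BYTES = 16      # 128 bits is a floor on size, not a guarantee of entropy


def generate_secret() -> bytes:
    return os.urandom(32)  # 256 bits from the OS CSPRNG


def write_secret_file(path: str) -> None:
    with open(path, "wb") as fh:
        fh.write(generate_secret())
    os.chmod(path, 0o600)  # readable by the Enterprise Server account only


def load_secret(path: str) -> bytes:
    with open(path, "rb") as fh:
        secret = fh.read()
    if len(secret) < MIN_SECRET_BYTES:
        raise ValueError("secret file too short to hold 128 bits of entropy")
    return secret


def mint_passtoken(secret: bytes, principal: str, lifetime: int, now: Optional[int] = None) -> str:
    """Hypothetical token format: principal|expiry|HMAC-SHA256(hex), base64 encoded."""
    expiry = (int(time.time()) if now is None else now) + lifetime
    payload = f"{principal}|{expiry}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(payload + b"|" + mac).decode()


def verify_passtoken(secret: bytes, token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the principal if the token is authentic and unexpired, otherwise None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        principal, expiry, mac = raw.rsplit(b"|", 2)
        expiry_at = int(expiry)
        name = principal.decode()
    except ValueError:             # bad base64, wrong field count, non-numeric expiry
        return None
    expected = hmac.new(secret, principal + b"|" + expiry, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(mac, expected):   # constant-time; checked before anything else
        return None
    if expiry_at <= (int(time.time()) if now is None else now):
        return None
    return name


def forgery_demo(secret_file_secret: bytes, now: int = 1_700_000_000) -> Dict[str, bool]:
    """Attacker mints a SYSADM token with the built-in secret; which verifiers accept it?"""
    forged = mint_passtoken(BUILT_IN_SECRET, "SYSADM", 300, now)
    genuine = mint_passtoken(secret_file_secret, "SYSADM", 300, now)
    raw = base64.urlsafe_b64decode(genuine.encode())
    tampered = base64.urlsafe_b64encode(b"OPERATOR" + raw[raw.index(b"|"):]).decode()
    return {
        "forged_accepted_by_default_config": verify_passtoken(BUILT_IN_SECRET, forged, now) == "SYSADM",
        "forged_accepted_with_secretfile": verify_passtoken(secret_file_secret, forged, now) == "SYSADM",
        "genuine_accepted_with_secretfile": verify_passtoken(secret_file_secret, genuine, now) == "SYSADM",
        "genuine_accepted_after_expiry": verify_passtoken(secret_file_secret, genuine, now + 301) == "SYSADM",
        "tampered_accepted": verify_passtoken(secret_file_secret, tampered, now) == "OPERATOR",
    }


if __name__ == "__main__":
    import tempfile
    path = os.path.join(tempfile.mkdtemp(), "passtoken.secret")   # example location
    write_secret_file(path)
    for check, outcome in forgery_demo(load_secret(path)).items():
        print(f"{check:36s} {outcome}")
```

Every subsystem that must accept each other's passtokens (MFDS, ESCWA, DCAS) needs the same secret file contents, so the file has to be distributed to each of them over a protected channel; the length check in load_secret catches an empty or truncated copy, but only a CSPRNG-generated file gives the entropy the page asks for.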
Trace settings
Tracing can be useful in diagnosing issues, but might reveal sensitive data to an attacker who can obtain copies of log files. Micro Focus recommends that you disable tracing when it is not required, and that you protect and delete trace output produced while it was enabled.