To Secure Access to Enterprise Server Logs

Before you start, Enterprise Server external security using an LDAP security manager must already be configured and enabled for the region.
  1. In the LDAP repository, in the resource container (default CN=Enterprise Server Resources), create the class container CN=Communications Server, if it does not already exist.
  2. In the class container CN=Communications Server, create the resource access control objects CN=Enterprise Server Console Log and CN=Communications Server Log, if they do not already exist. Use the LDAP class microfocus-MFDS-Resource, unless a different resource class is specified in your Security Manager configuration (this is rare). Access to the console and communications logs through the administration web interfaces (or by HTTP requests directly to the communications server) is now restricted by these objects. The logs cannot be viewed remotely unless Access Control Lists (ACLs) are set.
    Note: When security is enabled for an Enterprise Server log, Enterprise Server uses HTTP Basic Authentication to request a username and password. The username and password are validated, and then the user's identity is checked against the Access Control List. To avoid credentials being sent in plaintext over the network, configure SSL for the region's Communications Servers.
  3. Edit the CN=Enterprise Server Console Log and CN=Communications Server Log objects to specify access to the console and communications logs, respectively. Edit the value of the attribute microfocus-MFDS-Resource-ACE to add one or more Access Control Entries granting access to the log.
  4. Save your changes to the LDAP data and either restart the region or send it a Security Update notification, so that your new settings take effect.
For example, the access control entry allow:SYSAD:read will allow the SYSAD user to retrieve the log over HTTP and view it in the web administration interfaces.
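
One way to confirm the result after step 4, as an added example that is not part of the product documentation: the script requests a log URL without credentials and reports whether the log is still open, or whether the Basic Authentication challenge arrives over plain HTTP. The log URL is not given on this page, so it is passed on the command line; the finding labels and function names are constructed for this example.

```python
"""Added example: check that a log URL enforces authentication (constructed helper)."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def assess(url, status, www_authenticate):
    """Return a list of findings for an unauthenticated request to `url`."""
    findings = []
    scheme = urlsplit(url).scheme.lower()
    challenge = (www_authenticate or "").strip().lower()
    if 200 <= status < 300:
        # The log came back with no credentials: the resource objects or
        # their ACLs are missing, or the region has not reloaded security.
        findings.append("OPEN: log returned without credentials")
    elif status == 401 and challenge.startswith("basic"):
        # Expected challenge; it is only safe when the transport is TLS.
        if scheme != "https":
            findings.append("PLAINTEXT: Basic challenge over http; configure SSL")
    elif status == 401:
        findings.append("UNEXPECTED: 401 without a Basic challenge")
    else:
        findings.append(f"UNEXPECTED: HTTP status {status}")
    return findings


def probe(url, timeout=10):
    """Request `url` with no credentials; return (status, WWW-Authenticate)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate")
    except urllib.error.HTTPError as err:  # 4xx/5xx arrive as exceptions
        return err.code, err.headers.get("WWW-Authenticate")


if __name__ == "__main__":
    # Usage: python check_log_access.py <log URL>  (URL supplied by the operator)
    target = sys.argv[1]
    results = assess(target, *probe(target))
    for line in results:
        print(line)
    print("OK" if not results else "FAIL")
    sys.exit(1 if results else 0)
```

An empty findings list means the request was challenged with Basic Authentication over HTTPS; whether a given user is then granted access still depends on the Access Control Entries set in step 3.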