Enterprise Server Security Considerations

Starting with this release, the Enterprise Server security functionality provided by the VSAM External Security Manager (VSAM ESM) module is enabled by default out of the box. This means you now need to supply valid credentials when you interact with:

  • Enterprise Server Common Web Administration (ESCWA)
  • The Micro Focus Directory Server (MFDS)
  • enterprise server regions via:
    • ESCWA
    • Certain command-line utilities (such as casstart)
    • TN3270 emulator access
    • The Server Explorer window in the IDE or in the new Data Tools available in 10.0
    • IMTK deployment

For more information about the default VSAM Security Manager, see VSAM ESM Module.

Upgrading an Existing Security Configuration

If security is already configured for a domain (Data Tools, MFDS, or the default Enterprise Server security), the installation process does not change this configuration. If data already exists in either the old or new VSAM ESM default data directory, it will not be altered. However, Micro Focus recommends backing up the following before reinstalling or updating the product: the Data Tools and MFDS configuration files (commonwebadmin.json and mfdsacfg.xml), the MFDS repository data, and the VSAM ESM Module security data. By default, the MFDS repository data and the VSAM ESM Module data are located under %ProgramData%\Micro Focus (Windows) or $COBDIR/etc (UNIX).

Default Generated Password for SYSAD

The installation generates a random password for the system administrator account, SYSAD. To retrieve this password, execute the following from an Enterprise Developer command prompt or Enterprise Server command prompt (Windows) or from a terminal that has the COBOL environment set (UNIX):

mfsecretsadmin read microfocus/temp/admin

The password value stored in this vault location is not used by the default Security Manager (VSAM ESM) to validate input credentials. Its purpose is to enable users to initially discover their randomly generated password. Additionally, Server Explorer uses this location to pre-populate the Micro Focus Servers connection and the credentials dialog box at region start-up. Once entered, you can optionally save the credentials in IDE-specific storage. Micro Focus recommends that once the credentials are safely known or changed that you remove this value from the vault (using mfsecretsadmin delete microfocus/temp/admin).

Change the Default Password for SYSAD

Micro Focus recommends that you promptly replace this password with one that conforms to your security policy. You can do this from the ESCWA logon page - click Change Password. Alternatively, you can use the esfadmin SETPASSWORD command and specify the "vsam_esm" module file.
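The retrieve-then-remove procedure above (read the generated SYSAD password from the vault, change it, then delete the temporary vault entry) as a small post-install helper script. This is an added example, not part of the product documentation; it assumes that mfsecretsadmin read prints the secret value on stdout and exits non-zero when the entry is absent, and it does not perform the password change itself (do that via ESCWA or esfadmin SETPASSWORD as described above before confirming removal).

```shell
#!/bin/sh
# Added example: audit and clean up the temporary SYSAD secret after installation.
# Assumption: `mfsecretsadmin read <path>` writes the value to stdout and fails when
# the entry does not exist; `mfsecretsadmin delete <path>` removes the entry.

TEMP_ADMIN_PATH="microfocus/temp/admin"

# Returns 0 when the generated SYSAD password is still stored in the vault.
temp_admin_secret_present() {
    value=$(mfsecretsadmin read "$TEMP_ADMIN_PATH" 2>/dev/null) || return 1
    [ -n "$value" ]
}

# Reports whether the temporary entry is still present. Returns 1 (a finding)
# when it is, so the function can be used from a post-install checklist.
audit_temp_admin_secret() {
    if temp_admin_secret_present; then
        echo "WARNING: generated SYSAD password is still stored at $TEMP_ADMIN_PATH" >&2
        return 1
    fi
    echo "OK: no temporary admin secret in the vault"
}

# Deletes the temporary entry, but only after the caller confirms that the
# SYSAD password has been changed (pass the literal word "yes").
remove_temp_admin_secret() {
    confirmed="$1"
    if [ "$confirmed" != "yes" ]; then
        echo "refusing: change the SYSAD password first, then rerun with 'yes'" >&2
        return 2
    fi
    if ! temp_admin_secret_present; then
        echo "temporary admin secret already removed"
        return 0
    fi
    mfsecretsadmin delete "$TEMP_ADMIN_PATH"
}
```

Run audit_temp_admin_secret from a COBOL-environment shell after installation; once the SYSAD password has been changed, call remove_temp_admin_secret yes.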

Authentication in the Browser-Based ESCWA

You need to provide credentials to access ESCWA. After the installation, the ESCWA logon page shows information on how to obtain the default admin (SYSAD) generated password. You can disable this message in the ESCWA Security Settings dialog ("Show Default Security Warning on Log On").

For local installations, the default Directory Server will automatically be authenticated with the ESCWA credentials. Otherwise, you might need to provide the Directory Server's own credentials. You may use the same credentials as the ones for ESCWA.

Note the default 5-minute (300 second) session timeout setting for inactivity in ESCWA. If required, you can change this from the ESCWA Security Settings dialog ("Session Inactivity Timeout").

Authentication Inside the IDE and the Data Tools Utility

The Server Explorer window in the IDE and in Data Tools requires credentials for the Micro Focus Servers node to connect to the default local ESCWA and the MFDS. Additionally, you need to provide credentials to start any regions. By default, the credentials will be pre-populated in the dialog using the values stored in the microfocus/temp/admin vault location. These credentials can optionally be stored by the IDE so they do not need to be manually input again.

Note: If you delete the SYSAD user or change the password generated for it by the installer in the default VSAM Security Manager, you need to provide new sufficiently authorized credentials for the Server Explorer connection.

Authentication for HACloud

HACloud will initially use the default generated "readonly" credentials specified in the microfocus/common/readonly vault location. If ESCWA and/or the Micro Focus Directory Server are subsequently configured with non-default credentials, you need to manually configure HACloud to use these. See Authenticating HACloud for Work with ESCWA and MFDS.

Fileshare

If you want to view or delete Fileshare instances in ESCWA, you now need to log on using authorized credentials (such as the default SYSAD user).

Command-Line Utilities

There are multiple command-line utilities that control and access enterprise server regions. These use Enterprise Server credentials specified as parameters - for example, casstart /z.

See Administration and Configuration Commands for individual commands to determine how to specify authorized credentials.

Samples and Tutorials

There are a variety of samples and tutorials supplied with the product. Many of these assume that security is not enabled, so to work through them unaltered, the default security will first need to be disabled. See To Disable the Default Enterprise Server Security Configuration. If security is not disabled, you will need to take it into account when you:

  • Use ESCWA
  • Start a region
  • Run a cas command line utility
  • Run a transaction using TN3270. You need to sign in via CESN.
  • Submit a JCL job

In Server Explorer inside the IDE, the SignOn dialog boxes to ESCWA will have the default generated SYSAD credentials pre-populated. If the SYSAD password has been changed, or you need to use different credentials, you need to sign on using the required details.

Micro Focus Common Client

The mf-client.dat file, which is used by the Micro Focus Common Client (MFCC), is configured out of the box to use the default generated "readonly" credentials from the microfocus/common/readonly vault location. This means that access to the Micro Focus Directory Server using the default security configuration works automatically for read-only access.

MFCC is used by COBOL web service proxy programs, the Interface Mapping Toolkit service-deployment mechanism, Fileshare clients (when configured appropriately), various utilities such as cassub (depending on the operating mode), the CICS Web Interface and CICS Web Services, and product components such as MFCS and ESCWA. See Micro Focus Common Client.