Security managers process the security queries generated by the ESF, and return either an allow, deny, or unknown status.
You can configure multiple security managers in an installation's security manager pool. From the pool, you can create a default
list of the security managers to use and lists for individual Enterprise Servers.
Note: Security managers are sometimes referred to as External Security Managers, or ESMs.
The ESF sends security queries to the security managers in the order in which they are configured in the list.
You configure Enterprise Server to:
- Authorize access when the first security manager authenticates it.
- Authorize access only when all security managers authenticates it.
- Authorize or block access requests that return an unknown status.
Enterprise Server includes the following security managers that you can configure and use:
- osesm
- This security manager provides access to the Windows operating system's user configuration. You can use it to authenticate
Windows users.
- mldap_esm
- This security manager allows you to integrate your Enterprise Server security with an LDAP. You can use
mldap_esm with both Microsoft Active Directory, and other LDAPs, for example, OpenLDAP. With
mldap_esm, you can implement access control for users, and for the resources and files that an application uses.
- pam_esm
- On Linux, this security manager provides access to the Pluggable Authentication Modules (PAM) framework. You can use it to
authenticate Linux users.
- vsam_esm
- This security manager provides authentication and authorization using security data stored in COBOL indexed files. It is a
simpler alternative to
mldap_esm if you do not need a central repository of security data or some of the advanced features of
mldap_esm. As of the 10.0 release, it is used to implement default security when the product is installed fresh, not upgraded from
a previous release. See
The Default Enterprise Server Security Configuration for more information.
- MFDS Internal Security
- Directory Server security can be implemented through the MFDS internal security manager. This security manager is used for
Directory Server when no other security manager is present in its security manager list. It enables you to specify users and
groups, and restrict access to Enterprise Server administration functions.
Note: MFDS Internal Security is now deprecated.Micro Focus recommends you use a security manager with
vsam_esm instead.
- CASESM
- The CAS ESM Module (casesm) uses the Enterprise Server legacy security definitions which are stored in the CICS resource tables. This is the model used
in
Net Express or
Server Express 5.0 and earlier.
This enables you to use any security configurations from
Net Express or
Server Express prior to release 5, which uses the current architecture.
Note: casesm can only be used within CAS and the CAS command-line utilities, and is ignored by MFDS, MFCS, and any non-CAS utilities such
as esfadmin.
casesm is now deprecated.Micro Focus recommends you use a security manager with
vsam_esm instead.
In addition to the above, security managers can be anything that processes the API security queries that the ESF generates,
and that can return results to the ESF. You can develop a security manager to suit your requirements. A security manager could
be a database, a directory, or an operating system mechanism.