On
Windows and
UNIX,
Micro Focus strongly recommends that you configure additional security to restrict access to your vault.
On Windows,
Micro Focus strongly recommends you restrict access to the vault files and to the
mfsecrets.cfg file, which contains information required to read secrets from the vault. Modifying the filesystem permissions can be used
to achieve this:
- Create a group named, for example, "Micro Focus ES". Add the Administrators group and the LOCAL_SYSTEM account to that group.
- Set an inheritable Access Control List (ACL) on
%PROGRAMDATA%\Micro Focus\Enterprise Developer\mfsecrets so that only the "Micro Focus ES" group can read, write, and delete.
- Set an ACL on
%COBDIR%\etc\secrets.cfg so that only the "Micro Focus ES" group can read, write, and delete.
Note: All users who start
enterprise server regions from the command line need to be members of the "Micro Focus ES" group; similarly any accounts used to start
enterprise server regions by running casstart (for example, schedulers) need to be members of that group; and similarly if the MFDS service account
is changed, it needs to be a member of that group.
On UNIX, you can restrict access to the vault files and to the
mfsecrets.cfg, to do this:
- Change the permissions of the
secrets.cfg file, typically located at
$COBDIR/etc/secrets.cfg, to be read and write (600) by the ES_USER used at install.
- Change the permissions of the vault directory, default location
/opt/microfocus/secrets/<install hash>, to be read, write, and execute (700) by the ES_USER used at install.