Security managers process the security queries generated by the ESF, and return either an allow, deny, or unknown status.
You can configure multiple security managers in an installation's security manager pool. From the pool, you can create a default
list of the security managers to use and lists for individual Enterprise Servers.
Note: Security managers are sometimes referred to as External Security Managers, or ESMs.
The ESF sends security queries to the security managers in the order in which they are configured in the list.
You can configure Enterprise Server to:
- Authorize access when the first security manager authenticates it.
- Authorize access only when all security managers authenticate it.
- Authorize or block access requests that return an unknown status.
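The following Python sketch is an added example, not Enterprise Server code. It models how list order and these three settings combine into one access decision. The names `decide`, `require_all`, `allow_unknown` and the two sample managers are hypothetical, and the sketch assumes that a manager returning unknown abstains, so the unknown policy applies only when every manager abstains.

```python
from enum import Enum


class Status(Enum):
    ALLOW = "allow"
    DENY = "deny"
    UNKNOWN = "unknown"


def table_manager(table):
    """Constructed stand-in for a security manager: looks a user up in a dict."""
    return lambda user: table.get(user, Status.UNKNOWN)


def decide(managers, user, require_all=False, allow_unknown=False):
    """Combine statuses from an ordered manager list into (granted, trace).

    Assumption (not from the product): UNKNOWN means the manager abstains,
    and the unknown policy applies only if every manager abstains.
    """
    trace, allowed = [], False
    for name, query in managers:
        status = query(user)
        trace.append((name, status.value))
        if status is Status.DENY:
            return False, trace      # a deny is final in both modes
        if status is Status.ALLOW:
            if not require_all:
                return True, trace   # first definite answer decides
            allowed = True           # keep asking the remaining managers
    return (allowed or allow_unknown), trace


# Constructed sample data: two managers, queried in list order.
MANAGERS = [
    ("os", table_manager({"alice": Status.ALLOW, "bob": Status.ALLOW})),
    ("directory", table_manager({"alice": Status.ALLOW, "bob": Status.DENY})),
]

if __name__ == "__main__":
    for user in ("alice", "bob", "mallory"):
        for require_all in (False, True):
            for allow_unknown in (False, True):
                granted, trace = decide(MANAGERS, user, require_all, allow_unknown)
                print(f"{user:8} all={require_all!s:5} unknown_ok={allow_unknown!s:5} "
                      f"-> {'GRANT' if granted else 'BLOCK'} {trace}")
```

In this model, `bob` is granted access in first-manager mode because the second manager's deny is never consulted, and `mallory`, whom no manager knows, is granted access whenever unknown results are authorized.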
Enterprise Server includes the following security managers that you can configure and use:
- osesm
  This security manager provides access to the Windows operating system's user configuration. You can use it to authenticate
  Windows users.
- mldap_esm
  This security manager allows you to integrate your Enterprise Server security with an LDAP directory. You can use
  mldap_esm with Microsoft Active Directory and with other LDAP servers, for example, OpenLDAP. With
  mldap_esm, you can implement access control for users, and for the resources and files that an application uses.
- pam_esm
  On Linux, this security manager provides access to the Pluggable Authentication Modules (PAM) framework. You can use it to
  authenticate Linux users.
- MFDS Internal Security
  Directory Server security can be implemented through the MFDS internal security manager. This security manager is used for
  Directory Server when no other security manager is present in its security manager list. It enables you to specify users and
  groups, and restrict access to Enterprise Server administration functions.
- CASESM
  The CAS ESM Module (casesm) uses the Enterprise Server legacy security definitions, which are stored in the CICS resource tables.
  This is the model used in Net Express or Server Express 5.0 and earlier. This enables you to use any security configurations
  from Net Express or Server Express prior to release 5, which uses the current architecture.
  Note: casesm can only be used within CAS and the CAS command-line utilities, and is ignored by MFDS, MFCS, and any non-CAS
  utilities such as esfadmin.
In addition to the above, security managers can be anything that processes the API security queries that the ESF generates,
and that can return results to the ESF. You can develop a security manager to suit your requirements. A security manager could
be a database, a directory, or an operating system mechanism.