The
OS ESM Module also supports some additional configuration that can be set by editing the text in the Configuration Information area. Text
in this area is organized into sections which begin with a "tag" in square brackets, followed by lines in the form
name=value.
Here are the various configuration sections, and the options that can be set in each section.
[Operation] section
- domain=domain
- Set the default domain for checking the user's credentials. By default this is ".", which means to try to log the user on to the local system.
- type=network | interactive
- Set the type of logon to use. Windows supports a number of logon types. Servers typically use the network logon to verify
user credentials, as it is supposed to be faster and use fewer resources. However, it requires that the user have the "Use
this computer over a network" right, which some user accounts may not have. Also, it does not work in some situations where
the user should be able to log on, for example when a Windows system is trying to verify a domain user who does not have a
local account. If you find users cannot log on using their correct domain usernames and passwords, try setting this to
interactive, which will perform a full Windows interactive logon.
The default is
network.
[Passtoken] section
- enable=none | self | any
- Set the passtoken creation and use privileges:
- none disables passtokens.
- self allows the creation and use of self-only passtokens (users can use passtokens to transfer their credentials between MFDS
and ESMAC, for example).
- any allows the creation of self and surrogate passtokens. This is a security risk: an attacker who learns how to forge surrogate
passtokens could use them to sign on to any facility that accepts surrogate passtokens. (Currently
Enterprise Server does not use surrogate passtokens, but they might be used in the future for inter-region transaction routing, for example.)
The default is
none. Set it to
self if you want to be able to move between MFDS and ESMAC without signing on twice.
- secret=string
- Set the secret data which will serve as the key for the Message Authentication Code (MAC) in
ESF Passtokens generated by the
ESM Module. This data prevents attackers who do not know it from forging passtokens. Note that any setting here will obviously not be
secret from anyone who can read the MFDS repository. If this value is set, it must be set the same for all security domains
(MFDS and
Enterprise Server regions) that will exchange passtokens.
- secret file=path
- Set the path to a file that contains the secret data for the passtoken MAC. This is more secure than setting the secret data
directly in the configuration. If SecretFile is set, any Secret directive is ignored. (If neither is set, a built-in default
is used.)
- duration=seconds
- Set the duration for passtokens. A token will be valid for this length of time after it's generated; after that it will be
rejected. The default is
60 (one minute).
[Trace] section
- verify=yes
- Enables trace messages for the
osesm
Verify operation. Trace messages are written to the same location as error messages, for example the console log. Tracing is useful
in diagnosing issues, but might reveal sensitive data to an attacker who can obtain copies of log files. Disable tracing when
it is not needed.