MF Directory Server Security

Restriction: This topic applies only when the Enterprise Server feature is enabled.

Use this page to define the security settings to be used with Directory Server.

Add

Click this to add a security manager from the pool of available definitions.

Authenticated client sessions

There are two main methods that a remote user can use to connect to the Directory Server:

  • Using Enterprise Server Administration, which runs in a Web browser. This method is intended for the administrative functions. These clients are known as Web browser clients.
  • Using the underlying MLDAP API, usually via some higher level application interface or product, to carry out some short-lived operation such as to search for the address of a service or to modify the properties of an object. These clients are known as program clients.

If Directory Server is running in Restricted mode, Web browser clients have to authenticate themselves to the Directory Server, carry out any operations, and then log off. (Program clients always run in Restricted mode.) Between authentication and log off (or removal) the client is held in the authenticated client list maintained internally by the Directory Server process. To stop the list from accidentally growing too large (not all users or applications log off correctly after they have been authenticated), and also to maintain security, the Directory Server removes both Web browser and program client sessions after a configurable period of inactivity. The two periods are set separately, by the Web browser timeout and Client program timeout fields described below.

Certificate
Custom server certificate path.
Certificate passphrase

Custom server certificate passphrase (optional).

Change

Click this to replace MFDS Internal Security with a security manager from the pool of available definitions. This button is only present if you are using the MFDS Internal Security Manager. As MFDS Internal Security cannot be used alongside other security managers, when you add the new manager MFDS Internal Security is removed from the list.

Cipher suites

Specifies the cipher suites to be used, in order of priority.

The cipher suite priority is a space-separated string of OpenSSL cipher keywords (for example HIGH, kEECDH, or an individual suite name), each optionally prefixed by one of the following modifiers:

!
Exclude. Permanently exclude the cipher suite and ignore any subsequent attempt to add the cipher suite back in.
+
Move to end. In OpenSSL cipher list syntax this moves the matching cipher suites that are already in the collection to the end of the list, lowering their priority; it does not add suites that are not already present.
-
Delete. Delete the cipher suite from the existing collection. Unlike !, a deleted suite can be added back by a later keyword.

For example, to use only high security ciphers ordered by strength and then speed, excluding all others, type the following:

kEECDH+ECDSA kEECDH kEDH HIGH +SHA !RC4 !aNULL !eNULL !MEDIUM !LOW !3DES !MD5 !EXP

To determine the cipher suites supported by your version of OpenSSL, type the following from a command prompt:
openssl ciphers -v 'ALL:COMPLEMENTOFALL'
To check what a particular priority string actually selects, and in what order, pass that string in place of ALL:COMPLEMENTOFALL. Any suite missing from the output cannot be negotiated, and the order shown is the order the server will prefer when TLS honor server cipher list is checked.
Client program timeout

Specify the maximum interval in seconds since the last activity of a program client before it is automatically unbound.

The minimum value is 60 seconds (1 minute). A value of -1 indicates an infinite timeout period.

The default value is 6000 seconds (100 minutes).

Description

The description column indicates the description for a security manager.

Enabled

This column indicates whether or not the security manager is enabled. If it is not enabled, it will be ignored by Directory Server and those enterprise servers that reference it.

Keyfile

Custom keyfile path.

Keyfile passphrase

Custom keyfile passphrase.

Module

This column indicates the module used by a security manager to access an external security manager or to implement the security rules.

Name

This column indicates the name used to identify a security manager.

Priority

Indicates the position of the security manager in the sequence in which the security managers are queried.

Remove

Click this to remove the currently selected definition from this list.

Note: The definition is only removed from this list, not from the available pool of definitions.
Restrict user access

Check this to cause all administrative access to the Directory Server to be authenticated and authorized by the entries on the Security Manager Priority List.

Secure Port

Unless a specific secure port is specified, the SSL connection will use a dynamically assigned port each time the MF Directory Server process is restarted. A fixed known port may be useful if configuring firewall settings.

Security Manager List

This is the list of security managers (taken from the available pool) that MF Directory Server can use to perform security queries.

Note: Security managers are queried in the order that they appear in the list. If the Verify against all Security Managers checkbox is not checked, the first manager in the list that responds with a definite answer will determine the result of a security query. See the text for Verify against all Security Managers for more details.

Use the up and down arrows to reposition the selected entry.

Select

Use this to select a security manager for removal or for moving to a different position in the list.

TLS honor server cipher list

Check this option to make the server choose the cipher suite according to its own order of precedence, as listed in the server's Cipher suites field, rather than the order proposed by the client. Check it unless a client genuinely needs to drive the choice: otherwise a client can steer the negotiation towards the weakest suite that both sides still permit.

TLS protocols

Specifies the list of TLS protocols to be used in order of precedence listed.

Valid protocols are SSL2, SSL3, TLS1, TLS1.1, TLS1.2, TLS1.3 and TLS1.4, where TLS1.3 and TLS1.4 are placeholders to enable support for future versions. By default, only the TLS protocols are enabled. SSL2 and SSL3 have known protocol-level weaknesses and should stay excluded, and TLS1 and TLS1.1 are deprecated (RFC 8996), so on a current deployment enable only TLS1.2 and later unless a specific client cannot negotiate them. Each specified protocol is preceded by one of the following operators:
!
Exclude. Permanently exclude the protocol and ignore any subsequent attempt to add the protocol back in.
+
Add. Add the protocol to the existing collection.
-
Delete. Delete the protocol from the existing collection.
Note: You can use the special option ALL to specify all of the supported protocols. Use -ALL to empty the default options list followed by the new options you require.

For example, to only use TLS1.1 and TLS1.2, type the following:

-ALL+TLS1.1+TLS1.2
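The cipher suite string above and the TLS protocols string share the same add, move, delete and exclude operators, and the point that matters most for hardening is that ! is sticky while - is not: a suite or protocol excluded with ! cannot be re-enabled by a later keyword, even by ALL. The following Python is an added example written for this page, not code from the product: it evaluates both forms against a small constructed catalogue (the real tables live inside OpenSSL; use openssl ciphers -v for those). It applies + to a cipher string the way OpenSSL does (reorder existing suites only) and + to a protocol string as an add, as the field description above states. The suite tags, the default of only the TLS protocols being enabled, and the weak_protocols check are assumptions made for the example.

```python
import re

# Constructed toy catalogue (NOT OpenSSL's real tables): suite name -> keyword tags.
TOY_SUITES = [
    ("ECDHE-ECDSA-AES256-GCM-SHA384", {"kEECDH", "ECDSA", "HIGH", "AESGCM"}),
    ("ECDHE-RSA-AES256-GCM-SHA384", {"kEECDH", "RSA", "HIGH", "AESGCM"}),
    ("ECDHE-RSA-AES128-SHA", {"kEECDH", "RSA", "HIGH", "SHA"}),
    ("DHE-RSA-AES256-SHA", {"kEDH", "RSA", "HIGH", "SHA"}),
    ("AES256-SHA", {"kRSA", "RSA", "HIGH", "SHA"}),
    ("ECDHE-RSA-RC4-SHA", {"kEECDH", "RSA", "RC4", "MEDIUM", "SHA"}),
    ("AECDH-AES256-SHA", {"kEECDH", "aNULL", "HIGH", "SHA"}),
    ("DES-CBC-SHA", {"kRSA", "RSA", "LOW", "SHA"}),
    ("NULL-SHA", {"kRSA", "RSA", "eNULL", "SHA"}),
]
# Protocol names accepted by the TLS protocols field, in version order.
TOY_PROTOCOLS = ["SSL2", "SSL3", "TLS1", "TLS1.1", "TLS1.2", "TLS1.3", "TLS1.4"]


def _matches(name, tags, keyword):
    """'kEECDH+ECDSA' is an AND of tags; 'ALL' and the item's own name also match."""
    if keyword == "ALL" or keyword == name:
        return True
    return all(part in tags for part in keyword.split("+"))


def apply_ops(ops, catalogue, initial=(), plus_adds=False):
    """Apply (operator, keyword) pairs, in order, to an ordered collection.
    ''  : add matching items not yet present, at the end
    '+' : move matching items already present to the end (OpenSSL semantics);
          with plus_adds=True, also append matching items not yet present
    '-' : delete matching items (a later keyword may add them back)
    '!' : delete matching items and refuse every later attempt to add them
    """
    chosen = list(initial)
    excluded = set()
    for op, keyword in ops:
        hits = [n for n, tags in catalogue if _matches(n, tags, keyword)]
        if op == "!":
            excluded.update(hits)
            chosen = [c for c in chosen if c not in hits]
        elif op == "-":
            chosen = [c for c in chosen if c not in hits]
        elif op == "+":
            moved = [c for c in chosen if c in hits]
            chosen = [c for c in chosen if c not in hits] + moved
            if plus_adds:
                chosen += [h for h in hits if h not in chosen and h not in excluded]
        else:
            chosen += [h for h in hits if h not in chosen and h not in excluded]
    return chosen


def evaluate_cipher_list(spec):
    """Space-separated cipher string; each token may start with !, + or -."""
    ops = []
    for token in spec.split():
        op, keyword = (token[0], token[1:]) if token[0] in "!+-" else ("", token)
        ops.append((op, keyword))
    return apply_ops(ops, TOY_SUITES)


def evaluate_protocol_list(spec):
    """Protocol string: every protocol is preceded by an operator, no separators.
    Assumed starting point: only the TLS protocols enabled (the stated default)."""
    ops = re.findall(r"([!+-])([A-Za-z0-9.]+)", spec)
    default = [p for p in TOY_PROTOCOLS if p.startswith("TLS")]
    return apply_ops(ops, [(p, set()) for p in TOY_PROTOCOLS], default, plus_adds=True)


def weak_protocols(enabled):
    """Assumed hardening check: flag anything older than TLS1.2."""
    return [p for p in enabled if p in ("SSL2", "SSL3", "TLS1", "TLS1.1")]


if __name__ == "__main__":
    page_example = "kEECDH+ECDSA kEECDH kEDH HIGH +SHA !RC4 !aNULL !eNULL !MEDIUM !LOW !3DES !MD5 !EXP"
    print(evaluate_cipher_list(page_example))
    print(evaluate_cipher_list("HIGH !aNULL aNULL"))  # aNULL stays out: ! is sticky
    print(evaluate_cipher_list("HIGH -aNULL aNULL"))  # aNULL comes back: - is not
    print(evaluate_protocol_list("-ALL+TLS1.1+TLS1.2"), weak_protocols(evaluate_protocol_list("-ALL+TLS1.1+TLS1.2")))
```

Run against the page's own cipher example, the toy catalogue yields only the five HIGH, authenticated suites, with the anonymous and RC4 suites stripped by the ! entries; the page's protocol example -ALL+TLS1.1+TLS1.2 is reported by weak_protocols as still carrying TLS1.1, which is the reason to prefer -ALL+TLS1.2 (and +TLS1.3 where the product supports it) on a current deployment.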

Use all groups

Check this if a user requesting authorization is to have the permissions of every group to which he or she belongs.

Uncheck this if the user is to have only the permissions of the group specified in the initial security API call that requested verification (authentication) of the user's credentials. Where no group is specified in the verify call, a default group is used.

Use custom server ID certificate

If this is turned off, the default DemoCA root certificate, server certificate, keyfile and passphrase that are installed with the product will be used. Do not use the default certificates in production: they are shipped with every copy of the product, so their private key is not secret and any client that trusts the DemoCA root can be presented with an impostor server. Specify your own certificates instead. In addition, the MF_ROOT_CERT environment variable will need to be set so that the MF Directory Server process can pick up the value of the root certificate path.

Update when external Security Manager properties change
Check this to update the configuration to reflect changes made to any external Security Manager used.
Use default ES Security Manager List

Check this if you want to use your default ES security manager list for Directory Server, rather than the Security Manager List below. To define the default ES Security settings, click Security on the menu on the left-hand side, and then click Security > Default ES Security.

Use encrypted connections

Select this if you want to start Enterprise Server Administration so that it requires authorized browser connections to use SSL. If the state is changed from the current active selection, the MF Directory Server process must be restarted for the new setting to take effect. If encrypted connections are selected, administrative access must also be set to restricted.

Web browser timeout

Specify the maximum interval in seconds since the last activity of a Web browser client, for example, a browser refresh, before it is automatically logged off.

The minimum value is 60 seconds (1 minute). A value of -1 indicates an infinite timeout period. We recommend you use this value sparingly and always reset to a finite period as soon as possible. This is because if the Directory Server is running with an infinite Web client timeout, there is more likelihood that an unauthorised user might gain access to the system using an unattended machine; also the Directory Server will tend to become overloaded with clients who have not logged off.

The default value is 300 seconds (5 minutes).
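As an added illustration of the two idle timeouts (example code written for this page, not the product's implementation), the following Python models the authenticated client list described under Authenticated client sessions: each session is removed by a sweep once it has been idle longer than the timeout for its kind, any activity restarts its clock, -1 switches the sweep off for that kind, and values below 60 are rejected. The class, its method names, the session ids and the use of plain integer timestamps are assumptions made for the example.

```python
MIN_TIMEOUT = 60        # smallest accepted value, per the two timeout fields
INFINITE = -1           # -1 means the session never times out
DEFAULT_WEB = 300       # Web browser timeout default (5 minutes)
DEFAULT_PROGRAM = 6000  # Client program timeout default (100 minutes)


def validate_timeout(value):
    """Accept -1 or any value of at least 60 seconds; reject anything else."""
    if value == INFINITE:
        return value
    if value < MIN_TIMEOUT:
        raise ValueError(f"timeout must be {INFINITE} or at least {MIN_TIMEOUT}s, got {value}")
    return value


class AuthenticatedClientList:
    """Assumed model of the list the Directory Server keeps between
    authentication and log off. Session kind is 'web' or 'program'."""

    def __init__(self, web_timeout=DEFAULT_WEB, program_timeout=DEFAULT_PROGRAM):
        self.timeouts = {
            "web": validate_timeout(web_timeout),
            "program": validate_timeout(program_timeout),
        }
        self.sessions = {}  # session id -> (kind, time of last activity)

    def authenticate(self, session_id, kind, now):
        if kind not in self.timeouts:
            raise ValueError(f"unknown client kind {kind!r}")
        self.sessions[session_id] = (kind, now)

    def touch(self, session_id, now):
        """Any activity, such as a browser refresh, restarts the idle clock."""
        kind, _ = self.sessions[session_id]
        self.sessions[session_id] = (kind, now)

    def logoff(self, session_id):
        """A well-behaved client removes itself; the sweep covers the rest."""
        self.sessions.pop(session_id, None)

    def sweep(self, now):
        """Remove sessions idle longer than their timeout; return the ids removed."""
        expired = []
        for sid, (kind, last) in list(self.sessions.items()):
            limit = self.timeouts[kind]
            if limit != INFINITE and now - last > limit:
                expired.append(sid)
                del self.sessions[sid]
        return expired


if __name__ == "__main__":
    acl = AuthenticatedClientList()
    acl.authenticate("browser-1", "web", 0)
    acl.authenticate("program-1", "program", 0)
    acl.touch("browser-1", 250)           # refresh at t=250 resets the browser clock
    print(acl.sweep(320), acl.sweep(600))  # [] then ['browser-1']
    forever = AuthenticatedClientList(web_timeout=INFINITE)
    forever.authenticate("browser-2", "web", 0)
    print(forever.sweep(10**9), forever.sessions)  # never removed: the list only grows
```

The second object shows the failure mode the recommendation above warns about: with the Web browser timeout set to -1 the sweep never removes a browser session, so an unattended authenticated browser stays usable and the list grows by one entry for every client that does not log off.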

Security Facility Configuration

The Security Facility Configuration parameters are available on this screen only when MFDS is configured to use an ESF (i.e. set up to use a Security Manager other than "MFDS Internal Security"). Otherwise no ESF security configuration options (including the caching options) will be seen on this MFDS Security tab screen:

Allow unknown resources

Check this if you want the security facility to permit access to any unknown resource; that is, any resource for which all entries on the priority list return Unknown.

You might use this in circumstances where you only want to restrict access to some resources.

Allow unknown users

Check this if you want to allow unknown users to log in.

Cache limit

Enter the maximum size in kilobytes that enterprise server's security facility can use for caching the results of security queries.

Cache TTL

Enter the maximum time in seconds that an entry in the cache can be used to satisfy requests before the details must be requested again from the security manager. A long TTL means a revoked user or a changed rule in the external security manager can continue to be honoured for up to that long.

Configuration information

Specify any additional configuration settings that the enterprise server security facility requires.

Create audit events

Check this to enable the enterprise server to generate security audit events. These events can be captured and logged by the Audit Facility.

Verify against all Security Managers

Set this if you want each security query to be checked by all entries on the Security Manager Priority List.

If this is not set, the entries will be queried in the order that they appear on the Priority List until one gives a response of Allow, Deny, or Fail (equivalent to Deny). This response will then be used to decide what action should be taken.

If this field is set, all entries on the list will be queried, and if any returns a Deny or Fail, the access request will be denied. If there are no Deny or Fail responses and at least one of the entries on the list gives Allow as its response, the request will be allowed.

If a security manager does not have a rule for the resource or user specified in the request, it gives a response of Unknown. Whatever the setting of the Verify against all Security Managers field, if all of the entries on the priority list respond with Unknown, the request will be denied unless you have checked Allow unknown resources or Allow unknown users.
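To make the precedence rules above concrete, here is an added Python model of the Security Manager Priority List (example code written for this page, not the product's security facility). ToyManager, its rule table, and the user and resource names are constructed for the example; a manager with no rule for the pair answers Unknown, a manager whose Enabled flag is off is skipped as the Enabled column describes, Fail is treated as Deny, and allow_unknown stands for the Allow unknown resources setting (or, for a verify call, Allow unknown users).

```python
ALLOW, DENY, FAIL, UNKNOWN = "Allow", "Deny", "Fail", "Unknown"


class ToyManager:
    """Constructed stand-in for one entry on the priority list."""

    def __init__(self, name, enabled, rules):
        self.name, self.enabled, self.rules = name, enabled, rules  # rules: (user, resource) -> answer

    def query(self, user, resource):
        return self.rules.get((user, resource), UNKNOWN)


def decide(managers, user, resource, verify_all=False, allow_unknown=False):
    """Walk the list in priority order and return (decision, trace).

    verify_all=False: the first Allow, Deny or Fail decides; Unknown moves on.
    verify_all=True : every enabled manager is asked; any Deny or Fail wins,
                      otherwise one Allow suffices.
    All Unknown     : denied unless allow_unknown is set.
    """
    trace = []
    for m in managers:
        if not m.enabled:
            trace.append((m.name, "skipped: disabled"))
            continue
        answer = m.query(user, resource)
        trace.append((m.name, answer))
        if not verify_all and answer != UNKNOWN:
            return (ALLOW if answer == ALLOW else DENY), trace
    answers = [a for _, a in trace if a != "skipped: disabled"]
    if any(a in (DENY, FAIL) for a in answers):
        return DENY, trace
    if ALLOW in answers:
        return ALLOW, trace
    return (ALLOW if allow_unknown else DENY), trace


# Constructed priority list: names, rules and resources are invented for the example.
MANAGERS = [
    ToyManager("ldap-primary", True, {
        ("alice", "admin-console"): ALLOW,
        ("bob", "admin-console"): DENY,
        ("dave", "admin-console"): FAIL,     # e.g. the manager could not be reached
    }),
    ToyManager("legacy-file", False, {("mallory", "admin-console"): ALLOW}),  # disabled: ignored
    ToyManager("internal", True, {
        ("alice", "admin-console"): DENY,
        ("carol", "admin-console"): ALLOW,
    }),
]


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave", "mallory"):
        first, _ = decide(MANAGERS, user, "admin-console")
        every, _ = decide(MANAGERS, user, "admin-console", verify_all=True)
        print(f"{user:8} first-definite={first:5} verify-all={every}")
    print(decide(MANAGERS, "mallory", "admin-console", allow_unknown=True))
```

The alice row is the one to notice: the first-definite rule lets the higher-priority manager's Allow win over the lower one's Deny, while Verify against all Security Managers turns the same two answers into a Deny. The mallory row shows that a disabled manager's Allow counts for nothing, and that Allow unknown resources is what converts an all-Unknown result into access.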

See Configuring a Cipher Suites List in the product Help for more information.

For additional information on cipher suite configuration, refer to the OpenSSL documentation for the openssl ciphers command, which defines the keywords and modifiers accepted in the Cipher suites field.