Use this page to define the security settings to be used with Directory Server.
Click this to add a security manager from the pool of available definitions.
Check this if you want the security facility to permit access to any unknown resource; that is, any resource for which all entries on the priority list return Unknown.
You might use this in circumstances where you only want to restrict access to some resources.
Check this if you want to allow unknown users to log in.
There are two main methods that a remote user can use to connect to the Directory Server:
If Directory Server is running in Restricted mode, Web browser clients have to authenticate themselves to the Directory Server, carry out any operations, and then log off. (Program clients always run in Restricted mode.) During the time period between the authentication and removal the client is entered into the authenticated client list maintained internally by the Directory Server process. To stop the list from accidentally growing too large (not all users or applications log off correctly after they have been authenticated) and also to maintain security, the Directory Server removes both Web browser and program client sessions after a configurable timeout period.
Enter the maximum size in kilobytes that enterprise server's security facility can use for caching the results of security queries.
Enter the maximum time in seconds that an entry in the cache can be used to satisfy requests before the details must be requeried from the security manager.
Custom server certificate passphrase (optional).
Click this to add a security manager from the pool of available definitions. This button is only present if you are using the MFDS Internal Security Manager. As MFDS Internal Security cannot be used alongside other security managers, when you add the new manager MFDS Internal Security will be removed.
Specify the maximum interval in seconds since the last activity of a program client before it is automatically unbound.
The minimum value is 60 seconds (1 minute). A value of -1 indicates an infinite timeout period.
The default value is 6000 seconds (100 minutes).
Specify any additional configuration settings that the enterprise server security facility requires.
Check this to enable the enterprise server to generate security audit events. These events can be captured and logged by the Audit Facility.
The description column indicates the description for a security manager.
This column indicates whether or not the security manager is enabled. If it is not enabled, it will be ignored by Directory Server and those enterprise servers that reference it.
Custom keyfile path.
Custom keyfile passphrase.
This column indicates the module used by a security manager to access an external security manager or to implement the security rules.
This column indicates the name used to identify a security manager.
Indicates the position of the security manager in the sequence in which the security managers are queried.
Click this to remove the currently selected definition from this list.
Check this to cause all administrative access to the Directory Server to be authenticated and authorized by the entries on the Security Manager Priority List.
Unless a specific secure port is specified, the SSL connection will use a dynamically assigned port each time the MF Directory Server process is restarted. A fixed known port may be useful if configuring firewall settings.
This is the list of security managers (taken from the available pool) that MF Directory Server can use to perform security queries.
Use the up and down arrows to reposition the selected entry.
Use this to select a security manager for removal or for moving to a different position in the list.
Check this if a user requesting authorization is to have the permissions of every group to which he or she belongs.
Uncheck this if the user is to have only the permissions of the group specified in the initial security API call that requested verification (authentication) of the user's credentials. Where no group is specified in the verify call, a default group is used.
If this is turned off, the default DemoCA root certificate, server certificate, keyfile and passphrase that are installed with the product will be used. For production purposes it is recommended that the default certificates are not used, and that the customer's own certificates are specified. In addition, the MF_ROOT_CERT environment variable will need to be set so that the MF Directory Server process can pick up the value of the root certificate path.
Check this if you want to use your default ES security manager list for Directory Server, rather than the Security Manager List below. To define the default ES Security settings, click Security on the menu on the left hand side, and then click Security > Default ES Security.
Select this if you want to start Enterprise Server Administration so that it requires authorized browser connections to use SSL. If the state is changed from the current active selection then the MF Directory Server process will need to be re-started to use the new setting. If encrypted connections are selected, administrative access must also be set to restricted.
Set this if you want each security query to be checked by all entries on the Security Manager Priority List.
If this is not set, the entries will be queried in the order that they appear on the Priority List until one gives a response of Allow, Deny, or Fail (equivalent to Deny). This response will then be used to decide what action should be taken.
If this field is set, all entries on the list will be queried, and if any returns a Deny or Fail, the access request will be denied. If there are no Deny or Fail responses and at least one of the entries on the list gives Allow as its response, the request will be allowed.
If a security manager does not have a rule for the resource or user specified in the request, it gives a response of Unknown. Whatever the setting of the Verify against all Security Managers field, if all of the entries on the priority list respond with Unknown, the request will be denied unless you have checked Allow unknown resources or Allow unknown users.
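The decision logic described in the four entries above (sequential querying versus Verify against all Security Managers, Fail treated as Deny, and the all-Unknown case resolved by the Allow unknown resources / Allow unknown users settings), shown as an added Python example. This is illustrative code written for this page, not Micro Focus code and not how the MFDS security facility is implemented. The manager names, the rule tables, the assumption that disabled managers are skipped as stated in the Enabled column entry, and the assumption that an authorization request uses Allow unknown resources while a verify (authentication) request uses Allow unknown users are all constructed here.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Response(Enum):
    """Responses a security manager can give to a query."""
    ALLOW = "Allow"
    DENY = "Deny"
    FAIL = "Fail"        # treated exactly like Deny
    UNKNOWN = "Unknown"  # manager has no rule for this user/resource


@dataclass
class SecurityManager:
    """One entry on the Security Manager Priority List (hypothetical model)."""
    name: str
    enabled: bool
    rules: Callable[[str, str], Response]  # (user, resource) -> Response


@dataclass
class SecurityConfig:
    """The page's checkbox settings that affect how the list is evaluated."""
    verify_against_all: bool = False
    allow_unknown_resources: bool = False
    allow_unknown_users: bool = False


def rules_from_table(table: Dict[Tuple[str, str], Response]) -> Callable[[str, str], Response]:
    """Build a rule function from a constructed (user, resource) -> Response table.
    Anything not in the table is Unknown, as the page describes."""
    return lambda user, resource: table.get((user, resource), Response.UNKNOWN)


def evaluate(managers: List[SecurityManager], user: str, resource: str,
             config: SecurityConfig, request_kind: str = "authorize") -> Tuple[bool, List[Tuple[str, Response]]]:
    """Return (allowed, responses) for a request against the priority list.

    request_kind is "authorize" (resource access) or "verify" (credential check);
    which Allow unknown setting resolves an all-Unknown result depends on it
    (an assumption made for this example).
    """
    # Assumption: a manager that is not enabled is ignored entirely.
    active = [m for m in managers if m.enabled]
    responses: List[Tuple[str, Response]] = []

    for manager in active:
        response = manager.rules(user, resource)
        responses.append((manager.name, response))
        if not config.verify_against_all and response is not Response.UNKNOWN:
            # Sequential mode: the first Allow, Deny or Fail decides the request.
            return response is Response.ALLOW, responses

    if config.verify_against_all:
        # Every manager was queried; any Deny or Fail wins over any Allow.
        if any(r in (Response.DENY, Response.FAIL) for _, r in responses):
            return False, responses
        if any(r is Response.ALLOW for _, r in responses):
            return True, responses

    # Reaching here means every active manager answered Unknown.
    if request_kind == "verify":
        return config.allow_unknown_users, responses
    return config.allow_unknown_resources, responses


# Constructed pool of managers for demonstration; names and rules are made up.
POOL = [
    SecurityManager("corp-ldap", True, rules_from_table({
        ("alice", "ESDEMO"): Response.ALLOW,
        ("carol", "MFDS"): Response.FAIL,     # e.g. backend unreachable
    })),
    SecurityManager("local-overrides", True, rules_from_table({
        ("alice", "ESDEMO"): Response.DENY,
        ("carol", "MFDS"): Response.ALLOW,
    })),
    SecurityManager("legacy", False, rules_from_table({   # disabled: ignored
        ("bob", "ESDEMO"): Response.DENY,
    })),
]


if __name__ == "__main__":
    for cfg in (SecurityConfig(), SecurityConfig(verify_against_all=True)):
        allowed, trail = evaluate(POOL, "alice", "ESDEMO", cfg)
        print(f"verify_against_all={cfg.verify_against_all}: alice/ESDEMO -> {allowed} via {trail}")
    print("bob/ESDEMO, defaults:", evaluate(POOL, "bob", "ESDEMO", SecurityConfig())[0])
```

The same request flips between allowed and denied purely on the Verify against all Security Managers setting: sequentially, corp-ldap's Allow ends the query before local-overrides is consulted, whereas in verify-all mode local-overrides' Deny takes precedence. A Fail from the first manager denies the request in sequential mode even though a later manager would have allowed it, which is why a flaky external manager near the top of the list is worth noticing in audit events.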
Specify the maximum interval in seconds since the last activity of a Web browser client, for example, a browser refresh, before it is automatically logged off.
The minimum value is 60 seconds (1 minute). A value of -1 indicates an infinite timeout period. We recommend you use this value sparingly and always reset to a finite period as soon as possible. This is because if the Directory Server is running with an infinite Web client timeout, there is more likelihood that an unauthorised user might gain access to the system using an unattended machine; also the Directory Server will tend to become overloaded with clients who have not logged off.
The default value is 300 seconds (5 minutes).