Starting with this release, the Enterprise Server security functionality provided by the VSAM External Security Manager (VSAM ESM) module is enabled by default out of the box. This means you now need to supply valid credentials when you interact with:
For more information about the default VSAM Security Manager, see VSAM ESM Module.
If security is already configured for a domain (Data Tools, MFDS, or the default Enterprise Server security), the installation process does not change this configuration. If data already exists in either the old or new VSAM ESM default data directory, it will not be altered. However, Micro Focus recommends backing up the following before reinstalling or updating the product - the Data Tools and MFDS configuration files (commonwebadmin.json and mfdsacfg.xml), the MFDS repository data, and the VSAM ESM Module security data. By default, the MFDS repository data and the VSAM ESM Module data are located under %ProgramData%\Micro Focus (Windows) or $COBDIR/etc (UNIX).
The installation generates a random password for the system administrator account, SYSAD. To retrieve this password, execute the following from an Visual COBOL command prompt or Visual COBOL command prompt (Windows) or from a terminal that has the COBOL environment set (UNIX):
mfsecretsadmin read microfocus/temp/admin
The password value stored in this vault location is not used by the default Security Manager (VSAM ESM) to validate input credentials. Its purpose is to enable users to initially discover their randomly generated password. Additionally, Server Explorer uses this location to pre-populate the Micro Focus Servers connection and the credentials dialog box at region start-up. Once entered, you can optionally save the credentials in IDE-specific storage. Micro Focus recommends that once the credentials are safely known or changed that you remove this value from the vault (using mfsecretsadmin delete microfocus/temp/admin).
Micro Focus recommends that you promptly replace this password with one that conforms to your security policy. You can do this from the ESCWA logon page - click Change Password. Alternatively, you can use the esfadmin SETPASSWORD command.and specifying the "vsam_esm" module file.
You need to provide credentials to access ESCWA. After the installation, the ESCWA logon page shows information on how to obtain the default admin (SYSAD) generated password. You can disable this message in the ESCWA Security Settings dialog ("Show Default Security Warning on Log On").
For local installations, the default Directory Server will automatically be authenticated with the ESCWA credentials. Otherwise, you might need to provide its own credentials. You may use the same credentials as the ones for ESCWA.
Note the default 5-minute (300 second) session time out setting for inactivity in ESCWA. If required, you can change this from the ESCWA Security Settings dialog ("Session Inactivity Timeout").
The Server Explorer window in Data Tools, requires credentials for the Micro Focus Servers node to connect to the default local ESCWA and the MFDS. Additionally, you need to provide credentials to start any regions. By default, the credentials will be pre-populated in the dialog using the values stored in the microfocus/temp/admin vault location. These credentials can optionally be stored by the IDE so they do not need to be manually input again.
If you want to view or delete Fileshare instances in ESCWA, you now need to log on using authorized credentials (such as the default SYSAD user).
There are multiple command line utilities that control and access enterprise server region. These use Enterprise Server credentials specified as parameters - for example, casstart /z.
See Administration and Configuration Commands for individual commands to determine how to specify authorized credentials.
There are a variety of samples and tutorials supplied with the product. Many of these assume that security is not enabled, so to work through these unaltered default security will first need to be disabled. See To Disable the Default Enterprise Server Security Configuration. If security is not disabled, you will need to it take into account when you:
The mf-client.dat file which is used by the Micro Focus Common Client (MFCC), is configured out-of-the box to use the default generated "readonly" credentials from the microfocus/common/readonly vault location. This means that access to the Micro Focus Directory Server using the default security configuration works automatically for read-only access.
MFCC is used by COBOL web service proxy programs, the Interface Mapping Toolkit service-deployment mechanism, Fileshare clients (when configured appropriately), various utilities such as cassub (depending on the operating mode), the CICS Web Interface and CICS Web Services, and product components such as MFCS and ESCWA. See Micro Focus Common Client.