mfsecconv sub-command parameters [options]
Administer security definitions for the
VSAM ESM Module.
Sub-commands
- init
- Initialize the default
Enterprise Server security configuration. This sub-command will only make changes to the system if there is currently no
VSAM ESM Module security data in the default location, which is
%ProgramData%\Micro Focus\product-name\vsam_esm.
- reset
- Equivalent to the
init sub-command, except that it will overwrite any existing security configuration in the default location. It will also overwrite
any entries in the default
Micro Focus Secrets Vault used by the default
Enterprise Server security configuration,
microfocus/temp/admin and
microfocus/common/readonly (possibly affected by options specified on the command).
- import
-
- Import security definitions from a YAML or LDIF file into a set of VSAM (COBOL indexed) data files for the
VSAM ESM Module. Options specify whether existing definitions will be replaced, updated, or left unchanged, and whether new definitions will
be added.
- Convert security definitions in an LDIF file into YAML format.
- export
- Create a YAML file containing the security definitions from a set of
VSAM ESM Module data files.
init and reset
These sub-commands create the security definitions for the default
Enterprise Server security configuration, and (by default) put user account credentials in the vault. The only difference between init and
reset is that init will not overwrite existing security data, and reset will.
mfsecconv init is run by the product installer to create the default
Enterprise Server security configuration when the product is installed.
Note: These commands only update the
VSAM ESM Module security data (in the default location) and information in the vault. They do not change the security definitions in
ESCWA or MFDS. See
To Recreate the Default Enterprise Server Security Configuration if you need to restore the full default configuration.
CAUTION:
Micro Focus recommends that you back up your existing security data prior to running the
mfsecconv reset command.
Options for init and reset
- -h|-H|--help
- Displays the command help.
- -s|-S|--user
username
- Add
username as an administrator to the security definitions. This can be used multiple times. If at least one instance of this option
is used, the
SYSAD default administrator will not be installed, unless it is also specified with this option, that is
--user SYSAD is specified. Unless a password is also supplied with the
--pass option or one of its aliases, a random password will be generated for the user and stored in the list of credentials in the
vault under
microfocus/temp/admin.
- -p|-P|--pass
password
- Set the password for the previous user account, specified with
--user. If no password is supplied for a user, a random one will be generated, as described for
--user.
- -d|-D|--displaypass
- Rather than writing generated credentials to the vault, write them to standard output.
- -i|-I|--interactive
- Rather than generating passwords, read them from standard input.
- -x|-X|--exit-codes
- Typically, mfsecconv exits with an exit code of 0 if no error messages were logged, that is, nothing more severe than a warning.
If the
--exit-codes option is specified, it exits with a return code of 3 if there was a fatal (critical) error, 2 if there were any non-fatal
errors, 1 if there were any warnings, or 0 if there were no warnings or errors. This might be useful when invoking mfsecconv
from a script.
For example:
mfsecconv reset --user MYADMIN --pass Secret_1
import
Syntax:
mfsecconv import source-file destination [options]
- source-file
- This is a YAML or LDIF file. It must have one of the following extensions
.yaml,
.yml,
.ldif, or
.ldf and is case insensitive.
- destination
- This is either a directory where VSAM files will be created, or a YAML file, which must have an extension of
.yaml or
.yml.
This sub-command either generates
VSAM ESM Module security data from a YAML or LDIF file, or converts an LDIF file containing security data (using the
Micro Focus LDAP schema) to YAML. It can be used to generate the VSAM security data for first use, for example to install a stock security
configuration on a new system or initialize security for an
enterprise server instance running in a container, to update existing security data with new or modified definitions, to migrate from LDAP-based security
to VSAM-based, and so on.
When importing to VSAM, there are three options which control how the new data interacts with any existing security data:
--truncate,
--update, and
--append. Either one or two of these needs to be specified for the command to have an effect. The options and their affect are as
follows:
- --truncate
- Any existing security data is deleted. The target directory is created if necessary.
- --append
- New records are added to the existing security data, where the imported information does not conflict with the existing data.
Information in the source which matches an existing record is ignored.
- --update
- Existing data is updated where the imported information refers to an existing record. Information in the source which does
not correspond to an existing record is ignored.
- --truncate --append
- Any existing data is deleted, the directory is created if necessary, and the source information is used to create the security
data.
- --append --update
- No existing data is deleted. Information in the source that matches an existing record updates the existing record; new records
are created for new information in the source.
Note: When using the
--update option, ensure the file you are importing does not contain definitions for any objects in the existing security configuration
that you do not wish to change. Specifically, avoid using
--update with
es_default_security.yaml, as you will overwrite any changes that have been made to your security configuration, including the password generated for
the SYSAD user during product installation.
Options for import:
- -h|-H|--help
- Displays the command help.
- -a|-A|--append
- Imported information which does not match an existing record will be added.
- -t|-T|--truncate
- Delete existing security data.
- -u|-U|--update
- Imported information which matches an existing record will update that record.
- -l|-L|--loglevel
value
- Set the logging verbosity.
value is an integer 0-4, with higher numbers suppressing more messages. Level 1 suppresses debug messages, level 2 also suppresses
informational messages, level 3 also suppresses warning messages, and level 4 also suppresses non-fatal error messages, only
critical errors are displayed.
For example:
mfsecconv import security_defs.yaml $COBDIR/etc/vsam_esm --append --update
The
VSAM ESM file directory structure will be similar to the following:
$COBDIR/etc/vsam_esm
|---Users.dat
|---PasswordHistories.dat
|---Groups.dat
|---Memberships.dat
|---Classes.dat
|---ACICSPCT # A resource class name
|---|---ACEs.dat
|---|---Rules.dat
|---CCICSCMD # Another resource class name
|---|---ACEs.dat
|---|---Rules.dat
export
Syntax:
mfsecconv export source destination-file [options]
- source
- This is a directory containing
VSAM ESM Module security data files.
- destination
- This is a YAML file, which must have an extension of
.yaml or
.yml, and is case insensitive.
This subcommand creates a YAML file representing the VSAM ESM security data in the source directory. This can be used to back
up or replicate the security configuration, or create a text version which can be edited and then imported back into the security
data files.
Options for export:
- -h|-H|--help
- Displays the command help.
- -l|-L|--loglevel
value
- This sets the logging verbosity.
value is an integer 0-4, with higher numbers suppressing more messages. Level 1 suppresses debug messages, level 2 also suppresses
informational messages, level 3 also suppresses warning messages, and level 4 also suppresses non-fatal error messages, only
critical errors are displayed.
For example:
mfsecconv export "c:\ProgramData\Micro Focus\Enterprise Developer\vsam_esm" c:\secdefs.yaml