This topic describes an ESF configuration that might be used for a typical production JES region.
- ES users are Windows users. They use their Windows usernames and passwords when submitting jobs or otherwise authenticating.
- Application program code runs under the security token of the job user.
- Resource access is controlled by security rules stored in Active Directory (or another LDAP server). These rules are grouped by resource class and applied based on the resource name, with wildcard matching. The rules contain Access Control Lists (ACLs) which specify permissions by user and group (again with wildcard matching). They use the same rule format as native ES, and can share rules with native ES.
To define this configuration:
1. Set up an LDAP repository for ES security.
   - If you already have an LDAP repository configured for security for native Enterprise Server, you can use that and proceed with step 2. Otherwise:
     - Identify or install and configure an LDAP server. For ease of configuration, Micro Focus recommends Active Directory or an instance of Microsoft's AD/LDS (Active Directory Lightweight Directory Services).
     - Configure the repository for ES security using the procedure for native Enterprise Server. Refer to the product documentation:
2. Create a Security Manager that specifies the LogonEsm ESM module. In most cases, none of the other configuration settings for this manager need to be changed from their defaults.
3. Create a Security Manager that specifies the LdapEsm ESM module. Configure it to use your LDAP repository from step 1:
   - On the General tab, provide a name. Use "LdapEsm" as the module name. Make sure Disable security manager is not checked.
   - On the Connection Settings tab, set the Connection path to the hostname and port of your server. (These can be omitted if using the defaults.) If you want a secure connection (LDAP-over-TLS) and the server is configured for it, specify these using the form ldaps://hostname[:port].
   - Add settings under the Configuration tab as necessary, based on your repository structure. See the section on configuring the LdapEsm above for more information. If you are using the sample LDAP configuration supplied with the product with a new AD/LDS instance, you probably will not have to add any settings here.
4. Create a Security Configuration that specifies your security managers from steps 2 and 3, in that order (LogonEsm manager first and LdapEsm manager second).
5. Edit your JES region, configuring it to use the security configuration from step 4.
6. Start the region. If there are any issues, review the previous steps and the security rules in the LDAP repository.
7. Submit a job using the cassub command-line utility. Specify a valid username and password with the -u and -p options to cassub. As with the previous step, if there are any issues, review the previous steps and the security rules in the LDAP repository.
8. Ensure the job you submitted runs properly (start an initiator for the job class if necessary).
9. Once the region runs correctly with your security configuration, enable user impersonation:
   - Stop all running regions and exit the Enterprise Server for .NET management console.
   - Stop the Enterprise Server for .NET Event Monitor service using the Services control panel or the command net stop seemonitor.
   - Follow the instructions in the product documentation for editing machine.config to enable user impersonation:
   - Run the wasreset.cmd script (included with the product) to restart WAS-hosted processes.
10. Repeat steps 5 - 8 to test execution with user impersonation enabled.
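Before filling in the LdapEsm Connection Settings tab (step 3), it is worth confirming from the Enterprise Server machine that the directory server is reachable on the intended port, accepts a bind (over TLS when you plan to use the ldaps://hostname[:port] form) and is the directory you expect. The following PowerShell function is an added example and is not part of the Micro Focus documentation or product; the host name, port and test credential are assumptions for your environment.

```powershell
# Added example, not part of the Micro Focus documentation: a pre-flight check for the
# LdapEsm "Connection path". It confirms the host/port are reachable, performs a bind
# (over TLS when -UseTls is given, matching an ldaps://hostname[:port] connection path)
# and reads the RootDSE naming contexts so you can confirm you reached the intended directory.
# Host name, port and the test credential are assumptions for your environment.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-EsfLdapConnection {
    param(
        [Parameter(Mandatory)] [string] $HostName,               # assumed: server named in Connection path
        [int] $Port = 636,                                        # 636 is the LDAPS default; 389 for plain LDAP
        [switch] $UseTls,                                         # set when the connection path is ldaps://
        [System.Management.Automation.PSCredential] $Credential  # omit to bind as the current Windows user
    )

    $result = [pscustomobject]@{
        Host = $HostName; Port = $Port; Tls = [bool]$UseTls
        TcpOpen = $false; Bound = $false; NamingContexts = @(); Error = $null
    }

    # 1. Is the port open at all? A closed port usually means a wrong host/port in the
    #    Connection path or a firewall between the ES machine and the directory server.
    $tcp = Test-NetConnection -ComputerName $HostName -Port $Port -WarningAction SilentlyContinue
    $result.TcpOpen = $tcp.TcpTestSucceeded
    if (-not $result.TcpOpen) { $result.Error = 'TCP connection failed'; return $result }

    # 2. Bind. Negotiate (Kerberos/NTLM) uses the caller's Windows identity, which is how a
    #    region running under a Windows service account would normally authenticate to AD.
    #    Basic sends the password in clear, so it is only allowed here together with -UseTls.
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($HostName, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion    = 3
    $conn.SessionOptions.SecureSocketLayer = [bool]$UseTls
    if ($Credential) {
        if (-not $UseTls) { $result.Error = 'Refusing Basic bind without TLS'; return $result }
        $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.Credential = $Credential.GetNetworkCredential()
    } else {
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    }

    try {
        $conn.Bind()
        $result.Bound = $true

        # 3. Read RootDSE: the naming contexts show which partition (for example an AD/LDS
        #    application partition) is available to hold the ES security rules you will
        #    point to on the Configuration tab.
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', [System.DirectoryServices.Protocols.SearchScope]::Base, 'namingContexts')
        $resp = $conn.SendRequest($req)
        $result.NamingContexts = @($resp.Entries[0].Attributes['namingContexts'].GetValues([string]))
    } catch {
        # Typical causes: server certificate not trusted by this machine (LDAPS), wrong
        # credentials, or the server not listening for TLS on this port.
        $result.Error = $_.Exception.Message
    } finally {
        $conn.Dispose()
    }
    return $result
}

# Usage (host names are assumptions):
# Test-EsfLdapConnection -HostName 'adlds.example.local' -Port 636 -UseTls
# Test-EsfLdapConnection -HostName 'dc01.example.local'  -Port 389
```

A failed `TcpOpen` points at the host/port in the Connection path or the network, a failed `Bound` with `Tls = True` most often means the server's certificate is not trusted by the Enterprise Server machine, and a bind that succeeds only as a named account but not with Negotiate suggests the identity the region runs under cannot authenticate to the directory.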
To investigate any problems encountered during this process, be sure to consult the Windows Security event log and the Micro Focus Server event log as well as the region console log.
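The three logs named above are the usual places a failed submission or a failed impersonation leaves a trace. The following PowerShell function is an added example, not part of the Micro Focus documentation or product; it pulls the relevant entries from all three for a recent time window. The event-log name `Micro Focus Server`, the console log path and the look-back window are assumptions; check Event Viewer for the exact log name on your installation.

```powershell
# Added example, not part of the Micro Focus documentation: gather the three logs the topic
# says to consult (Windows Security log, Micro Focus Server event log, region console log)
# into one object for a given time window. The event-log name and the console log path are
# assumptions. Reading the Security log requires an elevated PowerShell session.
function Get-EsfDiagnostics {
    param(
        [int]    $Minutes = 30,                               # look-back window (assumed default)
        [string] $MicroFocusLogName = 'Micro Focus Server',   # assumed name of the Micro Focus event log
        [string] $ConsoleLogPath                              # assumed path to the region console log
    )
    $since = (Get-Date).AddMinutes(-$Minutes)

    # Windows logon events. LogonEsm validates the Windows username/password given to cassub
    # (-u/-p), so a rejected submission should leave a 4625 (failed logon) here, with the
    # NTSTATUS in Status/SubStatus saying why (bad password, locked account, ...). With user
    # impersonation enabled, expect a 4624 (successful logon) for the job user as well.
    $logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Id        = $_.Id
                User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonType = $data['LogonType']
                Status    = $data['Status']
                SubStatus = $data['SubStatus']
                Process   = $data['ProcessName']
            }
        }

    # Micro Focus Server event log entries in the same window.
    $mf = Get-WinEvent -FilterHashtable @{ LogName = $MicroFocusLogName; StartTime = $since } -ErrorAction SilentlyContinue |
          Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message

    # Tail of the region console log, if a path was supplied.
    $console = @()
    if ($ConsoleLogPath -and (Test-Path -LiteralPath $ConsoleLogPath)) {
        $console = Get-Content -LiteralPath $ConsoleLogPath -Tail 50
    }

    # The Event Monitor service (seemonitor) is stopped while machine.config is edited and
    # must be running again afterwards; report its state so a forgotten restart is visible.
    $monitor = Get-Service -Name seemonitor -ErrorAction SilentlyContinue
    $monitorStatus = 'service not found'
    if ($monitor) { $monitorStatus = [string]$monitor.Status }

    [pscustomobject]@{
        Since              = $since
        LogonEvents        = @($logons)
        MicroFocusEvents   = @($mf)
        ConsoleTail        = $console
        EventMonitorStatus = $monitorStatus
    }
}

# Usage (the path is a placeholder, not a real product path):
# Get-EsfDiagnostics -Minutes 15 -ConsoleLogPath '<path-to-region-console-log>'
```

Run it once immediately after a failing cassub submission: a 4625 with no matching Micro Focus Server entry means the credentials never got past LogonEsm, whereas a 4624 followed by an error in the Micro Focus Server log or on the console points at the LdapEsm connection or the security rules in the repository.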