Micro Focus recommends disabling features you don't need, particularly for production regions, by editing your various
Enterprise Server for .NET configuration files. These are items you can disable in a listener configuration file.
Most of the settings in a listener configuration file tell the listener how to connect to the dispatchers for one or more
regions, or configure listener operating parameters. Reducing the listener attack surface is simply a matter of disabling
any listener
channels that are not required by the applications you run in
Enterprise Server for .NET and the utility programs you use. The listener channel types are:
- HTTP
- The HTTP channel is currently used only for making REST web services and EXCI requests (which are implemented using REST)
to
Enterprise Server for .NET CICS regions. If you do not have client programs invoking CICS transactions or programs using REST or EXCI, you can disable
or remove this type of channel. HTTP channels are not currently useful for JES regions and should not be configured for them.
- MFBINP
- The MFBINP channel is used by various utility programs supplied with the product. For CICS regions, this includes the
casfile command, used to manipulate CICS files. For JES regions, it is used for
cassub (to submit JCL) and
casout (to retrieve JES output, start and stop initiators, etc). The MFBINP channel is also used by the Event Manager publish/subscribe
mechanism and JES scheduler integration (MFBSI). CICS regions that do not use any of these features do not need an MFBINP
channel; JES regions need an MFBINP channel to be useful.
- TN3270
- CICS regions use a TN3270 channel to permit terminal sessions to connect to the region. While it's possible to have a CICS
region that does not allow TN3270 connections (and receives all its work via REST or EXCI, for example), this is not a typical
configuration for
Enterprise Server for .NET. (The scale-out features of
Enterprise Server for .NET make the TOR/AOR architecture often seen with mainframe CICS much less desirable.) CICS reegions will usually have a TN3270
channel. TN3270 channels are not useful for JES regions and should not be configured for them.