An enterprise server that is configured to use a Security Manager that uses the mldap_esm module (that is, using LDAP for
security) cannot be started using a file repository, either by using the
-m option to casstart and specifying a file path, or by running casstart when MFDS is not available.
[542314]
A new facility called passtokens can be configured to let administrators move back and forth between MFDS and ESMAC without
signing in each time they switch from one to the other. (This requires that MFDS and Enterprise Server use the same security
configuration, and that the user has appropriate privileges.) However, the passtoken is created when the HTML page with the
link to the other facility (for example, the MFDS "server details" page with the ESMAC link) is generated, and passtokens
expire after a short time. If you wait too long before clicking the link to go from MFDS to ESMAC or from ESMAC to MFDS, you
will be forced to sign on again.
[543176]
Customers who use the audit feature of Enterprise Server security should be aware that we cannot enforce auditing for administrative
changes to the security configuration (adding or removing users, changing permissions, etc.). A user with sufficient privilege
(an administrator) can disable auditing before performing other administrative changes, or use third-party tools to update
the configuration in the ESM without using any Micro Focus tooling at all.
[543360]
When external security is enabled for Enterprise Server, user credentials (username and password) have to be supplied to casstart
in order to start the region. casstart uses those to do an ESF Verify and Auth to ensure that the user has authority to start
the region. casstart also uses those credentials to bind to MFDS. A problem can arise because MFDS is a different security
domain from Enterprise Server and may have a different security configuration, particularly if Enterprise Server is using
an ESM (such as the eTrust one) that doesn't support MFDS. Consequently, administrators may have to define user accounts twice,
once in the ESM used by Enterprise Server, and once in MFDS internal security (or a different ESM used by MFDS), in order
to let those users start a region.
[543472]