Welcome
Security
You can secure your Informix® database server and the data that is stored in your Informix databases. You can encrypt data, secure connections, control user privileges and access, and audit data security.
Security in HCL Informix®
The HCL® Informix® Security Guide documents methods for keeping your data secure by preventing unauthorized viewing and altering of data or database objects, including how to use the secure-auditing facility of the database server.
Securing data
Connection security
You can administer the security of the connections to the database server by using authentication and authorization processes.
Trusted-context objects and trusted connections
You can use trusted-context objects and trusted connections to increase system performance and security within a three-tier application model.
Creating a trusted-context object
You must create trusted-context objects before you can create trusted connections to a database server.
Example of assigning user-specific privileges in a trusted-context object
This example demonstrates how to assign user-specific privileges for a trusted connection by using the ROLE object. You can use the structure of this example to assign privileges for users of a trusted-context object.

HCL Informix® V15.0.0 documentation
Welcome to the documentation for HCL Informix® 15.0.0 and related client tools and products.
Product overview
HCL Informix® is a fast and scalable database server that manages traditional relational, object-relational, and dimensional databases. Its small footprint and self-managing capabilities are suited to embedded data-management solutions.
Installing
These topics describe how to install HCL Informix® database servers, client products, and modules.
Administering
In addition to administering the database server, you can tune performance, replicate data, and archive data.
Migrating and upgrading
You can upgrade to the 15.0.0 release of HCL Informix® or migrate from other database servers to Informix. Upgrading is an in-place migration method that uses your existing hardware and operating system software. Some changes to the Informix database server can affect upgrading from a previous release.
Client APIs and tools
You can use the HCL Informix® implementation of client APIs to develop applications for Informix database servers.
Embedding Informix®
When you embed HCL Informix®, you can use enterprise-class high-availability and high performance with embeddability features such as easy programmability, a small disk and memory footprint, and silent deployment.
Extending Informix®
Beyond standard relational database objects, HCL Informix® can be extended to handle specialized data types, access methods, routines, and other objects. Informix includes many built-in extensions that are fully integrated in the database server. Informix also provides modules, which are packages of extended database objects for a particular purpose and that are installed separately from the database server. Alternatively, you can create your own user-defined objects for Informix.
Data warehousing
In addition to designing and implementing Informix® dimensional databases, you can use tools to create data warehouse applications and optimize your data warehouse queries.
Designing databases
The first step in creating a relational database is to construct a data model, which is a precise, complete definition of the data you want to store. After you prepare your data model, you must implement it as a database and tables. To implement your data model, you first select a data type for each column and then you create a database and tables and populate the tables with data. You can also implement fragmentation strategies and control access to your data.
JSON compatibility
You can use the popular JSON-oriented query language created by MongoDB to interact with data stored in HCL Informix®.
Security
You can secure your Informix® database server and the data that is stored in your Informix databases. You can encrypt data, secure connections, control user privileges and access, and audit data security.
- Security in HCL Informix®
  The HCL® Informix® Security Guide documents methods for keeping your data secure by preventing unauthorized viewing and altering of data or database objects, including how to use the secure-auditing facility of the database server.
  - Securing data
    - HCL Informix® directory security
      utilities and product directories are secure by default.
    - Network data encryption
      Use network encryption to encrypt data transmitted between server and client, and between server and other server.
    - Column-level encryption
      You can use column-level encryption to store sensitive data in an encrypted format. After encrypting sensitive data, such as credit card numbers, only users who can provide a secret password can decrypt the data.
    - Connection security
      You can administer the security of the connections to the database server by using authentication and authorization processes.
      - Authentication mechanisms
        You can configure the Informix® server authentication mechanisms to meet varying requirements, such as different security methods required for local and remote connections, database access by users without operating system accounts on the servers host computer, and non-root installation.
      - Internal users (UNIX™, Linux™)
        The DBSA can grant database access to users that do not authenticate on the OS of the host computer by mapping PAM-authenticated users to OS-level entities or by configuring the server to perform internal authentication.
      - Guest account (Windows™)
        Disable the Windows™ Guest account to prevent anonymous logins.
      - Trusted-context objects and trusted connections
        You can use trusted-context objects and trusted connections to increase system performance and security within a three-tier application model.
        The three-tier application model
        The traditional three-tier application model has system performance and security issues that can be addressed by trusted-context objects and trusted connections.
        Requirements for trusted-context objects and trusted connections
        Before you create trusted-context objects and use trusted connections, you must ensure that system and user requirements are met.
        Creating a trusted-context object
        You must create trusted-context objects before you can create trusted connections to a database server.
        Examples of defining trusted locations
        These trusted-context examples show how to define trusted locations by using the ADDRESS attribute.
        Examples of specifying authentication requirements for trusted connections
        These examples show how to specify authentication requirements for trusted connections by using the WITH USE FOR clause and the WITH AUTHENTICATION and WITHOUT AUTHENTICATION attributes.
        Example of assigning a default role in a trusted-context object
        This example demonstrates how to assign a default role for users of a trusted connection by using the DEFAULT ROLE clause. You can use the structure of this example to specify privileges for users of a trusted-context object.
        Example of assigning user-specific privileges in a trusted-context object
        This example demonstrates how to assign user-specific privileges for a trusted connection by using the ROLE object. You can use the structure of this example to assign privileges for users of a trusted-context object.
        Creating a trusted connection
        Using your application, you can create a trusted connection to your database.
        Switching the user ID on a trusted connection
        You can switch user IDs after a trusted connection is established.
        Rules for switching the user ID on a trusted connection
        Specific rules apply to switching users on a trusted connection. Use the following rules to preserve security and auditing capability for trusted connections that are used by multiple users.
      - Pluggable authentication modules (UNIX™ or Linux™)
        A Pluggable Authentication Module (PAM) is a well-defined framework for supporting different authentication modules that were originally developed by Sun Microsystems. PAM is supported in both 32- and 64-bit modes on Solaris, Linux™, HP-UX and AIX®.
      - LDAP authentication support on Windows™
      - Authentication module deployment
      - Simple password encryption
        The simple password communication support module (SPWDCSM) provides password encryption.
      - Single sign-on
        Single sign-on is an authentication feature that bypasses the requirement to provide user name and password after a user logs into the client computer's operating system.
      - Securing local connections to a host
        The database server administrator (DBSA) can use the SECURITY_LOCALCONNECTION configuration parameter to set up security checking for local connections with the same host.
      - Limiting denial-of-service flood attacks
        HCL® Informix® has multiple listener threads (listen_authenticate) to limit denial-of-service (DOS) attacks.
    - Discretionary access control
      Discretionary access control verifies whether the user who is attempting to perform an operation has been granted the required privileges to perform that operation.
    - Label-Based Access Control
      You can use label-based access control (LBAC), an implementation of multi-level security (MLS), to control who has read access and who has write access to individual rows and columns of data.
  - Auditing data security
SQL programming
You can use the HCL Informix® implementation of the SQL language to develop applications for Informix database servers.
Troubleshooting HCL Informix®
Several troubleshooting techniques, tools, and resources are available for resolving problems that you encounter in your HCL Informix® database server environment.

Example of assigning user-specific privileges in a trusted-context object

This example demonstrates how to assign user-specific privileges for a trusted connection by using the ROLE object. You can use the structure of this example to assign privileges for users of a trusted-context object.

In this example, the trusted-context object tcx1 grants user newton a trusted connection if the request is coming from the IPv4 address 192.0.2.1. The trusted connection that newton is granted can be switched to brock without a password. The trusted connection can be switched to hayes, but hayes must provide a password.

newton is granted the default AUDITOR role and privileges. If the connection is switched to brock, brock is granted the default AUDITOR role and privileges. If the connection is switched to hayes, hayes is granted the specific MANAGER role and privileges instead of the AUDITOR role and privileges.

CREATE TRUSTED CONTEXT tcx1
  USER newton
  ATTRIBUTES (ADDRESS '192.0.2.1')
  DEFAULT ROLE AUDITOR
  ENABLE
  WITH USE FOR brock WITHOUT AUTHENTICATION,
               hayes WITH AUTHENTICATION ROLE MANAGER;