Configuring the HCL OneDB instance for SSO

Complete the following tasks for the server side of your system to enable SSO functionality with HCL OneDB™:

Procedure

  1. Set SQLHOSTS information for SSO
  2. Set up the concsm.cfg File for SSO
  3. Ensure keytab file has the required key (UNIX and Linux)
  4. Verify HCL OneDB uses Kerberos authentication for SSO

  • Set SQLHOSTS information for SSO
    This task configures the SQLHOSTS connectivity options so that your HCL OneDB instance can support single sign-on.
  • Set up the concsm.cfg File for SSO
  • Ensure keytab file has the required key (UNIX and Linux)
    Add the service principal key generated in the Key Distribution Center to the credentials information stored in the keytab file on the HCL OneDB host computer, and then validate that all necessary credentials are stored in this file.
  • Verify HCL OneDB uses Kerberos authentication for SSO
    Before you set up the SQLHOSTS information and concsm.cfg file for the client computer in a single sign-on implementation, verify that your login service is correctly configured to use Kerberos authentication.