Connection security
You can administer the security of the connections to the database server by using authentication and authorization processes.
The first step toward connecting to the HCL OneDB™ server is authentication. Authentication is the mechanism of verifying the identity of a user or an application. The HCL OneDB server supports a traditional authentication mechanism in which a user must provide a valid user ID and password combination to connect to a database. But you can configure the database server to add or modify an authentication mechanism.
By default in root installations, access to the database server also requires that the authentication credentials match the credentials of an OS user account on the HCL OneDB host computer. However, you can change the USERMAPPING parameter setting in the onconfig file to selectively remove the dependency on local OS user accounts and to enable a database server administrator (DBSA) to grant database server access to specific users without the OS user accounts.
With a non-root installation, the user who installs the product is the DBSA and typically chooses this type of installation because it requires less system administrator overhead than a root installation. The database server of a non-root installation cannot authenticate users or applications based solely on their login to the local OS. The DBSA must set up internal users to grant database access to others. Typically, the number of database users with a non-root installation is lower than with many root installations.
Authenticated users must specify a database to which to connect. A user can perform certain database actions or access certain database objects only if they have been authorized to do so by the DBA. For example, users with CONNECT privileges can connect to a database and run queries, while users with RESOURCE privileges can also create objects. See the HCL OneDB Guide to SQL: Syntax for details about database-level privileges.
On a multitier network, you can create trusted connections between an application server and the HCL OneDB database server. You can use trusted connections to set the identity of each specific user accessing a database through the middle-tier server, which facilitates discretionary access control and auditing based on user identity. Without a trusted connection in such an environment, each action on a database is performed with the single user ID of the middle-tier server, potentially lessening granular control and oversight of database security.
You can ensure that connection authentication passwords are secure by encrypting them by using a communication support module (CSM). The simple password CSM (SPWDCSM) provides password encryption. SPWDCSM is available on all platforms.
If you want to support a single sign-on (SSO) environment, you can use the Generic Security Services CSM (GSSCM) to implement a Kerberos authentication layer. In addition, the Kerberos protocol has several built-in features that can provide the same security benefits that simple password CSM and encryption CSM have. SSO authentication verifies a user's identity, and it facilitates centralized management of user IDs and passwords. If confidentiality and integrity services are enabled in GSSCSM, Kerberos authentication encrypts data transmissions and ensures that transmissions are not altered between legitimate user and the database server.
Enterprise Replication and high availability connections cannot use authentication modules, but can function with these modules by restricting specific network ports to the replication and high availability connections.
You can configure HCL® OneDB to check whether the ID of the user who is running the program matches the ID of the user who is trying to connect to the database.
You can limit the ability of denial-of-service attacks to prevent legitimate connections to the database server from being blocked.