If a client, Connection Manager, or any of the database
servers that a Connection Manager connects to are on an untrusted
network, you can create encrypted password files to verify connection
requests.
About this task
In certain situations, an encrypted password file is required
for trusted network environments, such as when a local system account
attempts to connect to a database server in a high-availability cluster
or Enterprise Replication domain, or when the user ID does not exist
on a database server. The password file provides the correct system-level
access, so that a local system account or a Windows™ account can connect directly to a
remote server.
The password file has separate entries for the
following items:
- Each Enterprise Replication group
- Each High-availability cluster group
- Each High-availability cluster server
- Each Enterprise Replication server that is in a group that is
also configured for high-availability
- Each database server's alternative server alias, if the database
server is using a secure port for communication
A password file entry contains the following information:
- The name of an alternative server to connect to if a connection cannot be made to the listed server or group. For example, alternative_server_name is used when server_or_group_name uses a secure port, as specified by the s=6 option in an sqlhosts file entry.
- The user ID for a database server or the database servers in a group. User IDs must have the following privileges:
  - Permission to connect to the sysadmin database
  - CONNECT permission on the remote servers
  - On UNIX™ operating systems, membership in the informix DBSA group
  - On Windows operating systems, membership in the Informix-Admin DBSA group
  Only user informix has all of these privileges by default.
- The password for a server
Procedure
- On a Connection Manager host, use a text editor to create an ASCII text file to be used as a password file. Save the file to the $ONEDB_HOME/tmp directory.
If you have a high-availability replication system, your password file contains password information for replication servers and cluster servers.
Note: The password file must not contain comments.
The replication-server entries of the password file have the following format:
group_name database_server_alias user_name database_server_password
database_server_name database_server_alias user_name database_server_password
database_server_alias database_server_alias user_name database_server_password
For example:
group_1 unsecure_server_alias_1 user_1 password_1
server_1 unsecure_server_alias_1 user_1 password_1
alias_1 unsecure_server_alias_1 user_1 password_1
group_2 unsecure_server_alias_2 user_2 password_2
server_2 unsecure_server_alias_2 user_2 password_2
alias_2 unsecure_server_alias_2 user_2 password_2
group_n unsecure_server_alias_n user_n password_n
server_n unsecure_server_alias_n user_n password_n
alias_n unsecure_server_alias_n user_n password_n
The cluster-server entries of the password file have the following format:
alias_group_name db_server_alias user_name db_server_password
db_server_name db_server_alias user_name db_server_password
For example:
alias_group_1 unsecure_alias_1 user_1 password_1
alias_group_1 unsecure_alias_2 user_2 password_2
alias_group_1 unsecure_alias_n user_n password_n
alias_group_2 unsecure_alias_1 user_1 password_1
alias_group_2 unsecure_alias_2 user_2 password_2
alias_group_2 unsecure_alias_n user_n password_n
alias_group_n unsecure_alias_1 user_1 password_1
alias_group_n unsecure_alias_2 user_2 password_2
alias_group_n unsecure_alias_n user_n password_n
server_1 unsecure_alias_1 user_1 password_1
server_2 unsecure_alias_2 user_2 password_2
server_n unsecure_alias_n user_n password_n
- Encrypt the password file with the onpassword utility and an encryption key.
For example, if your password file is $ONEDB_HOME/tmp/my_passwords.txt, and the encryption key you want to use is my_secret_encryption_key_efgh, run the following command:
onpassword -k my_secret_encryption_key_efgh -e my_passwords.txt
This example creates the encrypted passwd_file file in the $ONEDB_HOME/etc directory.
To later decrypt the password file, you must enter the same key that was used to encrypt the password file. If you lose the encryption key that was used to encrypt a password file, re-encrypt the original ASCII text password file. If the ASCII text password file was deleted, you must create a new one.
- Distribute $ONEDB_HOME/etc/passwd_file to all the database servers that Connection Managers or the cdr utility connects to, and to all Connection Managers.
Note: An encrypted password file that is created on one type of operating system is not supported on a different type of operating system. On each operating system, you must run the onpassword utility with the same text file and encryption key.
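As an added check that is not part of this documentation or of the onpassword utility: a small Python validator that parses the plain-text password file before it is handed to onpassword, reporting comment lines and lines that do not have exactly four fields, plus a permission check on the unencrypted file in $ONEDB_HOME/tmp. The sample content is constructed from the replication-server example above; skipping blank lines and flagging a repeated name/alias pair are assumptions, not rules stated on this page.

```python
import stat
from pathlib import Path

# Every entry is exactly four whitespace-separated fields:
#   server_or_group_name  database_server_alias  user_name  password
FIELDS = ("name", "alias", "user", "password")

# Constructed sample: three valid entries from the page, then two bad lines.
SAMPLE = """\
group_1 unsecure_server_alias_1 user_1 password_1
server_1 unsecure_server_alias_1 user_1 password_1
alias_1 unsecure_server_alias_1 user_1 password_1
# comments are not allowed
broken_line user_1
"""

def parse_password_file(text):
    """Return (entries, errors): one dict per valid line, keyed by FIELDS,
    plus "line N: reason" strings for lines onpassword must not be given.
    Blank-line skipping and duplicate detection are assumptions."""
    entries, errors, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            errors.append(f"line {lineno}: comments are not allowed")
            continue
        fields = line.split()
        if len(fields) != len(FIELDS):
            errors.append(f"line {lineno}: expected 4 fields, found {len(fields)}")
            continue
        entry = dict(zip(FIELDS, fields))
        key = (entry["name"], entry["alias"])
        if key in seen:
            errors.append(f"line {lineno}: duplicate entry for {key[0]} via {key[1]}")
        seen.add(key)
        entries.append(entry)
    return entries, errors

def mode_is_private(mode):
    """True when no group/other permission bits are set (0600 or tighter)."""
    return (stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0

def plaintext_is_private(path):
    """The unencrypted file in $ONEDB_HOME/tmp holds real server passwords;
    confirm that only its owner can read it, before and after encrypting."""
    return mode_is_private(Path(path).stat().st_mode)
```

Run parse_password_file on the file contents and fix every reported line before running onpassword; an empty error list means the file has only well-formed four-field entries.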