Distributed transactions and authentication modules

When HCL® OneDB® opens a distributed connection to a remote server after the local session has already been established, no user is present to answer an interactive authentication challenge, and the moment at which the connection is opened (any point inside a transaction) cannot be predicted. Also, the password that authenticated the user on the local server might not be the password the remote server expects. Consequently, authentication for distributed connections must be completed by the remote server on the basis of trust: the remote server must trust the local server, and the remote administrators must explicitly permit the user to connect from the local server to the remote server.

HCL OneDB provides two options to support distributed connection PAM authentication:
  1. sysuser:sysauth

    The sysauth table in the sysuser database on a server records the trusted remote servers and the host on which those servers run and controls incoming connections from other servers. If PAM or an LDAP Authentication Support Module is enabled in the remote servers, the system administrator can enter authorized users in the sysauth table in the sysuser database for each remote server.

    Database: sysuser

    Table: sysauth
    Table 1. Schema of the sysauth table

    Column       Type
    ---------    ------------
    username     CHAR(32)
    groupname    CHAR(32)
    servers      VARCHAR(128)
    hosts        VARCHAR(128)

    The table can contain multiple rows for a single user to permit connections from different servers and hosts. A unique index exists on the combination of username, servers, and hosts, none of which allow nulls, so the same trust grant cannot be entered twice. The groupname column is unused: leave it NULL; any value in the column is ignored.

    Each row is a trust grant: the remote server accepts the named user from that server and host pair without checking a password. For example, to permit the server to accept distributed transactions from a user known as user1 from database server server1 running on host host1.example.com:

    insert into sysauth values ("user1", NULL, "server1", "host1.example.com");

    For forward compatibility, ensure that each row in the table identifies one user name, one HCL OneDB server name, and one host name. Do not use comma-separated or space-separated lists of server or host names in one entry.

  2. On Linux/UNIX platforms, through the OS rhosts PAM module. For example, define the PAM configuration file for the server's PAM service as:

    auth      sufficient    pam_rhosts.so
    auth      required      pam_unix.so
    account   required      pam_unix.so

    pam_rhosts.so grants the connection when the originating host is listed in /etc/hosts.equiv or in the user's ~/.rhosts file on the remote host; because it is marked sufficient, a match skips the pam_unix.so password check, while the account line is still evaluated. Keep those files restricted to the hosts that actually run trusted local servers.
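The following SQL is an added example for option 1 (sysuser:sysauth), not part of the HCL OneDB documentation. It shows how an administrator grants a user distributed-connection trust from two remote servers as separate rows, audits what has been granted, finds legacy rows that pack several names into one field, and revokes a grant. The server names ol_prod and ol_reports and the hosts db1.example.com and db2.example.com are hypothetical; string literals use single quotes, which Informix-style SQL always accepts.

```sql
-- Added example; not code from the HCL OneDB documentation.
-- ol_prod, ol_reports, db1.example.com and db2.example.com are hypothetical names.
DATABASE sysuser;

-- One row per (user, server, host). Never pack two servers or hosts into one row.
INSERT INTO sysauth (username, groupname, servers, hosts)
    VALUES ('user1', NULL, 'ol_prod', 'db1.example.com');
INSERT INTO sysauth (username, groupname, servers, hosts)
    VALUES ('user1', NULL, 'ol_reports', 'db2.example.com');

-- Repeating a grant fails on the unique index over (username, servers, hosts),
-- so a duplicate trust entry cannot be created silently:
-- INSERT INTO sysauth VALUES ('user1', NULL, 'ol_prod', 'db1.example.com');

-- Audit: from which server/host pairs may user1 arrive without a password check?
SELECT username, servers, hosts
    FROM sysauth
    WHERE username = 'user1'
    ORDER BY servers, hosts;

-- Find rows that still use comma- or space-separated lists in the VARCHAR
-- columns; these must be split into one row per server and host.
SELECT username, servers, hosts
    FROM sysauth
    WHERE servers LIKE '%,%' OR servers LIKE '% %'
       OR hosts   LIKE '%,%' OR hosts   LIKE '% %';

-- Revoke a single grant when the remote server is decommissioned. Deleting by
-- the full (username, servers, hosts) key removes exactly one trust entry.
DELETE FROM sysauth
    WHERE username = 'user1'
      AND servers  = 'ol_reports'
      AND hosts    = 'db2.example.com';
```

Run the audit query periodically: every row it returns is a path into this server that bypasses password authentication, so each one should correspond to a server and host that are still in service.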