HCL OneDB 2.0.1

Authentication module deployment

When you use authentication modules, you must consider the following issues:

  • Implicit connections with authentication modules
    Authentication responses to authentication modules, such as PAM and LDAP, expect a password. However, in implicit connections to the database server, there is no password.
  • Application development for authentication modules
    The authentication method depends on the PAM or LDAP Authentication Support module installed.
  • Distributed transactions and authentication modules
    When HCL OneDB initiates a distributed connection after the session is established, it cannot respond to authentication challenges because the timing is unpredictable. Also, the password required to connect to the local server might not be the same as the password required to connect to the remote server. Consequently, authentication for distributed connections must be completed by the remote server on the basis of trust. The remote server must trust the local server and the remote administrators must explicitly permit the user to connect from the local server to the remote server.
  • Client APIs and authentication support modules
    Only specific HCL OneDB client APIs support PAM and LDAP Authentication Support modules. To use the other APIs when an authentication module is enabled on HCL OneDB, you can connect to an alias defined in the DBSERVERALIASES configuration parameter.
  • Compatibility issues with authentication modules
    Only specific HCL OneDB products support authentication modules. To use the other products when an authentication module is enabled on HCL OneDB, you can connect to an alias defined in the DBSERVERALIASES configuration parameter.
