Authentication mechanisms in IDS
Authentication is the mechanism of verifying the identity of a user or an application. The database server allows only those users who confirm their identities to access data, as shown in Figure 1. IDS conforms to the client-server architecture, where a client can be a remote or a local user.
Figure 1. Authentication flow
A local connection is a connection between a client and a server residing in the same machine. A remote connection is a connection between a client and server residing in different machines. IDS supports a traditional authentication mechanism under which a user has to provide an ID and password to connect to a database. IDS also supports additional authentication mechanisms such as pluggable authentication modules (PAM).
IDS servers follow UNIX security requirements for making connections. In traditional authentication, IDS validates the users using their UNIX or Windows® login ID and passwords with the operating system (OS) APIs.
A pluggable authentication module (PAM) is a framework that enables the user to develop and implement a customized user authentication mechanism without making any changes to the application. The modes supported by IDS are password mode and challenge-response mode. In password mode, the user password is sufficient to satisfy the authentication. In challenge-response mode, the server raises a challenge and the client sends a response. A client gets access to the database only if the response is as expected.
Here are the basic steps to configure IDS to use a PAM module (some of the details are platform specific, but the concept is generic):
- Define the PAM module: Identify or create the PAM module that you would like to use. For example, you can use pam_unix/pam_aix/pam_unix_auth, which does the traditional network-file based authentication. Typically, this shared object is located in a platform-dependent path (like /usr/lib/security/pam_unix.so on Solaris). If you create a module yourself, you need to copy it to the correct location.
- Configure the PAM module: Add the option field in the $INFORMIXDIR/etc/sqlhosts file to indicate that PAM authentication will be used. Listing 1 shows how to configure a password-type module:
Listing 1. sqlhosts entry for PAM
#Server-name service machinename portno Options
demo_on ontlitcp demohost 1111 s=4,pam_serv=(login),pamauth=(password)

Here login is the name of the PAM module set in the PAM configuration file. The sqlhosts entry for a challenge-type module looks like this:

#Server-name service machinename portno Options
demo_on ontlitcp demohost 1111 s=4,pam_serv=(xxx),pamauth=(challenge)

Note: Here xxx is a challenge-oriented module, which must have the required entry in the PAM configuration file.
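The following is an added example, not code from the page or from IDS: a small audit script that parses sqlhosts entries in the layout of Listing 1 (server name, service, machine name, port, options) and reports, for each server entry, whether it uses traditional OS authentication or PAM, and whether the pam_serv/pamauth pair is complete, uses one of the two modes described above, and names a service that actually has a PAM configuration entry. The sqlhosts content, the set of configured PAM service names and the flawed entries are all constructed for the demonstration.

```python
# Added example: audit the PAM-related options in an Informix-style sqlhosts
# file. Not IDS code; the line layout follows the page's Listing 1
# (server, service, host, port, options). All sample data is constructed.
from dataclasses import dataclass, field

# Constructed sqlhosts content: the two entries from the page plus three
# deliberately flawed ones so the audit has something to report.
SAMPLE_SQLHOSTS = """\
#Server-name service  machinename portno Options
demo_on      ontlitcp demohost    1111   s=4,pam_serv=(login),pamauth=(password)
demo_chal    ontlitcp demohost    1112   s=4,pam_serv=(xxx),pamauth=(challenge)
demo_plain   ontlitcp demohost    1113
demo_nomode  ontlitcp demohost    1114   s=4,pam_serv=(login)
demo_badmode ontlitcp demohost    1115   s=4,pam_serv=(login),pamauth=(token)
demo_nosvc   ontlitcp demohost    1116   s=4,pam_serv=(nosuch),pamauth=(password)
"""

# Constructed stand-in for the service names that have stanzas in the PAM
# configuration file; 'nosuch' is deliberately absent.
CONFIGURED_PAM_SERVICES = {"login", "xxx"}

VALID_PAMAUTH = {"password", "challenge"}  # the two modes IDS supports


@dataclass
class SqlhostsEntry:
    server: str
    service: str
    host: str
    port: str
    options: dict = field(default_factory=dict)


def parse_options(text):
    """Split 's=4,pam_serv=(login),pamauth=(password)' into a dict,
    stripping the parentheses that surround the PAM values."""
    opts = {}
    for item in filter(None, text.split(",")):
        key, _, value = item.partition("=")
        value = value.strip()
        if value.startswith("(") and value.endswith(")"):
            value = value[1:-1]
        opts[key.strip()] = value
    return opts


def parse_sqlhosts(text):
    """Parse sqlhosts lines; comment ('#') and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed sqlhosts line: {raw!r}")
        options = parse_options(fields[4]) if len(fields) > 4 else {}
        entries.append(SqlhostsEntry(*fields[:4], options))
    return entries


def audit_pam(entries, configured_services):
    """Return {server: (status, detail)} with status 'pam', 'traditional'
    or 'error'. An entry counts as PAM-authenticated only when pam_serv
    names a configured service and pamauth is a supported mode."""
    report = {}
    for e in entries:
        serv = e.options.get("pam_serv")
        mode = e.options.get("pamauth")
        if serv is None and mode is None:
            report[e.server] = ("traditional", "OS login ID and password")
        elif serv is None:
            report[e.server] = ("error", "pamauth given without pam_serv")
        elif mode is None:
            report[e.server] = ("error", f"pam_serv=({serv}) but pamauth missing")
        elif mode not in VALID_PAMAUTH:
            report[e.server] = ("error", f"unsupported pamauth value {mode!r}")
        elif serv not in configured_services:
            report[e.server] = ("error", f"PAM service {serv!r} has no PAM config entry")
        else:
            report[e.server] = ("pam", f"service {serv!r}, {mode} mode")
    return report


if __name__ == "__main__":
    result = audit_pam(parse_sqlhosts(SAMPLE_SQLHOSTS), CONFIGURED_PAM_SERVICES)
    for server, (status, detail) in result.items():
        print(f"{server:<13} {status:<12} {detail}")
```

Run against a real $INFORMIXDIR/etc/sqlhosts, the same checks can be fed from the file contents and from the list of service names present in the platform's PAM configuration; the value of the s option is parsed but not interpreted, since its meaning is platform documentation beyond this page.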
Single sign-on is an authentication feature that bypasses the need to provide user name and password after a user logs in to the client computer's operating system. IDS delivers support for single sign-on (SSO) using Kerberos 5 security protocol.
With SSO, authentication for the DBMS and other SSO-enabled services happens when a user first logs in to the client computer (or domain, in the case of Windows). The Kerberos implementation validates the user credentials. Kerberos authentication generates a system of secret keys that store login credentials. When a user action tries to access a Dynamic Server database, an exchange of ticket-granting tickets (TKTs) allows database access without a login prompt.
SSO also includes support for confidentiality and integrity services, so an SSO environment does not need to have other Dynamic Server CSMs. With confidentiality enabled, the data transmitted to and from the SSO-authenticated user is encrypted and can be viewed only by the user logged in with the authorized credentials. The integrity service ensures that data sent between the user and the DBMS is not altered during transmission.
Configuring IDS to use SSO requires a lot of platform-specific setup. However, for the fundamentals exam, you just need to understand how to set up the sqlhosts file and the concsm.cfg file to use SSO. This is explained in the Generic Security Services Communications Support Module (GSSCSM) topic under "Encryption Support in IDS."