Encrypted passwords

Database user accounts must be authenticated during access requests to the database. For user accounts that use local authentication, Netezza Performance Server stores the password in encrypted form in the system catalog.

Local authentication requires a password for every account. If you use LDAP authentication, a password is optional. During LDAP authentication, Netezza Performance Server uses the services of an LDAP server in your environment to validate and verify Netezza Performance Server database users.

  • When you are using the Netezza Performance Server CLI commands, the clear-text password must be entered on the command line. You can set the environment variable NZ_PASSWORD to avoid typing the password on the command line, but the variable is stored in clear text with the other environment variables.
  • To avoid displaying the password on the command line, in scripts, or in the environment variables, you can use the nzpassword command to create a locally stored encrypted password.

You cannot use stored passwords with ODBC or JDBC.

The nzpassword command syntax is:
nzpassword add -u user -pw password -host hostname
Where:
  • The user name is the Netezza Performance Server database user name in the Netezza Performance Server system catalog. If you do not specify the user name on the command line, the nzpassword command uses the environment variable NZ_USER.
  • The password is the Netezza Performance Server database user password in the Netezza Performance Server system catalog or the password that is specified in the environment variable NZ_PASSWORD. If you do not supply a password on the command line or in the environment variable, the system prompts you for a password.
  • The host name is the Netezza Performance Server host. If you do not specify the host name on the command line, the nzpassword command uses the environment variable NZ_HOST. You can create encrypted passwords for any number of user name/host pairs.

When you use the nzpassword add command to cache the password, quotation marks are not required around the user name or password values. Qualify the user name or password with a surrounding pair of single and double quotation marks (for example, '"Bob"') only if the value is case-sensitive. If you specify quoted or unquoted names or passwords in nzpassword or other nz commands, you must use the same quoting style in all cases.

If you qualify a user name that is not case-sensitive with quotation marks (for example '"netezza"'), the command might still complete successfully, but it might not work in all command cases.

After you type the nzpassword command, the system sends the encrypted password to the Netezza Performance Server host where it is compared against the user name/password in the system catalog.

  • If the information matches, Netezza Performance Server stores the encrypted information in a local password cache and displays no additional message.
    • On Linux® and Solaris, the password cache is the file .nzpassword in the user home directory. The system creates this file without access permissions for other users, and refuses to accept a password cache whose permissions allow other users access.
    • On Windows, the password cache is stored in the registry.
  • If the information does not match, Netezza Performance Server displays a message that indicates that the authentication request failed. Netezza Performance Server also logs all verification attempts.
  • If the database administrator changes a user password in the system catalog, the existing cached nzpassword entries become invalid.
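The following shell function is an added example, not part of the IBM documentation or the nz tools, that audits a Linux/Solaris password cache file using the same rule the page describes: the cache is acceptable only when no group or other permission bit is set. It assumes a POSIX shell and a POSIX `ls`, and takes the path of the cache file as its only argument.

```shell
# Added example (not IBM's code): check that an nzpassword cache file is
# accessible only by its owner, mirroring the rule stated in the page that
# a cache readable by other users is refused.
check_nzpassword_cache() {
    cache="$1"
    if [ ! -f "$cache" ]; then
        echo "no password cache at $cache" >&2
        return 2
    fi
    # Columns 5-10 of `ls -ld` output are the group and other permission bits
    # (rwxrwx); the cache passes only when all six are '-'.
    mode=$(ls -ld "$cache" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "REJECT: $cache is accessible by other users (group/other bits: $mode)" >&2
        return 1
    fi
    echo "OK: $cache is accessible only by its owner"
    return 0
}

# Typical use after caching a password (nzpassword itself is not run here;
# 'bob' and 'nzhost' are placeholder values):
#   nzpassword add -u bob -host nzhost      # prompts for the password
#   check_nzpassword_cache "$HOME/.nzpassword"
```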