Stored passwords

If client users use the nzpassword command to store database user passwords on a client system, they can supply only a database user name and host on the command line. Users can also continue to enter a password on the command line if displaying clear-text passwords is not a concern for security.

If you supply a password on the command line, it takes precedence over the environment variable NZ_PASSWORD. If the environment variable is not set, the system checks the locally stored password file. If there is no password in this file and you are using the nzsql command, the system prompts you for a password; otherwise, the authentication request fails.

In all cases (using the -pw option on the command line, using the NZ_PASSWORD environment variable, or using the locally stored password that is stored through the nzpassword command), Netezza Performance Server compares the password against the entry in the system catalog for local authentication or against the LDAP or KERBEROS account definition. The authentication protocol is the same, and Netezza Performance Server never sends clear-text passwords over the network.
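The precedence rules above can be checked before a script is scheduled. The following Python sketch is an added example, not IBM or Netezza code: it classifies a client command line by the password source that would apply and flags clear-text exposure and prompts. The function names, the stored flag (the caller states whether a cached password exists), and the sample lines are constructed for illustration.

```python
import shlex

def credential_source(line, env=None, stored=False):
    """Return (password source, warnings) for one client command line."""
    env = dict(env or {})
    tokens = shlex.split(line)
    warnings = []
    # Leading NAME=value tokens are per-command environment assignments.
    while tokens and "=" in tokens[0] and tokens[0].partition("=")[0].isidentifier():
        name, _, value = tokens.pop(0).partition("=")
        env[name] = value
        if name == "NZ_PASSWORD" and value and not value.startswith("$"):
            warnings.append("literal NZ_PASSWORD in script text")
    if not tokens:
        return None, warnings
    command, args = tokens[0].rsplit("/", 1)[-1], tokens[1:]
    # 1. A password given with -pw takes precedence over everything else.
    if "-pw" in args:
        warnings.append("password visible on the command line")
        return "command-line", warnings
    # 2. NZ_PASSWORD, when it is set.
    if env.get("NZ_PASSWORD"):
        return "environment", warnings
    # 3. A password cached with nzpassword (caller says whether one exists).
    if stored:
        return "stored-file", warnings
    # 4. Only nzsql prompts; a prompt can make an unattended script hang.
    if command == "nzsql":
        warnings.append("interactive prompt: unattended run may hang")
        return "prompt", warnings
    return "fail", warnings

# Constructed sample lines (host, user and password are made up).
SAMPLE_SCRIPT = [
    "nzsql -host nzhost -u admin -pw 'S3cret!'",
    "NZ_PASSWORD='S3cret!' nzsql -host nzhost -u admin",
    "nzsql -host nzhost -u admin",
    "nzload -host nzhost -u admin",
]

def audit(lines, env=None, stored=False):
    """Classify every line of a script under the same environment."""
    return [credential_source(line, env, stored) for line in lines]

if __name__ == "__main__":
    for line, (source, warnings) in zip(SAMPLE_SCRIPT, audit(SAMPLE_SCRIPT)):
        print(f"{str(source):12} {'; '.join(warnings) or '-':45} {line}")
```

Run with stored=True to see how the same lines resolve once a password is cached with nzpassword: the last two lines then use the stored file instead of prompting or failing.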

In release 6.0.x, the encryption that is used for locally encrypted passwords changed. In previous releases, Netezza Performance Server used the Blowfish encryption routines; release 6.0 now uses the Advanced Encryption Standard (AES-256). When you cache a password by using a release 6.0 client, the password is saved in AES-256 format unless there is an existing password file in Blowfish format. In that case, new stored passwords are saved in Blowfish format.

If you upgrade to a release 6.0.x or later client, the client can support passwords in either the Blowfish format or the AES-256 format. If you want to convert your existing password file to the AES-256 encryption format, you can use the nzpassword resetkey command to update the file. If you want to convert your password file from the AES-256 format to the Blowfish format, use the nzpassword resetkey -none command.

Important: Older clients, such as those for release 5.0.x and those clients earlier than release 4.6.6, do not support AES-256 format passwords. If your password file is in AES-256 format, the older client commands prompt for a password, which can cause automated scripts to hang. Also, if you use an older client to add a cached password to or delete a cached password from an AES-256 format file, you can corrupt the AES-256 password file and lose the cached passwords. If you typically run multiple releases of Netezza Performance Server clients, use the Blowfish format for your cached passwords.