Updating connections for crypto support

If you use the SP 800-131a cryptography support on your Netezza Performance Server system, check your connection definitions and make sure that they all use SHA256 authentication.

With this support enabled, the Netezza Performance Server system does not allow connections that use the MD5 or CRYPT authentication types. You must drop these non-compliant connections and redefine them to use SHA256 authentication.

Checking the connection types

Procedure

  1. Log in to the Netezza Performance Server system as the nz user.
  2. Connect to a database and run the SHOW CONNECTION command to review the current connection definitions.
    Sample command output follows:
    SYSTEM.ADMIN(ADMIN)=> SHOW CONNECTION;
     CONNID | CONNTYPE | CONNDB | CONNIPADDR |   CONNIPMASK    | CONNAUTH
    --------+----------+--------+------------+-----------------+----------
          1 | local    | all    |            |                 | trust
          2 | host     | all    | 0.0.0.0    | 0.0.0.0         | md5
          3 | host     | all    | 127.0.0.1  | 255.255.255.255 | sha256
    (3 rows)

    As shown in the sample output, connection 2 uses md5 connection authentication, which is not supported in an enhanced cryptography environment. You must change the connection to use SHA256 authentication.

  3. To change the authentication for connection 2, use the following command:
    SYSTEM.ADMIN(ADMIN)=> SET CONNECTION HOST DATABASE 'all' IPADDR '0.0.0.0' 
    IPMASK '0.0.0.0' AUTH 'SHA256';
    SET VARIABLE
  4. Repeat for each connection definition that uses md5 or crypt authentication.
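
The check in steps 2 to 4, as an added example (not IBM's code): it parses saved SHOW CONNECTION output and builds the SET CONNECTION statement from step 3 for every md5 or crypt row. The function names and the CONNID 4 row are assumptions made for illustration; rows that are not of type host, or whose address or mask does not parse, are listed for manual handling because this topic shows only the HOST form of the command.

```python
import ipaddress

# Constructed sample: the SHOW CONNECTION output from step 2, plus one
# made-up crypt row (CONNID 4) so both non-compliant types appear.
SAMPLE = """\
 CONNID | CONNTYPE | CONNDB | CONNIPADDR |   CONNIPMASK    | CONNAUTH
--------+----------+--------+------------+-----------------+----------
      1 | local    | all    |            |                 | trust
      2 | host     | all    | 0.0.0.0    | 0.0.0.0         | md5
      3 | host     | all    | 127.0.0.1  | 255.255.255.255 | sha256
      4 | host     | sales  | 192.0.2.0  | 255.255.255.0   | CRYPT
(4 rows)
"""
NON_COMPLIANT = {"md5", "crypt"}  # auth types this topic says are not allowed

def parse_connections(text):
    """Return one dict per data row, keyed by the lower-cased column names."""
    # Only the header and data rows contain "|"; the separator line uses "+".
    lines = [ln for ln in text.splitlines() if "|" in ln]
    if not lines:
        return []
    header = [c.strip().lower() for c in lines[0].split("|")]
    return [dict(zip(header, (c.strip() for c in ln.split("|")))) for ln in lines[1:]]

def remediation(rows):
    """Return (SET CONNECTION statements, CONNIDs that need manual handling)."""
    statements, manual = [], []
    for r in rows:
        if r["connauth"].lower() not in NON_COMPLIANT:
            continue
        try:
            if r["conntype"].lower() != "host":
                raise ValueError("only the HOST form appears in this topic")
            addr = ipaddress.IPv4Address(r["connipaddr"])  # rejects empty/garbled cells
            mask = ipaddress.IPv4Address(r["connipmask"])
        except ValueError:
            manual.append(r["connid"])
            continue
        db = r["conndb"].replace("'", "''")  # keep the quoted literal well-formed
        statements.append(f"SET CONNECTION HOST DATABASE '{db}' IPADDR '{addr}' "
                          f"IPMASK '{mask}' AUTH 'SHA256';")
    return statements, manual

if __name__ == "__main__":
    stmts, manual = remediation(parse_connections(SAMPLE))
    print(*stmts, f"manual review for CONNID: {manual}", sep="\n")
```

Review the generated statements before running them, then run SHOW CONNECTION again to confirm that no md5 or crypt rows remain.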

Results

After you update your connections, you can enable the crypto support with the nzconfigcrypto command and start the NPS software by using the nzstart command. If you have any md5 or crypt connections defined, the nzstart command fails. You must disable crypto support and use the procedure in this topic to update your connections, then re-enable crypto support, and restart the NPS software.