Pluggable authentication modules (UNIX or Linux)

Pluggable Authentication Modules (PAM), originally developed by Sun Microsystems, is a well-defined framework for supporting different authentication modules. PAM is supported in both 32- and 64-bit modes on Solaris, Linux™, HP-UX and AIX®.

System administrators can use PAM to implement different authentication mechanisms for different applications. For example, the requirements of a system program like the UNIX™ login program might differ from those of an application that accesses sensitive information in a database. PAM allows for many such scenarios on a single computer because the authentication services are attached at the application level.

System administrators can use PAM to let an application select the authentication method it requires. You can stack many modules one after another so that the application must be authenticated in multiple ways before it grants access. PAM provides a set of APIs to support authentication, account management, session management, and password management.

The system administrator can enable or disable the use of PAM. By default, the database server uses the traditional HCL OneDB™ authentication mechanism (which is based on the BSD rhosts mechanism) to avoid forcing major changes on users.

To use PAM with HCL® OneDB:

  • Your HCL OneDB database server must be on an operating system platform that supports PAM.
  • If your client applications are written with Client SDK, the version of Client SDK must be sufficiently recent.
  • If your client applications use Distributed Relational Database Architecture™ (DRDA®) connections, you can configure password authentication but not challenge-response authentication.
  • You must have the appropriate PAM service configured in the operating system.
  • You must decide which PAM authentication method provides sufficient security: the client connection password, correct input to a challenge-response prompt (for example, a RADIUS authentication server), or a combination of both.
  • For Linux platforms, when you configure PAM to require both password and challenge-response authentication, the PAM service always ignores the password that is sent in the client connection request and prompts for the password a second time.
  • If you require that an application authenticate in challenge-response mode before connecting to the database server, then design the application to handle the challenge prompt.
  • You must ensure that Enterprise Replication and high availability clusters are not affected by PAM authentication.
  • You must modify the server entry in the sqlhosts file for both the client application and the database server (if they are on separate computers or in separate locations on a single computer).
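The last requirement above (the sqlhosts entry) and the DRDA restriction earlier in the list can be checked mechanically before a server is restarted. The script below is an added example, not part of the HCL OneDB product or its documentation; it assumes the Informix-style sqlhosts option syntax `s=4` (PAM enabled), `pam_serv=(name)` and `pamauth=(password|challenge)`, and that DRDA entries use a `dr`-prefixed nettype such as `drsoctcp`. The sample entries are constructed.

```python
import os
import re
from typing import Dict, List, Optional

# Constructed sample sqlhosts entries (not from any real system).
# Field order: dbservername  nettype  hostname  servicename  [options]
SAMPLE_SQLHOSTS = """\
ol_plain      onsoctcp  dbhost  9088
ol_pam_pw     onsoctcp  dbhost  9089  s=4,pam_serv=(pam_onedb),pamauth=(password)
ol_pam_chal   onsoctcp  dbhost  9090  s=4,pam_serv=(pam_radius),pamauth=(challenge)
dr_pam_chal   drsoctcp  dbhost  9091  s=4,pam_serv=(pam_radius),pamauth=(challenge)
ol_pam_nosvc  onsoctcp  dbhost  9092  s=4,pamauth=(password)
"""

# Option syntax assumed from Informix-style sqlhosts: key=value or key=(value),
# comma separated, e.g. s=4,pam_serv=(name),pamauth=(password|challenge).
OPT_RE = re.compile(r"(\w+)=\(?([^,()]*)\)?")


def parse_options(opts: str) -> Dict[str, str]:
    """Split the fifth sqlhosts field into a {key: value} map."""
    return dict(OPT_RE.findall(opts))


def audit_sqlhosts(text: str, pam_dir: Optional[str] = None) -> Dict[str, List[str]]:
    """Return {dbservername: [findings]} for each entry with PAM enabled (s=4)."""
    findings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        fields = line.split()
        if len(fields) < 4:
            continue
        name, nettype = fields[0], fields[1]
        opts = parse_options(fields[4]) if len(fields) > 4 else {}
        if opts.get("s") != "4":
            continue                           # PAM not enabled; nothing to audit
        issues: List[str] = []
        svc = opts.get("pam_serv")
        if not svc:
            issues.append("pam_serv missing: no PAM service name to look up")
        elif pam_dir and not os.path.exists(os.path.join(pam_dir, svc)):
            issues.append(f"PAM service file {svc!r} not found in {pam_dir}")  # e.g. /etc/pam.d
        mode = opts.get("pamauth")
        if mode not in (None, "password", "challenge"):
            issues.append(f"unknown pamauth value {mode!r}")
        # DRDA connections support password but not challenge-response authentication
        if nettype.startswith("dr") and mode == "challenge":
            issues.append("challenge-response is not available over DRDA; use pamauth=(password)")
        findings[name] = issues
    return findings
```

Pass `pam_dir="/etc/pam.d"` on the database server host to also confirm that each named PAM service file is present.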