Authentication mechanisms

You can configure the HCL OneDB™ server authentication mechanisms to meet varying requirements, such as different security methods required for local and remote connections, database access by users without operating system accounts on the server's host computer, and non-root installation.

Authentication is the mechanism of verifying the identity of a user or an application.

The simplest, default authentication method operates for a local connection by relying on OS user lookup. For this type of connection, a user ID and password pair are passed directly to the OS for verification that the user is legitimate. This method requires that users are granted connection privileges by the DBSA and have corresponding OS user accounts on the HCL OneDB host computer.

On UNIX™ and Linux™, the HCL OneDB installation can be configured to support other authentication mechanisms that maintain security while reducing the dependency on system administrator and root-level privileges.

Authentication layers

You can develop modules and configure a server to have a self-defined authentication mechanism for local and remote connections. An authentication-layer mechanism can operate without requiring changes to the application. The database server supports these authentication layers:

  • Pluggable Authentication Modules (PAM) for HCL® OneDB systems running on UNIX or Linux. The PAM framework provides a set of APIs for authentication, account, session, and password management.
  • Lightweight Directory Access Protocol (LDAP) Authentication Support for Windows™. Use the LDAP Authentication Support module when you want to use an LDAP server to authenticate users.

The HCL OneDB client can be a local or a remote user. For network-based business models, the database server uses the network authentication mechanism provided by the OS, but requires the DBSA to set up trusted-hosts information or trusted-user information. Trusted-hosts information is set in the hosts.equiv file or the file specified by the REMOTE_SERVER_CFG configuration parameter. Trusted-user information is set in each user's rhosts file or in the file specified by the REMOTE_USERS_CFG configuration parameter. You can modify lookup options in the sqlhosts file.
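
Because trusted-hosts and trusted-user files grant access without a password check, wildcard entries in them deserve review. The following Python check is an added example, not part of the HCL OneDB documentation; it assumes the file under review uses standard hosts.equiv syntax, and the function name and sample entries are constructed for illustration.

```python
# Added example: flag wildcard trust entries in a hosts.equiv-style file.
# Assumption: standard hosts.equiv/.rhosts syntax ("host [user]", "+" as a
# wildcard, leading "-" as a deny entry, "#" lines as comments).

# Constructed sample content, not taken from a real system.
SAMPLE = """\
# trusted hosts for the database server
dbhost1.example.com
appsrv.example.com onedbapp
+
+ batchuser
reports.example.com +
-legacy.example.com
+ +
"""


def audit_trust_entries(text):
    """Return (line_no, entry, finding) for every entry that uses a wildcard."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        fields = entry.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        # Deny entries remove trust, so they are not findings.
        if host.startswith("-") or (user is not None and user.startswith("-")):
            continue
        if host == "+" and user == "+":
            finding = "any user from any host is trusted"
        elif host == "+" and user is None:
            finding = "every host is trusted"
        elif host == "+":
            finding = f"user {user!r} is trusted from every host"
        elif user == "+":
            finding = f"every user on {host!r} is trusted"
        else:
            continue  # explicit host (and optional user): no wildcard
        findings.append((line_no, entry, finding))
    return findings


if __name__ == "__main__":
    for line_no, entry, finding in audit_trust_entries(SAMPLE):
        print(f"line {line_no}: {entry!r}: {finding}")
```

To audit a real file, pass its contents to audit_trust_entries() in place of SAMPLE.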

Users who connect to the database server without logging in to the host computer OS are internal users.