HCL Informix Security for IOT

                                                                                                            Updated: 8/30/18
​​
Security features fall into three categories that are important to IoT.

​We need to concentrate on how each of these is important to IoT concerns.

1. Connection Security. This includes User Authentication and Encrypted communication methods.
2. Data Security. Encryption at rest and other ways to encrypt data, e.g. CLE.
3. Transaction Security. Backup and Restore. Auditing to determine who did what and when.

1.   Connection Security
HCL Informix server always requires that you have permission to connect to the database server. The first step in connecting to the server is to identify yourself by giving your username. The HCL Informix server must recognize you as a valid user or else the connection will fail. The recognition of your username also provides the server information on how to validate your access.

Note that in some of the connection software, CSDK, JDBC, etc. that you don’t always directly specify a username. In these cases, the username comes from the username of your process.

There are two basic ways that the HCL Informix server authenticates users:

A.    You have access because you are on a trusted machine.
There are several different ways to make a machine trusted:

• The machine running the HCL Informix server is always a trusted machine.
• Machines listed in the /etc/hosts.equiv file are trusted. See #4 below.
• Machines listed in the ~/.rhosts file for a given user are trusted. See #5 below.
• In lieu of /etc/hosts.equiv file, you can specify a different file that the HCL Informix server will use by specifying that file name in the ONCONFIG file as the REMOTE_SERVER_CFG entry. Note that this file name must be relative to the INFORMIXDIR/etc directory. That insures that the file is created by user HCL informix. This method is preferred because it does not open up the system to other access that can be used by the /etc/hosts.equiv file – such as rlogin and it can be configured by the HCL Informix DBSA instead of the OS administrator.
• In lieu of ~/.rhosts file, you can specify a different file that the HCL Informix server will use by specifying that file name in the ONCONFIG file as the REMOTE_USERS_CFG entry. Note that this file name must be relative to the INFORMIXDIR/etc directory.

Note that you can use the INFORMIXSQLHOSTS file to control this access. In the options column (column 4), you can specify a s=0,1,2,3 value.
s=0           do not use either hosts.equiv or .rhosts.
s=1           use hosts.equiv but not .rhosts
s=2           use .rhosts but not hosts.equiv
s=3           (default) use both hosts.equiv and .rhosts
 
B.    You must supply a password
The password you supply can be authenticated several different ways depending on whether you are a database user (user created with CREATE USER … statement) or an OS user. Note that if you are a database user and your name is the same as an OS user, the database user properties will apply to you.

Authenticate as a database user by supplying the password that was included in the CREATE USER … statement or (ALTER USER … to change the password).

Authenticate as an OS user by supplying the OS password for the user.

Authenticate using PAM. This is the most flexible authentication method. To make the authentication exactly the same as login to the machine (i.e. expired passwords, locked accounts) use PAM with the ‘login’ service. i.e. use s=4,pam_serv=login,pamauth=password.

Encrypted Communication
HCL Informix offers two ways to do this:

1. CSM (Communication Service Modules)CSM is a method of encryption supplied by the HCL Informix server. To use CSM you must first create the concsm.cfg file in the INFORMIXDIR/etc directory. This file contains one line for each CSM method you create. For encrypted communication, you want to choose ENCCSM. In the options column in the sqlhosts file put, csm=ENCCSM, where ENCCSM is the name you chose in the concsm.cfg file. See the details online.
2. SSL/TLSIn order to use SSL/TLS, you need to create a keystore for both the client and the server and to put an SSL certificate into the keystore. HCL Informix server includes a tool, gsk8capicmd[_64], to create these key stores, to create self signed certificates, and to manage certificates in key stores. See the details online.

2.   Data Security
HCL Informix Server provides two ways to encrypt data:
A.    Encryption at Rest
Encryption at rest can only be enabled at server initialization. To use Encryption at Rest you must set the DISK_ENCRYPTION parameter in the ONCONFIG file.

The value of this parameter must contain the name of the keystore and optionally which encryption method to use. HCL Informix server supports AES128 (default), AES192, and AES256.

E.g. DISK_ENCRYPTION keystore=servername,cipher=aes128

B.    Column Level Encryption (CLE)
CLE provides functions to encrypt and decrypt your data. There are two encrypt functions, ENCRYPT_AES and ENCRYPT_TDES. You can encrypt every entry in a table with the same password or use a different password for each row. Note that because each value is ‘slated’ before it is encrypted, that you cannot have an index on a CLE column.

For the CLE column, you need to determine how many characters wide the column needs to be. There is a formula included in the CLE description but the easy way is to take an example of your longest data and use the length() function to tell you the answer, e.g.
execute function length(encrypt_aes("This is my data", "p@ssw0rd"));

(expression) 43

So for this case you could use char(43) for your CLE column.

Also, the documentation for CLE says that it only works for character-type columns. While this is true, there are builtin casts for integers and float types to character. So, the following works:

Create table cletab(clecol char(43));

Insert into cletab values(encrypt_aes(1234567890, “p@ssw0rd”));

Select decrypt_char(clecol) from cletab;

Note that the returned result is a character string, not an integer.

Please see the documentation on CLE for more details.

3.   Transaction Security
A.    Backup and Restore
HCL Informix provides two utilities for backing up and restoring database server data. Both utilities backup and restore storage spaces and logical logs. However, they support different features and it is important to know the differences.

ON-Bar backs up and restores storage spaces (dbspaces) and logical files, by using a storage manager, whereas ontape does not use a storage manager.

A recovery system, which includes backup and restore systems, enables you to back up your database server data and later restore it if your current data becomes corrupted or inaccessible. Please see the Backup and Restore guide.

B.    Auditing
Auditing creates a record of selected activities that users perform. An audit administrator who analyzes the audit trail can use these records for the following purposes:

• To detect unusual or suspicious user actions and identify the specific users who performed those actions
• To detect unauthorized access attempts
• To assess potential security damage
• To provide evidence in investigations, if necessary
• To provide a passive deterrent against unwanted activities, as long as users know that their actions might be audited

​Auditing is based on the notion of audit events and audit masks. Audit masks represent events that can be audited, e.g. Create Table (CRTB). Audit masks are one or more audit events that you wish to audit. An audit mask is assigned to a user (or group of users). The audit mask determines which audit events are audited for that user.

In a normal running system, 95%+ of all audit events are the four events for a row, i.e. read row (RDRW), insert row (INRW), update row (UPRW) and delete row (DLRW). For these events you can choose which tables will or will not be included in the audit logs. This set of events is called ROW level auditing.

Audit is controlled by the adtcfg file in the INFORMIXDIR/aaodir directory. After you server reads this file it will write a new file named adtcfg.nn, where nn is the DBSERVERNUM from the ONCONFIG file. This is so that if you have multiple HCL Informix servers using the same INFORMIXDIR that the adtcfg information is separate for each instance. You can edit this file before you start the server or you can use the onaudit utility to configure and print audit configuration.

There are five entries in the adtcfg file:

1. ADTMODE             Determines if audit is enabled. 0 = off.
2. ADTPATH               The directory where audit logs are written.
3. ADTSIZE               The size of an audit log file. A new file will be started when this size is reached.
4. ADTERR                  What to do if there is an error writing to an audit log file.
5. ADTROW                Whether ROW level auditing is selected by tables.

onaudit -c -n nn                Will print the current audit configuration for server number nn.

onshowaudit -n nn is the utility to print the contents of the audit log files. Various options are available to format and limit the output. For example, if you were interested in the actions of a particular user, you could use ‘onshowaudit -n nn -u username’ to print only those entries.

Note that whenever an audit log file fills up and a new one is created, a server alarm is generated. You can use the ALARMPROGRAM to immediately save or process audit log files if necessary.

For more information on HCL Informix auditing see the HCL Informix Server Secure Auditing Facility.

Other Online HCL Informix Security Documentation:
HCL Informix Server v12.10 documentation.
Security in HCL Informix documentation - Security
HCL Informix + security white paper or book - Redbook
Presentations on Slideshare.

Comment below with any questions.

Dave Desautels
Senior Software Engineer
Connect with me on LinkedIn

Informix is a trademark of IBM Corporation in at least one jurisdiction and is used under license.