Updated: 8/30/18

Security features fall into three categories that are important to IoT. We need to concentrate on how each of these is important to IoT concerns.
1. Connection Security

HCL Informix server always requires that you have permission to connect to the database server. The first step in connecting to the server is to identify yourself by giving your username. The HCL Informix server must recognize you as a valid user or else the connection will fail. The recognition of your username also provides the server information on how to validate your access. Note that in some of the connection software (CSDK, JDBC, etc.) you don't always directly specify a username; in these cases, the username comes from the username of your process.

There are two basic ways that the HCL Informix server authenticates users:

A. You have access because you are on a trusted machine. There are several different ways to make a machine trusted:
Note that you can use the INFORMIXSQLHOSTS file to control this access. In the options column (column 4), you can specify an s=0,1,2,3 value:

s=0 do not use either hosts.equiv or .rhosts
s=1 use hosts.equiv but not .rhosts
s=2 use .rhosts but not hosts.equiv
s=3 (default) use both hosts.equiv and .rhosts

B. You must supply a password

The password you supply can be authenticated several different ways depending on whether you are a database user (a user created with the CREATE USER … statement) or an OS user. Note that if you are a database user and your name is the same as an OS user, the database user properties will apply to you.

- Authenticate as a database user by supplying the password that was included in the CREATE USER … statement (or ALTER USER … to change the password).
- Authenticate as an OS user by supplying the OS password for the user.
- Authenticate using PAM. This is the most flexible authentication method. To make the authentication exactly the same as login to the machine (i.e. expired passwords, locked accounts), use PAM with the 'login' service, i.e. s=4,pam_serv=login,pamauth=password.

Encrypted Communication

HCL Informix offers two ways to do this:
2. Data Security

HCL Informix Server provides two ways to encrypt data:

A. Encryption at Rest

Encryption at rest can only be enabled at server initialization. To use Encryption at Rest you must set the DISK_ENCRYPTION parameter in the ONCONFIG file. The value of this parameter must contain the name of the keystore and optionally which encryption method to use. HCL Informix server supports AES128 (default), AES192, and AES256, e.g.

    DISK_ENCRYPTION keystore=servername,cipher=aes128

B. Column Level Encryption (CLE)

CLE provides functions to encrypt and decrypt your data. There are two encrypt functions, ENCRYPT_AES and ENCRYPT_TDES. You can encrypt every entry in a table with the same password or use a different password for each row. Note that because each value is salted before it is encrypted, you cannot have an index on a CLE column.

For the CLE column, you need to determine how many characters wide the column needs to be. There is a formula included in the CLE description, but the easy way is to take an example of your longest data and use the length() function to tell you the answer, e.g.

    execute function length(encrypt_aes("This is my data", "p@ssw0rd"));

    (expression)
    43

So for this case you could use char(43) for your CLE column.

Also, the documentation for CLE says that it only works for character-type columns. While this is true, there are builtin casts for integer and float types to character, so the following works:

    Create table cletab(clecol char(43));
    Insert into cletab values(encrypt_aes(1234567890, "p@ssw0rd"));
    Select decrypt_char(clecol, "p@ssw0rd") from cletab;

Note that the returned result is a character string, not an integer. Please see the documentation on CLE for more details.

3. Transaction Security

A. Backup and Restore

HCL Informix provides two utilities for backing up and restoring database server data. Both utilities back up and restore storage spaces and logical logs.
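Before continuing with the backup utilities, here is an added example (written for this page, not code from the original post) that exercises the CLE points in section 2: the length() sizing check, why salting rules out an index on the column, and the two ways to supply the password to decrypt_char(). The table name cle_demo, its columns and the password are constructed for illustration.

```sql
-- Added example, not from the original post. Table, column and password
-- values are constructed for illustration.

-- 1. Size the column: the post's length() check gives the width needed
--    for the longest expected plaintext under the chosen password.
execute function length(encrypt_aes('This is my data', 'p@ssw0rd'));

-- 2. Create the table with that width (char(43) for the value above).
create table cle_demo (
    id     serial,
    secret char(43)
);

-- 3. Encrypt the same plaintext twice with the same password.
insert into cle_demo (secret) values (encrypt_aes('This is my data', 'p@ssw0rd'));
insert into cle_demo (secret) values (encrypt_aes('This is my data', 'p@ssw0rd'));

-- 4. The two stored ciphertexts differ because each value is salted,
--    so an index on secret could never match equal plaintexts.
select id, secret from cle_demo;

-- 5. Decrypt by passing the password to decrypt_char() ...
select id, decrypt_char(secret, 'p@ssw0rd') from cle_demo;

-- 6. ... or set it once per session so it does not appear in every statement.
set encryption password 'p@ssw0rd';
select id, decrypt_char(secret) from cle_demo;

-- 7. Searching must compare decrypted values, not ciphertext: a fresh
--    encrypt_aes() call in the WHERE clause produces a new salt and
--    would match nothing.
select id from cle_demo
 where decrypt_char(secret) = 'This is my data';
```

Because every row is decrypted for the comparison in step 7, such a predicate is a full scan; keep CLE for columns you look up by another, unencrypted key.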
However, they support different features and it is important to know the differences. ON-Bar backs up and restores storage spaces (dbspaces) and logical logs by using a storage manager, whereas ontape does not use a storage manager. A recovery system, which includes backup and restore systems, enables you to back up your database server data and later restore it if your current data becomes corrupted or inaccessible. Please see the Backup and Restore guide.

B. Auditing

Auditing creates a record of selected activities that users perform. An audit administrator who analyzes the audit trail can use these records for the following purposes:
Auditing is based on the notion of audit events and audit masks. Audit events represent activities that can be audited, e.g. Create Table (CRTB). An audit mask is one or more audit events that you wish to audit. An audit mask is assigned to a user (or group of users); the audit mask determines which audit events are audited for that user. In a normal running system, 95%+ of all audit events are the four events for a row, i.e. read row (RDRW), insert row (INRW), update row (UPRW) and delete row (DLRW). For these events you can choose which tables will or will not be included in the audit logs. This set of events is called ROW level auditing.

Auditing is controlled by the adtcfg file in the INFORMIXDIR/aaodir directory. After your server reads this file it will write a new file named adtcfg.nn, where nn is the DBSERVERNUM from the ONCONFIG file. This is so that if you have multiple HCL Informix servers using the same INFORMIXDIR, the adtcfg information is separate for each instance. You can edit this file before you start the server, or you can use the onaudit utility to configure and print the audit configuration. There are five entries in the adtcfg file:
onshowaudit -n nn is the utility to print the contents of the audit log files. Various options are available to format and limit the output. For example, if you were interested in the actions of a particular user, you could use 'onshowaudit -n nn -u username' to print only those entries. Note that whenever an audit log file fills up and a new one is created, a server alarm is generated. You can use the ALARMPROGRAM to immediately save or process audit log files if necessary. For more information on HCL Informix auditing see the HCL Informix Server Secure Auditing Facility.

Other Online HCL Informix Security Documentation:
- HCL Informix Server v12.10 documentation
- Security in HCL Informix documentation - Security
- HCL Informix + security white paper or book - Redbook
- Presentations on Slideshare

Comment below with any questions.

Dave Desautels
Senior Software Engineer
Connect with me on LinkedIn

Informix is a trademark of IBM Corporation in at least one jurisdiction and is used under license.
9 Comments
Fauziah
8/23/2017 06:47:15 pm
Thank you for sharing, Sam.
Reply
12/1/2017 05:40:53 am
Installing an access control system at your business premises has many advantages. This article discusses a few of those advantages.
Reply
3/26/2018 07:08:18 am
Thanks for the valuable information and insights you have provided here.
Reply
7/4/2018 02:36:20 am
Get panic door push bars installed to ensure your office is always prepared in case of a life-threatening emergency.
Reply
7/24/2018 07:55:30 am
There is a popular misconception about locksmiths. Many people think that if they lose their keys that Mobile Locksmiths can come to their location, look at the lock, make a mould somehow and then produce a new key.
Reply
9/8/2018 04:32:14 am
When you hire a security guard company, how often can you see whether the guard company is doing their job, which includes running background checks and drug screenings, providing good training for your guards, and effectively monitoring and supervising your security guards?
Reply
7/11/2019 10:15:41 pm
All workmanship and products are guaranteed and we pride ourselves on offering outstanding value for money.
Reply
4/4/2020 11:48:28 am
No doubt this is an excellent post; I got a lot of knowledge after reading it. Good luck. The theme of the blog is excellent; there is almost everything to read. Brilliant post.
Reply
8/6/2020 01:50:08 am
Thanks for such an informative article! No doubt security is very essential in this digital age.
Reply