Security Guide
Introduction to Ingres Security
Security Features
Level of Security
Ingres Security Mechanisms
Directory and File Permissions
User Authentication
Remote Users
Installation Passwords
The ingvalidpw Utility (UNIX)
DBMS Authentication
Authorization Identifiers
Subject Privileges
Object Permissions
Security Alarms
Security Auditing
Database Procedures
Data at Rest Encryption
Understanding Directory and File Permissions
Directory and File Permissions
File Permissions on Windows
File Permissions on UNIX
Security Features on UNIX
Ingvalidpw Program (Password Validation)
Create Password Validation Program (UNIX)
Ingvalidpam Program (Password Validation Through PAM)
Access Control with Setuid (UNIX)
Use Chmod to Set the Setuid Bit
Example: Refer to Setuid in an Embedded SQL Application
Authorizing User Access
Common Types of Ingres Users
Ingres Users and the DBA
How to Establish User Access
Users and Profiles
Working with User Objects
Create a New User with Accessdb
User Expiration Date
User Password
Authorize Multiple Users with SQLscript
Working with Profile Objects
Example of Using a Profile
Default Profile
Groups and Roles
Groups
Working with Group Objects
Example: Creating, Altering, and Dropping a Group using SQL Statements
Groups and Permissions
Roles
Working with Role Objects
Example: Creating, Altering, and Dropping a Role using SQL Statements
Roles and Permissions
Assigning Privileges and Granting Permissions
Subject Privileges
Auditor Privilege
Change_Password Privilege
Createdb Privilege
Ima_sec_read Privilege
Maintain_Audit Privilege
Maintain_Locations Privilege
Maintain_Users Privilege
Operator Privilege
Security Privilege
Trace Privilege
Sets of Privileges Associated with a Session
Object Permissions
Working with Grants
Object Ownership and Granting Object Permissions
The GRANT Statement
Database Grants
How Database Permissions for a Session are Determined
Database Grant Examples
Table and View Grants
Table Grant Examples
Procedure Grants
Database Event Grants
Role Grants
How Grants Restrict Data Access
Grant Overhead
Multiple Permission Checks
How Privileges for a Session Are Determined
Access to Tables, Views, or Procedures and the Authorization Hierarchy
Access to Databases and the Authorization Hierarchy
How Database Privileges for a Session Are Determined
Dbmsinfo--View Permissions for Current Session
Example: Return the Value of Query Row Limit for Current Session
Implementing Security Auditing
Security Alarms
Working with Security Alarm Objects
How to Implement a Security Alarm
Security Alarm Example
Security Auditing
Audit Focus
How to Enable Security Auditing
How to Verify Security Auditing Levels
Security Auditing Configuration Parameters
Security Audit Statements
Security Audit Levels for Users and Roles
Changes to Security Audit Status During a Session
Access to the Security Audit Log
Registering the Security Audit Log File
Querying the Registered Virtual Table
Obtain the Current Audit File Name
Controlling Access through Database Procedures
Database Procedures
Working with Procedure Objects
How to Implement a Database Procedure
Database Procedure Example
Access Control through Database Procedures
Implementing PAM in Ingres
What Is PAM?
The Ingvalidpam Program
Requirements for Using PAM
Build the Ingvalidpam Program
How to Implement Standard Linux or UNIX Security Using PAM
Ingres PAM Configuration File (For Linux or UNIX)
How to Implement LDAP Authentication Using PAM
LDAP Requirements
The ldap.conf File--Configure LDAP Daemon (slapd)
Browse slapd Database
The Ingres PAM Configuration File (for LDAP)
Active Directory Configuration
Browse Active Directory Database
How to Implement Kerberos Authentication Using PAM
Ingres Kerberos Driver versus Ingvalidpam
The krb5.conf File--Configure Kerberos
The Ingres PAM Configuration File (for Kerberos)
Netutil Entries for Ingvalidpam
Test Ingvalidpam
Using Data at Rest Encryption
What Is Data at Rest Encryption?
How Encryption Works
The Power of Encryption
Transparent vs. Function-based Encryption
Transparent Column Encryption (DBMS Server-level Encryption)
Access Enabled for New Tables
Create an Encrypted Table
Enable Access to Encrypted Data
Disable Access to Encrypted Data
Change the Passphrase
Function-based Encryption (Application-level Encryption)
Encryption Information Displayed with HELP TABLE
How to Compute the Width of Encrypted Data
Data at Rest Encryption Restrictions
Implications of Data Encryption for Database Design and Operations
Understanding Salt
Indexing Encrypted Columns
Encryption and Copydb/Unloaddb Considerations
Optimizedb Considerations for Data at Rest Encryption
Encrypted Data in Log Records and Auditdb Output
Encryption and Tables that Hold Audit Trails
Encryption and Partitioned Tables
Using Column Masking
Column Masking
Column Masking Example
Using Secure Communications Encryption with AES
AES Security Mechanism
Configure AES Encryption (Ingres Net and GCA Remote Access)
INGRES Mechanism Configuration for Encryption
AES Security Mechanism Configuration
Configure AES Encryption (JDBC and .NET)
A. Configuring Ingres to Use Kerberos
Kerberos
Kerberos Configuration in the Enterprise
Kerberos Configuration Files--Configure Kerberos for Ingres
The Ingres Service Principal--Authorize Client Connections
Prerequisite Kerberos Software on Windows
How to Configure Ingres to Use Kerberos
iisukerberos Command--Perform Basic Kerberos Configuration
Ingres Configuration Options for Kerberos
Basic Configuration for Kerberos
mechanisms Parameter--Specify Dynamic Mechanism
domain Parameter--Specify Domain Name
remote_mechanism Parameter--Configure Client in a Homogeneous Kerberos Environment
vnode Connection Attributes--Configure Client in a Heterogeneous Kerberos Environment
Encryption Parameters--Enable Kerberos Encryption
How Name Server Delegation Works
Set Delegation
Service Principal Host Name Resolution
VMS Considerations for Kerberos
Glossary
Security Guide
Glossary