HP Neoview User Management and Security Administration Guide HP Part Number: 613271-001 Published: July 2010 Edition: HP Neoview Release 2.
© Copyright 2010 Hewlett-Packard Development Company, L.P. Legal Notice Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license. The information contained herein is subject to change without notice.
Table of Contents
About This Document (page 11)
Intended Audience (page 11)
New and Changed Information in This Edition (page 11)
Document Organization ...
Restarting NDCS Services After Policy Changes (page 39)
Viewing and Updating the Password Encryption Policies (page 41)
Viewing Password Encryption Policy Settings (page 42)
INFO CERT POLICY Command ...
UniqueIdentifier (page 70)
UserIdentifier (Active Directory only) (page 72)
UserIdentifierFormat (page 73)
UserIdentifierMapping (Active Directory only) ...
Revoking a Role from a User (page 101)
Changing a User's Default Role (or Your Own Default Role) (page 102)
Listing a User's Roles (page 102)
Listing Your Own Roles ...
SETDEFAULT ROLE Command (database users) (page 119)
Syntax (page 119)
Parameters (page 120)
Error Conditions ...
Example Queries (page 143)
A Secure Login and Role Selection for Neoview Users (page 145)
Overview (page 145)
Secure Login and Multiple-Role Support in Neoview Clients ...
List of Figures
1-1 Neoview on the Corporate Network (page 17)
3-1 Tree-structured Directory (page 63)
3-2 Directory Partitioned by Region (page 64)
4-1 Use of UniqueIdentifier and Associated Parameters ...
4-2 ...

List of Tables
1-1 Predefined Users and Roles (page 21)
1-2 Security Administration Task Map ...
About This Document This guide describes Security features of the Neoview platform, including user and role management for database and platform users, support for integration with Lightweight Directory Access Protocol (LDAP) directory servers, password encryption, and database security. Intended Audience This guide is intended for security administrators and others who will define users and roles, manage certificates, and configure the Neoview platform to interact with external directory (LDAP) servers.
Italic Letters Italic letters, regardless of font, indicate variable items that you supply. Items not enclosed in brackets are required. For example: file-name Computer Type Computer type letters within text indicate case-sensitive keywords and reserved words. Type these items exactly as shown. Items not enclosed in brackets are required. For example: myfile.sh Bold Text Bold text in an example indicates user input typed at the terminal. For example: ENTER RUN CODE ?123 CODE RECEIVED: 123.
ATTRIBUTE[S] attribute [, attribute]... {, sql-expression}... An ellipsis immediately following a single syntax item indicates that you can repeat that syntax item any number of times. For example: expression-n… Punctuation Parentheses, commas, semicolons, and other symbols not previously described must be typed as shown. For example: DAY (datetime-expression) @script-file Quotation marks around a symbol such as a bracket or brace indicate the symbol is a required character that you must type as shown.
Neoview Customer Library The manuals in the Neoview customer library are listed here for your convenience. • Administration Neoview User Management and Security Administration Guide Information about security features on the Neoview platform, including user and role management for database and platform users, support for integration with Lightweight Directory Access Protocol (LDAP) directory servers, password encryption, and database security.
• Connectivity Neoview JDBC Type 4 Driver API Reference information about the HP Neoview JDBC Type 4 Driver API. Reference Neoview JDBC Type 4 Driver Programmer’s Reference Information about using the HP Neoview JDBC Type 4 driver, which provides Java applications on client workstations access to a Neoview database. Neoview ODBC Drivers Manual Information about using HP Neoview ODBC drivers on a client workstation to access a Neoview database. • Neoview ADO.
1 Introduction to Security on the Neoview Platform Authentication and Authorization on the Neoview Platform A user logs on to the Neoview platform using a convenient name, such as jsmith or agent123, and a password. This combination of name and password is used to authenticate the user—to verify that the user is known on the Neoview platform and is, by virtue of having supplied the correct password, who he or she claims to be.
occurs on the Neoview platform, allowing them to take action even if an external directory server is unavailable. Different users on the platform can have different access privileges, but on the Neoview platform privileges are not defined as attributes of the user. Rather, each user is associated with a Neoview role (such as ROLE.MGR or ROLE.DBA), which has privileges defined for it.
platform can be customized to accommodate different directory schemas, routing methods, and other features that can vary among directory implementations. For more information about LDAP integration on Neoview, including a list of tasks the Security Administrator needs to perform using HPDM or NCI, see “LDAP Integration Overview” (page 63). Special Roles for HP Support and System Software One design objective of the Neoview platform is to restrict HP Support from viewing customer data.
A database role has a fully qualified name of the form ROLE.role. Some database roles are predefined, but a user who has the role ROLE.MGR can define additional roles, as discussed in “Roles and Role Assignment” (page 22). Platform User Names and Roles Certain users log on with personal names associated with special platform roles, similar to database roles in that they have associated access privileges.
Table 1-1 Predefined Users and Roles

Role: ROLE.MGR (and predefined user name "USERMGR")
Function: Users in this role can:
• Create new roles
• Define locally authenticated database users and register remotely authenticated database users, except users having the ROLE.SECMGR role
NOTE: Names and passwords of remotely authenticated database users are defined and managed on the external directory server.

Role: ROLE.DBA
Function: This role belongs to the database administrator and authorization manager, who:
• Grants and revokes database access privileges to users (by associating those privileges with roles)
• Creates new objects in schemas owned by users who have the role ROLE.DBA
• Owns the schema called DB, which is used to create database tables for end users
Any user with ROLE.MGR privileges can define additional roles, up to a maximum of 255 roles. A natural scheme for defining roles is to align them with groups in your LDAP directory. For more information about LDAP groups, see “LDAP Integration Overview” (page 63). The same user can have multiple roles, of which one is the primary (or default) role. When the user logs on to Neoview, he or she optionally specifies the role that will apply to the session.
when you log on.) The security framework lets you substitute a CA certificate, as described in “Obtaining and Installing Certificates” (page 56). You also control security policies governing automatic download and behavior in the event of an expired certificate. Because the same workstation can connect to multiple Neoview platforms, it is possible for multiple certificates to be stored on the same workstation.
• that the password has not expired. If the password has expired, a user can still change his or her own password if a grace period is configured and in effect, as described in “Viewing and Updating the Password Quality and Control Policies” (page 44). The user can also change his or her own password at login in either NCI or HPDM if the password has expired or is about to expire.
An authorization manager (that is, a person with the role ROLE.
NOTE: Login requests from the Neoview platform-level command interpreter (TACL) are not encrypted at present. TACL access is almost always restricted to the system console, which is usually on a private network, so the risk of password exposure is limited. In addition, the accounts used by HP personnel to log on to TACL do not permit access to customer data.
NOTE: A policy requiring two passwords has important implications for the maximum length of passwords: — For a locally authenticated database user or platform user needing to present a role password, the maximum total length of the individual and role passwords together is 53 bytes, including the slash, in the case of 1024-bit encryption and 129 bytes, including the slash, in the case of 2048-bit encryption.
password, and the third is the brace that the ODBC driver will interpret as a delimiter and strip off.

If you want the password to be | Use this value in the connection string
{4mica1]} | “PWD={{4mica1]}}};”
fOrB3}4& | “PWD={fOrB3}}4&};”

LDAP Search User Password
The Neoview LDAP daemon uses an additional password, called the LDAP search user password, in communication with an LDAP server.
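The following is an added example, not code from the HP Neoview manual or its drivers. It shows the two client-side rules from the NOTE and the table above: building the "password/role-password" value a two-password policy requires and checking it against the documented byte limits (53 bytes for 1024-bit encryption, 129 bytes for 2048-bit, slash included), and the ODBC brace-quoting rule, both as the escaper a client applies and as the parser a driver applies so that a password containing `}` survives. The function names are mine; the sample passwords are the two from the table.

```python
# Added example; this is not code from the HP Neoview manual or its drivers.
# (1) Build the "password/role-password" login value and enforce the byte
#     limits quoted in the NOTE (53 for 1024-bit, 129 for 2048-bit, slash included).
# (2) Apply and undo the ODBC brace-quoting rule from the table: wrap the value
#     in braces and double every '}' inside it; the leading '{' of a password
#     is not doubled.
# Function names are mine; sample passwords are the manual's table entries.

MAX_COMBINED_BYTES = {1024: 53, 2048: 129}  # from the NOTE on two-password policies


def combined_login_password(user_pwd: str, role_pwd: str, keysize: int) -> str:
    """Return 'user/role' for the login prompt, enforcing the limit for keysize."""
    if keysize not in MAX_COMBINED_BYTES:
        raise ValueError(f"unsupported key size {keysize}")
    combined = f"{user_pwd}/{role_pwd}"
    size = len(combined.encode("utf-8"))
    limit = MAX_COMBINED_BYTES[keysize]
    if size > limit:
        raise ValueError(
            f"combined password is {size} bytes; limit for {keysize}-bit encryption is {limit}"
        )
    return combined


def odbc_quote(value: str) -> str:
    """Quote a connection-string value: wrap in braces and double every '}'."""
    return "{" + value.replace("}", "}}") + "}"


def parse_connection_string(conn: str) -> dict:
    """Parse 'KEY=value;...' where a value may be brace-quoted. Inside braces a
    doubled '}}' is a literal '}' and a single '}' ends the value, which is
    what lets fOrB3}4& be carried as a password."""
    fields = {}
    i, n = 0, len(conn)
    while i < n:
        eq = conn.find("=", i)
        if eq < 0:
            break
        key = conn[i:eq].strip().upper()
        i = eq + 1
        if i < n and conn[i] == "{":
            i += 1
            chars = []
            while True:
                if i >= n:
                    raise ValueError(f"unterminated brace-quoted value for {key}")
                ch = conn[i]
                if ch == "}":
                    if conn.startswith("}}", i):
                        chars.append("}")
                        i += 2
                        continue
                    i += 1
                    break
                chars.append(ch)
                i += 1
            value = "".join(chars)
            semi = conn.find(";", i)
            i = n if semi < 0 else semi + 1
        else:
            semi = conn.find(";", i)
            value = conn[i:] if semi < 0 else conn[i:semi]
            i = n if semi < 0 else semi + 1
        fields[key] = value
    return fields


if __name__ == "__main__":
    for pwd in ("{4mica1]}", "fOrB3}4&"):
        quoted = f"PWD={odbc_quote(pwd)};"
        assert parse_connection_string(quoted)["PWD"] == pwd
        print(pwd, "->", quoted)
    print(combined_login_password("fOrB3}4&", "r0le-pw", 2048))
```

The parser is the half a practitioner usually gets wrong: a single `}` closes the value, so a password that is quoted without doubling its inner braces is silently truncated at the first `}` and the login fails with the wrong password rather than a syntax error.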
Security Mode To perform security-administration functions such as managing certificates or configuring the interface to an LDAP server, you use either the HP Database Manager (HPDM) or the Neoview Command Interface (NCI). If you use NCI, you must be in security mode. To run a single command in security mode, precede it with .SEC, as in the syntax descriptions given throughout this manual.
Table 1-2 Security Administration Task Map (continued)
Task sets covered: LDAP server integration; Managing database users and roles; Managing platform users

Task and Link to Description | Responsible Role(s) or User(s)
“Creating New Platform and Power Users” (page 36) | ROLE.MGR or ROLE.SECMGR (depending on the user or role)
“Managing Security Policies” (page 39) | ROLE.SECMGR
“Obtaining and Installing Certificates” (page 56) | ROLE.
“Changing Your Own Password” (page 107) | Any platform user (unless the password has expired)
Monitoring user management actions: Querying “User Management Views” (page 120) | ROLE.MGR, ROLE.SECMGR (individual users have limited access)
Managing access to database objects: “Grant/Revoke Access to Database Objects” (page 131) | ROLE.
2 Post-installation Security Setup Tasks The Neoview platform installation procedure installs and initializes the server-side processes and stored procedures required for LDAP integration, user and role management, and password handling. In addition, HP Support runs utilities that perform migration from an earlier release of Neoview to a release that potentially supports LDAP integration.
Obtaining and Installing Client Software
Install or upgrade the following clients on workstations used for secure access to the Neoview platform:

Client Product Name | Notes
HP Neoview ODBC Driver for Windows or HP Neoview ODBC Driver for UNIX | Required if users will run applications that depend on ODBC APIs. Password encryption features are available on the following platforms, provided that you run a Release 2.
Download Neoview client software from the Software Depot website at www.software.hp.com to take advantage of features such as password encryption and role selection at login. Neoview 2.3 and 2.4 clients and drivers will work with Neoview Release 2.5 (if you set the security policy accordingly) but will not provide password security between the client and the server. Conversely, if you use a Release 2.5 client and driver and connect to a Neoview platform running Release 2.3 or 2.
Each of the predefined users and roles has an initial password; the ones you can change are listed in Table 2-1. The table also indicates whether you need to know the current password in order to change it. Passwords assigned to the platform roles SUPER.SERVICES, HP.SDI, and HP.VTS can be modified only by HP Support. Passwords assigned to predefined roles not listed here cannot be modified.
Note that you can define ROLE.SECMGR, ROLE.MGR, and ROLE.DBA users as either locally authenticated or remotely authenticated database users, as described in “User and Role Management” (page 95). A remotely authenticated user in any of these roles has most of the same capabilities as the corresponding locally authenticated user but can log on to the Neoview platform only when a remote LDAP server is available. Thus it is usual to create at least some such users as locally authenticated—especially ROLE.
password and keep it under break-glass control for emergency use in troubleshooting LDAP server configuration problems. If you create additional users with the role ROLE.SECMGR, you need not apply such stringent restrictions to those users. Because only a user in the role ROLE.SECMGR can assign this role to database users, the initial assignment of this role to another user must be performed by a person logged on as SECURITYMGR. When setting the password for the ROLE.
making it quickly evident to users and administrative personnel why a given user is unable to log on or to change his or her own password. It may be that corporate policy prohibits user names that in any way indicate the user's privileges or status, and an LDAP server environment, if configured, might impose its own conventions.
Changes in any of these policy attributes require you to restart NDCS services:
• Allow Down-rev Drivers to Connect
• Log Successful Database Logins
• Log Failed Database Logins
• Abort Database Login if Logging Fails
• Role password Required at Login-Database Users
• Role password Required at Login-Platform Users
NOTE: Although in almost every case, you change a policy by specifying it explicitly in a dialog or on a command line, HPDM also includes radio buttons labeled Load Default and Load Most Secure, w
NOTE: No Neoview client, other than HPDM, emits a message telling users to disconnect and reconnect after a policy change. HP recommends a practice like the following in connection with policy changes that require users to disconnect and reconnect: • Before changing the policy, the Security Administrator notifies all users that a policy change is scheduled for a certain time or is about to occur, and that they must disconnect from the Neoview platform before the change.
Table 2-2 Neoview Password Encryption Policies (continued)
Display Name (NCI): AllowPreR25Drivers
Input Parameter Name (NCI): drevdrivers
Policy Name (HPDM): Allow Down-rev Drivers to Connect
Initial Value: Y
Comment: Specifies whether login requests are accepted from clients that do not provide password encryption. While this is Y, passwords sent by pre-Release 2.5 clients cross the network without the password encryption described in this chapter; set it to N once all clients have been upgraded (see “Obtaining and Installing Client Software”), and restart NDCS services for the change to take effect.
INFO CERT POLICY Command
This command lets you view the current password encryption policy settings. Only a user who has the ROLE.SECMGR role may enter this command.
Syntax
[.SEC] INFO {CERT | CERTIFICATE} POLICY SYSTEM_NAME
Parameters
• SYSTEM_NAME is required and identifies the Neoview platform whose policy you wish to display. The name consists of the first five characters of the platform name, for example SEC01.
corresponding value, the command prompts you for the value and echoes your input to the screen. If you specify a parameter and value more than once, an error is reported.
• SYSTEM_NAME is required and identifies the Neoview platform whose policy you wish to modify. The name consists of the first five characters of the platform name, for example SEC01.
• AUTO-DOWNLOAD specifies whether the certificate is automatically downloaded if not already present when a client connects.
Table 2-3 Password Quality and Control Policies (continued)
Display Name (NCI) | Input Parameter Name (NCI) | Policy Name (HPDM) | Initial Value | Range | Comment
PwdQualReqDigit | digitreq | Numeric Character Required | N | Y or N | Specifies whether the password is required to contain at least one numeric character
PwdQualReqSpecChar | splcharreq | Special Character Required | N | Y or N | Specifies whether the password is required to contain at least one nonalphanumeric character
PwdCtrlGracePeriod | gperiod | Grace per...
PwdDefaultExprDate | expdate | Expiry Date | None | April 24, 2007 to Dec 31, 2999 | Default password expiration date, if no other date is specified when the user is created.
PwdDefaultExprDays | expdays | Expires Every...Days | 0 | 0 to 365 | Default number of days before a password expires after being reset, if no other number of days is specified when the user is created.
Table 2-4 User Management and Authentication Logging Policies
Display Name (NCI) | Parameter Name (NCI) | Policy Name (HPDM) | Initial Value | Range | Comment
LogUserMgmt | usermgt | Log User Management Operations | N | Y or N | Specifies whether to log user management actions, such as adding or deleting a user or changing attributes of a user's account. Because the initial value is N, no record of user or role changes exists until the Security Manager enables this policy.
For additional information about using the HPDM Policies dialog to view policy settings, see the HPDM Online Help. For the syntax of the INFO POLICY command, see “INFO POLICY Command” (page 50).
Changing User Management and Authentication Logging Policy Settings
The Security Manager can use the Password tab of the HPDM Policies dialog to modify any of the current user management and authentication logging policy settings.
Table 2-5 Power Role Management Policies
Display Name (NCI) | Parameter Name (NCI) | Policy Name (HPDM) | Initial Value | Range | Comment
PwdReqForPowerRoleReset | prreset | Change Password for Power Role Requires Old Password | N | Y or N | Specifies whether the Security Manager must supply the current password for ROLE.SECMGR, ROLE.MGR, or ROLE.DBA in order to change the role password.
NOTE: A user in the role ROLE.SECMGR can enable this option, but only a user in the role SUPER.SUPER can disable it.
For additional information about using the HPDM Policies dialog to view policy settings, see the HPDM Online Help. For the syntax of the INFO POLICY command, see “INFO POLICY Command” (page 50).
Changing Power Role Management Policy Settings
The Security Manager can use the Password tab of the HPDM Policies dialog to modify any of the current power role management policy settings.
RolePwdForDB: false
Password Quality Options:
PwdQualMinLen: 8
PwdQualReqCriteria: 0
PwdQualReqSpecChar: false
PwdQualReqUpper: false
PwdQualReqLower: false
PwdQualReqDigit: false
PwdReqForPowerRoleReset: false
PwdReqForSuperReset: false
PwdQualNoUserName: false
PwdQualNoRepeatChars: false
Password Control Options:
PwdCtrlGracePeriod: 7
PwdCtrlDefaultExprDate:
PwdCtrlDefaultExprDays: 0
PwdHistory: 10
PwdCanChangeWithin: 0
PwdAuthFailsBeforeDelay: 30
PwdAuthFailDelayInSecs: 1
Compatibility Options:
R2_93_Com
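The following is an added example, not code from the HP Neoview manual. It parses the "Name: value" lines of INFO POLICY output as shown above into a policy dictionary, checks a candidate password against the Password Quality Options listed in Table 2-3, and classifies a password as valid, inside its grace period (still changeable by the user at login), or expired (only an administrator can reset it) using the Password Control Options. The sample output and passwords are constructed. Where this section does not describe an option's exact semantics, the code states its assumption: PwdQualNoUserName is treated as "the login name must not appear in the password", PwdQualNoRepeatChars as "no two identical adjacent characters", PwdCtrlDefaultExprDays of 0 as "never expires", and PwdQualReqCriteria is not evaluated.

```python
# Added example; not code from the HP Neoview manual.
# Parses INFO POLICY output ("Name: value" lines, as shown in this section),
# checks a password against the Password Quality Options of Table 2-3, and
# derives the expired / grace-period state from the Password Control Options.
# Assumptions not stated in the manual are marked in comments; the sample
# INFO POLICY output below is constructed.
from datetime import date, timedelta

SAMPLE_INFO_POLICY = """\
Password Quality Options:
PwdQualMinLen: 8
PwdQualReqCriteria: 0
PwdQualReqSpecChar: true
PwdQualReqUpper: true
PwdQualReqLower: true
PwdQualReqDigit: true
PwdQualNoUserName: true
PwdQualNoRepeatChars: false
Password Control Options:
PwdCtrlGracePeriod: 7
PwdCtrlDefaultExprDate:
PwdCtrlDefaultExprDays: 90
PwdHistory: 10
"""


def parse_info_policy(text: str) -> dict:
    """Convert 'Name: value' lines to a dict: true/false -> bool, digits -> int,
    an empty value -> None. Section headings contain spaces and are skipped."""
    policy = {}
    for line in text.splitlines():
        name, sep, raw = line.partition(":")
        name, raw = name.strip(), raw.strip()
        if not sep or not name or " " in name:
            continue
        if raw == "":
            policy[name] = None
        elif raw.lower() in ("true", "false"):
            policy[name] = raw.lower() == "true"
        elif raw.lstrip("-").isdigit():
            policy[name] = int(raw)
        else:
            policy[name] = raw
    return policy


def check_password_quality(policy: dict, password: str, user_name: str) -> list:
    """Return the names of the violated quality options (empty list = acceptable)."""
    failures = []
    if len(password) < (policy.get("PwdQualMinLen") or 0):
        failures.append("PwdQualMinLen")
    checks = [
        ("PwdQualReqUpper", any(c.isupper() for c in password)),
        ("PwdQualReqLower", any(c.islower() for c in password)),
        ("PwdQualReqDigit", any(c.isdigit() for c in password)),
        ("PwdQualReqSpecChar", any(not c.isalnum() for c in password)),
        # assumption: "no user name" = login name must not appear in the password
        ("PwdQualNoUserName", user_name.lower() not in password.lower()),
        # assumption: "no repeat chars" = no identical adjacent characters
        ("PwdQualNoRepeatChars", all(a != b for a, b in zip(password, password[1:]))),
    ]
    for name, satisfied in checks:
        if policy.get(name) and not satisfied:
            failures.append(name)
    return failures


def password_state(policy: dict, last_reset: str, today: str) -> str:
    """'valid': not yet expired; 'grace': expired but inside PwdCtrlGracePeriod,
    so the user can still change it at login; 'expired': past the grace period,
    so only an administrator can reset it. Dates are ISO strings (YYYY-MM-DD)."""
    expdays = policy.get("PwdCtrlDefaultExprDays") or 0
    if expdays == 0:  # assumption: 0 = the password does not expire
        return "valid"
    expiry = date.fromisoformat(last_reset) + timedelta(days=expdays)
    now = date.fromisoformat(today)
    if now <= expiry:
        return "valid"
    grace_end = expiry + timedelta(days=policy.get("PwdCtrlGracePeriod") or 0)
    return "grace" if now <= grace_end else "expired"


if __name__ == "__main__":
    policy = parse_info_policy(SAMPLE_INFO_POLICY)
    for candidate in ("Tr0ub4dor&3", "jsmith123"):
        print(candidate, check_password_quality(policy, candidate, "jsmith"))
    for day in ("2010-03-15", "2010-04-05", "2010-04-09"):
        print(day, password_state(policy, "2010-01-01", day))
```

Run against a real INFO POLICY listing, the parser gives an administrator a quick way to pre-check that a planned ALTER POLICY change (for example raising PwdQualMinLen) will not lock out existing users whose passwords were set under a weaker policy.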
indicates the correlation between the input keywords and the display names in INFO POLICY output. For information about the semantics and ranges of these attributes, see “Password Quality and Control Policies” (page 44). NOTE: In this form of the ALTER POLICY command, you must include all the attributes listed here. To alter a single attribute, use the ALTER POLICY policyattribute form of the command.
Display Name in INFO POLICY Display | Keyword Required Here
IsPwdChangeLoggingRequired | pwdchangereq
LogPFLogonFailure | pflogonfail
LogDBLogonFailure | dblogonfail
LogPFLogonSuccess | pflogonok
LogDBLogonSuccess | dblogonok
IsDBLogonLoggingRequired | dblogonlogreq
LogFileAgingInDays | agingindays

resetattributes are as follows:
Display Name in INFO POLICY Display | Keyword Required Here
PwdReqForPowerRoleReset | prreset
PwdReqForSuperReset | sreset

policyattribute is a single attribute-value pair corr
NOTE: In earlier Neoview releases, the Windows driver displayed a prompt to change the password at login time when the password has expired but is within a configured grace period. That prompt is no longer supported; however, both HPDM and NCI provide such prompts and allow a platform user or locally authenticated database user to change the password at login provided that a grace period is configured and has not itself expired.
Table 2-6 User Authentication Error and Warning Messages (continued)
Error or Warning Code | Error Text | Description and Recovery
-8837 | [ERROR 8837] CLI authentication : user : username : password has expired | Your password has expired. See the administrator. If you are a platform user or a locally authenticated database user whose password has expired, you can no longer change your own password, but a ROLE.SECMGR or ROLE.
-8837 | [ERROR 8837] CLI authentication : user : username : need to change password on initial logon or after reset | The password policy on the remote directory server requires you to change your password upon your first logon or after having it reset, and you did not do so. This message applies only to remotely authenticated database users.
CREATE CERTIFICATE Command This command creates and installs a new self-signed certificate for a Neoview platform and downloads the certificate to the workstation from which this command was run. Only a user who has the ROLE.SECMGR role may enter this command. Once you have created and installed a new certificate on the Neoview platform, subsequent requests from clients will be handled as follows: • If auto-download is in effect, the new certificate is downloaded to the workstation.
1. Use the NCI create csr command or the Generate CSR tab on the HPDM CA Certificate screen to create a Certificate Signing Request (CSR).
Table 2-8 CSR Creation Attributes
2.
4. 5. 6. Obtain the certificate of the CA that signed the certificate. This is sometimes called the intermediate certificate and is the one downloaded to each workstation for use in encrypting the password. In most cases, you can get the intermediate certificate from the CA, but if not, you can obtain it from your browser. The precise means of doing so varies with the browser and browser version, but be sure to export the intermediate certificate in Base-64 encoded X.509 (.CER) format.
• example grc101. If the external network name is different from the internal name, use the internal name.
• CSR is the local file to which the certificate signing request will be downloaded on the workstation where this command was run. This attribute is required.
• SUBJECT is required and is a valid certificate subject text string, enclosed in quotation marks.
• KEYSIZE is 1024 for 1024-bit encryption and 2048 for 2048-bit encryption. The default value is 2048. The key size also bounds the maximum length of the encrypted login password (see the NOTE on policies requiring two passwords), so keep the default unless you have a specific reason to use 1024.
Neoview platform and later downloaded to each workstation if automatic download is in effect. This parameter is required.
The command fails and an error is returned if:
• You are not logged on as ROLE.SECMGR.
• You omit the SYSTEM_NAME or are not connected to a Neoview platform having the specified name.
• You specify an invalid value for an attribute.
• The file at the specified location is not a certificate.
3 LDAP Integration Overview This chapter presents a few very basic directory-service concepts, introduces the tasks required to integrate the Neoview platform with an external directory, and characterizes Neoview platform support for integration with openLDAP and Microsoft Active Directory. LDAP Conceptual Overview An electronic directory-service is a database normally used to hold identifying information about the employees and resources of a corporation.
people or resources will come from the region or organization to which the person or resource belongs. Figure 3-2 Directory Partitioned by Region Because directories have high-read, low-update usage profiles, it is common for directory data to be replicated across all servers; an update made in any server is propagated to the others. In cases where all directory data is not replicated, it may be necessary to look up a person or resource in some other part of the directory.
3. For each LDAP server with which the Neoview platform will communicate directly, configure the server on the Neoview platform, as described in “LDAP Server Configuration on Neoview” (page 67).
4. Add Neoview users to the external LDAP directory, as described in the documentation for your directory server or client.
5. Register users on the Neoview platform, as described in “User and Role Management” (page 95).
4 LDAP Server Configuration on Neoview You can configure the Neoview security infrastructure to communicate with any number of external LDAP servers. HPDM is the preferred interface for configuring the servers because the interface does not allow you to make certain kinds of possible errors. However, you can also use NCI commands. To enable the Neoview platform to communicate with an LDAP server, you must: 1.
NOTE: Entries you make in the HPDM Common Parameters box overwrite any corresponding values in the default configuration entry. For example, if you define three servers of the openLDAP type and make some changes in the Common Parameters when you define the third server, those values will be used by default for any additional servers you define and will also retroactively affect the configurations already defined.
Configuration Parameters The following parameters can be specified in the configuration description file or in HPDM dialogs for server configuration. Parameters listed as applicable to openLDAP should also apply to other standard LDAP servers. However, LDAP server implementations sometimes vary. Parameters listed as applicable to Active Directory are valid for either a Global Catalog or a Domain Controller.
Use this parameter | For this purpose | Directory Server Type | Comments
DomainAttribute | Specify the attribute whose value includes the name of the user's domain | Active Directory | Valid only as a common parameter in HPDM; valid only in the configuration description file for the default configuration in NCI
DomainAttributeFormat | Specify where the domain name occurs within the value of DomainAttribute | Active Directory | Valid only as a common parameter in HPDM; valid only in the configuration description fi
To account for the multiple forms of DN supported by a given LDAP server, specify the UniqueIdentifier parameter multiple times with different values, as in the following example:
UniqueIdentifier uid,ou=People
UniqueIdentifier cn,ou=Applications
Authentication is most efficient when there is a single UniqueIdentifier. In such cases, the LDAP daemon does not have to perform a search; rather, it can build an exact DN and bind to the LDAP server, using the individual's credentials to authenticate.
For Active Directory, UserIdentifier is an alternative to UniqueIdentifier. These two parameters may not exist in the same configuration description file. UserIdentifier (Active Directory only) This parameter is an alternative to UniqueIdentifier and is used when the attribute that contains the user name is not part of the DN of the user. For example, AD has an attribute called UserPrincipalName (UPN), which usually contains the user's name and the DNS name of the domain, as in marychocolate@everest.
Figure 4-2 Use of UserIdentifier and Associated Parameters
The parameters UniqueIdentifier and UserIdentifier cannot occur in the same configuration description file, and if you use UserIdentifier, it can occur only once in the file.
UserIdentifierFormat
This parameter is used when the user is expected to specify a domain name while logging on, as in
everest\marychocolate
This parameter can be defined only in the default configuration file or as a Common Parameter in HPDM.
UserIdentifierFormat domain\user
Both keywords, user and domain, are required in the parameter value. The separator character can be any printable character except a hyphen, an asterisk, or a space. (Space characters are ignored.) This parameter can occur only once in the configuration description file.
UserIdentifierMapping (Active Directory only)
This parameter specifies how the user's login text, specified by UserIdentifierFormat, maps to the contents of the attribute specified by UserIdentifier.
This parameter can occur only once in a configuration description file. DomainAttributeFormat (Active Directory only) This parameter is used to specify how to find the domain name in the attribute specified by DomainAttribute. For example, AD has an attribute called UserPrincipalName (UPN), which usually contains the user's name and the DNS name of the domain, as in marychocolate@everest.rescorp.
If all users log on with the same syntax, and if user and domain names across the enterprise are stored in the same format in userPrincipalName, the configuration description file for the default configuration can look like this:
directorybase dc=bellwether,dc=com
useridentifier userPrincipalName
useridentifierformat domain\user
useridentifiermapping user@domain.*
No separate configuration file is needed for any other directory server.
Example 2: Login format logonName, names unique across the directory This example presents an ambiguous situation, in that names are unique not within the domain but across the directory (or “unique in forest,” in directory parlance.) There is one John Smith defined in each domain, but the domain is not specified in the login string. The user logs on as SmithJ, which is the value stored in the sAMAccountName attribute.
SmithJ@DomainA.zorin.com

To support this scenario, the directory entries for DomainA and DomainB have the following common parameters. The UserIdentifier gives the attribute that identifies the user, the DomainAttribute gives the attribute that includes the domain, and the DomainAttributeFormat indicates how to locate the domain within the userPrincipalName attribute.

DirectoryBase dc=zorin, dc=com
UserIdentifier userPrincipalName
DomainAttribute userPrincipalName
DomainAttributeFormat *@domain.
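As an added illustration (not from the manual and not Neoview's own code), the following Python models the three formats described above: a login string is split according to UserIdentifierFormat, the pieces are substituted into UserIdentifierMapping to build the search value for the userPrincipalName attribute, and DomainAttributeFormat picks the domain out of a stored UPN. The reading of the keywords user and domain and of the * wildcard is inferred from the manual's examples, and the RFC 4515 escaping of the user-supplied parts is an addition the manual does not mention.

```python
import re

KEYWORDS = ("domain", "user")   # the two keywords the manual's formats use


def compile_format(fmt):
    """Turn a Neoview-style format ('domain\\user', '*@domain.') into a regular
    expression with one named group per keyword.

    Assumed semantics, taken from the manual's examples: a keyword matches the
    shortest run of characters up to the next literal, '*' is a wildcard, and
    spaces in the format are ignored (the manual says they are).
    """
    parts, i, ends_with_literal = ["^"], 0, False
    while i < len(fmt):
        kw = next((k for k in KEYWORDS if fmt.startswith(k, i)), None)
        if kw:
            parts.append(f"(?P<{kw}>.+?)")
            i += len(kw)
            ends_with_literal = False
            continue
        ch = fmt[i]
        if ch == "*":
            parts.append(".*?")
            ends_with_literal = False
        elif ch != " ":
            parts.append(re.escape(ch))
            ends_with_literal = True
        i += 1
    # A format ending in a keyword or wildcard must consume the whole string;
    # one ending in a literal stops there ('*@domain.' stops at the first dot
    # after the '@', which is what Example 2 needs).
    if not ends_with_literal:
        parts.append("$")
    return re.compile("".join(parts))


def validate_user_identifier_format(fmt):
    """Enforce the manual's rules for UserIdentifierFormat: both keywords are
    required, and the separator may not be a hyphen, an asterisk or a space."""
    stripped = fmt.replace(" ", "")
    for kw in KEYWORDS:
        if stripped.count(kw) != 1:
            raise ValueError(f"format must contain '{kw}' exactly once")
    sep = stripped.replace("domain", "").replace("user", "")
    if len(sep) != 1 or sep in "-*" or not sep.isprintable():
        raise ValueError(f"invalid separator {sep!r}")
    return True


def parse_login(login, fmt):
    """Split the text typed at logon into its domain and user parts."""
    validate_user_identifier_format(fmt)
    m = compile_format(fmt).match(login)
    if not m:
        raise ValueError(f"login {login!r} does not match format {fmt!r}")
    return m.groupdict()


def ldap_escape(value):
    """RFC 4515 escaping for a filter assertion value (an addition). Applied to
    the parts taken from the login text so that a '*', '(' or ')' typed by a
    user is matched literally instead of changing the filter's meaning."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def search_value(mapping, fields):
    """Substitute the parsed fields into UserIdentifierMapping. The mapping's
    own '*' stays an LDAP wildcard; keywords are replaced by escaped values."""
    out, i = [], 0
    while i < len(mapping):
        kw = next((k for k in KEYWORDS if mapping.startswith(k, i)), None)
        if kw:
            out.append(ldap_escape(fields[kw]))
            i += len(kw)
        else:
            if mapping[i] != " ":
                out.append(mapping[i])
            i += 1
    return "".join(out)


def user_filter(login, fmt="domain\\user", mapping="user@domain.*",
                attribute="userPrincipalName"):
    """Search filter for the default configuration shown above (Example 1)."""
    return f"({attribute}={search_value(mapping, parse_login(login, fmt))})"


def domain_from_attribute(value, fmt="*@domain."):
    """Apply DomainAttributeFormat to a stored attribute value (Example 2)."""
    m = compile_format(fmt).match(value)
    return m.group("domain") if m else None


if __name__ == "__main__":
    print(user_filter("everest\\marychocolate"))
    print(domain_from_attribute("SmithJ@DomainA.zorin.com"))
```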
domainName

The domain name of the LDAP server, or the predefined value default (lowercase or uppercase) to signify the default configuration. This attribute is required in configuration commands, except the * form of the INFO SERVER command. The value is a text field with a minimum length of 1 character and a maximum of 50 characters. Any character is permitted. However:

• For openLDAP the domain name should always be NeoviewDirectoryServer.
• In NCI, you can use the ALTER SERVER command to specify a different value for any server or domain; to modify the default value, use the ALTER SERVER command specifying default as the domain name.
• HPDM requires you to specify a port number. It does not recognize a default value, even if you set one in NCI.
• Must have at least 1 and no more than 128 characters.
• Only printable characters are permitted.
• If the password includes commas, it must be enclosed in double quotation marks (").

NOTE: A string enclosed in quotation marks can include any character in the ASCII code range 32-126. A non-quoted string can include any character in that range except a space, quotation marks, left or right parenthesis, or comma.

The value in the default configuration, as provided with the software release, is NULL.
The default configuration provided with the Neoview platform does not provide an initial value. You may use the ALTER SERVER command for a particular server to specify the appropriate configuration description file name, or identify a default by specifying default as the domain name.

Encryption

Indicates whether a Transport Layer Security (TLS) or Secure Sockets Layer (SSL) interface is used for access to this LDAP server. Permissible values are as follows:

• SSL means to use SSL.
• TLS means to use TLS.
host ldaprh2.zorin.com
port 389
version 3
searchuserDN "uid=search_user,ou=People,dc=zorin.com"
searchuserPwd "Searchpd"
encryption tls
CAcert C:\ldap\vca2ss

Multiple Server Configuration Entries

The following example, also typical of openLDAP, defines three directory server entries in addition to the default entry. The default entry includes all attributes common to the servers; it omits the host name and indicates a priority of 0, because this entry does not describe an actual directory server.
different server. On the Neoview platform, the LDAP daemon runs not as an individual process but as a class of processes that offer identical functionality; in this configuration, different LDAP daemon processes can interact with different LDAP servers.

default 0
host (not set)
port 636
version 3
searchuserDN "cn=ldapaccess,ou=Applications,o=hp.com"
searchuserPwd xxxxxx
encryption tls
CAcert cert.txt
ConfigText config.txt

NeoviewDirectoryServer 100
host ldap.crefinc.
Table 4-1 Adding a Directory Server Configuration (continued)

Parameter Name or Value (NCI) | Field Name (HPDM) | Initial Value | Range | Comment
Host | Host Name | None. You must provide a value. | Maximum of 128 characters | Host name of the LDAP server. If the server uses SSL or TLS encryption, this name must be fully qualified and must match the name in the security certificate; do not specify a numerical IP address.
Port | Host Port Number | 389 for NCI. HPDM requires you to provide a value. | 1-65535 |
For additional information about using the Add Directory Server dialog and the Add Like button, see the HPDM Online Help.

CREATE SERVER Command

This command creates a configuration entry for a directory server. Only a user who has the ROLE.SECMGR role (for example, SECURITYMGR) may enter this command.

Syntax

[.SEC] CREATE [LDAP|ADDC|ADGC] SERVER domainName UsagePri, HOST [hostname][,attributes]

Parameters

See “Attributes of Directory Server Configurations” (page 78) for attribute definitions.
Examples

The following command defines an openLDAP directory server called NeoviewDirectoryServer, with a priority of 9. The command specifies the host, port, and version. For all other parameters, values from the default configuration are substituted at runtime.

.sec create LDAP server NeoviewDirectoryServer 9,host 127.0.0.
Table 4-2 Changing a Directory Server Configuration (continued)

Parameter Name (NCI) | Field Name (HPDM) | Initial Value | Range | Comment
SearchUserDN | Search DN | Value set when you added the server or when you last modified the configuration. | 1-512 characters | Distinguished name that the Neoview platform uses to connect to the LDAP server. Enclose in double quotes if the name includes commas. If the DN itself contains a double quote, precede that character with another double quote.
• server; if you want to change either of these values, you must delete the existing configuration entry and add a new entry with the desired domain name and priority.
• attributes is a comma-separated list of attributes that you want to change. Each attribute is expressed as a keyword followed by one or more blanks and, optionally, a value. If you need to include a comma or a trailing blank within an attribute value, enclose the attribute value in double quotation marks.
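The quoting rules for attribute values are spread over the SearchUserPwd description, Table 4-2 and the ALTER SERVER parameter list above; the following Python (an added example, not part of the manual or of Neoview) applies them in one place. The limits are the manual's (1-128 characters for the password, 1-512 for the DN); doubling an embedded double quote is stated only for the DN, so applying it to other values is an assumption, and the ALTER SERVER command shape is assumed to follow the CREATE SERVER syntax.

```python
PRINTABLE_ASCII = {chr(c) for c in range(32, 127)}   # the manual's "ASCII 32-126"
FORCE_QUOTING = set(' "(),')   # characters a non-quoted string may not contain


def nci_value(value, max_len):
    """Return value as it must be written in an NCI command: rejected if it is
    too long or not printable ASCII, enclosed in double quotes when it holds a
    space, quote, parenthesis or comma (a trailing blank is a space, so it is
    covered), with an embedded quote doubled (assumed, by analogy with the DN rule)."""
    if not 1 <= len(value) <= max_len:
        raise ValueError(f"value must be 1 to {max_len} characters")
    bad = sorted({c for c in value if c not in PRINTABLE_ASCII})
    if bad:
        raise ValueError(f"characters outside ASCII 32-126: {bad!r}")
    if FORCE_QUOTING & set(value):
        return '"' + value.replace('"', '""') + '"'
    return value


def alter_server_command(domain_name, usage_pri, **attributes):
    """Assemble an ALTER SERVER line from keyword/value pairs, using the
    manual's length limits for the search DN and password (others assumed 128)."""
    limits = {"searchuserdn": 512, "searchuserpwd": 128}
    parts = [f"{key} {nci_value(val, limits.get(key.lower(), 128))}"
             for key, val in attributes.items()]
    return f".sec alter server {domain_name} {usage_pri}, " + ", ".join(parts) + ";"


if __name__ == "__main__":
    # constructed values: the DN needs quotes (commas), the password does not
    print(alter_server_command("NeoviewDirectoryServer", 9,
                               searchuserDN="uid=search_user,ou=People,dc=zorin,dc=com",
                               searchuserPwd="Searchpd"))
```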
Table 4-3 Removing a Directory Server Configuration

Parameter Name (NCI) | Field Name (HPDM) | Initial Value | Comment
domainName | Domain Name | Value set when you added the server. | Domain name of the server.
UsagePri | Usage Priority | Value set when you added the server. | Usage priority of the server.

For additional information about using the Directory Servers display, see the HPDM Online Help.

DROP SERVER Command

This command removes the configuration entry for a directory server.
Table 4-4 Viewing a Directory Server Configuration

Parameter Name (NCI) | Field Name (HPDM) | Displayed Value | Comment
domainName | Domain name | Value set when you added the server. | Has the value NeoviewDirectoryServer for openLDAP and for the global directory server in Active Directory.
UsagePri | Usage Priority | Value set when you added the server. | Relative usage priority of the server.
Host | Host Name | Value set when you added the server or when you last modified the configuration. | Host name or IP address of the LDAP server.
or

[.SEC] INFO SERVER *, {ALL|[,attributes]}

Parameters

See “Attributes of Directory Server Configurations” (page 78) for attribute definitions. The following considerations apply specifically to the INFO SERVER command:

• domainName and UsagePri, if provided, must match an existing configuration entry.
• An asterisk (*) means to list configuration attributes for all defined directory servers.
DOMAIN NAME: NEOVIEWDIRECTORYSERVER
USAGE PRIORITY: 1000
HOST NAME: 16.123.456.78
PORT NUMBER: 1389
ENCRYPTION: NONE
--- SEC operation complete.

The following output example shows the configuration options for a specific directory server. Notice that the contents of the password are not displayed. In this case the command that created the server specified its type as an Active Directory Global Catalog (ADGC), and therefore the display includes that information.
HOST NAME: ldap.flad.
5 User and Role Management

This chapter describes the tasks involved in defining and managing users and roles on the Neoview platform, including the registration of users who log on to the database using corporate names and passwords authenticated on an external LDAP server.
Migration of Users from an Earlier Neoview Release

If you upgraded your Neoview platform from a release earlier than 2.5, your platform already has a set of locally or remotely authenticated database users corresponding to database users defined on the platform from which you upgraded. You can use the procedures and interfaces described in this chapter to define additional users or replace one kind of database user with another.
performed only by users in the role ROLE.MGR. However, only a user in the role ROLE.SECMGR can assign another user the role ROLE.SECMGR or change the password and password expiration attributes of the ROLE.SECMGR role.
NOTE: A user in the role ROLE.SECMGR can also change the password of the SUPER.SUPER role, as described in “Changing a Platform Role Password” (page 106). A user who can change the password for a role can also change the password-expiration attributes, but HP recommends against this practice. By default, the passwords of predefined roles do not expire.
You may not delete the role ROLE.DBA, ROLE.MGR, or ROLE.SECMGR. (The only predefined database role you can delete is ROLE.USER.) You also may not delete a role that is currently granted to one or more users or a role that has database permission currently granted to it. Before deleting a role, revoke the role from any user who has it, and revoke any database privileges that had been assigned to the role.
Table 5-4 Adding a Database User

Parameter Name (NCI) | Field Name (HPDM) | Initial Value | Range | Comment
DATABASE|DB (applies by default in NCI) | Can set as default in HPDM Options dialog | NA | | Indicates that this is a database user, as opposed to a platform user.
For a description of the NCI DROP USER command, see “DROP USER Command (platform users, database users)” (page 117). For more information about deleting a user in HPDM, see the HPDM Online Help.

Assigning a New Role to an Existing User

A user in the role ROLE.MGR can grant an additional role to an existing user with either the NCI GRANT ROLE command or the HPDM Grant Role dialog. However, only a user in the role ROLE.SECMGR can grant the ROLE.SECMGR role to a user.
Table 5-7 Revoking a Role

Parameter Name (NCI) | Field Name (HPDM) | Initial Value | Range | Comment
USER | User Name | NA | 128 characters | Must be an existing user on Neoview. No validation with remote directory server.
ROLE | Additional Roles | NA | ROLE.name, choose from list in HPDM; name has 1–8 alphanumeric characters, the first of which must be alphabetic. |
 | Default Role | NA | Choose from list in HPDM | Revoking a user's only role drops the user.
Changing a Database User Password There is no way to change the password of a remotely authenticated database user on the Neoview platform. However, a user in the role ROLE.MGR can use the NCI ALTER USER command or the HPDM Edit User dialog to change the password and password-expiration attributes of any locally authenticated database user except one who has only the ROLE.SECMGR role. Only a ROLE.SECMGR user can change the password of a user who has only the ROLE.SECMGR role.
Table 5-10 Changing Your Own Password

Parameter Name (NCI) | Field Name (HPDM) | Initial Value | Range | Comment
OLD-PASSWORD | Password | None | Maximum of 53 characters if you use 1024-bit encryption, 64 characters if you use 2048-bit encryption |
NEW-PASSWORD | Password, Confirm New Password | None | Maximum of 53 characters if you use 1024-bit encryption, 64 characters if you use 2048-bit encryption |

For a description of the NCI ALTER PASSWORD command, see “ALTER PASSWORD Command (platform users, locally authenticated database users)” (page 108).
Table 5-11 Adding a Platform User

Parameter Name (NCI) | Field Name (HPDM) | Initial Value | Range | Comment
PLATFORM|PF | Can set as default in HPDM Options dialog | | | Indicates that this is a platform user, as opposed to a database user.
USER | User Name, Users | NA | 32 characters | Name used to log in to the Neoview database.
ROLE | User Role | NA | In NCI, specify one of SUPER.SUPER, SUPER.SERVICES, HP. | Only role to be assigned to the user.
Changing a Platform User Password A user in the role ROLE.SECMGR can use the ALTER USER command or the HPDM Edit User dialog to change the passwords and password expiration attributes of platform users (with just a few exceptions), even if the user's existing password has expired. The following table indicates which users are permitted to change the passwords of other platform users.
The following table indicates the roles for which users in the roles ROLE.SECMGR and SUPER.SERVICES can change the passwords.

Type of Account | Role Required to Change the Password | Role Required to Change Parameters Governing Password Expiration
SUPER.SUPER role | ROLE.SECMGR | ROLE.SECMGR
SUPER.SERVICES role | SUPER.SERVICES | SUPER.SERVICES
HP.VTS role | SUPER.SERVICES | SUPER.SERVICES
HP.SDI role | SUPER.SERVICES | SUPER.
ROLE.SECMGR can change your password, as described in “Changing a Platform User Password” (page 106). If an error occurs when you try to change your password, NCI displays one of the following types of errors:

• If you entered the old password incorrectly or it is no longer valid, the error is 24135 Old password is not correct.
• optionally followed by the keyword SELF. If you use this form, NCI prompts you for the old and new passwords, then asks you to confirm the new password. If you do intend to enter an old password, a new password, or both on the command line, you must use the form of the command that includes the keywords OLD-PASSWORD and NEW-PASSWORD. If you use this form, SELF is required.
ALTER ROLE Command (platform roles, database roles)

This command changes the password and password-expiration attributes of a role. In general, only a user in the role ROLE.SECMGR can change the password and password-expiration attributes of a role; for exceptions, see “Changing a Platform Role Password” (page 106). You can change the password without changing the password expiration attributes, or vice versa. Any parameter omitted from the command is left unchanged.

NOTE: Predefined roles, such as ROLE.
password is changed during the logon. If date is the current date and the system grace period is greater than zero, then a user using username is required to change the password in order to log on. If you do not specify a date, the date is set to the value determined by the value of EXPIRY-DAYS last set for rolename; if EXPIRY-DAYS has never been set for rolename, the expiration date is cleared and thus the password will not expire.
NOTE: The ALTER PASSWORD command described in “ALTER PASSWORD Command (platform users, locally authenticated database users)” (page 108) lets any platform user or locally authenticated database user change his or her own password. However, if the user's password has expired and no grace period is configured in the security policy, only a user with the role ROLE.SECMGR (in the case of a platform user or a ROLE.SECMGR user) or ROLE.MGR (in the case of a database user other than a ROLE.
NOTE: When setting or altering the password of another user, it is a common practice to specify a password expiration date in the recent past but within the grace period. In this case, the user will receive a password-expiry warning when logging on for the first time and will be forced to change his or her password right away. Passwords for predefined users such as SECURITYMGR are created with no expiration. HP recommends that you not modify the expiry attributes in those cases.
CREATE USER Command (platform users, database users)

This command creates a new platform user or locally authenticated database user or registers a user already created on a remote directory server. Only a user in the role ROLE.SECMGR may create a platform user or a database user with the role ROLE.SECMGR. Only a user in the role ROLE.MGR may create a database user, other than a database user assigned the role ROLE.SECMGR.
For a platform user, username is a text string, with a maximum of 32 alphanumeric characters and special characters period (.), hyphen (-), and underscore (_). User names should not begin with the string “role”. The name is not case-sensitive. For a database user, username can consist of up to 128 characters and is not case-sensitive.

NOTE: If you query the database for a user name, you must provide the name in uppercase, even if it was created using lower or mixed case.
policy applies. If no default value is specified in the security policy, the password never expires. This parameter is invalid if you are defining a remotely authenticated database user. • date is the date on which the password expires. If the configured grace period for password changes is zero, then the ability for this username to log on is suspended on the specified date.
The following command registers a locally authenticated user, whether or not an external directory server is configured. NCI will prompt for a password:

.sec create database user maryjosephs local, role ROLE.DBA, password;

The following command creates an account for an HP Support person to log on with SUPER.SERVICES privileges and requires NCI to prompt for the password, which remains valid for 90 days. This example omits .
A user logged on in the role ROLE.SECMGR may delete any platform user, other than the predefined users SUPERUSER, HPSUPPORT, USERMGR, SECURITYMGR, or VTS. He or she may not delete any database user.

Syntax

[.SEC] DROP USER [username]

Parameters

• username is the user name of an existing database or platform user.

Error Conditions

If the command is successful, a message is displayed indicating that the user was dropped.
• The user executing the command is logged on in a role other than ROLE.MGR.
• The specified user does not exist on the Neoview platform.
• The specified role does not exist on the Neoview platform.
• The user already has this role.

Example

GRANT ROLE ROLE.DBA, USER BettyBradford, PRIMARY N;

REVOKE ROLE Command (database users)

The REVOKE ROLE command revokes a role from an existing user.
Parameters

rolename The role to be assigned as this user's default (or primary) role. A string consisting of the prefix “ROLE.” followed by 1 to 8 alphanumeric characters, the first of which may not be a number.

username The name of an existing database user. The name can consist of up to 128 characters.

Error Conditions

If the command is successful, a message is displayed indicating that the role was assigned as the default role.
Table 5-16 VIEW NEO.HP_SECURITY.USERINFO

Column Name | Type | Description | Example of Value
USER_NAME | CHAR(128) | Database user name | MARVINMGR
CREATION_TIME | TIMESTAMP | Local date and time when the user was registered on the Neoview platform | 2009-05-16 10:17:15.034405
CREATION_UTC_OFFSET | SMALLINT | Number of minutes offset between local time and Universal Time (UTC, equivalent to GMT). | 180
Column Definitions

Each row consists of the following columns:

Table 5-17 VIEW NEO.HP_SECURITY.ROLEINFO

Column Name | Type | Description | Example of Value
ROLE_NAME | CHAR(128) | Role name | ROLE.SCRM
CREATION | TIMESTAMP | Local date and time when the role was defined on the Neoview platform | 2009-05-16 10:17:15.034405
UTC_OFFSET | SMALLINT | Number of minutes offset from Coordinated Universal Time (UTC, equivalent to GMT). | 180
Database Users and Their Roles (HP_SECURITY.USERROLEINFO)

The USERROLEINFO view consists of one row per combination of database user and role, so a user who has multiple roles will be represented by the corresponding number of rows in the view. At any given time, this view reflects all database users defined on the Neoview platform. It excludes platform users. Neoview user names are unique across the platform.

Column Definitions

Each row consists of the following columns:

Table 5-18 VIEW NEO.HP_SECURITY.
[Sample USERROLEINFO output: one row per user/role pair for the users BESSTALMADGE, CHESLEY3, DAVELEE5 through DAVELEE9 and ORVILLETANG1 through ORVILLETANG6, with roles such as ROLE.ROLE001 through ROLE.ROLE004 and ROLE.MGR; the columns are spilled and cut off in the source, so the row pairing is not recoverable.]
Table 5-19 VIEW NEO.HP_SECURITY.USERROLELOG

Field Name | Type | Description | Example of Value
DATE_TIME | TIMESTAMP | Local date and time when the action occurred | 2009-05-16 10:17:15.034405
UTC_OFFSET | SMALLINT | Number of minutes offset from Coordinated Universal Time (UTC, equivalent to GMT). A positive number signifies that local time is later than UTC; a negative number signifies that local time is earlier than UTC. | 180
SUBJECT | CHAR(128) | Database user or role to which the action applies. |
SQL>select date_time, substring(subject,1,15) as subject, substring(participant,1,15) as participant, substring(user_name,1,15) as username, substring(type,1,15) as type from hp_security.userrolelog where subject = 'ONEILLC9' order by date_time desc;

DATE_TIME                  SUBJECT         PARTICIPANT
-------------------------- --------------- ---------------
2009-09-03 16:11:33.556952 ONEILLC9        ROLE.PUBS02
2009-09-03 16:11:06.175486 ONEILLC9        ROLE.
[the USERNAME and TYPE columns of this output are cut off in the source]
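The per-user history query above is what an administrator runs when a question about one account comes up; a security manager also wants standing checks over the whole log. The following Python is an added example (not from the manual) that loads constructed rows shaped like the USERROLELOG columns the query selects into an in-memory SQLite table and runs the manual's query plus two review queries. The TYPE values GRANT and REVOKE, and the reading of USER_NAME as the user who performed the action, are assumptions; the manual does not list them.

```python
import sqlite3

# Constructed sample rows (DATE_TIME, SUBJECT, PARTICIPANT, USER_NAME, TYPE).
# DATE_TIME is local time in the format the manual's output shows.
SAMPLE_USERROLELOG = [
    ("2009-09-03 16:11:06.175486", "ONEILLC9", "ROLE.PUBS02",  "MARVINMGR",   "GRANT"),
    ("2009-09-03 16:11:33.556952", "ONEILLC9", "ROLE.PUBS03",  "MARVINMGR",   "GRANT"),
    ("2009-09-04 02:13:41.000120", "CHESLEY3", "ROLE.SECMGR",  "SECURITYMGR", "GRANT"),
    ("2009-09-04 02:15:02.500001", "CHESLEY3", "ROLE.SECMGR",  "SECURITYMGR", "REVOKE"),
    ("2009-09-05 09:00:00.000000", "DAVELEE5", "ROLE.MGR",     "MARVINMGR",   "GRANT"),
    ("2009-09-05 23:42:10.000000", "DAVELEE6", "ROLE.ROLE002", "MARVINMGR",   "GRANT"),
]

# Roles whose assignment the manual restricts (ROLE.SECMGR may only be granted
# by a ROLE.SECMGR user; ROLE.MGR administers users), so grants merit review.
POWER_ROLES = ("ROLE.SECMGR", "ROLE.MGR")


def load_log(rows):
    """Create an in-memory stand-in for HP_SECURITY.USERROLELOG and fill it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userrolelog (date_time TEXT, subject TEXT, "
                 "participant TEXT, user_name TEXT, type TEXT)")
    conn.executemany("INSERT INTO userrolelog VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def history_for_subject(conn, subject):
    """The manual's query: every role change for one user, most recent first."""
    return conn.execute(
        "SELECT date_time, subject, participant, user_name, type "
        "FROM userrolelog WHERE subject = ? ORDER BY date_time DESC",
        (subject,)).fetchall()


def power_role_grants(conn, roles=POWER_ROLES):
    """Every grant of a power role, oldest first, for periodic review."""
    placeholders = ", ".join("?" * len(roles))
    return conn.execute(
        "SELECT date_time, subject, participant, user_name FROM userrolelog "
        f"WHERE type = 'GRANT' AND participant IN ({placeholders}) "
        "ORDER BY date_time", roles).fetchall()


def off_hours_changes(conn, start_hour=7, end_hour=19):
    """Role changes whose local hour lies outside [start_hour, end_hour).
    The hour is taken from positions 12-13 of the DATE_TIME text."""
    return conn.execute(
        "SELECT date_time, subject, participant, user_name, type FROM userrolelog "
        "WHERE CAST(substr(date_time, 12, 2) AS INTEGER) NOT BETWEEN ? AND ? "
        "ORDER BY date_time", (start_hour, end_hour - 1)).fetchall()


if __name__ == "__main__":
    db = load_log(SAMPLE_USERROLELOG)
    for row in history_for_subject(db, "ONEILLC9"):
        print("history ", row)
    for row in power_role_grants(db):
        print("power   ", row)
    for row in off_hours_changes(db):
        print("offhours", row)
```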
Table 5-20 VIEW NEO.HP_SECURITY.SYSUSERINFO (continued)

Column Name | Type | Description | Example of Value
LAST_LOGIN | TIMESTAMP | Local date and time when the user last logged on successfully | 2009-05-16 10:17:15.082785
LOGIN_UTC_OFFSET | SMALLINT | Number of minutes offset from Coordinated Universal Time (UTC, equivalent to GMT). A positive number signifies that local time is later than UTC; a negative number signifies that local time is earlier than UTC. | 180
Table 5-21 VIEW NEO.HP_SECURITY.SYSUSERLOG (continued)

Field Name | Type | Description | Example of Value
PARTICIPANT | CHAR(17) | Platform role, one of: SUPER.SUPER, SUPER.SERVICES, HP.SDI, HP. | SUPER.SUPER
Table 5-22 VIEW NEO.HP_SECURITY.USERACCESSLOG

Field Name | Type | Description | Example of Value
DATE_TIME | TIMESTAMP | Local date and time when the action occurred | 2009-05-16 10:17:15.034405
UTC_OFFSET | SMALLINT | Number of minutes offset from Coordinated Universal Time (UTC, equivalent to GMT). A positive number signifies that local time is later than UTC; a negative number signifies that local time is earlier than UTC. | 180
--- 10 row(s) selected.
6 Database Security

The Neoview platform extends ANSI-compliant database security features to enhance security and simplify administration tasks. Before performing the tasks described in this chapter, you or some other user must already have completed the post-installation setup, LDAP server integration if applicable, and user and role management tasks listed in the “Security Administration Task Map” (page 29).
granted. For example, if a role is granted Execute access on schema S1, users in that role can automatically execute stored procedures on any new objects added to schema S1. The WITH GRANT OPTION for schema level grants might be disabled on your system depending on the settings for certain system defaults. Contact HP Support if you require changes in system default settings. NOTE: References and Update privileges at the schema level cannot specify individual columns.
The schema or object owner can grant to (or revoke from) the services ID any privilege that could be granted to (or revoked from) another user.
Database Security Views

The views described in this section provide information about database users, roles, and database privileges. The information available to a user depends on the user's role:

• A user with the role ROLE.MGR or ROLE.SECMGR can see all the data.
• A user with SUPER.SUPER or SUPER.SERVICES privileges can see all the data.
• A user with the role ROLE.DBA can see all the data in views except NEOUSERS and NEOROLES.
[last rows of the preceding output: users ORVILLETANG5, ORVILLETANG6, ORVILLETANG6 with roles ROLE.SECMGR, ROLE.SECMGR, ROLE.MGR and two DEFAULT_ROLE values of Yes; the column alignment is lost in the source]

If the query is run by BESSTALMADGE, it displays only the following rows:

User Name            ROLE_NAME     DEFAULT_ROLE
-------------------- ------------- ------------
BESSTALMADGE         ROLE.ROLE002  Yes
BESSTALMADGE         ROLE.ROLE003
BESSTALMADGE         ROLE.ROLE004

Roles Defined on Neoview (HP_SECURITY.NEOROLES)

The NEOROLES view consists of one row per role. At any given time, this view reflects all roles defined on the Neoview platform.
ROLE.MGR          511
HP.SDI            65279
SUPER.SERVICES    65281
SUPER.SUPER       65535
--- 31 row(s) selected.

Schemas and Their Owners (HP_SECURITY.SCHEMALIST)

The SCHEMALIST view consists of one row per schema. It includes schemas in all catalogs except system catalogs. The only catalog currently available to customers is NEO. The list also excludes the system schema. This view is accessible to users assigned the role ROLE.SECMGR, ROLE.MGR, SUPER.SUPER, SUPER.SERVICES, and ROLE.DBA.
NEO   UAF        SUPER.SUPER
NEO   USER_SCH   ROLE.USER
NEO   USR        ROLE.USER
NEO   VINCENT    SUPER.SUPER

Privileges on Schemas in the NEO Catalog (HP_SECURITY.NEOSCHEMAPRIV)

The NEOSCHEMAPRIV view includes one row per privilege per role per schema in the NEO catalog. For each schema, it indicates the roles and the applicable schema privileges.
schema_priv from hp_security.neoschemapriv;

Schema Name                    Role Name
------------------------------ --------------------
DB                             ROLE.DBA
SHAKE2                         ROLE.DBA
USR                            ROLE.USER
USER_SCH                       ROLE.USER
DONALD.DUKE@RANC.COM           ROLE.ROLE001
PNELSON1                       ROLE.ROLE001
PARK5_SCH                      ROLE.ROLE001
PNELSON4                       ROLE.MYROLE1
SHAKE1                         ROLE.SECMGR
HP_URI                         ROLE.MGR
HPNCI_SAMPLE                   ROLE.MGR
HP_TEST                        ROLE.MGR
UAF                            ROLE.MGR
QA_HPDM_TEST                   SUPER.SERVICES
SERV                           SUPER.SERVICES
HP_METRICS                     SUPER.SERVICES
HP_METRICS_LXP                 SUPER.SERVICES
HP_REPORTING                   SUPER.SERVICES
HP_USTAT                       SUPER.
Table 6-6 VIEW NEO.HP_SECURITY.NEOOBJECTLIST (continued)

Column Name | Type | Description | Example of Value
OBJECT_TYPE | CHAR(10) | Object type: TABLE, VIEW, PROCEDURE, SYNONYM, MAT. | TABLE (followed in the source by a stray value 57925792)
HP_SP   CHECKHEALTHOFOBJECT    PROCEDURE   SUPER.SUPER
HP_SP   CHECKHEALTHOFSCHEMA    PROCEDURE   SUPER.SUPER
HP_SP   DELETEROLE             PROCEDURE   SUPER.SUPER
HP_SP   DELETEUSER             PROCEDURE   SUPER.SUPER
HP_SP   GETMYROLES             PROCEDURE   SUPER.SUPER
HP_SP   GETROLESFORUSER        PROCEDURE   SUPER.SUPER
HP_SP   GRANTROLETOUSER        PROCEDURE   SUPER.SUPER
HP_SP   HISTOGRAMS             TABLE       SUPER.SUPER
HP_SP   HISTOGRAMS_FREQ_VALS   TABLE       SUPER.SUPER
HP_SP   HISTOGRAM_INTERVALS    TABLE       SUPER.SUPER

If the same query were submitted by any user with ROLE.
Table 6-7 VIEW NEO.HP_SECURITY.NEOOBJECTPRIV (continued)

Column Name | Type | Description | Example of Value
ROLE_NAME | CHAR(128) | Role | ROLE.
PNELSON1 ... LISA TABLE ROLE.ROLE001 UPDATE

If the same query were submitted by any user with ROLE.ROLE001 access, the output would look like this:

Schema Name       Object Name       OBJECT_TYPE   Role Name         OBJECT_PRIV
---------------   ---------------   -----------   ---------------   ----------
PARK5_SCH         TAB01             TABLE         ROLE.ROLE001      DELETE
PARK5_SCH         TAB01             TABLE         ROLE.
[eight further rows, three more for PARK5_SCH/TAB01 and five for PNELSON1/LISA, all of type TABLE; their role and privilege columns are cut off in the source]
Table 6-8 VIEW NEO.HP_SECURITY.NEOCOLUMNPRIV (continued)

Column Name | Type | Description | Example of Value
ROLE_NAME | CHAR(128) | Role | ROLE.ACCTG
COLUMN_PRIV | CHAR(10) | Privilege type: REFER, UPDATE | REFER

Example Queries

The following query lists the privileges for all columns in tables in the NEO catalog, excluding objects in system schemas.
A Secure Login and Role Selection for Neoview Users

Overview

Other than for maintenance and support, the Neoview platform is accessible only through ODBC, JDBC, or a client application that itself connects through ODBC or JDBC, and all clients demand that a database user log on with a database user name.
• HP.VTS
• SAP.USER

Roles that always require you to provide both your password and the role password are:

• SUPER.SERVICES
• HP.SDI

The format for providing multiple passwords at login varies from client to client. For example, NCI, ODBC, and JDBC use the format mypassword/rolepassword.

Specifying the Certificate Location

Certain clients, for example ODBC and JDBC, provide means for specifying, at login, the location of the certificate used to encrypt the password.
[ODBC Data Sources]
TDM_Default_DataSource = Neoview Data Source

[TDM_Default_DataSource]                          <<--- DataSource section
Description = TDM_Default_DataSource
NeoviewCertificateDir = /h/bwell/custom/certdir   <<--- overrides the one specified in the ODBC section
Catalog = NEO
Schema = ODBC_SCHEMA
DataLang = 0
FetchBufferSize = SYSTEM_DEFAULT
Server = TCP:neo0101.parnet.
1. Checks the location specified by CertificateDir and CertificateFile to determine whether a certificate exists at that location. If the application did not specify a directory, the driver checks the user's home directory. If the application did not specify a filename, the driver assumes the name SYSTEM_NAME.cer, where SYSTEM_NAME consists of the first five characters of the Neoview platform name.
2.