Neoview User Management and Security Administration Guide (R2.5)

HP.VTS
SAP.USER
Roles that always require you to provide both your password and the role password are:
SUPER.SERVICES
HP.SDI
The format for providing multiple passwords at login varies from client to client. For example,
NCI, ODBC, and JDBC use the format mypassword/rolepassword.
Specifying the Certificate Location
Certain clients, for example ODBC and JDBC, provide means for specifying, at login, the location
of the certificate used to encrypt the password. Some Neoview clients, such as HPDM, also let
you specify this information, which is passed to the ODBC driver in the connection string. In
most cases, however, the certificate location has been specified in advance as part of the driver
installation.
Specifying the Certificate File Location in ODBC
The Neoview security infrastructure requires that a certificate be installed on each workstation
that connects to a Neoview platform. A system security policy, under the control of your Security
Manager, determines how the certificate is deployed to workstations:
• In configurations that permit automatic download, the ODBC driver automatically downloads
  a certificate to the workstation when it first connects to a Neoview platform. Because the
  same workstation can connect to multiple Neoview platforms, the driver downloads a unique
  certificate for every Neoview platform to which the workstation connects.
• In configurations that do not permit automatic download, the certificate is deployed to your
  workstation in accordance with your own corporate security procedures.
In either case, three ODBC connection attributes specify the location of the certificate file:
• SQL_ATTR_CERTIFICATE_DIR specifies the directory where the certificate resides. If you
  do not specify this attribute, the home directory applies by default.
• SQL_ATTR_CERTIFICATE_FILE specifies the file where a new certificate is deployed. This
  is the location to which a new certificate must be deployed if automatic download is
  prohibited. By default, the filename is SYSTEM_NAME.cer, where SYSTEM_NAME consists
  of the first five characters of the Neoview platform name.
• SQL_ATTR_CERTIFICATE_FILE_ACTIVE specifies the filename of the certificate used for
  connection. This is the location to which a certificate is automatically downloaded if automatic
  download is permitted by the security policy. By default, the filename is
  SYSTEM_NAMEActive.cer, where SYSTEM_NAME consists of the first five characters of
  the Neoview platform name.
The maximum length of each of these attributes is 128 characters.
You can specify the certificate location in the connection string, using the CERTIFICATEDIR,
CERTIFICATEFILE, and CERTIFICATEFILE_ACTIVE attributes, as in the following example:
"DSN=QRK0101;UID=REGEAST\USER1;PWD=pass1234;ROLENAME=ROLE.MGR;
CERTIFICATEDIR=C:\Security\MyCertificateDir;CERTIFICATEFILE=SEC01.cer;CERTIFICATEFILE_ACTIVE=SEC01Active.cer"
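The attribute defaults and the 128-character limit described above can be checked before a connection string is handed to the driver. The following is an added example, not code from this guide or from the HP ODBC driver; the function names, the platform name SEC0101, and the bare-file-name check are assumptions made for illustration.

```python
import ntpath
import os
import posixpath

MAX_ATTR_LEN = 128  # documented maximum length of each certificate attribute
CERT_KEYS = ("CERTIFICATEDIR", "CERTIFICATEFILE", "CERTIFICATEFILE_ACTIVE")

# Connection string from the example above, joined onto one line.
SAMPLE = (r"DSN=QRK0101;UID=REGEAST\USER1;PWD=pass1234;ROLENAME=ROLE.MGR;"
          r"CERTIFICATEDIR=C:\Security\MyCertificateDir;"
          r"CERTIFICATEFILE=SEC01.cer;CERTIFICATEFILE_ACTIVE=SEC01Active.cer")


def parse_connection_string(conn_str):
    """Split 'KEY=value;KEY=value' into a dict keyed by upper-cased name."""
    attrs = {}
    for part in conn_str.replace("\n", "").split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute: {part!r}")
        attrs[key.strip().upper()] = value.strip()
    return attrs


def resolve_certificate_paths(conn_str, platform_name, home_dir=None):
    """Return (deploy_path, active_path) after applying the documented defaults."""
    attrs = parse_connection_string(conn_str)
    for key in CERT_KEYS:
        if len(attrs.get(key, "")) > MAX_ATTR_LEN:
            raise ValueError(f"{key} exceeds {MAX_ATTR_LEN} characters")
    system_name = platform_name[:5]  # first five characters of the platform name
    cert_dir = attrs.get("CERTIFICATEDIR") or home_dir or os.path.expanduser("~")
    names = (attrs.get("CERTIFICATEFILE") or f"{system_name}.cer",
             attrs.get("CERTIFICATEFILE_ACTIVE") or f"{system_name}Active.cer")
    # Assumption (added hardening, not from the guide): accept bare file names
    # only, so a value cannot point outside the certificate directory.
    for name in names:
        if ntpath.basename(name) != name or name in (".", ".."):
            raise ValueError(f"not a bare file name: {name!r}")
    join = ntpath.join if "\\" in cert_dir else posixpath.join
    return tuple(join(cert_dir, name) for name in names)


if __name__ == "__main__":
    # "SEC0101" is a constructed platform name chosen to match the sample files.
    print(resolve_certificate_paths(SAMPLE, "SEC0101"))
```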
Depending on whether you run the driver on Windows or UNIX, there is one additional way to
specify the certificate directory. On Windows, you can specify it during installation: the Windows
Installer lets you type in a value or browse to a location on your desktop. To specify a value
when installing from an MSI file in a non-interactive mode, invoke the Windows installer with
the following syntax:
msiexec /qn /i "HP ODBC 2.0.msi" CERTIFICATEDIR="directory"
In a UNIX environment, you can specify the directory as the value of the NeoviewCertificateDir
entry in the MXODSN or odbc.ini file, as in the following example:
[ODBC] << --- ODBC section
TraceFlags = DEBUG
TraceStart = 0
TraceFile = TRLOG
NeoviewCertificateDir = /h/bwell/certdir
146 Secure Login and Role Selection for Neoview Users