Info: This page is obsolete. It has been replaced with: http://trafodion.apache.org/enable-secure-trafodion.html
NOTE: Starting in Trafodion Release 1.1, during the installation of Trafodion, you will be prompted to enable security. If you wish to enable security manually or would like to understand how security in Trafodion works, please continue reading.
If you do not enable security in Trafodion, a client interface to Trafodion may prompt for a username and password, but Trafodion ignores whatever is entered: every session runs as the database root user, DB__ROOT, without restrictions. If you want to restrict access to certain users, or restrict access to an object or operation, you must enable security, which enforces authentication and authorization. You can enable security during installation by answering the installer's prompts, or after installation by running the traf_authentication_setup script, which enables both authentication and authorization. For more information, see Running the Authentication Setup Script.
...
Once authentication and authorization are enabled, Trafodion allows users to be registered in the database and allows privileges on objects to be granted to users and roles (which are granted to users). Trafodion also supports component-level (or system-level) privileges, such as MANAGE_USERS, which can be granted to users and roles. See Managing Users.
Configuring LDAP Servers
To specify the LDAP server(s) to be used for authentication, configure the text file .traf_authentication_config, located by default in $MY_SQROOT/sql/scripts. This file is a flat file organized as a series of attribute/value pairs. Details on all the attributes and values accepted in the authentication configuration file, and on how to configure alternate locations, can be found in .traf_authentication_config details.
...
ldapcheck --username=realuser@company.com --password=StrongPassword
Authentication successful
Note that a password given on the command line is visible to other users of the host in the process list and may be recorded in shell history, so run this check with a test account rather than a privileged one.
Generating a Trafodion Server Certificate
Trafodion clients such as trafci encrypt the password before sending it to Trafodion, using the public key in a self-signed server certificate. The certificate and key should be generated when the sqgen script is invoked. By default, the files server.key and server.crt are located in $HOME/sqcert. If those files are not present, you will need to generate them manually, because Trafodion clients will not send unencrypted passwords. To do so, run the script sqcertgen, located in $MY_SQROOT/sql/scripts. The script runs openssl to generate the certificate and key.
...
Both the public certificate (server.crt) and the private key (server.key) should be placed in the directory $HOME/sqcert. Because anyone who can read server.key can decrypt the passwords that clients send, the private key should be readable only by the user that runs Trafodion. If you do not want to use the HOME directory, or if you want to use different names for the private key and/or certificate files, see Alternate Trafodion Certificate Locations.
Alternate Trafodion Certificate Locations
By default, the private key and public certificate files used to connect to Trafodion are located in $HOME/sqcert and named server.key and server.crt. If you want to store the files in a different location and/or use different filenames, Trafodion supports environment variables that specify the alternate locations or names.
...
If neither the filename environment variable nor the directory environment variable is set, Trafodion uses the default location ($HOME/sqcert) and the default filenames.
Running the Authentication Setup Script
The final step to enable security is to change the value of the environment variable TRAFODION_ENABLE_AUTHENTICATION from NO to YES and to turn on authorization. Both are done by invoking the traf_authentication_setup script, which is located in $MY_SQROOT/sql/scripts.
...
To restart DCS, run the scripts stop-dcs.sh and start-dcs.sh, located in $MY_SQROOT/dcs-<x>.<y>.<z>/bin.
Managing Users
Users are registered in the Trafodion database and are used to enforce authorization. If security is disabled, any user can register any user at any time, because every session runs as DB__ROOT. Once security is enabled, user administration is a secure operation: registering users is restricted to DB__ROOT and to users granted the MANAGE_USERS component privilege. To register the first user, connect to Trafodion as the external user mapped to DB__ROOT (also known as the Trafodion ID).
...