IBM PureData System for Analytics, Version 7.1

Encrypted passwords

Database user accounts must be authenticated during access requests to the IBM® Netezza® database. For user accounts that use local authentication, Netezza stores the password in encrypted form in the system catalog. For more information about encrypting passwords on the host and the client, see the IBM Netezza Advanced Security Administrator's Guide.

Local authentication requires a password for every account. If you use LDAP authentication, a password is optional. During LDAP authentication, Netezza uses the services of an LDAP server in your environment to validate and verify Netezza database users.

When you are using the Netezza CLI commands, the clear-text password must be entered on the command line. You can set the environment variable NZ_PASSWORD to avoid typing the password on the command line, but the variable is stored in clear text with the other environment variables.
To avoid displaying the password on the command line, in scripts, or in the environment variables, you can use the nzpassword command to create a locally stored encrypted password.

You cannot use stored passwords with ODBC or JDBC.

The nzpassword command syntax is:

nzpassword add -u user -pw password -host hostname

Where:

The user name is the Netezza database user name in the Netezza system catalog. If you do not specify the user name on the command line, the nzpassword command uses the environment variable NZ_USER.
The password is the Netezza database user password in the Netezza system catalog or the password that is specified in the environment variable NZ_PASSWORD. If you do not supply a password on the command line or in the environment variable, the system prompts you for a password.
The host name is the Netezza host. If you do not specify the host name on the command line, the nzpassword command uses the environment variable NZ_HOST. You can create encrypted passwords for any number of user name/host pairs.

When you use the nzpassword add command to cache the password, quotation marks are not required around the user name or password values. You must only qualify the user name or password with a surrounding set of single quotation mark, double quotation mark pairs (for example, '"Bob"') if the value is case-sensitive. If you specify quoted or unquoted names or passwords in nzpassword or other nz commands, you must use the same quoting style in all cases.

If you qualify a user name that is not case-sensitive with quotation marks (for example '"netezza"'), the command might still complete successfully, but it might not work in all command cases.

After you type the nzpassword command, the system sends the encrypted password to the Netezza host where it is compared against the user name/password in the system catalog.

If the information matches, the Netezza stores the encrypted information in a local password cache, and displays no additional message.
- On Linux and Solaris, the password cache is the file .nzpassword in the user home directory. The system creates this file without access permissions to other users, and refuses to accept a password cache whose permission allows other users access.
- On Windows, the password cache is stored in the registry.
If the information does not match, Netezza displays a message that indicates that the authentication request failed. Netezza also logs all verification attempts.
If the database administrator changed a user password in the system catalog, the existing nzpasswords are invalid.