Database user accounts must be authenticated during access requests
to the IBM® Netezza® database. For user accounts that use local authentication, Netezza stores the password in encrypted form in the system catalog. For
more information about encrypting passwords on the host and the client,
see the IBM Netezza Advanced Security Administrator's
Guide.
Local authentication requires a password for every account. If
you use LDAP authentication, a password is optional. During LDAP authentication, Netezza uses the services of an LDAP server in your environment to validate
and verify Netezza database users.
- When you are using the Netezza CLI commands, the clear-text password must be entered on the command
line. You can set the environment variable NZ_PASSWORD to avoid typing the password on the command line, but the variable
is stored in clear text with the other environment variables.
- To avoid displaying the password on the command line, in scripts,
or in the environment variables, you can use the nzpassword command to create a locally stored encrypted password.
You cannot use stored passwords with ODBC or JDBC.
The nzpassword command syntax is:
nzpassword add -u user -pw password -host hostname
Where:
- The user name is the Netezza database user name in the Netezza system catalog. If you do not specify the user name on the command
line, the nzpassword command uses the environment
variable NZ_USER.
- The password is the Netezza database user password in the Netezza system catalog or the password that is specified in the environment
variable NZ_PASSWORD. If you do not supply a
password on the command line or in the environment variable, the system
prompts you for a password.
- The host name is the Netezza host. If you do not specify the host name on the command line, the nzpassword command uses the environment variable NZ_HOST. You can create encrypted passwords for any number
of user name/host pairs.
When you use the nzpassword add command to cache
the password, quotation marks are not required around the user name
or password values. You need to qualify the user name or password
with a surrounding pair of single quotation marks and double quotation
marks (for example, '"Bob"') only if the value is case-sensitive.
If you specify quoted or unquoted names or passwords in nzpassword or other nz commands, you must use the same quoting
style in all cases.
If you qualify a user name that is not case-sensitive with quotation
marks (for example '"netezza"'), the command might still complete
successfully, but it might not work in all command cases.
After you type the nzpassword command, the system
sends the encrypted password to the Netezza host where it is compared against the user name/password in the
system catalog.
- If the information matches, Netezza stores the encrypted information in a local password cache, and
displays no additional message.
  - On Linux and Solaris, the
  password cache is the file .nzpassword in the
  user home directory. The system creates this file without access permissions
  to other users, and refuses to accept a password cache whose permission
  allows other users access.
  - On Windows, the password
  cache is stored in the registry.
- If the information does not match, Netezza displays a message that indicates that the authentication request
failed. Netezza also logs all verification attempts.
- If the database administrator changed a user password in the system
catalog, the existing nzpasswords are invalid.
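
The following script is an added example, not IBM code. It audits a Linux or Solaris client for the three exposure points described above: NZ_PASSWORD in the environment, a .nzpassword cache that other users can access, and scripts that pass the password with -pw. The function names are hypothetical, and the script assumes that other nz commands accept the same -pw option shown for nzpassword.

```shell
#!/bin/sh
# Added example, not IBM code: report where Netezza CLI credentials are
# exposed on a Linux/Solaris client, following the rules described above.

# Print "missing", "ok" or "exposed" for a password cache file.
nz_cache_status() {
    cache=$1
    if [ ! -e "$cache" ]; then
        echo missing
        return 0
    fi
    # Characters 5-10 of the ls mode string are the group and other bits;
    # the page says a cache that other users can access is refused.
    bits=$(ls -ld "$cache" | cut -c5-10)
    if [ "$bits" = "------" ]; then echo ok; else echo exposed; fi
}

# Print "set" when NZ_PASSWORD is exported (clear text in the environment).
nz_env_status() {
    if env | grep -q '^NZ_PASSWORD='; then echo set; else echo unset; fi
}

# Count lines in a script that pass -pw to an nz* command.
# Assumption: other nz commands take the password with the same -pw option
# that the page shows for nzpassword; the pattern is a heuristic.
nz_script_pw_lines() {
    grep -c -E '(^|[[:space:];|&])nz[a-z]+([[:space:]].*)?[[:space:]]-pw[[:space:]]' "$1" || true
}

# Run the checks for one home directory and an optional script.
nz_audit() {
    echo "NZ_PASSWORD in environment: $(nz_env_status)"
    echo "password cache $1/.nzpassword: $(nz_cache_status "$1/.nzpassword")"
    if [ -n "${2:-}" ]; then
        echo "lines passing -pw in $2: $(nz_script_pw_lines "$2")"
    fi
}

nz_audit "${HOME:-.}" "${1:-}"
```

Run it as the account that owns the cache, optionally passing a script path as the first argument to count its -pw uses.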