Single sign-on authentication

Single sign-on is an authentication feature that bypasses the requirement to provide user name and password after a user logs into the client computer's operating system.

IBM® Informix® delivers support for single sign-on (SSO) in the Generic Security Services Communications Support Module (GSSCSM) and uses the Kerberos 5 security protocol.

With SSO, authentication for the DBMS and other SSO-enabled services happens when a user first logs into the client computer (or domain, in the case of Windows). The Kerberos implementation validates the user credentials. Kerberos authentication generates a system of secret keys that store login credentials. When a user action tries to access the Informix database, an exchange of ticket-granting tickets (TKTs) allows database access without a login prompt.

Single sign-on authentication uses both of the following open computing standards:

SSO also includes support for confidentiality and integrity services, so an SSO environment is not required to have other Informix CSMs. With confidentiality enabled in GSSCSM, the data transmitted to and from the SSO-authenticated user is encrypted and can be viewed only by the user logged in with the authorized credentials. Integrity service ensures that data sent between user and the DBMS is not altered during transmission.

GSSCSM does not function with the simple password and encryption modules (SPWDCSM and ENCCSM). SSO implemented with GSSCSM supports PAM and LDAP, but does not support mutual authentication.

  1. Kerberos authentication protocol
    For single sign-on, the user login process and authentication must employ a Kerberos 5 network infrastructure, including a dedicated Key Distribution Center computer.
  2. Setting up an SSO authentication environment
    Establishing SSO authentication for Informix involves configuration of a secured Key Distribution Center computer and connectivity files, along with generation of client and server service principals.
  3. Clients supporting SSO
    Client programs that are available in the IBM Informix Client Software Development Kit (Client SDK) can connect to Informix with SSO.
  4. Preparing the Informix DBMS for Kerberos authentication
    Configure your login process and user authentication to function with a Kerberos 5 mechanism before you set up Informix for single sign-on.
  5. Configuring the IBM Informix instance for SSO
    Complete the following tasks for the server side of your system to enable SSO functionality with IBM Informix:
  6. Configuring ESQL/C and ODBC drivers for SSO
    The steps for preparing the SQLHOSTS information and the Generic Security Services (GSS) CSM configuration file for ESQL/C and ODBC and a client computer are similar to the corresponding server-side setup procedures.
  7. Configuring JDBC Driver for SSO
    When JDBC Driver is the client for SSO, use the DriverManager.getConnection() method, with an SSO connection property set to the Informix service principal.
Parent topic: Connection security
Previous topic: Simple password encryption
Next topic: Securing local connections to a host
Copyright© 2020 HCL Technologies Limited