security best practices for informix

© 2015 IBM Corporation

Security Best Practices for Informix 2050A

Jonathan Leffler

[email protected]

mailto:[email protected]

• IBM‘s statements regarding its plans, directions, and intent are subject to change or withdrawal

without notice at IBM‘s sole discretion.

• Information regarding potential future products is intended to outline our general product direction

and it should not be relied on in making a purchasing decision.

• The information mentioned regarding potential future products is not a commitment, promise, or

legal obligation to deliver any material, code or functionality. Information about potential future

products may not be incorporated into any contract.

• The development, release, and timing of any future features or functionality described for our

products remains at our sole discretion.

Performance is based on measurements and projections using standard IBM benchmarks in a

controlled environment. The actual throughput or performance that any user will experience will vary

depending upon many factors, including considerations such as the amount of multiprogramming in the

user‘s job stream, the I/O configuration, the storage configuration, and the workload processed.

Therefore, no assurance can be given that an individual user will achieve results similar to those stated

here.

Please Note:

2

2

Agenda

• Server Administration

• Access to Server Files

• Connection Security

• Access to Server Data

• Audit

• Server Log

3

Users root and informix

• The root user can ultimately do anything

Who knows the root password?

How do users become root?

• The informix user is omnipotent on the IDS server

Who knows the informix password?

How do administrators become informix?

• sudo

• Use Role Separation as an alternative

4

Role Separation

• Alternative to all administrators using user informix

• Do not add users to group informix

• DBSA depends on group of INFORMIXDIR/etc

• DBSSO group depends on group of INFORMIXDIR/dbssodir

• AAO group depends on group of INFORMIXDIR/aaodir

• Backup and Recovery group — bargroup

5

How to Enable Role Separation

• On Windows, role separation is enabled during install

Re-install IDS if necessary

No other supported way of doing it

• On Unix, role separation can be set during install

Choose the option (AAO and DBSSO only)

6

How to Enable Role Separation

• On Unix, role separation can be changed after install

DBSA etc

AAO aaodir

DBSSO dbssodir

Change group that owns relevant directory

• Set SGID bit on directory

• Restart IDS

Fix permissions on oninit for the DBSA group

• chmod o+x $INFORMIXDIR/bin/oninit

Fix group permissions on $ONCONFIG (dbsa group)

Fix group permissions on aaodir/adtcfg (aao group)

7

Server File Access

• IDS depends on several files

Server installation

Configuration files

Data files — chunks

• Required owner, group, mode

World access – NO

• onsecurity utility

8

Server Installation and Setup

• Isolate the Data Server

Place the data server on its own machine

• Use appropriate controls on who can access the server machine

• Use firewalls as appropriate

• Don‘t let arbitrary users on arbitrary machines access the server ports

Separate the data server from application servers

• Especially web servers

When not possible to use separate hardware

• Split client INFORMIXDIR from server

9

Insulate Servers from Change

• Always install new versions in a new directory

This limits downtime

And provides safe backout strategy

• Make sure INFORMIXDIR is a symbolic link

• Standardize the ONCONFIG file

• If you have multiple instances on a single machine

Keep each one in a separate INFORMIXDIR

• Always deny public write access

• Usually deny public read access

10


• Keep things that stay constant out of INFORMIXDIR

Device files

Log files

• Think of INFORMIXDIR as ‗long-term temporary‘

It will be removed after next upgrade

11


• DUMPDIR should not point to /tmp

• DUMPDIR big enough for 2 shared memory dumps

• Use standard names and locations for chunks

Always use symbolic links to the actual chunks

• Ensure security of sub-directories of $INFORMIXDIR

Also security of directories to device (chunk) directory

• Use a separate directory for user informix‘s home

Do not use $INFORMIXDIR

12

The onsecurity Utility (UNIX and Linux)

• onsecurity utility checks the security of a file, directory, or path

• Troubleshoots security problems if any are detected

• Use the onsecurity command to:

Check the security of the path leading to a directory or a file

Generate diagnostic output to explain the security problems

Generate a script that can be run by root to fix the problems

• You can use the script as generated

• Or modify it to your environment‘s security needs

13

The onsecurity Utility (UNIX and Linux)

• For special circumstances only:

• Specify that particular users, groups, or directories can be trusted:

Add the information to files in the /etc/informix directory

• trusted.users

• trusted.groups

• trusted.insecure.directories

• Normally, you will be told that the path is secure

• If the path is secure, you do not need to do anything more

14

An example of onsecurity at work

$ onsecurity /work/informix/ids-11

# !!! SECURITY PROBLEM !!!

# /work/informix/ids-11 (path is not trusted)

# Analysis:

# User Group Mode Type Secure Name

# 0 root 0 root 0755 DIR YES /

# 0 root 0 root 0755 DIR YES /work

# 203 unknown 8714 ccusers 0777 DIR NO /work/informix

# 200 informix 102 informix 0755 DIR NO /work/informix/ids-11

# Name: /work/informix

# Problem: owner <unknown> (uid 203) is not trusted

# Problem: group ccusers (gid 8714) is not trusted but can modify the directory

# Problem: the permissions 0777 include public write access

• The informix directory of the path /work/informix has problems:

the owner of this directory is not a trusted user

the group that controls the directory is not trusted

the directory has public write access

• Possible fixes:

Change the owner to root or informix

Change the group to a system group or informix

Remove public write access

• Or grant exemptions

Dangerous, in general!

The onsecurity Utility example

15

16

• At server startup, oninit checks the security of key directories:

Subdirectory Owner Group Permissions

INFORMIXDIR informix informix 755

bin informix informix 755

lib informix informix 755

gls informix informix 755

msg informix informix 755

etc informix DBSA 775

aaodir informix AAO 775

dbssodir informix DBSSO 775

tmp informix informix 770

Security checking at server startup

17

INFORMIXDIR permissions

• Many Informix utilities check file permissions at startup

• Errors detected at this point will be reported

And the program will exit

• Run onsecurity with appropriate options

• Refer to Chapter 1, IBM Informix Security Guide

18

Backup and Restore (BAR)

• Members of bargroup are allowed to do backup and restore

bargroup is a Unix group with a fixed name

• Backup is just as sensitive as live data

Data has been compromised by loss of backup media

Protect the backup copy

19

Connection Security

• Control who can connect to the server

by default anyone with login access to machine

or a ―trusted‖ machine (hosts.equiv, .rhosts)

• Think about using PAM

even for UNIX type access

can be used to deny access to certain accounts

• e.g. Linux pam_access.so

• Encrypted connections to server

Without encryption, passwords are sent in plain text.

ENCCSM

SPWDCSM

SSL

• Avoid using the old r-command configuration files

• Use new configuration parameters

REMOTE_SERVER_CONFIG

• Which remote machines should be trusted

REMOTE_USERS_CONFIG

• Which remote users should be trusted

• Instead of /etc/hosts.equiv and ~/.rhosts

Connection Security

20

21

Enabling Encrypted Communications

• Create or modify server entry in sqlhosts file

server_1_enc olsoctcp host 9089 csm=(s1_enc)

• Create or modify concsm.cfg file

s1_enc("/usr/informix/lib/csm/libixenc.so", "cipher[aes:cbc],timeout[cipher:1440,key=60], mac[levels:<high,medium>,files:<builtin>]”)

• Add new server alias to ONCONFIG

• Restart IDS

22

Enabling Encrypted Communications

• ODBC can use ENCCSM

• JDBC can use an equivalent of ENCCSM

String Url = "jdbc:informix-

sqli://host:9089/sysmaster:informixserver=serve

r_1_enc;user=bob;password=bobpass;csm=(classnam

e=com.informix.jdbc.Crypto,config=concsm.cfg";

• For more details, see Informix Security Guide

23

JCC and JDBC

• Java Common Client (JCC) provides encryption

Using GSKit and SSL

• http://tinyurl.com/467gpr

• http://tinyurl.com/4jr4yu

• Legacy JDBC type IV driver provides encryption

Password encryption

• SPWDCSM

Full encryption

• ENCCSM

http://tinyurl.com/467gpr

http://tinyurl.com/467gpr

http://tinyurl.com/4jr4yu

http://tinyurl.com/4jr4yu

• New communication protocol

drsocssl — SSL for DRDA clients

olsocssl — SSL for SQLI client

• Also supported for server to server communications

• I-Star, HDR, ER, RSS, SDS

• Example sqlhosts file entries

horus_31_ol_ssl olsocssl horus horus_ol_ssl

horus_31_dr_ssl drsocssl horus horus_dr_ssl

Setting up SSL — sqlhosts

24

• SSL_KEYSTORE_LABEL

Specifies label of server digital certificate in keystore

• If not specified in ONCONFIG, uses default label in keystore

• But default label is officially deprecated — be explicit

• SSL_KEYSTORE_LABEL ids_ssl_label

• Extra options for NETTYPE

NETTYPE protocol, poll threads, connections, VP class

• Specify the protocol as iiippp

• Where:

– iii=[ipc||soc|tlli]

– ppp=[shm|str|tcp|spx|ssl]

• NETTYPE socssl, 3, 50, NET

Setting up SSL — onconfig

25

• All encryption/decryption options performed on encrypt VPs

• Encrypt VPs configured via VPCLASS

VPCLASS encrypt,num=5

• Support encrypted and non-encrypted connections

DBSERVERNAME horus_31

DBSERVERALIASES horus_31_ol_ssl,horus_31_dr_ssl

Setting up SSL — onconfig

26

• IBM‘s Global Security Kit, GSKit, is installed with Informix

Server

ClientSDK and Connect

• GSKit contains gsk8capicmd_64 utility

Used to create keystores and manage digital certificates

Needed for SSL communication

• More information on gsk8capicmd_64 at

http://www-01.ibm.com/support/knowledgecenter/SSVJJU_6.2.0/com.ibm.IBMDS.doc/admin_gd174.htm

Keystores and Digital Certificates

27





• The keystore for server is password protected

• Password is stored encrypted in stash file

Also created by gsk8capicmd_64 utility

• One keystore per server instance.

It stores server‘s digital certificate

And root CA certificates of other servers it connects to

• As in I-STAR, HDR, ER, SDS, RSS


28

• The location and name of the files are fixed

Server keystore

• $INFORMIXDIR/ssl/server.kdb

Server password stash

• $INFORMIXDIR/ssl/server.sth

Based on value of DBSERVERNAME

• Ownership and permissions must be correct

User informix, group informix, 660


29

• Client keystore stores root CA certificates

For all servers the client connects to

• SQLI and DRDA clients can share same keystore

• Password is optional for client keystore

• Location and name of client keystore and its password stash file can be configured via new configuration file:

$INFORMIXDIR/etc/conssl.cfg

• Note you need to set the permissions on client files correctly

Setting up SSL — Client

30

• Configuration parameters in conssl.cfg

SSL_KEYSTORE_FILE

• Absolute path name for client keystore file

SSL_KEYSTORE_STH

• Absolute path name for client stash file

• If conssl.cfg does not exist, defaults to

$INFORMIXDIR/etc/client.kdb

$INFORMIXDIR/etc/client.sth

• Permissions on these files should be:

User informix, group informix, permissions 664

Setting up SSL — Client

31

32

Access to Data

• Who creates databases?

DBCREATE_PERMISSION

Add a DBCREATE_PERMISSION entry

• For each user who needs to create databases

• Discretionary Access Control

Users should be granted appropriate level of access to databases and database objects.

Use roles for ease of administration

• GRANT privilege to role

• GRANT role to user

• GRANT default role

Privileges can be granted at DATABASE and TABLE level

33

Other ONCONFIG parameters

• IFX_EXTEND_ROLE

Controls whether administrators can use the EXTEND role to specify which users can register external routines.

• 0 Any user can register external routines

• 1 Only users granted the EXTEND role can register external routines (Default)

• DB_LIBRARY_PATH

Specifies the locations from which Informix can use UDR or UDT shared libraries.

34


• SECURITY_LOCALCONNECTION

Specifies whether IDS performs security checking for local connections.

• 0 Off

• 1 Validate userid

• 2 Validate userid and port

• UNSECURE_ONSTAT

Controls whether non-DBSA users are allowed to run all onstat commands.

• 0 Disabled (Default)

• 1 Enabled

35


• ADMIN_USER_MODE_WITH_DBSA

Controls who can connect to IDS in administrative mode

• 0 Only informix user (Default)

• 1 DBSAs, users specified by ADMIN_MODE_USERS, and user informix

• ADMIN_MODE_USERS

Specifies the user names who can connect to IDS in administrative mode,

• SSL_KEYSTORE_LABEL

The label, up to 512 characters, of the IDS certificate used in Secure Sockets Layer (SSL) protocol communications.

36

Column Level Encryption (CLE)

• Column-level encryption stores sensitive data as encrypted strings

• Use it to selectively encrypt sensitive data

Such as credit card numbers

• Only users who can provide the password can decrypt the data

• Use the ENCRYPT_AES() and ENCRYPT_TDES() functions to encrypt data in columns

• You can sometimes use SET ENCRYPTION PASSWORD

To set an encryption password for a session

• INSERT INTO tab1(ssn) VALUES

(ENCRYPT_AES("111-22-3333", "password"));

• SELECT DECRYPT(ssn, "password") from tab1;

37

Label Based Access Control – LBAC

• Label-based access control (LBAC)

Enterprise Edition only

An implementation of multi-level security (MLS)

You control who has read access and who has write access

• To individual rows and columns of data

• MLS systems process information with different security levels

Permit simultaneous access by users with different security clearances

Allow users access only to information for which they have authorization

38

Label Based Access Control – LBAC

• Create Security Policy and attach it to a table

• Create Security Labels and attach labels to data

• Grant labels to users

• Users can only access data with labels that ―match‖ theirs

39

Audit

• Audit allows you to keep a log of important server events

• You should enable IDS auditing

Decide which events need to be audited

Decide which users need to be audited

• Audit the DBSA

Setup Appropriate Audit Masks

• Examine the audit logs for unexpected events

onshowaudit

• Save the audit logs

Easily compressible

Event generated when change to next audit log file

• Protect the audit logs carefully

40

IDS Server Log

• Lots of valuable information is written to the server log

Failed login attempts

Audit Mode changes

Audit log file changes

• But you have to look!

Be sure to monitor its contents

41

IBM Data Server Security Blueprint

42

IDS Security Guide

• Read and follow the IDS Security Guide


Questions?

Best Security Practices for Informix

43

We Value Your Feedback!

Don‘t forget to submit your Insight session and speaker

feedback! Your feedback is very important to us – we use it

to continually improve the conference.

Access the Insight Conference Connect tool at

insight2015survey.com to quickly submit your surveys from

your smartphone, laptop or conference kiosk.

44

http://insight2015survey.com/

45

Notices and Disclaimers

Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form

without written permission from IBM.

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.

Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for

accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to

update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO

EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO,

LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted

according to the terms and conditions of the agreements under which they are provided.

Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.

Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as

illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other

results in other operating environments may vary.

References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services

available in all countries in which IBM operates or does business.

Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the

views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or

other guidance or advice to any individual participant or their specific situation.

It is the customer‘s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the

identification and interpretation of any relevant laws and regulatory requirements that may affect the customer‘s business and any actions the

customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will

ensure that the customer is in compliance with any law.

46

Notices and Disclaimers (con‘t)

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly

available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance,

compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the

suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to

interoperate with IBM‘s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT

LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights,

trademarks or other intellectual property right.

• IBM, the IBM logo, ibm.com, Aspera®, Bluemix, Blueworks Live, CICS, Clearcase, Cognos®, DOORS®, Emptoris®, Enterprise Document

Management System™, FASP®, FileNet®, Global Business Services ®, Global Technology Services ®, IBM ExperienceOne™, IBM

SmartCloud®, IBM Social Business®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON,

OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®,

pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, Smarter Commerce®, SoDA, SPSS, Sterling Commerce®, StoredIQ,

Tealeaf®, Tivoli®, Trusteer®, Unica®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of

International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be

trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at:

www.ibm.com/legal/copytrade.shtml.

http://www.ibm.com/legal/copytrade.shtml


Thank You