Enabling the encrypted user ID
Derby Server and Administration Guide
· Strong password substitution
(org.apache.derby.jdbc.ClientDataSource.STRONG_PASSWORD_SUBSTITUTE_SECURITY)
When using this mechanism, a strong password substitute is generated and used to authenticate the user with the Network Server. The original password is never sent in any form across the network.
The user name that is specified upon connection is the default schema for the connection, if a schema with that name exists. See the Derby Developer's Guide for more information on schema and user names.
If you specify any other security mechanism, you will receive an exception.
To change the default, you can specify another security mechanism either as a connection property or on the URL (using the securityMechanism=value attribute) when making the connection. For details, see "securityMechanism=value attribute" in the Derby Reference Manual.
Whether the security mechanism you specify for the client actually takes effect depends upon the setting of the derby.drda.securityMechanism property for the Network Server. If the derby.drda.securityMechanism property is set, the Network Server accepts only connections that use the security mechanism specified by the property setting; a client that requests any other mechanism is rejected rather than downgraded. If the derby.drda.securityMechanism property is not set, clients can use any valid security mechanism.
Security mechanism options when user authentication is enabled on the Network Server:
When user authentication is enabled in Derby, you can use any of the following security mechanisms:
· Clear text user name and password security, the default
· Strong password substitute security
· Encrypted user name and password security
Security mechanism options when user authentication is disabled on the Network Server:
When user authentication is turned off in Derby, you can use any of the security mechanism options.
You must provide a user and password for all security mechanisms except USER_ONLY_SECURITY. However, because user authentication is disabled in the Derby server, the user name and password that you supply do not have to be ones that Derby recognizes as valid.
Enabling the encrypted user ID and password security mechanism:
To use the encrypted user ID and password security mechanism, you need a Java environment with a JCE (Java Cryptography Extension) that supports the Diffie-Hellman algorithm with a public prime of 256 bits. The Sun Java Platform, Standard Edition, Version 1.4 (J2SE) and later requires a public prime of 512 bits or more, so the encrypted mechanism fails on such a JCE. If the 256-bit public prime is not supported, STRONG_PASSWORD_SUBSTITUTE_SECURITY is the alternative that also keeps the password off the wire.
To use the encrypted user ID and password security mechanism during a JDBC connection using the network client, set the securityMechanism connection property (or the equivalent URL attribute) to the encrypted user ID and password mechanism.
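The following is an added example and is not code from the Derby guide or the Derby project. It shows both ways of requesting a security mechanism from the network client (a ClientDataSource property and the securityMechanism URL attribute), chooses the encrypted user ID and password mechanism when the local JCE accepts 256-bit Diffie-Hellman parameters and falls back to strong password substitution otherwise, and never falls back to clear text. The host, port, database name and credentials are hypothetical, and the JCE probe uses a freshly generated 256-bit prime rather than Derby's own DRDA parameters; it only tests whether the provider accepts that key size.

```java
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

import javax.crypto.spec.DHParameterSpec;

import org.apache.derby.jdbc.ClientDataSource;

/**
 * Added example, not from the Derby guide. Connects to a Derby Network Server
 * without ever sending the password in clear text.
 *
 * Assumed (hypothetical) deployment: server on localhost:1527, database
 * "salesdb", credentials app / s3cret. To pin the server side as well, the
 * server's derby.properties would carry one of
 *   derby.drda.securityMechanism=ENCRYPTED_USER_AND_PASSWORD_SECURITY
 *   derby.drda.securityMechanism=STRONG_PASSWORD_SUBSTITUTE_SECURITY
 * after which the Network Server rejects clients asking for any other mechanism.
 */
public class NoClearTextDerbyClient {

    static final String HOST = "localhost";   // assumed
    static final int PORT = 1527;             // Derby Network Server default port
    static final String DB = "salesdb";       // assumed
    static final String USER = "app";         // assumed
    static final String PASSWORD = "s3cret";  // assumed

    /**
     * Probe whether the local JCE accepts 256-bit Diffie-Hellman parameters,
     * which ENCRYPTED_USER_AND_PASSWORD_SECURITY needs. The prime is a random
     * probable prime (not Derby's DRDA prime); a provider enforcing a 512-bit
     * minimum rejects it in initialize() regardless of the value.
     */
    static boolean jceSupports256BitDh() {
        try {
            BigInteger p = BigInteger.probablePrime(256, new SecureRandom());
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
            kpg.initialize(new DHParameterSpec(p, BigInteger.valueOf(2)));
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    /** Strongest mechanism this JVM can run; clear text is never an option here. */
    static short chooseMechanism() {
        return jceSupports256BitDh()
                ? ClientDataSource.ENCRYPTED_USER_AND_PASSWORD_SECURITY
                : ClientDataSource.STRONG_PASSWORD_SUBSTITUTE_SECURITY;
    }

    /** Variant 1: securityMechanism set as a ClientDataSource property. */
    static Connection connectViaDataSource(short mechanism) throws SQLException {
        ClientDataSource ds = new ClientDataSource();
        ds.setServerName(HOST);
        ds.setPortNumber(PORT);
        ds.setDatabaseName(DB);
        ds.setUser(USER);
        ds.setPassword(PASSWORD);
        ds.setSecurityMechanism(mechanism);
        return ds.getConnection();
    }

    /** Variant 2: the same request as a URL attribute; the value is the numeric DRDA code. */
    static Connection connectViaUrl(short mechanism) throws SQLException {
        String url = "jdbc:derby://" + HOST + ":" + PORT + "/" + DB
                + ";securityMechanism=" + mechanism;
        Properties props = new Properties();
        props.setProperty("user", USER);
        props.setProperty("password", PASSWORD);
        return DriverManager.getConnection(url, props);
    }

    public static void main(String[] args) throws SQLException {
        short mechanism = chooseMechanism();
        System.out.println("Requesting securityMechanism=" + mechanism
                + (mechanism == ClientDataSource.ENCRYPTED_USER_AND_PASSWORD_SECURITY
                        ? " (encrypted user ID and password)"
                        : " (strong password substitute)"));
        // If derby.drda.securityMechanism on the server names a different
        // mechanism, getConnection() fails here instead of downgrading.
        try (Connection c = connectViaDataSource(mechanism)) {
            // The connecting user name is the default schema if such a schema exists.
            System.out.println("Connected; default schema is " + c.getSchema());
        }
        try (Connection c = connectViaUrl(mechanism)) {
            System.out.println("Connected via the URL attribute as well");
        }
    }
}
```

Run it against a server whose derby.properties pins the mechanism you expect; if the client's choice and the server's setting disagree, the failure surfaces as an SQLException at connection time, which is the behaviour you want from a deliberately non-negotiable setting.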
Note: If an encrypted database is booted in the Network Server, users can connect to the database without giving the bootPassword. The first connection to the database must provide the bootPassword, but all subsequent connections do not need to supply it. To remove access to the encrypted database, shut it down with the shutdown=true attribute.