Database User Authentication Options

The login procedure is the method that authenticates database users. Several options are available, and choosing the right one for your installation is an important decision. The available login procedures are described in more detail below. You specify the login procedure when you run the ssoconfig utility to create a database service.

USE_CFG_FILE

This database authentication method has the following characteristics:

  • It allows a single privileged user to log in to the database.

  • The privileged user name/password (for example, dblawson/dblawson) is stored in clear text in the database driver configuration file (also known as the capital or CAP file) as the login name and password.

  • It is the default login procedure, because it enables you to be up and running with the least amount of configuration.

The USE_CFG_FILE login procedure is the default because it does not require any initial setup. A database service is not a requirement for this configuration.

Lawson installers might use this method of authentication, for example, to perform smoke tests before installation is complete. Customers might also choose to run in this configuration if they have no need for database auditing or password encryption. If you choose to use this method, make sure you secure the database driver configuration file through file permissions.
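
The file-permission check recommended above can be scripted. The following is an added example, not Lawson code: the function names are hypothetical, and the path to your database driver configuration file is supplied as an argument because this page does not give its location.

```shell
#!/bin/sh
# Added example: audit a file that stores clear-text database credentials.
# The path comes from the caller; no Lawson-specific location is assumed.

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when only the owner can reach the file, 1 otherwise.
audit_cap_file() {
    f=$1
    rc=0
    if [ -L "$f" ]; then
        echo "FAIL: $f is a symbolic link; audit its target instead"
        return 1
    fi
    if [ ! -f "$f" ]; then
        echo "FAIL: $f is not a regular file"
        return 1
    fi
    mode=$(file_mode "$f") || return 1
    # Any group or other bit lets non-owners read or alter the password.
    if [ $((0$mode & 077)) -ne 0 ]; then
        echo "FAIL: $f has mode $mode; restrict it with: chmod 600 $f"
        rc=1
    fi
    dir=$(dirname "$f")
    dmode=$(file_mode "$dir") || return 1
    # A group/other-writable directory without the sticky bit lets other
    # accounts rename the file away and substitute their own copy.
    if [ $((0$dmode & 022)) -ne 0 ] && [ $((0$dmode & 01000)) -eq 0 ]; then
        echo "FAIL: directory $dir has mode $dmode and is writable by non-owners"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $f (mode $mode) is restricted to its owner"
    fi
    return "$rc"
}

# Audit the path given on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_cap_file "$1"
fi
```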

If you use this method, no SSO configuration is required. All additional information in this document related to setting up a database service and creating identities does not apply to you. Refer to the Lawson documentation for the RDBMS system that you use for instructions about how to configure the database driver configuration file for a privileged user name and password.

USE_PRIVILEGED_ID

This database authentication method is the same as USE_CFG_FILE except that the privileged user and password are stored in Resource Management (LDAP repository) and the password is encrypted. To implement this method, create a database service.

USE_USER_ID

This database authentication method has the following characteristics:

  • Users log in to the database using their specified database login names and passwords.

  • The user names and passwords are stored in Resource Management (LDAP repository). Passwords are encrypted.

  • Each user must have an "identity" on the database service. (Typically, you create this identity when you add the user to the system.)

  • To implement this authentication method, create a database service.

USE_USER_AND_PRIVILEGED_ID

This database authentication method supports the Oracle proxy authentication feature to attach to the database as a single (privileged) user and then switch to another user on the connection. If you need more information about how this feature works, consult your Oracle documentation. From the Lawson perspective, the method has the following characteristics:

  • Each individual user must have an identity on the Lawson database service. Typically, you create this identity when you add the user to the Lawson system.

  • Individual users log in to Lawson using their user names, which are linked to the Lawson privileged user.

  • The privileged user is connected to the database at all times.

To implement this authentication method, create a Lawson database service.

The privileged and unique user IDs and passwords are stored in Resource Management (the LDAP directory). Passwords are encrypted.