Database User Authentication Options

The login procedure is the method that authenticates database users. Several options are available, and choosing the right one for your installation is an important decision. The available login procedures are described in more detail below. When you run the ssoconfig utility to create a database service, you specify the login procedure.

USE_CFG_FILE

This database authentication method has the following characteristics:

  • It allows a single privileged user to log into the database.

  • The privileged user name and password (for example, dblawson/dblawson) are stored in clear text in the database driver configuration file (also known as the capital or CAP file) as the login name and password.

  • It is the default login procedure, because it enables you to be up and running with the least amount of configuration.

The USE_CFG_FILE login procedure is the default because it does not require any initial setup. A database service is not a requirement for this configuration.

Lawson installers might use this method of authentication, for example, to perform smoke tests before installation is complete. Customers might also choose to run in this configuration if they have no need for database auditing or password encryption. If you choose to use this method, make sure you secure the database driver configuration file through file permissions, because anyone who can read the file can read the privileged user's password.

If you use this method, no SSO configuration is required. All additional information in this document related to setting up a database service and creating identities does not apply to you. Refer to the Lawson documentation for the RDBMS system that you use for instructions about how to configure the database driver configuration file for a privileged user name and password.

USE_PRIVILEGED_ID

This database authentication method is the same as USE_CFG_FILE except that the privileged user and password are stored in Resource Management (LDAP repository) and the password is encrypted. To implement this method, create a database service.

USE_USER_ID

This database authentication method has the following characteristics:

  • Users log into the database using their specified database login names and passwords.

  • The user names and passwords are stored in Resource Management (LDAP repository). Passwords are encrypted.

  • Each user must have an "identity" on the database service. (Typically, you create this identity when you add the user to the system.)

  • To implement this authentication method, create a database service.

USE_USER_AND_PRIVILEGED_ID (Oracle and IBM DB2 only)

(Oracle) This database authentication method supports the Oracle proxy authentication feature to attach to the database as a single (privileged) user and then switch to another user on the connection. If you need more information about how this feature works, consult your Oracle documentation.

(IBM DB2) This database authentication method supports the IBM DB2 v9.5 or higher Trusted Context connections feature, to attach to the database as a single (privileged) user and then switch to another user on the connection. If you need more information about how this feature works, consult your IBM DB2 documentation, Create Trusted Context, in the Security section of the DB2 Information Center.

From the Lawson perspective, the method has the following characteristics:

  • Each individual user must have an identity on the Lawson database service. Typically, you create this identity when you add the user to the Lawson system.

  • Individual users log in to Lawson using their user names, which are linked to the Lawson privileged user.

  • For IBM DB2, each user name must be defined as part of the IBM DB2 trusted context.

    The Lawson privileged user (known as the trusted user in IBM DB2) is used to establish the trusted context connection.

  • For Oracle, the privileged user is connected to the database at all times.

For IBM DB2, to implement this authentication method, create a Lawson database service and a trusted context in DB2.

For Oracle, to implement this authentication method, create a Lawson database service.

The privileged and unique user IDs and passwords are stored in Resource Management (the LDAP directory). Passwords are encrypted.
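The following is an added example, not part of the Lawson documentation, of the database-side setup that the USE_USER_AND_PRIVILEGED_ID method relies on: an Oracle proxy-authentication grant and an IBM DB2 trusted context. The account names (lawson_priv, jsmith, mjones), the context name lawson_ctx, the role name, and the application server address 192.0.2.10 are constructed placeholders; substitute the privileged user defined on your Lawson database service and the identities of your actual users. Passwords are shown as placeholders only.

```sql
-----------------------------------------------------------------------
-- Oracle: proxy authentication
-- The privileged user connects once; individual sessions are switched
-- to the end user, who must have been granted CONNECT THROUGH.
-----------------------------------------------------------------------
CREATE USER lawson_priv IDENTIFIED BY "<privileged-password>";
GRANT CREATE SESSION TO lawson_priv;

-- Each Lawson user needs a database account of its own.
CREATE USER jsmith IDENTIFIED BY "<user-password>";
GRANT CREATE SESSION TO jsmith;

-- Link the user to the privileged user so the connection can be
-- switched to jsmith without presenting jsmith's password.
ALTER USER jsmith GRANT CONNECT THROUGH lawson_priv;

-- Optional tightening: limit the roles the proxied session may enable.
-- ALTER USER jsmith GRANT CONNECT THROUGH lawson_priv WITH ROLE lawson_app_role;

-- Verification: list the users the privileged account may proxy for.
SELECT proxy, client
  FROM dba_proxies
 WHERE proxy = 'LAWSON_PRIV';

-- Inside a proxied session, auditing can distinguish the two identities:
-- PROXY_USER is the privileged user, SESSION_USER is the end user.
SELECT SYS_CONTEXT('USERENV', 'PROXY_USER')   AS proxy_user,
       SYS_CONTEXT('USERENV', 'SESSION_USER') AS session_user
  FROM dual;

-----------------------------------------------------------------------
-- IBM DB2 (v9.5 or later): trusted context
-- The privileged (trusted) user establishes the connection; only the
-- user names listed under WITH USE FOR can be switched to on it, and
-- only from the listed address.
-----------------------------------------------------------------------
CREATE TRUSTED CONTEXT lawson_ctx
  BASED UPON CONNECTION USING SYSTEM AUTHID lawson_priv
  ATTRIBUTES (ADDRESS '192.0.2.10')   -- the Lawson application server (placeholder)
  ENABLE
  WITH USE FOR jsmith WITH AUTHENTICATION,
               mjones WITH AUTHENTICATION;

-- When a new Lawson user is added, the trusted context must be
-- extended to include that user name as well.
ALTER TRUSTED CONTEXT lawson_ctx
  ADD USE FOR newuser WITH AUTHENTICATION;

-- Verification (catalog view names assumed from the DB2 catalog):
-- confirm the context exists, is enabled, and uses the expected trusted user.
SELECT contextname, systemauthid, enabled
  FROM syscat.contexts
 WHERE contextname = 'LAWSON_CTX';
```

WITH AUTHENTICATION requires the end user's credentials when the connection is switched, which matches the Lawson model of storing each user's encrypted password in Resource Management; WITHOUT AUTHENTICATION would let the application switch identities on the strength of the trusted connection alone, so it should be chosen deliberately. The ADDRESS attribute is what prevents a copy of the privileged credentials from being useful from any other host.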

Diagram: Lawson user and IBM DB2 trusted context configuration