Encrypted Passwords

SQL/R A.03.00 supports storing database and user passwords in encrypted form.

Encrypted passwords are maintained with the sqlrpasswd utility and kept in the odbc.pswd configuration file. The PassKey DSN and user configuration items are used to refer to encrypted passwords stored in the odbc.pswd file.

Please note: passwords in the odbc.pswd file are encrypted with the 256-bit AES encryption algorithm, which protects them against accidental disclosure. However, a fixed internal encryption key is currently used, and it cannot be changed by the user.

The sqlrpasswd utility

usage: sqlrpasswd [options] passkey

options:
 -help        - show usage (this list)
 -a           - add new passkey entry
 -d           - delete passkey entry
 -f pswdfile  - encrypted passwords file name
                (default is configured in odbc.cfg file)

The -a option is used to add a new passkey/password combination. The passkey is specified on the command line and the sqlrpasswd utility then prompts for the associated password.

The -d option is used to delete a passkey.

When neither the -a nor the -d option is present, the password for the specified passkey is updated. The sqlrpasswd utility then prompts for the associated password.

Encrypted passwords are maintained in a file specified in the odbc.cfg config file (by default odbc.pswd). To add a passkey, change a password or delete a passkey, write access to the password file is required. At runtime, the password file is also read by the sqlrodbcd process.

The -f option instructs sqlrpasswd to use the specified password file instead of the default odbc.pswd file.

For example:

$ /opt/sqlr2/bin/sqlrpasswd -a test
Adding new password entry for 'test'.
New password:
Reenter new password:
Password entry added.

This adds the encrypted password to the password file, associated with the specified passkey "test".

$ /opt/sqlr2/bin/sqlrpasswd test
Changing password entry for 'test'.
New password:
Reenter new password:
Password entry changed.

This changes the password associated with the passkey "test".

Configuration directives

The PassKey config item may be specified as an alternative to the Password config item in the ODBC user and DSN configuration. The PassKey item, if present, takes precedence over the Password item.

The PassKey item specifies an entry in the password file so that the associated password is used.

The example below defines a DSN with the database "sample" that uses a passkey to define the database password.

[PasskeyDSN]
Database = sample
Login = test
passkey = test
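
The following audit script is an added example, not part of SQL/R or of the original page. It reports which sections of a configuration file still carry a clear-text Password item and which have one that is overridden by PassKey. It assumes the file is INI-style like the PasskeyDSN example and that item names are case-insensitive; the LegacyDSN and MixedDSN sections are constructed sample input.

```python
import configparser
import sys

# Constructed sample in the style of the PasskeyDSN example; values are made up.
SAMPLE_CFG = """\
[PasskeyDSN]
Database = sample
Login = test
passkey = test

[LegacyDSN]
Database = sample
Login = test
Password = secret

[MixedDSN]
Database = sample
Login = test
Password = old-secret
PassKey = test
"""


def audit_passwords(cfg_text):
    """Map each section to how it supplies its password.
    "passkey"   - only PassKey is set (password is looked up in odbc.pswd)
    "plaintext" - only Password is set (clear text in the config file)
    "shadowed"  - both are set; PassKey takes precedence, so the clear-text
                  Password is unused and can be removed
    "none"      - neither item is present
    """
    # Assumption: item names are case-insensitive (the page writes both
    # "PassKey" and "passkey"); configparser lowercases option names.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(cfg_text)
    labels = {(True, True): "shadowed", (True, False): "passkey",
              (False, True): "plaintext", (False, False): "none"}
    return {
        section: labels[(parser.has_option(section, "passkey"),
                         parser.has_option(section, "password"))]
        for section in parser.sections()
    }


if __name__ == "__main__":
    # Audit the file named on the command line, or the sample if none is given.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CFG
    for name, status in audit_passwords(text).items():
        print(f"{name}: {status}")
```

Sections reported as "plaintext" are candidates for migration with sqlrpasswd -a; sections reported as "shadowed" still expose an unused password in the config file.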

Platform dependencies

HP-UX

The OpenSSL software is used on HP-UX for cryptographic functions. It must be installed to use encrypted communication.

To use encryption, the server process or the driver dynamically loads the libcrypto.sl (PA-RISC) or libcrypto.so (Itanium) library.

The SQL/R specific lib directory has precedence in locating the library. The SHLIB_PATH and LD_LIBRARY_PATH environment variables may be used to select a specific library to be loaded. Otherwise the system default is used.

The HP OpenSSL software for HP-UX may be obtained from the HP Software Depot web site.
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=OPENSSL11I

For HP-UX 11i v1, it is also recommended to install the KRNG kernel support for strong random numbers. It is available from the HP Software Depot web site.
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=KRNG11I

Linux

The OpenSSL software is used on Linux for cryptographic functions. It must be installed to use encrypted communication. The OpenSSL 0.9.7 or 0.9.8 package must be installed.

To use encryption, the server process dynamically loads a libcrypto.so library. The SQL/R specific lib directory has precedence in locating the library. The LD_LIBRARY_PATH environment variable may be used to select a specific library to be loaded. Otherwise the system default is used.

Windows

The built-in cryptographic functionality is used. No additional software needs to be installed.