Security: Use login modes to secure the database

There are several measures you can take to secure your database.

Using the SET OPTION statement to set the login_mode option for a database to a combination of Standard, Integrated, Kerberos, LDAPUA, and PAMUA permanently enables those login types for that database. When you enable Integrated, Kerberos, LDAPUA, or PAMUA logins for your database, you rely on the security model of the operating system or network. For example, the following statement permanently enables Standard and Integrated logins:

SET OPTION PUBLIC.login_mode = 'Standard,Integrated';

If the database is shut down and restarted, the option value remains the same and Integrated logins remain enabled.

Setting the login_mode option using SET TEMPORARY OPTION still allows user access via Integrated logins, but only until the database is shut down. The following statement changes the option value temporarily:

SET TEMPORARY OPTION PUBLIC.login_mode = 'Standard,Integrated';

If the permanent option value is Standard, the database will revert to that value when it is shut down.

Enabling these logins through temporary public options can provide additional security for your database. A temporary value lasts only until the database is shut down, so if the database file is copied to another computer, Integrated, Kerberos, LDAPUA, and PAMUA logins will not be enabled by default.

If a database contains sensitive information, the computer where the database files are stored should be protected from unauthorized access. Otherwise, the database files could be copied and unauthorized access to the data could be obtained on another computer.

To increase database security:

  • Make passwords complex and difficult to guess.

  • Strongly encrypt the database file using the AES encryption features of SQL Anywhere. The encryption key should be complex and difficult to guess.

  • Set the permanent PUBLIC.login_mode database option to Standard. To enable Integrated or Kerberos logins, only the temporary public option should be changed each time the server is started. This ensures that only Standard logins are allowed if the database is copied.
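
The last recommendation written out as statements, followed by a check of what a copy of the database file would carry. This is an added example, not part of the SQL Anywhere documentation; it assumes a connection with the privilege to set PUBLIC options, and that temporary settings are not written to the SYS.SYSOPTION catalog view.

```sql
-- 1. One-time hardening: the value stored in the database file allows
--    Standard logins only.
SET OPTION PUBLIC.login_mode = 'Standard';

-- 2. After each database start, run from an operator script kept outside
--    the database file: enable Integrated logins until the next shutdown.
SET TEMPORARY OPTION PUBLIC.login_mode = 'Standard,Integrated';

-- 3. Audit: the permanent value stored in the file versus the value
--    currently in effect, plus the encryption type of the file.
--    Assumption: the temporary setting from step 2 does not appear in
--    SYS.SYSOPTION, so stored_setting is what a copied file starts with.
SELECT o.setting                         AS stored_setting,
       CONNECTION_PROPERTY('login_mode') AS effective_setting,
       DB_PROPERTY('Encryption')         AS file_encryption,
       IF LOWER(o.setting) = 'standard' THEN 'OK'
       ELSE 'REVIEW: non-Standard logins persist in the file'
       ENDIF                             AS finding
FROM SYS.SYSOPTION o
     JOIN SYS.SYSUSER u ON u.user_id = o.user_id
WHERE u.user_name = 'PUBLIC'
  AND LOWER(o."option") = 'login_mode';
```

A stored_setting other than Standard, or a file_encryption value of None, means a copied file would not have the protections listed above.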