Enterprise Replication and High-Availability Data Replication Connection Security Option

Home | Previous Page | Next Page The Database Server > Security >

Enterprise Replication and High-Availability Data Replication Connection Security Option

You can increase security for Enterprise Replication and High-Availability Data Replication (HDR) connections with a new configuration option in the INFORMIXSQLHOSTS file.

Add s=6 to the options (fifth) field in the INFORMIXSQLHOSTS files to indicate that the corresponding port accepts only Enterprise Replication or HDR connection requests. Any other type of connection request will be rejected with error number -25539, invalid connection type.

Here is an outline of a INFORMIXSQLHOSTS file entry:

dbservername   nettype   hostname   servicename   s=6

For example:

  ifxer1  oltlitcp  mc001  er_port  s=6,Other_ER_Parameters

When you set s=6, the Enterprise Replication (ER) or HDR connection requests are authenticated using a new mechanism. The system administrator should create a file hosts.equiv file in the $INFORMIXDIR/etc directory and add the names of the participating Enterprise Replication and HDR nodes (host names, as would be found in the third column of the INFORMIXSQLHOSTS file) in that file, one per line. The format of the file is similar to the UNIX /etc/hosts.equiv file. The file should be owned by user informix, belong to group informix, and the permissions should be restricted so that at most user informix can modify the file (using octal permissions, one of the values 644, 640, 444, or 440 is appropriate).

If the configuration is such that the replicating servers are on the same machine, then the $INFORMIXDIR/etc/hosts.equiv file is not needed.

The following restrictions apply to this security option:

For Enterprise Replication or HDR-only ports, s=6 should be the only security option present. No other security option (s=0,1,2,3,4) should be used when s=6 is used.
This option is specific to the database server environment for Enterprise Replication and HDR, so it should not be used in the client environment. Clients will return an error if this option is set in SQLHOSTS file and the client attempts to use the associated server name.

Recommendation: Dedicate the database server name or a database server alias for administering the secure connectivity. For example, if you are using HDR, execute the onmode -d primary secondary_servername command with INFORMIXSERVER set to the secure database server or alias name. Then execute the ontape or onbar restore commands (for example, ontape -p) that are part of HDR initialization using a different, non-secure INFORMIXSERVER setting. Likewise, use a different, non-secure INFORMIXSERVER for other client applications, such as DB-Access.

For information on HDR, see High-Availability Data Replication (Enterprise/Workgroup Editions). For information on Enterprise Replication, see IBM Informix Dynamic Server Enterprise Replication Guide.