

14. Databases & Transaction Monitors


Transaction monitors

X/Open DTP

The X/Open DTP (Distributed Transaction Processing) standard is based on USL's TUXEDO and is an open standard for OLTP (Online Transaction Processing). Transaction processing is an application programming system which defines and co-ordinates interactions between multiple users and multiple databases or other shared resources. DTP extends transaction processing to include multiple resources and networked machines. On-line transaction processing is that part of DTP which manages the logging and execution of individual transactions.

DTP can be described as middleware which allows a (possibly transaction oriented) application to be distributed across numerous machines in a heterogeneous environment.
DTP is comprised of 3 modules:

1. AP = Application
2. TM = Transaction Manager
3. RM = Resource Manager (often a front end to a database). The RM must be capable of doing two phase commit (2PC) and support the XA protocol.


The following protocols are defined in the DTP standard:

XATMI is a subset of Tuxedo's ATMI - there are no transaction, authorisation, queueing or forwarding functions. XATMI defines buffertypes X_OCTET (equivalent to Tuxedo CARRAY), X_C_TYPE (equivalent to Tuxedo VIEW) and X_COMMON (similar to X_C_TYPE but used for both COBOL and C). The Tuxedo FML buffer type is not part of the standard.

TxRPC is a modified RPC: to support transactions, both restrictions and new features (transactional RPC) have been added. There are two types: one with a full DCE implementation and one with IDL only (no DCE runtime). Transarc's Encina uses TxRPC.

Other notes:

Stored messages: a facility whereby request messages are written to stable storage for later processing. Provides greater recoverability and reliability (each request is guaranteed to be executed exactly once) and is more "mainframe like". Four queue types exist: request, reply, failure and error queues. TMS_QM is the TM server for stored messages, TMQUEUE is the server which manages the queue and TMQFORWARD allows forwarding of requests to another service.

CPI-C is the X/Open interface to LU6.2.

Peer-to-peer: allows half duplex communication between APs.

OSI TP: Provides transaction semantics to the OSI protocol and services.

XAP: is an API for connection to services in the presentation layer of the OSI protocol stack. It provides for portability of OSI applications such as X.400, FTAM, Directory Services, Network Management, VPT.

XAP-TP is an interface to the OSI TP service element and to the presentation layer. It is an extension of the XAP protocol.

Documentation

Unisys Open/OLTP 4.2.2 = IMC TUXEDO 4.2.2 (for UNIXNT/PC)

Open/OLTP is Unisys's implementation of the X/Open DTP standard. IML are the actual developers of UNIX and PC versions of Open/OLTP, hence Open/OLTP = IML Tuxedo.

Apparently global transactions with IMS Hosts are not yet possible as no interface to LU6.2 (syncpoint level 2) exists.

General

Characteristics
Compatibility
Documentation

Refer to the original USL Tuxedo documentation. The author used "U6000 Series TransIT Open/OLTP Transaction Manager - Administration Guide" from Unisys (7844 9709-000), November 1994 (this is version 4.2.1).

Transaction Integrity

Transaction integrity is guaranteed if the RM implements the two phase commit (2PC) XA protocol, the client correctly uses the ATMI 2PC function calls (e.g. tpcommit()) and the services controlling the RM correctly use the XA 2PC function calls (e.g. xa_precom(), xa_commit()). The client and the service can abort their respective transactions and be sure that rollback occurs.

The 2PC protocol used by XA requires the use of a transaction log (TLOG) for the second phase of the 2PC. TM uses TLOG for recovery of current distributed transactions. There is one TLOG per OLTP server. The TLOG can either be a raw device or a file.
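The role of the TLOG described above, as an added example (not code from Tuxedo, Open/OLTP or this guide): a toy transaction manager forces its commit decision to a log file before phase 2 starts, and recovery after a simulated crash completes the logged transaction and rolls back prepared work that has no commit record. The class names, the JSON log format and the crash_before_phase2 switch are assumptions made for illustration; the real XA and ATMI calls are not used.

```python
import json
import os
import tempfile


class ResourceManager:
    """Toy RM (constructed for this example): stages work at prepare, applies it at commit."""

    def __init__(self, name, vote_ok=True):
        self.name = name
        self.vote_ok = vote_ok      # False simulates an RM that cannot prepare
        self.data = {}              # committed state
        self.pending = {}           # xid -> staged changes (prepared, in doubt)

    def prepare(self, xid, changes):
        if not self.vote_ok:
            return False
        self.pending[xid] = dict(changes)
        return True

    def commit(self, xid):
        self.data.update(self.pending.pop(xid, {}))

    def rollback(self, xid):
        self.pending.pop(xid, None)


class TransactionManager:
    """Toy TM: the TLOG is a file of JSON lines, forced to disk before phase 2 starts."""

    def __init__(self, tlog_path):
        self.tlog_path = tlog_path

    def _log(self, record):
        with open(self.tlog_path, "a") as tlog:
            tlog.write(json.dumps(record) + "\n")
            tlog.flush()
            os.fsync(tlog.fileno())

    def commit(self, xid, work, crash_before_phase2=False):
        """work is a list of (rm, changes). Returns the outcome as a string."""
        prepared = []
        for rm, changes in work:                      # phase 1: collect votes
            if not rm.prepare(xid, changes):
                for earlier in prepared:
                    earlier.rollback(xid)
                return "rolled_back"
            prepared.append(rm)
        # Decision point: the commit record must be durable before any RM commits.
        self._log({"xid": xid, "state": "commit", "rms": [rm.name for rm in prepared]})
        if crash_before_phase2:
            return "in_doubt"                         # simulated TM crash
        for rm in prepared:                           # phase 2: apply the decision
            rm.commit(xid)
        self._log({"xid": xid, "state": "done"})
        return "committed"

    def recover(self, rms):
        """Replay the TLOG after a restart. rms maps RM name -> ResourceManager."""
        decided, done = {}, set()
        if os.path.exists(self.tlog_path):
            with open(self.tlog_path) as tlog:
                for line in tlog:
                    rec = json.loads(line)
                    if rec["state"] == "commit":
                        decided[rec["xid"]] = rec["rms"]
                    else:
                        done.add(rec["xid"])
        completed = []
        for xid, names in decided.items():
            if xid in done:
                continue
            for name in names:                        # finish the logged decision
                rms[name].commit(xid)
            self._log({"xid": xid, "state": "done"})
            completed.append(xid)
        aborted = []
        for rm in rms.values():                       # prepared but never decided: abort
            for xid in list(rm.pending):
                rm.rollback(xid)
                aborted.append((rm.name, xid))
        return completed, aborted


def demo():
    """Crash between the two phases, then recover from the TLOG with a fresh TM."""
    tlog = os.path.join(tempfile.mkdtemp(), "TLOG")
    db_a, db_b = ResourceManager("db_a"), ResourceManager("db_b")
    first = TransactionManager(tlog).commit(
        "x1", [(db_a, {"acct1": 90}), (db_b, {"acct2": 110})], crash_before_phase2=True)
    before = (dict(db_a.data), dict(db_b.data))       # nothing applied yet
    completed, aborted = TransactionManager(tlog).recover({"db_a": db_a, "db_b": db_b})
    return first, before, completed, aborted, db_a.data, db_b.data


if __name__ == "__main__":
    print(demo())
```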

Accountability

User identification / authorisation

See also the section Secure data exchange: peer entity authentication.

Audit Trail

Access Control

*RESOURCES

PERM 0600 [bulletin board & request queues: IPC permissions]
SYSTEM_ACCESS FASTPATH [Unisys say PROTECTED is not usable in production]

*MACHINES

PERM as RESOURCES/PERM

*SERVICES

RQPERM as RESOURCES/PERM
RPPERM as RESOURCES/PERM
SYSTEM_ACCESS as RESOURCES/SYSTEM_ACCESS

Object Reuse

Reuse of objects for covert data transfer should be prevented by the measures above for UNIX login, filesystem and shared memory.

Secure Data Exchange

The client can use the ATMI function tpchkauth() to check the level of security required for an application. Then the client fills the TPINIT buffer with the required security information and sends it to the server via tpinit().

Peer entity authentication

OLTP offers very little security as standard; however, it provides an open framework in which an application can implement strict security functionality. Three authentication methods are offered: service based, client based and customised.

=> Server based access (OLTP "Level 2" security)

=> Client based authentication (OLTP "Level 3")

=> Customised authentication/authorisation

=> Secure naming services such as NIS+ or Kerberos (and hence DCE) can be used for authentication, if a front end is written to OLTP and installed as an AUTHSVC service. Special authentication services can also be used (Unisys have already implemented an authentication server ZKM for the Schweizerische Aussenministerium).

Integrity

The integrity of data transferred between OLTP client and server is guaranteed by TCP sockets. No additional measures (such as checksums) are implemented.

Confidentiality

The password information in the TPINIT buffer is bit mask encrypted before being sent over the network. This is not enough for sensitive applications; the application password and authentication code should therefore be encrypted before being written into the TPINIT buffer. The encryption mechanism should make playback impossible and should not be easily decrypted by brute force. Public key algorithms for generating a unique session key depending on time / user names / IP address / host names are recommended.
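The two properties asked for above (no playback, and a value tied to time, user name and client address), shown as an added example that is not part of the original guide or of Tuxedo. The guide recommends public key techniques; this sketch swaps in a keyed hash (HMAC) from the Python standard library, and the names AuthService, make_authenticator and MAX_SKEW, the salt and the password are constructed for illustration.

```python
import hashlib
import hmac
import json
import os
import time

MAX_SKEW = 30  # seconds an authenticator stays acceptable (assumed policy value)


def derive_key(password, salt):
    """Stretch the application password; the server stores this key, not the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _mac(key, user, host, ts, nonce_hex):
    # JSON gives an unambiguous encoding of the fields that are authenticated.
    msg = json.dumps([user, host, ts, nonce_hex]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_authenticator(key, user, host, now=None):
    """Client side: the value to carry in the TPINIT buffer instead of the password."""
    ts = int(time.time() if now is None else now)
    nonce_hex = os.urandom(16).hex()
    return {"user": user, "ts": ts, "nonce": nonce_hex,
            "mac": _mac(key, user, host, ts, nonce_hex)}


class AuthService:
    """Server side (hypothetical authentication service): verifies and rejects playback."""

    def __init__(self, keys):
        self.keys = keys            # user -> derived key
        self.seen = {}              # (user, nonce) -> timestamp of accepted authenticators

    def verify(self, token, peer_host, now=None):
        now = int(time.time() if now is None else now)
        # Forget nonces whose authenticators are too old to be accepted anyway.
        self.seen = {k: ts for k, ts in self.seen.items() if now - ts <= MAX_SKEW}
        key = self.keys.get(token["user"])
        if key is None:
            return "unknown user"
        if abs(now - token["ts"]) > MAX_SKEW:
            return "stale"
        # The MAC is recomputed over the address the server actually sees.
        expected = _mac(key, token["user"], peer_host, token["ts"], token["nonce"])
        if not hmac.compare_digest(expected, token["mac"]):
            return "bad mac"
        if (token["user"], token["nonce"]) in self.seen:
            return "replay"
        self.seen[(token["user"], token["nonce"])] = token["ts"]
        return "ok"


def demo():
    """One authenticator presented four times (all values constructed)."""
    key = derive_key("constructed-app-password", b"constructed-salt")
    service = AuthService({"alice": key})
    token = make_authenticator(key, "alice", "10.0.0.5", now=1000)
    return [
        service.verify(token, "10.0.0.5", now=1005),   # first use
        service.verify(token, "10.0.0.5", now=1010),   # captured and played back
        service.verify(token, "10.0.0.9", now=1010),   # presented from another address
        service.verify(token, "10.0.0.5", now=1100),   # presented after the time window
    ]


if __name__ == "__main__":
    print(demo())
```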

System and application messages can be compressed (Tuxedo 4.2.1 or later) with the environment variable TMCMPLIMIT. This is especially useful for low speed networks and for reducing application boot time. Compression strength can be set for local and remote messages separately. By setting remote compression, but no local compression, data does not appear in clear text during network communications. This offers only very simple confidentiality against casual network sniffers: compression involves no key, so anyone who knows the algorithm can reverse it. To implement this functionality, set TMCMPLIMIT=0,MAXLONG.

Recommendation: use both local and remote compression.

Data origin authentication

Data origin is known, if "OLTP level 3" security is used. It should be noted that TCP/IP has very definite weaknesses in the area of authentication (IP spoofing).

Non repudiation of origin/receipt

Digital signatures are not defined in OLTP; however, they may be implemented on the application level.

Availability

Load Balancing
Service Redundancy
Master Redundancy
WSH (Workstation Handler) Redundancy

DOS/Windows PCs do not have a full OLTP implementation. TDWIN (the OLTP client) requires access to a UNIX machine with a WSH process. There is no way of specifying a backup WSH server in the OLTP protocol. To provide redundancy, the following are possible:

From V4.2.2 there is a time-out on the server side, so if a PC client hangs up, the server will close open connections to this PC after a certain time-out.


OLTP Interface to Oracle 7

Oracle 7.0.12 is XA compliant. The XA interface allows an OLTP client to access an OLTP server (the Oracle RM) which can pass on requests (SQL) to an Oracle server. The Oracle RM runs under one user (specified in UBBCONFIG), so multiple OLTP servers must be running under separate users if db access under different usernames is required.

HIT (Host Integration Toolkit) 1.0

Unisys's HIT tool is not a TM, but is mentioned here because it uses Open/OLTP. HIT interfaces to classical mainframe applications by telnet or 3270. It translates terminal oriented information into transactions. This conversion takes place on an Open/OLTP server. Clients normally access HIT server services via OLTP, but a direct connection via the SThandler protocol is also possible (though it is not discussed here).

General

Installation
Transaction Integrity

Depends on how scripts & client software are written. No implicit transaction integrity is offered by HIT.

Accountability

User identification / authorisation

See the section Secure data exchange: peer entity authentication.

Audit Trail

Access control

UNIX Login security

Different UNIX users are required when running HIT:

  1. "Installation user": The HIT application should be installed as a dedicated user (or users), e.g. hit1-0. If possible this account should be locked. Its home directory should be the directory where all HIT binaries are found (e.g. /opt/hit-1.0).
  2. "Application manager": This user controls the OLTP system application and must belong to the ST group. Its home directory is $PROJDIR.
  3. "Domain manager": HIT servers run under a special user, e.g. hit_domain, whose home directory is $DOMAINHOME, where server configuration files (e.g. UBBCONFIG) are found. This user must be a member of the ST group and is primarily for administration.
  4. "HIT user": Client requests run under this user, e.g. hit_client, whose home directory is $DOMAINHOME. If possible this account should be locked. This user must be a member of the ST group.
    - For simple installations, users 2, 3 and 4 above may be a single user with home directory $DOMAINHOME.

The umask must be set for these users to 077, to ensure that files created by HIT have permissions rwx------ . (TBD, perhaps 027 is necessary rwxr-x--- ?)

File System

File and directory permissions must be set restrictively for the application and server directories.

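# application directory: owner full access, group ST read/execute, others nothing
chmod 750 $PROJDIR
chmod -R o-rwx,g-w $PROJDIR/* /etc/domainname.map /etc/stconfig
chown -R hit.ST $PROJDIR/* /etc/domainname.map /etc/stconfig
# server (domain) directory: same policy
chmod 750 $DOMAINHOME
chmod -R o-rwx,g-w $DOMAINHOME/*
chown -R hit_domain.ST $DOMAINHOME/*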

If $SPOOLDIR is set to a directory only used by HIT, then logs should be protected by use of umask (see above) and the directory should also be protected:

chmod 770 $SPOOLDIR
chown hit.ST $SPOOLDIR
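A check that the permissions set above are still in place, as an added example (not a HIT or Unisys tool): it walks a directory tree and reports every entry that carries permission bits the chosen umask would have cleared, so it can be run with 077 or with the 027 that the text leaves open, and with 007 for a $SPOOLDIR set to 770. The function name audit_tree, the optional owner check and the sample tree are assumptions; the file names UBBCONFIG and trans_passwd are taken from this chapter, and their contents are constructed.

```python
import os
import stat
import tempfile


def audit_tree(root, umask=0o027, owner_uid=None):
    """Return sorted (relative path, reason) pairs for entries that break the policy.

    An entry fails if it carries permission bits the umask would have cleared
    or, when owner_uid is given, if it belongs to a different user.
    """
    allowed = 0o777 & ~umask
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, name) for name in dirnames + filenames]
    findings = []
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue                      # the mode bits of a symlink are not meaningful
        rel = os.path.relpath(path, root)
        mode = stat.S_IMODE(st.st_mode) & 0o777
        if mode & ~allowed:
            findings.append((rel, "mode %04o exceeds %04o" % (mode, allowed)))
        if owner_uid is not None and st.st_uid != owner_uid:
            findings.append((rel, "owner uid %d, expected %d" % (st.st_uid, owner_uid)))
    return sorted(findings)


def demo():
    """Build a constructed $DOMAINHOME-like tree and audit it under both umasks."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o750)
    for name, mode in (("UBBCONFIG", 0o640), ("trans_passwd", 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as handle:
            handle.write("constructed sample\n")
        os.chmod(path, mode)              # trans_passwd is left world-readable on purpose
    scripts = os.path.join(root, "scripts")
    os.mkdir(scripts)
    os.chmod(scripts, 0o775)              # group-writable and open to others on purpose
    return root, audit_tree(root, 0o027), audit_tree(root, 0o077)


if __name__ == "__main__":
    _, group_read, owner_only = demo()
    for rel, reason in group_read:
        print("umask 027:", rel, reason)
    for rel, reason in owner_only:
        print("umask 077:", rel, reason)
```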

Object Reuse

Reuse of objects should be protected by the measures above for UNIX login and filesystem. Shared memory must also be protected (see OLTP chapter).

Secure Data Exchange

Peer Entity authentication

Since the HIT servers are started from inetd, it should be possible to restrict client access by IP address if the tcp wrappers are used and DHCP is not used.

HIT has its own authentication server (AUTHserver), which uses two (ASCII) password files in $DOMAINHOME, one for host accounts (serv_passwd, managed by stpasswd -s) and one for client access (trans_passwd, managed by stpasswd -t). The host password file lists accounts and passwords on the host accessed via telnet/3270.

AUTHserver offers three services:

  1. The AUTH service is called by SThandler on transaction #1 and verifies username/password against the trans_passwd file. If all is OK contact is made with the OLTP TM and subsequent transactions are allowed.
  2. The transPSW service is called after the AUTH service above is called. It checks password aging (PASSREQ, MAXDAYS) and passes additional parameters ${PSW[0-0]} back to the transaction script.
  3. The servPSW reads $USER and $PASSWD and $PSW[0-9] from serv_passwd on the basis of server name and id and returns these values.

Weaknesses:

Integrity
Confidentiality
Non repudiation of origin / receipt

Digital signatures are not defined in HIT or OLTP; however, they may be implemented at the application level.

Availability

Service Redundancy

HIT offers no additional redundancy to that offered by OLTP.


Databases

General guidelines for (relational) Databases

General

TCSEC Evaluated Databases

Consider using a TCSEC evaluated database. The following table lists the databases evaluated by the NSA in Spring 1996 [nsa1]. See Appendix C for a more detailed discussion of TCSEC. C2 is the TCSEC level aimed for by most commercial systems.

Even if a system is evaluated to a certain level (e.g. TCSEC C2), it still requires careful configuration, monitoring and organisation processes for it to be considered "secure" in a real production environment. Don't attach too much importance to the "label" C2 for its own sake. It is often used as a sales pitch without real substance. E.g. a system may offer "C2 auditing", but that doesn't mean that the audit logs are useful, or that tools for high level analysis of these logs are included in the system, or that anyone actually reads the logs!

Database                     Level   Cert. date   Notes
Informix Online/Secure 5.0   B1      15.11.94
Trusted Oracle 7             B1      5.4.94
Secure SQL Server, V11.0     B1      18.5.95      Sybase

SQL Server, V11.0.6          C2      13.10.95     Sybase
Informix Online/Secure 5.0   C2      15.11.94
Oracle 7                     C2      5.4.94

Transaction Integrity

Accountability

User Identification / authorisation

See also the "Policy" chapter for general rules.

Audit trail

Access Control

UNIX Login security
File System
Views and stored procedures

Views and SPs can serve as security mechanisms. A user can be granted permissions on a view or stored procedure, even if he/she has no permissions on objects that the view or procedure accesses. Through a view, users can query and modify only data they can see. The rest of the database is neither visible, nor accessible.

Object Reuse

Objects used by a subject must be reinitialised before being used by another subject.

Communication / Secure Data exchange

Peer Entity authentication

A user enters a password to access an application database via an application. The application encrypts this password to form a second password. This second password is the actual password used by the database access routines. The database knows only the second password, while the user knows only the first password - therefore the user cannot access the database directly (even if he has the tools available) since he has no valid password. It is important that the encryption algorithm used by the application not become known. This method can be applied to any database.

Integrity

Guaranteed by the transport protocol used (e.g. TCP sockets, Named pipes...).

Confidentiality

Are passwords and usernames passed in clear text over the network between the SQL client and database?

Data origin authentication

Guaranteed by the transport protocol used (e.g. TCP sockets, Named pipes...), plus the challenge response method used on initial connection.

Non repudiation of origin / receipt

Digital signatures are not normally offered by databases; they can be implemented on the application level.

Availability

Backups

Basically a full backup of all databases and transaction logs would be nice each day. However it is rarely possible due to performance (dumping a 50GB database can take a while...), costs (disk space, jukeboxes) or time (the night is not long enough for updating, checking and backing up) reasons.

Prevention of resource abuse

Quotas, CPU, memory limits etc. per user are available with some databases.

Replication

Certain databases offer replication of data between servers. This feature can be used to improve availability.

Redundancy

Sybase

See also general database recommendations.

4.9.x

4.9.x is very similar to Microsoft's SQL V4 (because MS bought 4.9 for OS2 & NT from Sybase!). Refer to the MS-SQL section until this section is complete, for recommendations.

Known security problems

dd if=/dev/rdsk/c?d?t?s? | strings | egrep "mastersa|masterMYUSERNAME"

System 10, System 11

Microsoft SQL server

See also general database recommendations.

General

Accountability

Identification / authorisation
Overview

The hierarchy of users is sa (system administrator), dbo (database administrator), doo (database object owner) and users. The sa is a superuser who works outside the permissions system, so it is very important to protect this account from unauthorised access.

SQL logon can be configured for standard, integrated or mixed modes.

  1. Integrated: The NT login validation system is used by SQL server. User accounts defined in NT which are assigned user level privileges in SQL server can directly access the database without entering any additional username or password. Only trusted connections are allowed into SQL server. NT users who have Administrator privilege are logged into SQL server as sa.
  2. Standard: SQL server manages its own login validation (i.e. usernames and passwords) independently from the operating system. This is the default.
  3. Mixed: Logins are first treated as in integrated mode, then as in standard mode. This is useful where not all users connect via named pipes or are not logged onto an NT domain.

Even if a user has an SQL login, he does not have automatic access to databases. The database owner must add the user to each database (sp_adduser).

Tools: xp_loginconfig displays the current login setup. xp_logininfo shows accounts and their login configuration.

Recommendations

sp_password null,NEW_PASSWORD,sa

Audit trail

When installing SQL server, the following options are recommended:

The NT event log can be sorted by application, date and priority. It should be monitored regularly for unusual activity. NT alerts should be used to notify the administrator of critical conditions.

Access Control

Views and stored procedures

Views and SPs can serve as security mechanisms. A user can be granted permissions on a view or stored procedure, even if he/she has no permissions on objects that the view or procedure accesses. Through a view, users can query and modify only data they can see. The rest of the database is neither visible, nor accessible.

Filesystem
Object Permissions

sp_helpprotect can be used to display an object's permissions. Permissions may be set on objects and statements.

Object Reuse

No relevant features.

Communication / Secure data exchange

Peer Entity authentication

SQL server can communicate with clients via sockets and named pipes. It is preferable to use named pipes, as SQL server can directly use the NT user account database (integrated logon), so user accounts on the SQL server do not need to be managed separately from NT.

Remote server access: A local server may directly access a remote server without having to log on (sp_addserver, sp_configure 'remote access' 1). The remote server is effectively controlled by the local server. The mapping of local users to remote usernames may be achieved by:

The commands sp_addremotelogin, sp_helpremotelogin can be used to configure/examine remote users.

Trusts: The remote server can trust the local server (no password exchange is necessary) or it can treat the connection as untrusted. Trust can be used between servers of equal security classification that are administered by the same persons.

To ensure that user authorisation takes place, the option trusted should be set to FALSE in SQLadmin -> remotes -> manage -> remote logins -> set login ID -> manage -> remote login options (or via sp_remoteoption).

Confidentiality

Communication via named pipes guarantees (weak) encryption of username/password, whereas sockets do not, so named pipes are preferable.

Availability

See also General database availability guidelines.

Backup / Recovery

See also General database availability guidelines.

Recovery

Set the recovery interval to control maximum time to recover databases after a crash. This has the effect of setting the time between checkpoints.

Consistency Checking
Organisation

net send /users "SQL is going down in 30 minutes, please disconnect"

Redundancy
Monitoring
Replication

Only available in V6. TBD.

Mirroring

Mirroring can provide continuous operation in the event of disk failure. In addition to SQL Server mirroring, NT server offers filesystem level mirroring and RAID 5. Mirroring/RAID may also be implemented at the hardware level. Mirroring affects performance as well as availability.

SQL Server V6.0

A new version has been available since summer 1995: SQL Server 6.0. This version offers enhanced security features over the previous version (V4.21):

TBD: specific recommendations for V6

Oracle 7.1 or later

General

Dangers
Documentation

See "Oracle7 Server Documentation: Addendum Release 7.1", "Oracle7 Server Concepts Manual" delivered with the Oracle product.

Accountability

Identification / authorisation

Oracle allows user authentication to be carried out by either:

  1. the OS (usernames must still exist in the database).
  2. or by Oracle itself. In this case a password is stored for each user (in encrypted form) in the database.

Both methods may be used within the same database.

Privileged user, prior to V7.1:

Privileged users, V7.1 and later:

A privileged user can connect via CONNECT user_name/server@my.domain AS SYSDBA. To check which users have these privileges, use the view V$PWFILE_USERS.

Audit Trail

Access Control

Discretionary Access Control

Oracle provides fine-grained access control through the use of schemas, privileges, roles, views and table security.

A user's access rights are controlled by the settings in the user's security domain. The security domain consists of:

The privileges and roles which provide the user with access to objects.

Each Oracle database has a list of schemas. Each schema is a collection of schema objects, such as tables, views, clusters, procedures and packages. Each database also has a list of valid users; to access a database, a user must identify himself and be authorised (via a personal password). When the database user is created, a corresponding schema is also created, which governs access to objects in that database. A user can only connect with a schema of the same name.

A privilege is a right to execute a particular SQL statement (system privileges) or access a particular object (object privileges). Privileges can be directly granted to a user or a role (see below). System privileges are attributed via the SQL commands GRANT/REVOKE or SQL*DBA (Grant system privileges/Roles dialog box). Only users with the system privilege ADMIN OPTION or GRANT ANY PRIVILEGE can grant/revoke system privileges to/from users/roles of the database.
Object privileges are also attributed via the SQL commands GRANT/REVOKE. Object privileges can be granted/revoked by the owner of the schema, or by a user who has been granted the GRANT OPTION on that schema.

A role is a named group of privileges which can be attributed to users or other roles. For example, an application can be split up into the following roles: db Administrator (full privileges), db Operator (backup privileges), Application Owner (for each db application) and Application User.
Roles offer the advantages of:

Roles can be subdivided into application and user roles.

Within a database each role name must be unique and cannot be the same as a username. Each role has its own security domain. Each user has the privileges associated with his security domain, plus the privileges of roles granted to the user (that are currently enabled).
Recommendation: attribute privileges to specific roles, not users.

Predefined roles in V7: CONNECT, RESOURCE, DBA, EXP_FULL_DATABASE and IMP_FULL_DATABASE. These roles may be modified.

Each database contains a user group called PUBLIC (to which all users belong). Members of PUBLIC may see all data dictionary tables prefixed with USER and ALL. Privileges (system, object privilege or role) can be granted to PUBLIC. Restrictions: tablespace quotas cannot be assigned to PUBLIC. The only objects which can be created as PUBLIC are links and synonyms (CREATE PUBLIC DATABASE LINK/SYNONYM).
Recommendation: only grant privileges to PUBLIC which are really necessary for ALL users.

Table security is provided for in two ways:

Views: To use a view, a user requires only the privilege for the view (not for the underlying tables/data). This improves security by providing access to only certain rows/columns in a table. It may be easier (and less error prone) to manage view access than privileges to the underlying data/columns.
A view can be created if a user has the privilege CREATE (ANY) VIEW and SELECT, INSERT, UPDATE/DELETE on the underlying base objects. To grant access to this view to other users, the GRANT OPTION or ADMIN OPTION is needed.
Recommendation: use views for access control.

Packages: can be used to group together procedures. A role/user can be granted EXECUTE privilege on a package, effectively allowing use of all procedures and public variables in that package (assuming also that the user has sufficient privileges to access the data manipulated by the package). Specific EXECUTE privileges cannot be attributed for a package's constructs.
Note that the system privilege EXECUTE ANY PROCEDURE allows a user to execute any procedure in the database.
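
The recommendations above (privileges through roles, views for access control, minimal grants to PUBLIC) are shown here as an added example that is not part of the original cookbook. The schema payroll, table emp, role payroll_clerk and user alice are hypothetical; the audit queries assume DBA access to the dictionary views DBA_TAB_PRIVS, DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_ROLES.

```sql
-- Added illustration. Assumed (constructed) table: payroll.emp(empno, ename, deptno, sal).
-- Run steps 1 and 2 as the schema owner or a DBA.

-- 1. Expose one department without the salary column. WITH CHECK OPTION
--    stops updates through the view from moving rows out of its scope.
CREATE VIEW payroll.emp_dept10 AS
  SELECT empno, ename, deptno
  FROM payroll.emp
  WHERE deptno = 10
  WITH CHECK OPTION;

-- 2. Attach the privilege to a role, then hand the role to users.
--    No privilege on payroll.emp itself is granted.
CREATE ROLE payroll_clerk;
GRANT SELECT, UPDATE ON payroll.emp_dept10 TO payroll_clerk;
GRANT payroll_clerk TO alice;

-- 3. Audit: object privileges granted directly to users instead of roles.
SELECT grantee, owner, table_name, privilege
FROM dba_tab_privs
WHERE grantee NOT IN (SELECT role FROM dba_roles)
  AND grantee NOT IN ('PUBLIC', 'SYS', 'SYSTEM')
ORDER BY grantee, owner, table_name;

-- 4. Audit: what every user inherits through PUBLIC
--    (object privileges outside SYS, system privileges, roles).
SELECT owner, table_name, privilege
FROM dba_tab_privs
WHERE grantee = 'PUBLIC' AND owner <> 'SYS';

SELECT privilege FROM dba_sys_privs WHERE grantee = 'PUBLIC';

SELECT granted_role FROM dba_role_privs WHERE grantee = 'PUBLIC';

-- 5. Audit: holders of EXECUTE ANY PROCEDURE, which bypasses
--    per-package EXECUTE grants.
SELECT grantee, admin_option
FROM dba_sys_privs
WHERE privilege = 'EXECUTE ANY PROCEDURE';
```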

Secure system startup

See general database recommendations.

Secure data exchange / communications

Remote Links:
Remote databases communicate with each other via links. A link is a path to a remote database and has two components: a database string and a remote account (username & password). Two types of links exist: private and public (a public link is created for the group PUBLIC; any user can use it and there is no way to restrict access). When a user accesses a remote database via a link, he/she may do so either using the same username/password as locally, or by using a "central" account for access to the remote database, e.g.

CREATE PUBLIC DATABASE LINK remote_db_name
CONNECT TO remote_user_name IDENTIFIED BY remote_user_password
USING 'some_db_string';

If the CONNECT TO clause is omitted, individual accounts are used.

Recommendation: Use individual links for class databases.
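
As an added example (not from the original cookbook), the individual-account alternative to the public link statement above, followed by an audit of existing links. It reuses the page's placeholder names remote_db_name and some_db_string; the table payroll.emp is hypothetical, and the audit assumes DBA access to DBA_DB_LINKS.

```sql
-- Added illustration; names are placeholders, not real systems.

-- Private link with no CONNECT TO clause: the remote database
-- authenticates each user under his/her own username and password,
-- so remote privileges and audit records stay tied to the individual.
CREATE DATABASE LINK remote_db_name
  USING 'some_db_string';

-- Use of the link: the remote side applies the caller's own privileges.
SELECT COUNT(*) FROM payroll.emp@remote_db_name;

-- Audit: links that are public, or that embed a central remote account.
-- USERNAME is NULL for links that use individual accounts.
SELECT owner, db_link, username, host
FROM dba_db_links
WHERE owner = 'PUBLIC'
   OR username IS NOT NULL
ORDER BY owner, db_link;

-- Remove a public link once every user who needs access has a private one.
DROP PUBLIC DATABASE LINK remote_db_name;
```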

Peer entity authentication
Data integrity

Depends on the communications protocol used by SQL*net, e.g. TCP/IP, DECnet, SNA (LU6.2), Appletalk, OSI4, IPX, Named Pipes....

Data confidentiality
Non repudiation of origin/receipt

Not supported by SQL*net or the protocols it uses.

Access control

Standard SQL access control.

Availability

Prevention of Resource Abuse

On large multiuser systems, it is important to be able to set restrictions on the system resources used by a user. However, monitoring of resources normally results in a slight degradation in performance. It also requires extra sysadmin time.

A profile is a set of resource limits which can be assigned to a user. Each of these resources can be managed per session (a session is created each time a user connects to a database) or per SQL call (each time an SQL statement is executed). When the limits are reached, the current statement is stopped and the user can either roll back, commit or disconnect. Resource limits:

Define a minimum number of different profiles and attribute them to users. The more profiles, the more time it takes to manage them. The best way to estimate limits is to look at statistics on a live system.

Quotas: Tablespace quotas per user can be used for disk space management. If the quota for a tablespace is set to zero, a user cannot use any new space, but the existing space occupied by him remains.
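
A profile and tablespace quotas as described above, as an added example that is not part of the original cookbook. The profile name app_user, the users alice and bob, the tablespace users and all limit values are hypothetical; real values should come from statistics on a live system.

```sql
-- Added illustration; names and limit values are constructed.

-- Profile limits are only enforced once resource limits are switched on.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;

-- Session-level and call-level limits in one profile.
CREATE PROFILE app_user LIMIT
  SESSIONS_PER_USER       2        -- concurrent sessions per user
  CPU_PER_CALL            3000     -- hundredths of a second per call
  LOGICAL_READS_PER_CALL  100000   -- data blocks read per call
  IDLE_TIME               30       -- minutes of inactivity per session
  CONNECT_TIME            480;     -- minutes of elapsed time per session

ALTER USER alice PROFILE app_user;

-- Disk space: cap alice, and freeze bob at his current usage
-- (a zero quota blocks new allocation but keeps existing objects).
ALTER USER alice QUOTA 50M ON users;
ALTER USER bob   QUOTA 0   ON users;

-- Review what is in force.
SELECT profile, resource_name, limit
FROM dba_profiles
WHERE profile = 'APP_USER';

SELECT username, tablespace_name, bytes, max_bytes
FROM dba_ts_quotas
ORDER BY username, tablespace_name;
```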

Backup and restore

Recommendations:

  1. Operate the database in ARCHIVELOG mode, it provides:
  2. If possible, shut down Oracle before doing backups.

Redundancy

See also General database recommendations.
Oracle does not offer mirroring; it must be achieved at the OS, disk or filesystem level.

Replication

Replication can increase performance (by reducing remote queries) and availability (replicated copies are still available if the master dies). The source server contains the master data and the target server contains a read-only copy of the master data (called a snapshot). Oracle provides two methods of replicating data from one server to another:

The snapshot can be refreshed via a complete refresh (i.e. all data in the snapshot is transferred from the master), or a fast refresh (only changed rows are transmitted). Fast refreshes are only possible on simple snapshots (i.e. each row in the snapshot corresponds exactly to a row in a single remote table, no subqueries, joins etc. are allowed) used with a snapshot log (i.e. a table in the master database which tracks rows changed in the master table).
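
The two refresh modes side by side, as an added example that is not part of the original cookbook. The table payroll.emp, the link remote_db_name, the snapshot names and the refresh intervals are hypothetical.

```sql
-- Added illustration; object names and intervals are constructed.

-- On the master database: the snapshot log tracks the rows of the
-- master table that changed, which is what a fast refresh transmits.
CREATE SNAPSHOT LOG ON payroll.emp;

-- On the target database: a simple snapshot (each row corresponds to
-- one row of a single remote table) refreshed fast, once an hour.
CREATE SNAPSHOT emp_copy
  REFRESH FAST
  START WITH SYSDATE NEXT SYSDATE + 1/24
  AS SELECT * FROM payroll.emp@remote_db_name;

-- A snapshot with GROUP BY is not simple, so every refresh transfers
-- all of its data again; schedule it less often (here once a day).
CREATE SNAPSHOT dept_salary_totals
  REFRESH COMPLETE
  START WITH SYSDATE NEXT SYSDATE + 1
  AS SELECT deptno, SUM(sal) total_sal
     FROM payroll.emp@remote_db_name
     GROUP BY deptno;

-- Check when each snapshot was last refreshed and whether it can use the log.
SELECT name, can_use_log, last_refresh
FROM user_snapshots;
```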


[1] See "Application Development & Administration, Tuxedo Release 4.2 ETP" from USL, page TA2-7.
[2] Note that orapwd expects the password for INTERNAL or SYS on the command line. The command line is visible to other users on a UNIX system (via ps) when orapwd is running.


IT Security Cookbook, 21 July, 2000