Securing the database server

There are several security features you can set either when starting the database server or during server operation, including:

  • Starting and stopping databases   When using a personal database server, by default any user can start an extra database on a running server. By default, network database servers require DBA authority to start another database on a running database server. The -gd option allows you to limit access to this option to users with a certain level of permission in the database to which they are already connected. The allowed values are DBA, all, or none. See -gd dbeng12/dbsrv12 server option.

  • Creating and deleting databases   When running a personal database server, by default any user can use the CREATE DATABASE statement to create a database file. By default, network database servers required DBA authority to create databases. The -gu option allows you to limit access to this option to users with a certain level of permission in the database to which they are connected. The permissible values are DBA, all, none, or utility_db. See -gu dbeng12/dbsrv12 server option.

  • Stopping the server   The dbstop utility stops a database server. It is useful in batch files, or in other cases where stopping the server interactively (by clicking Shut Down on the database server messages window) is impractical. By default on personal database servers, any user can run dbstop to shut down a server. On network database servers, the default setting requires DBA authority to stop a database server. The -gk option allows you to limit access to this option to users with a certain level of permission in the database. The permissible values are DBA, all, or none. See -gk dbeng12/dbsrv12 server option.

  • Loading and unloading data   The LOAD TABLE, UNLOAD TABLE, and UNLOAD statements all access the file system on the database server computer. The default setting is all for personal database servers on non-Unix operating systems, and DBA for the network database server and the Unix personal server. If you are running the personal database server, you already have access to the file system and this is not a security issue. If you are running the network database server, unwarranted file system access may be a security issue. The -gl option allows you to control the database permissions required to perform loading and unloading of data. The permissible values are DBA, all, or none. See -gl dbeng12/dbsrv12 server option.

  • Using transport-layer security to encrypt client/server communications   For greater security of network packets, you can use transport-layer security to authenticate communications between client applications and the database server. Transport-layer security uses elliptic-curve or RSA encryption technology. See Transport-layer security.

  • Disabling database features   The -sf server option specifies a list of features that are disabled for databases running on the database server so they are not available to client applications or stored procedures, triggers, or events defined within the databases. This can be useful when you are starting a database that is not your own that may contain unwanted actions, such as a virus or trojan. See -sf dbeng12/dbsrv12 server option.

 See also