Security

This section explains the enhancements made to SQL Anywhere to improve security.

  • RSA now included with SQL Anywhere   You no longer have to purchase a separate license to use RSA encryption. See Separately licensed components.

  • Enhancements to FIPS support   The following FIPS-related changes have been made to the database server:

    • The FIPS DLL has been renamed from dbrsa10f.dll to dbfips10.dll.

    • The HASH function now accepts two new algorithms: SHA1_FIPS and SHA256_FIPS. These are the same as the SHA1 and SHA256 algorithms, but are the FIPS-validated Certicom versions.

    • If the -fips server option is specified and a non-FIPS algorithm is passed to the HASH function, the database server substitutes SHA1_FIPS for SHA1 and SHA256_FIPS for SHA256, and returns an error if MD5 is requested (MD5 is not a FIPS algorithm).

    • If the -fips option is specified, the database server uses SHA256_FIPS for password hashing.

    Also, the -fips option and FIPS functionality are now available on more platforms. To see the list of platforms on which the -fips option is supported, see Supported platforms.

  • Kerberos authentication   SQL Anywhere now supports Kerberos authentication. Kerberos authentication lets you use your Kerberos credentials to connect to the database without specifying a user ID or password. See Kerberos authentication.

  • New authorities added   The following authorities have been added:

    • BACKUP authority   You can assign BACKUP authority to a user so that they can perform backups, instead of granting the user DBA authority. See BACKUP authority.

    • VALIDATE authority   A new authority for validation operations, VALIDATE, has been added. VALIDATE authority is required to perform the operations executed by the different VALIDATE statements, such as database, table, index, and checksum validation. See VALIDATE authority.

  • Securing features for a database server   The -sf database server option lets you specify features, or groups of features, that are secured (disabled) for databases running on the database server. See -sf server option.

    The -sk server option lets you specify a key that, when supplied through the secure_feature_key database option, enables features that have been disabled. You can also change the set of disabled features using the SecureFeatures property of the sa_server_option system procedure. See -sk server option.
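
The HASH changes listed under "Enhancements to FIPS support" matter most when an existing database is moved to a server started with -fips: SHA1 and SHA256 callers keep working, MD5 callers start failing. The following script is an added example, not taken from the SQL Anywhere documentation, that a DBA could run before and after enabling -fips. The input string is constructed, and the query assumes the proc_name and proc_defn columns of the SYS.SYSPROCEDURE system view.

```sql
-- 1. Digest comparison. The page states that SHA1_FIPS and SHA256_FIPS are
--    the same algorithms as SHA1 and SHA256, so each pair of columns should
--    hold identical values and previously stored digests stay comparable.
--    'sample-input' is a constructed test value.
SELECT HASH( 'sample-input', 'SHA1' )        AS sha1_digest,
       HASH( 'sample-input', 'SHA1_FIPS' )   AS sha1_fips_digest,
       HASH( 'sample-input', 'SHA256' )      AS sha256_digest,
       HASH( 'sample-input', 'SHA256_FIPS' ) AS sha256_fips_digest;

-- 2. MD5 probe. With -fips the server returns an error for MD5; without it
--    the call succeeds. The handler catches any error, so treat a rejection
--    as consistent with -fips rather than as proof of it.
BEGIN
    DECLARE md5_digest VARCHAR(32);
    SET md5_digest = HASH( 'sample-input', 'MD5' );
    MESSAGE 'MD5 accepted: HASH is not restricted to FIPS algorithms' TO CLIENT;
EXCEPTION
    WHEN OTHERS THEN
        MESSAGE 'MD5 rejected: consistent with a server started with -fips' TO CLIENT;
END;

-- 3. Inventory of stored procedures and functions whose source mentions MD5.
--    These are the callers to review before turning on -fips, because their
--    HASH( ..., 'MD5' ) calls would begin returning errors.
--    Assumption: SYS.SYSPROCEDURE exposes proc_name and proc_defn.
SELECT proc_name
FROM   SYS.SYSPROCEDURE
WHERE  proc_defn LIKE '%MD5%'
ORDER  BY proc_name;
```

Step 3 is a text match, so it also lists procedures that mention MD5 only in a comment; review each hit rather than treating the list as exact.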