Database Administration
Local operating system login
If the _User table is not used in the database, the local operating system login (effective process user-id) identifies the privileged user. This user must be granted at least the Audit Administrator role. Once the appropriate roles are granted to the user, no further action is required. The utilities trust the operating system's user verification, so the user can run them without specifying any additional command-line parameters.
Optionally, a local operating system user-id can be specified on the utility command line by adding the -userid username qualifier. Adding -userid means that a password is required. The password can be specified with the -password qualifier. If the -password qualifier is not specified, the utility prompts for the password. For the local operating system user, the password for the enhanced utilities is not the operating system login password. The utilities require the encrypted database MAC key (DB Pass Key) as the password. The database MAC key is stored in the _db-detail table of the database in the _db-mac-key field, and is set through the Data Administration tool. For details on setting the DB Pass Key, see OpenEdge Getting Started: Core Business Services - Security and Auditing or the Data Administration online Help. For details on specifying encrypted passwords, see Specifying encrypted passwords.
If your operating system login is "sysdba", and you have not established the _User table, and you have assigned "sysdba" the Audit Data Archiver role for the database auditexampledb, then executing the protected PROUTIL AUDITARCHIVE utility for the database would use one of the following formats:
* Trust the operating system authentication:
$ proutil auditexampledb -C auditarchive
* Require DB Pass Key on command line:
$ genpassword -password ultra_secret_password
253e3b35331a203633202a330d3532202325203536
.
.
.
$ proutil auditexampledb -C auditarchive -userid sysdba \
      -password oech1::253e3b35331a203633202a330d3532202325203536
For this example, assume that the DB Pass Key is "ultra_secret_password". First, you must encrypt the DB Pass Key using genpassword. Then, when you run the AUDITARCHIVE utility (presumably at a later time), specify the encrypted DB Pass Key in the command.
* Prompt for DB Pass Key:
$ proutil auditexampledb -C auditarchive -userid sysdba
OpenEdge Release 10.1A as of Sat Dec 17 09:56:25 EST 2005
password: *********************
At the password prompt, the DB Pass Key must be typed before the AUDITARCHIVE runs. The password value is obfuscated as it is typed, and can be either the clear text value, or the encrypted value, provided it has the proper encryption prefix.
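A lint for scripts and job definitions that call the protected utilities, given here as an added example that is not part of the OpenEdge documentation: it classifies each proutil command line by which of the three formats above it uses, and flags a -password value that lacks the oech1:: prefix shown in the example. The function names, and the assumption that oech1:: followed by an even-length hex string is the only encoded form, belong to this example.

```shell
# Added example, not OpenEdge code. Assumption: the encoded form is "oech1::"
# followed by an even number of hex digits, as in the example on this page.
PREFIX='oech1::'

# classify_password VALUE -> "encoded", or "cleartext" for anything else
classify_password() {
    case "$1" in
        "$PREFIX"*) hex=${1#"$PREFIX"} ;;
        *) echo cleartext; return 0 ;;
    esac
    case "$hex" in
        ''|*[!0-9a-fA-F]*) echo cleartext; return 0 ;;
    esac
    if [ $(( ${#hex} % 2 )) -eq 0 ]; then echo encoded; else echo cleartext; fi
}

# audit_cmdline "COMMAND LINE" -> skip (not proutil), os-trust (no -userid),
#   prompt (-userid without -password), encoded (-password has the prefixed
#   value) or cleartext (-password has a value without the prefix)
audit_cmdline() {
    userid=no; pw_seen=no; pw_val=
    set -f; set -- $1; set +f              # split on whitespace, no globbing
    if [ "${1-}" = '$' ]; then shift; fi   # drop a leading shell prompt
    case "${1-}" in
        proutil|*/proutil) ;;
        *) echo skip; return 0 ;;
    esac
    while [ $# -gt 0 ]; do
        case "$1" in
            -userid)   userid=yes ;;
            -password) pw_seen=yes; pw_val=${2-} ;;
        esac
        shift
    done
    if [ "$pw_seen" = yes ]; then classify_password "$pw_val"
    elif [ "$userid" = yes ]; then echo prompt
    else echo os-trust
    fi
}

# Constructed sample lines, modelled on the three formats shown above.
while IFS= read -r line; do
    printf '%-10s %s\n' "$(audit_cmdline "$line")" "$line"
done <<'EOF'
proutil auditexampledb -C auditarchive
proutil auditexampledb -C auditarchive -userid sysdba
proutil auditexampledb -C auditarchive -userid sysdba -password oech1::253e3b35331a203633202a330d3532202325203536
proutil auditexampledb -C auditarchive -userid sysdba -password ultra_secret_password
EOF
```

Only the last sample line is reported as cleartext; the genpassword step is outside the lint's scope and is reported as skip.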