When a user enters an invalid password, certification of that user fails and the user is not connected to HiRDB. If user certification fails more than a certain number of times in succession (permitted number of consecutive certification failures), HiRDB can be set to deny connection rights to HiRDB to that user.

For example, if the permitted number of consecutive certification failures is set to 3, a user who fails user certification four times in a row as a result of entering an invalid password is placed in consecutive certification failure account lock state. A user who is placed in this status no longer has the right to connect to HiRDB.

Reference note

You cannot specify separate limits on the permitted number of consecutive certification failures for different users. The specified limit will apply to all HiRDB users (including users with the DBA privilege and the auditor).

You can also specify the period during which a user is to be kept in consecutive certification failure account lock state; this is called the account lock period. For example, if the account lock period is set to 1 (hour), a consecutive certification failure account lock state remains in effect for a user for one hour. When the hour has passed, the consecutive certification failure account lock state is canceled and the user is again permitted to attempt to connect to HiRDB.

Reference note

• You can also set the account lock period to be permanent (to not expire automatically).
• You can cancel a consecutive certification failure account lock state before the account lock period has expired. For details about the cancellation procedure, see 25.11 Releasing consecutive certification failure account lock state.

Only entry of up to 30 bytes of an invalid password is counted as a failure. The following situations do not constitute a failure:

• Entry of an invalid authorization identifier (specifying a non-existent authorization identifier).
• Entry of more than 30 bytes for a password.
  

  Reference note

  • The count of consecutive certification failures is not reset to 0 even if the user waits for a while. For example, if a user fails once, then fails again after waiting for an hour, the count of consecutive certification failures increments to 2.
  • The count of consecutive certification failures is not reset to 0 even when HiRDB terminates.
  • The count of consecutive certification failures remains valid even if the user attempts to connect from a different client machine. For example, if a user fails once from machine A and then fails from machine B, the count of consecutive certification failures increments to 2.
  • The count of consecutive certification failures remains valid even if the user tries to connect from a different front-end server. For example, if a user fails once from front-end server A and then fails from front-end server B, the count of consecutive certification failures increments to 2.
  • Command and utility executions are also counted.
  • When the consecutive certification failure account lock state is canceled, the count of consecutive certification failures is reset to 0.

You use CREATE CONNECTION SECURITY to set the limit on the number of consecutive certification failures. For details of the setting procedure, see 25.9 Setting and canceling the limit on number of consecutive certification failures.

For details about how to use the limit on the number of consecutive certification failures, see 25.9 through 25.12.

When this facility is used, the system-defined ADD_INTERVAL scalar function is used to check for the consecutive certification failure account lock state. For this reason, a data dictionary LOB RDAREA is required; if no data dictionary LOB RDAREA is available, you must create one.