Firebird Documentation IndexFirebird 3.0.6 Release NotesConfiguration Additions and Changes → New Parameters
Firebird Home Firebird Home Prev: “Per-database” ConfigurationFirebird Documentation IndexUp: Configuration Additions and ChangesNext: Parameters Changed or Enhanced

New Parameters

SecurityDatabase
AuthServer and AuthClient
WireCrypt
UserManager
TracePlugin
WireCryptPlugin
KeyHolderPlugin
Providers
ServerMode
RemoteAccess
WireCompression
IPv6V6Only

New parameters added to firebird.conf are:

SecurityDatabase

Defines the name and location of the security database that stores login user names and passwords used by the server to validate remote connections. By default, in firebird.conf, it is $(root)/security3.fdb. It can be overridden for a specific database by a configuration in databases.conf.

AuthServer and AuthClient

Two parameters that determine what authentication methods can be used by the network server and the client redirector. The enabled methods are listed as string symbols separated by commas, semicolons or spaces.

  • Secure remote passwords (Srp), using the plug-in is the default, using the OS-appropriate plug-in (libSrp.s0 | Srp.dll | Srp.dylib)

  • On Windows, the Security Support Provider Interface (Sspi) is used when no login credentials are supplied

  • Client applications can use legacy authentication (Legacy_Auth) to talk to old servers.

For AuthServer, Srp and Win_Sspi are listed;  for AuthClient, Srp, Win_Sspi and Legacy_Auth.

To disable a method, erase the comment marker (#) and remove the unwanted method from the list.

Both parameters can be used in databases.conf. They can both be used in the DPB or the SPB for a connection-specific configuration.

WireCrypt

Sets whether the network connection should be encrypted. It has three possible values: Required | Enabled | Disabled. The default is set such that encryption is Required for connections coming in to the server and Enabled for connections outgoing to a server.

To access a server using an older client library and, thus, no encryption, WireCrypt in the server configuration file should be set to Enabled or Disabled to avert the default Required.

The rules are simple: if one side has WireCrypt = Required and the other sets the parameter to Disabled, side with WireCrypt=Required rejects the connection and it is not established.

A missing WireCrypt plug-in or encryption key in cases where the channel must be encrypted also thwarts a connection.

In all other cases, connection is established without encryption if at least one side has WireCrypt = Disabled. In other cases, the encrypted connection is established.

UserManager

Sets the plug-in that will operate on the security database. It can be a list with blanks, commas or semicolons as separators: the first plug-in from the list is used.

The default plug-in is Srp (libSrp.s0 | Srp.dll | Srp.dylib).

The UserManager parameter can be used in databases.conf for a database-specific override.

TracePlugin

Specifies the plug-in used by Firebird's Trace facility to send trace data to the client app or audit data to the log file.

The default plug-in is fbtrace (libfbtrace.s0 | fbtrace.dll | fbtrace.dylib).

WireCryptPlugin

A wire-crypt plug-in is used to encrypt and decrypt data transferred over the network.

The installation default Arc4 implies use of an Alleged RC4 plug-in. The configured plug-in, which requires a key generated by the configured authentication plug-in, can be overridden in the API for a specific connection via the DPB or the SPB.

Tip

For information about configuring plug-ins, see Configuring Plug-ins in the Engine chapter.

KeyHolderPlugin

This parameter would represent some form of temporary storage for database encryption keys. Nothing is implemented as a default plug-in but a sample Linux plug-in named libCryptKeyHolder_example.so can be found in /plugins/.

Providers

List of allowed transports for accessing databases, discussed in the Engine chapter.

ServerMode

Determines the execution mode of the server (server model). Discussed in the Engine chapter.

RemoteAccess

Parameter in firebird.conf and databases.conf provides an efficient, configurable replacement for hard-coded rules limiting access to security3.fdb. It can also be used to configure limited remote access to any other database, including non-default security databases.

By default RemoteAccess is enabled for all databases except the security database. If you intend using more than one dedicated security database, then disabling remote access to it (or them) via databases.conf is recommended.

For stricter security, server-wide, you can set RemoteAccess to false in firebird.conf and use entries in database.conf to re-enable it for specific databases.

RemoteAccess is a Boolean. It can be expressed with either true/false, 1/0 or Yes/No.

WireCompression

Alex Peshkov

Parameter in firebird.conf or databases.conf, enabling or disabling compression of data over the wire at global or individual database level.

The default setting is disabled (= False). Settings and environment must be correct at both server and client for WireCompression to take effect:

  • To enable it at the server side, in firebird.conf and/or databases.conf, change the setting to True

  • To activate Wirecompression from the client side, pass the appropriate tag in the config item of the DPB or SPB call: 

      isc_dbp_config/isc_sbp_config <string-length> "WireCompression=true"

  • Both server and client versions must be Firebird 3 or greater (protocol >=13)

See Tracker item CORE-733.

IPv6V6Only

Michael Kubecek

Parameter in firebird.conf only. (TCP ports are created before any connection is established.)

Firebird 3 supports IPv6 connections, on both client and server sides.

Server

By default, the Firebird server listens on the zero IPv6 address (::) and accepts all incoming connections, whether IPv4 or IPv6, and IPv6V6Only is set to false (=0). If it is set to true, the server, still listening implicitly or explicitly on the zero IPv6 address, will accept only IPv6 connections.

Note

A different listening address, either IPv4 or IPv6, can be set using the RemoteBindAddress parameter. If an IPv4 address or a non-zero IPv6 address is used, the IPv6V6Only directive has no effect.

On POSIX platforms, in Classic mode, the parameters RemoteBindAddress, RemoteServicePort and RemoteServiceName are ignored by fbserver, since the listening socket is set up by (x)inetd. The listening address and/or port need to be set in the (x)inetd.

IPv6V6Only is a Boolean. It can be expressed with either true/false, 1/0 or Yes/No.

Client

The standard text form of an IPv6 address uses the colon character to separate the four groups of digits. In the connection string, the IPv6 address must be enclosed in square brackets, to resolve the ambiguity with the use of the colon as the separator between the host IP address and the database path. For example: 

  connect '[2014:1234::5]:test';
  connect '[2014:1234::5]/3049:/srv/firebird/test.fdb';

Notes

For consistency, square brackets can be optionally used around an IPv4 address or a domain name.

If a domain name is used in connection string, all addresses (IPv4 and IPv6) are tried in the order returned by resolver until a connection is established. If all attempts fail, the client fails to connect.

Prev: “Per-database” ConfigurationFirebird Documentation IndexUp: Configuration Additions and ChangesNext: Parameters Changed or Enhanced
Firebird Documentation IndexFirebird 3.0.6 Release NotesConfiguration Additions and Changes → New Parameters