Firebird Documentation Index → Firebird 3.0.6 Release Notes → Configuration Additions and Changes → New Parameters |
![]() |
![]() |
![]() ![]() ![]() ![]() |
New parameters added to firebird.conf
are:
Defines the name and location of the security database that stores login user
names and passwords used by the server to validate remote connections. By default, in
firebird.conf
, it is $(root)/security3.fdb
.
It can be overridden for a specific database by a configuration in
databases.conf
.
Two parameters that determine what authentication methods can be used by the network server and the client redirector. The enabled methods are listed as string symbols separated by commas, semicolons or spaces.
Secure remote passwords (Srp), using the plug-in is the default, using the
OS-appropriate plug-in (libSrp.s0 | Srp.dll | Srp.dylib
)
On Windows, the Security Support Provider Interface (Sspi) is used when no login credentials are supplied
Client applications can use legacy authentication (Legacy_Auth) to talk to old servers.
For AuthServer, Srp and Win_Sspi are listed; for AuthClient, Srp, Win_Sspi and Legacy_Auth.
To disable a method, erase the comment marker (#) and remove the unwanted method from the list.
Both parameters can be used in databases.conf
. They can
both be used in the DPB or the SPB for a connection-specific configuration.
Sets whether the network connection should be encrypted. It has three possible values: Required | Enabled | Disabled. The default is set such that encryption is Required for connections coming in to the server and Enabled for connections outgoing to a server.
To access a server using an older client library and, thus, no encryption, WireCrypt in the server configuration file should be set to Enabled or Disabled to avert the default Required.
The rules are simple: if one side has WireCrypt = Required
and
the other sets the parameter to Disabled, side with WireCrypt=Required rejects
the connection and it is not established.
A missing WireCrypt plug-in or encryption key in cases where the channel must be encrypted also thwarts a connection.
In all other cases, connection is established without encryption if at least
one side has WireCrypt = Disabled
. In other cases, the encrypted
connection is established.
Sets the plug-in that will operate on the security database. It can be a list with blanks, commas or semicolons as separators: the first plug-in from the list is used.
The default plug-in is Srp
(libSrp.s0 | Srp.dll | Srp.dylib)
.
The UserManager parameter can be used in databases.conf
for
a database-specific override.
Specifies the plug-in used by Firebird's Trace facility to send trace data to the client app or audit data to the log file.
The default plug-in is fbtrace
(libfbtrace.s0 | fbtrace.dll | fbtrace.dylib)
.
A wire-crypt plug-in is used to encrypt and decrypt data transferred over the network.
The installation default Arc4 implies use of an Alleged RC4 plug-in. The configured plug-in, which requires a key generated by the configured authentication plug-in, can be overridden in the API for a specific connection via the DPB or the SPB.
For information about configuring plug-ins, see Configuring Plug-ins in the Engine chapter.
This parameter would represent some form of temporary storage for database encryption
keys. Nothing is implemented as a default plug-in but a sample Linux plug-in named
libCryptKeyHolder_example.so
can be found
in /plugins/
.
List of allowed transports for accessing databases, discussed in the Engine chapter.
Determines the execution mode of the server (“server model”). Discussed in the Engine chapter.
Parameter in firebird.conf
and databases.conf
provides an efficient, configurable replacement for hard-coded rules limiting access to
security3.fdb
. It can also be used to configure limited remote
access to any other database, including non-default security databases.
By default RemoteAccess is enabled for all databases except the security database.
If you intend using more than one dedicated security database, then disabling remote
access to it (or them) via databases.conf
is recommended.
For stricter security, server-wide, you can set RemoteAccess to
false in firebird.conf
and use entries in database.conf
to re-enable it for specific databases.
RemoteAccess is a Boolean. It can be expressed with either true/false, 1/0 or Yes/No.
Parameter in firebird.conf
or
databases.conf
, enabling or disabling compression of data
over the wire at global or individual database level.
The default setting is disabled (= False). Settings and environment must be correct at both server and client for WireCompression to take effect:
To enable it at the server side, in firebird.conf
and/or databases.conf
, change the setting to True
To activate Wirecompression from the client side, pass the appropriate tag in the config item of the DPB or SPB call:
isc_dbp_config/isc_sbp_config <string-length> "WireCompression=true"
Both server and client versions must be Firebird 3 or greater (protocol >=13)
See Tracker item CORE-733.
Parameter in firebird.conf
only. (TCP ports
are created before any connection is established.)
Firebird 3 supports IPv6 connections, on both client and server sides.
By default, the Firebird server listens on the zero IPv6 address (::) and accepts all incoming connections, whether IPv4 or IPv6, and IPv6V6Only is set to false (=0). If it is set to true, the server, still listening implicitly or explicitly on the zero IPv6 address, will accept only IPv6 connections.
A different listening address, either IPv4 or IPv6, can be set using the RemoteBindAddress parameter. If an IPv4 address or a non-zero IPv6 address is used, the IPv6V6Only directive has no effect.
On POSIX platforms, in Classic mode, the parameters RemoteBindAddress,
RemoteServicePort and RemoteServiceName are ignored by
fbserver
, since the listening socket is set up by (x)inetd
.
The listening address and/or port need to be set in the (x)inetd
.
IPv6V6Only is a Boolean. It can be expressed with either true/false, 1/0 or Yes/No.
The standard text form of an IPv6 address uses the colon character to separate the four groups of digits. In the connection string, the IPv6 address must be enclosed in square brackets, to resolve the ambiguity with the use of the colon as the separator between the host IP address and the database path. For example:
connect '[2014:1234::5]:test'; connect '[2014:1234::5]/3049:/srv/firebird/test.fdb';
For consistency, square brackets can be optionally used around an IPv4 address or a domain name.
If a domain name is used in connection string, all addresses (IPv4 and IPv6) are tried in the order returned by resolver until a connection is established. If all attempts fail, the client fails to connect.
![]() ![]() ![]() ![]() |
Firebird Documentation Index → Firebird 3.0.6 Release Notes → Configuration Additions and Changes → New Parameters |