Providing an Identity for Outbound Connections

For outgoing replication connections, AMPS may need to provide an identity and credentials to the replication destination. AMPS uses a module type called an authenticator to provide those credentials and handle any challenge/response protocol required by the authentication module in the remote system.

AMPS provides a default authenticator module, amps-default-authenticator-module, that is automatically configured as the Authenticator for the instance if no other instance Authenticator is provided. This module provides a user name with no password. To determine the user provided to AMPS, the module uses the value of the User option to the module if one is provided. Otherwise, the module uses the current user of the AMPS process. If the current user cannot be determined by the system, the module falls back to the value of the USER environment variable.

The amps-default-authenticator-module provides the ability to send a specific password (available in version 5.3.0.0 and higher). To provide a specific password, use one of the following options:

The Authenticator used for a replication Destination must provide credentials that are accepted by the Transport of the remote instance that the Destination is connecting to. See the AMPS Configuration Guide for information on configuring the Authenticator for a Destination.

If an installation uses Kerberos for replication security, the AMPS server must be able to provide a Kerberos token to authenticate itself to a downstream instance. For this situation, the AMPS distribution includes an authenticator that can provide Kerberos tokens, as described in the section on the Multimethod Authenticator Module. The multi-authenticator also provides the ability to provide credentials to an LDAP server, with functionality similar to the amps-default-authenticator-module.