
Chapter 5: Setting up SSL and a Windows Service

Setting up SSL on the server (for Windows)

WARNING! Only one SSL-enabled access service can run on a DirectConnect server. This is due to the restrictions of Open Server, which allows only one SSL certificate in a program. Open Client requires the name in the certificate to match the name to which Open Client requested a connection.

Although you can configure DirectConnect to accept SSL and non-SSL connections (for example, use non-SSL access services and one SSL access service in the same DirectConnect), Sybase recommends using only one SSL access service. This prevents a user from using an unsecured port to access data over an unsecured transport medium.

To set up DirectConnect (except DirectConnect for Oracle) for SSL to provide encryption of data sent over the network, and to authenticate clients and their passwords using digital certificates, perform the following tasks:

Note: DirectConnect 12.6 does not support “transfer to” and “transfer from” SSL-enabled Adaptive Server servers.

Steps: To create the certificate of authority files

  1. Add the following directory to the PATH environment variable set in the %SYBASE%\SYBASE.bat file:

    %SYBASE%\OCS-12_5\lib3p
    
  2. Set the environment by running the following from a command window:

    %SYBASE%\SYBASE.bat 
    
  3. Enter the following to go to the certreq directory:

    cd %SYBASE%\OCS-12_5\bin
    
  4. Execute the setsslreq utility, one time only, on Windows to set SSL registry key information for Open Server.

    Note: If you have previously created or obtained a certificate of authority, skip steps 2-8.

  5. Create the Certificate Authority (CA) CA.in file. (For the parameters, refer to the ASE Utilities Guide document for certreq.) Enter the parameters for the CA certificate that you are going to use with the certreq utility, as shown:

    C:\sybase\OCS-12_5\bin>type CA.in
    req_certtype=Server
    req_keytype=RSA
    req_keylength=512
    req_country=US
    req_state=CO
    req_locality=Boulder
    req_organization=Sybase
    req_orgunit=Security
    req_commonname=CA
    
  6. Create the private key file and a certificate request file for the CA certificate:

    C:\sybase\OCS-12_5\bin>certreq -F CA.in -R CA_req.txt -K CA_pkey.txt -Pmycapassword
    

    The following message appears:

    Generating key pair (please wait)...
    
  7. Create the CA public key file named trusted.txt by signing the CA_req.txt request file with the CA private key file (CA_pkey.txt):

    C:\sybase\OCS-12_5\bin>certauth -r -C CA_req.txt -Q CA_req.txt -K CA_pkey.txt -P mycapassword -T 365 -O trusted.txt
    
    -- Sybase Test Certificate Authority
    certauth\12.6.0.1\SWR 9988 IR\P\NT (IX86)\OS 4.0\rel12501\1773\32-bit\OPT\Sat Feb 16 07:18:45 2002 --
    Certificate Validity:
    startDate = Mon Apr 22 17:58:10 2002
    endDate = Tue Apr 22 17:58:10 2003
    CA sign certificate SUCCEED (0)

Steps: To create the certificate of authority files for the specific DirectConnect server and service

  1. Enable SSL and identify the name of the access service using the SSLEnabled and SSLServices properties. For a description of these properties and their use, refer to the ECDA and Mainframe Connect Server Administration Guide for DirectConnect.

  2. Use a text editor to create the DC.in file. (For the parameters, refer to the ASE Utilities Guide document for certreq.)

    notepad DC.in

    req_certtype=Server
    req_keytype=RSA
    req_keylength=512
    req_country=US
    req_state=CO
    req_locality=Boulder
    req_organization=Sybase
    req_orgunit=Database
    req_commonname=servicename
    
  3. Create private key and certificate request files for the DirectConnect service:

    C:\sybase\OCS-12_5\bin>certreq -F DC.in -R servicename_req.txt -K servicename_pkey.txt -P mydcpassword
    
  4. Create the DirectConnect public key file <servicename>.crt by signing the <servicename>_req.txt request file with the CA private key file:

    C:\sybase\OCS-12_5\bin>certauth -C trusted.txt -Q servicename_req.txt -K CA_pkey.txt -P mycapassword -T180 -O servicename.crt
    
    -- Sybase Test Certificate Authority
    certauth\12.6.0.1\SWR 9988 IR\P\NT (IX86)\OS 4.0\rel12501\1773\32-bit\OPT\Sat Feb 6 07:18:45 2002 --
    Certificate Validity:
    startDate = Mon Apr 22 18:18:41 2002
    endDate = Sat Oct 19 18:18:41 2002
    CA sign certificate SUCCEED (0).
    
  5. Append the signed service name private key file to the signed <server name> public key file:

    C:\sybase\OCS-12_5\bin>type servicename_pkey.txt >> servicename.crt
    
  6. Copy the trusted.txt file to the DirectConnect <servicename>.txt file:

    C:\sybase\OCS-12_5\bin>copy trusted.txt servicename.txt
    
  7. Using the pwdcrypt utility, create and enter an encrypted password for DirectConnect to establish an SSL connection:

    C:\sybase\OCS-12_5\bin>pwdcrypt
    

    Enter your password that will be encrypted. Your encrypted password will be similar to the following example:

    Note: The password you enter is not displayed. This is the same password (mydcpassword) used in step 3.

    C:\sybase\OCS-12_5\bin>pwdcrypt
    Enter password please:
    Enter password again:
    The encrypted password:
    0x018c2e0ea8cfc44513e8ff06f3a1b20825288d0ae1ce79268d0e8669313d1bc4c70c
    
  8. Insert the encrypted password by copying from the previous step:

    C:\sybase\OCS-12_5\bin>ECHO 0x018c2e0ea8cfc44513e8ff06f3a1b20825288d0ae1ce79268d0e8669313d1bc4c70c >servicename.pwd
    

    Note: The ECHO command appends an extra space to the password it writes into the file. You must remove the extra space to have a valid password.

  9. Copy the trusted.txt file to the DirectConnect srvname.txt file:

    C:\sybase\OCS-12_5\bin>copy trusted.txt srvname.txt
    
  10. From the list of files displayed, verify that the following files are present:

    C:\sybase\OCS-12_5\bin>dir
    
    CA_pkey.txt
    CA_req.txt
    DC.in
    servicename.crt
    servicename.pwd
    servicename.txt
    servicename_pkey.txt
    servicename_req.txt
    srvname.txt
    trusted.txt
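
The following Python script is an added example and is not part of the Sybase documentation or its tools. It reads the files created above and flags the pitfalls the procedure itself calls out: the trailing space that ECHO writes into servicename.pwd, a servicename.crt that is missing the private key appended in step 5, and a req_commonname in the .in file that does not match the service name clients will connect to (Open Client requires the names to match, as the warning at the top of the chapter states). It assumes the certificate and key files are PEM-encoded text; the file contents, the hex value and the 2048-bit minimum key length are constructed assumptions, not values from this page (the page's own sample uses 512 bits).

```python
"""Sanity checks for the DirectConnect SSL files created by certreq, certauth,
pwdcrypt and ECHO. Added example, not Sybase code. Assumes PEM-encoded text
files; all sample contents below are constructed placeholders."""
import re

CERT_BEGIN, CERT_END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
KEY_BEGIN_RE = re.compile(r"-----BEGIN (RSA )?PRIVATE KEY-----")
KEY_END_RE = re.compile(r"-----END (RSA )?PRIVATE KEY-----")
PWD_RE = re.compile(r"^0x[0-9a-fA-F]+$")
MIN_KEY_BITS = 2048  # assumption: a current minimum; the page's sample uses 512


def check_pwd_file(raw: bytes) -> list:
    """Problems with servicename.pwd. 'ECHO value >file' writes a space before
    the line break, and the page says that space must be removed."""
    problems = []
    text = raw.decode("ascii", errors="replace")
    if re.search(r"[ \t]+(\r?\n)?$", text):
        problems.append("trailing whitespace after the encrypted password")
    if text.count("\n") > 1:
        problems.append("password file must contain a single line")
    if not PWD_RE.match(text.strip()):
        problems.append("content is not a 0x-prefixed hex string")
    return problems


def fix_pwd_file(raw: bytes) -> bytes:
    """Return the file content reduced to exactly the encrypted value."""
    return raw.decode("ascii", errors="replace").strip().encode("ascii")


def check_crt_file(text: str) -> list:
    """servicename.crt must hold the CA-signed certificate followed by the
    private key that step 5 appends with 'type servicename_pkey.txt >>'."""
    problems = []
    cert_pos = text.find(CERT_BEGIN)
    if cert_pos < 0 or CERT_END not in text:
        problems.append("no certificate block (certauth output missing?)")
    key = KEY_BEGIN_RE.search(text)
    if key is None or KEY_END_RE.search(text) is None:
        problems.append("no private key block (step 5 append not done?)")
    elif cert_pos >= 0 and key.start() < cert_pos:
        problems.append("private key precedes certificate; expected cert then key")
    return problems


def check_request_params(in_text: str, expected_cn: str) -> list:
    """Check a certreq .in file: req_commonname must equal the name clients
    connect to (Open Client rejects a mismatch), and the key must not be tiny."""
    params = dict(line.split("=", 1) for line in in_text.splitlines() if "=" in line)
    problems = []
    cn = params.get("req_commonname")
    if cn != expected_cn:
        problems.append(f"req_commonname {cn!r} != {expected_cn!r}")
    if int(params.get("req_keylength", "0")) < MIN_KEY_BITS:
        problems.append(f"req_keylength below {MIN_KEY_BITS} bits")
    return problems


# Constructed samples (placeholders, not real key material or a real encrypted password).
SAMPLE_PWD_FROM_ECHO = b"0x018c2e0ea8cf \r\n"
SAMPLE_CRT = (
    "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nMIICplaceholder\n-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_DC_IN = (
    "req_certtype=Server\nreq_keytype=RSA\nreq_keylength=512\nreq_country=US\n"
    "req_organization=Sybase\nreq_orgunit=Database\nreq_commonname=servicename\n"
)

if __name__ == "__main__":
    print("pwd:", check_pwd_file(SAMPLE_PWD_FROM_ECHO))
    print("pwd after fix:", check_pwd_file(fix_pwd_file(SAMPLE_PWD_FROM_ECHO)))
    print("crt:", check_crt_file(SAMPLE_CRT))
    print("DC.in:", check_request_params(SAMPLE_DC_IN, "servicename"))
```

Run it from the certificates directory after step 10 by reading the real files with `open(path, "rb")` and passing the bytes or text to the check functions; an empty list from every check means the files have the shape the later DirectConnect start-up expects.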
    

Steps: To create the DirectConnect certificates directory, enable SSL, and verify the log files

Note: In the following steps, the server name and service name must be the same.

  1. Create a DirectConnect directory to hold the certificates:

    md %SYBASE%\%SYBASE_ECON%\<server_name>\certificates
    
  2. Copy the servicename.crt, servicename.pwd, servicename.txt, and srvname.txt files into the new DirectConnect certificates directory created in the previous step:

    copy %SYBASE%\%SYBASE_OCS%\bin\servicename.* %SYBASE%\%SYBASE_ECON%\<server_name>\certificates
    copy %SYBASE%\%SYBASE_OCS%\bin\srvname.txt %SYBASE%\%SYBASE_ECON%\<server_name>\certificates
    
  3. Verify that the files are copied by listing the contents of the DirectConnect certificates directory:

    cd %SYBASE%\%SYBASE_ECON%\<server_name>\certificates
    dir
    

    If successful, the following is displayed:

    servicename.crt
    servicename.pwd
    servicename.txt
    srvname.txt
    
  4. Edit the server.cfg file to enable the SSL service:

    notepad server.cfg
    
    {Client Interaction}
    SSLServices=servicename
    SSLEnabled=yes
    
  5. From all the properties displayed, verify that the logging properties are set correctly and match the following:

    cd %SYBASE%\%SYBASE_ECON%\<server_name>\cfg
    type server.cfg
    

    If successful, the following is displayed:

    (Logging)
    LogWrap=yes
    LogToScreen=yes
    LogOCOSMessages=1
    LogFlush=yes
    LogFileSize=500000
    LogFileName=
    LogClientMessages=1
    LogClientLogin=yes
    
  6. Append “ssl” to the master and query entries in the sql.ini file using a text editor:

    cd %SYBASE%\ini
    notepad sql.ini
    
    [server name]
    MASTER = NLWNSCK, machine name, port, ssl
    Query = NLWNSCK, machine name, port, ssl
    
  7. Execute the following script to start DirectConnect:

    C:\sybase>DC-12_6\DCStart -Sservername
    
  8. Verify that the following log entries are in the %SYBASE%\%SYBASE_ECON%\<server name>\log\<server name>.log file:

    LogHeader	...SSL:Checking for servicename.txt...
    LogHeader	...SSL:Using trusted CA file...
    LogHeader	...SSL:Checking for servicename.crt...
    LogHeader	...SSL:Using certificate file...
    LogHeader	...SSL:Checking for servicename.pwd...
    LogHeader	...SSL:Using certificate password file...
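
As an added check (example code, not Sybase's), the script below reads the three artefacts that steps 4 to 8 leave behind, server.cfg, sql.ini and the server log, and reports what is wrong, so the rule in the note above (server name and service name identical) and the ssl filter on both sql.ini entries can be confirmed before clients are pointed at the port. It assumes sql.ini names its server section in square brackets, as Sybase interfaces files do, and that server.cfg uses the {Section} headers shown in step 4; the sample file contents, host name and port are constructed from the page's examples.

```python
"""Verify the server-side SSL enablement of a DirectConnect server: server.cfg
settings, sql.ini entries and the SSL lines in <server name>.log. Added
example, not Sybase code. Assumes {Section} headers in server.cfg and a
[server] section in sql.ini; sample inputs are constructed from the page."""
import re

EXPECTED_LOG = [
    "SSL:Checking for {s}.txt", "SSL:Using trusted CA file",
    "SSL:Checking for {s}.crt", "SSL:Using certificate file",
    "SSL:Checking for {s}.pwd", "SSL:Using certificate password file",
]


def parse_cfg(text: str) -> dict:
    """Parse server.cfg into {section: {key: value}}; headers may be {X} or (X)."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        header = re.match(r"^[{(](.+)[})]$", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def check_server_cfg(text: str, service: str) -> list:
    """SSLEnabled must be yes and SSLServices must name the service exactly."""
    ci = parse_cfg(text).get("Client Interaction", {})
    problems = []
    if ci.get("SSLEnabled", "").lower() != "yes":
        problems.append("SSLEnabled is not yes")
    if ci.get("SSLServices") != service:
        problems.append(f"SSLServices {ci.get('SSLServices')!r} != {service!r}")
    return problems


def check_sql_ini(text: str, server: str) -> list:
    """Both the MASTER and QUERY lines under [server] must end with the ssl filter."""
    problems, seen, in_server = [], set(), False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_server = line[1:-1].strip().lower() == server.lower()
            continue
        if not in_server or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.upper() in ("MASTER", "QUERY"):
            seen.add(key.upper())
            fields = [f.strip().lower() for f in value.split(",")]
            if fields[-1] != "ssl":
                problems.append(f"{key} entry for {server} lacks the ssl filter")
    for wanted in ("MASTER", "QUERY"):
        if wanted not in seen:
            problems.append(f"no {wanted} entry for {server}")
    return problems


def missing_log_entries(log_text: str, service: str) -> list:
    """Expected SSL start-up lines that are absent from the log, in page order."""
    wanted = [e.format(s=service) for e in EXPECTED_LOG]
    return [w for w in wanted if w not in log_text]


def verify_all(server_cfg: str, sql_ini: str, log_text: str, name: str) -> list:
    """Run every check with one name, because server and service names must match."""
    return (check_server_cfg(server_cfg, name) + check_sql_ini(sql_ini, name)
            + [f"log line missing: {m}" for m in missing_log_entries(log_text, name)])


# Constructed samples modelled on the page (host and port are placeholders).
SAMPLE_CFG = "{Client Interaction}\nSSLServices=servicename\nSSLEnabled=yes\n\n(Logging)\nLogWrap=yes\n"
SAMPLE_SQL_INI = "[servicename]\nMASTER = NLWNSCK, dchost, 7000, ssl\nQuery = NLWNSCK, dchost, 7000, ssl\n"
SAMPLE_LOG = "\n".join(f"LogHeader\t...{e.format(s='servicename')}..." for e in EXPECTED_LOG) + "\n"

if __name__ == "__main__":
    print("good setup:", verify_all(SAMPLE_CFG, SAMPLE_SQL_INI, SAMPLE_LOG, "servicename"))
    print("ssl dropped from sql.ini:",
          verify_all(SAMPLE_CFG, SAMPLE_SQL_INI.replace(", ssl", ""), SAMPLE_LOG, "servicename"))
```

On a real server, read the three files from %SYBASE%\%SYBASE_ECON%\<server_name>\cfg, %SYBASE%\ini and the log directory and pass their text to `verify_all` with the single name used for both server and service; the log check only looks for the six lines, so a missing entry points at whichever certificate file the server could not load.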
    




Copyright © 2005. Sybase Inc. All rights reserved.