-ec iqsrv15 server option

Uses transport-layer security or simple encryption to encrypt all command sequence communication protocol packets (such as DBLib and ODBC) transmitted to and from all clients. TDS packets aren't encrypted.

Syntax

iqsrv15 -ec encryption-options ...

encryption-options :

{ NONE |
   SIMPLE |
   TLS ( TLS_TYPE=algorithm;
   [ FIPS={ Y | N }; ]
   IDENTITY=server-identity-filename;
   IDENTITY_PASSWORD=password ) }, ...

Allowed values

Applies to

NONE and SIMPLE apply to all servers and operating systems.

TLS applies to all servers and operating systems.

Remarks

You can use this option to secure communication packets between client applications and the database server using transport-layer security.
Note: Separately licensed component required.

FIPS-certified encryption requires a separate license. All strong encryption technologies are subject to export regulations.

The -ec option instructs the database server to accept only connections that are encrypted using one of the specified types. You must specify at least one of the supported parameters in a comma-separated list. Connections over the TDS protocol, which include Java applications using jConnect, are always accepted and are never encrypted, regardless of the usage of the -ec option. Setting the TDS protocol option to NO disallows these unencrypted TDS connections.

By default, communication packets aren't encrypted, which poses a potential security risk. If you are concerned about the security of network packets, use the -ec option. Encryption affects performance only marginally.

If the database server accepts simple encryption, but does not accept unencrypted connections, then any non-TDS connection attempts using no encryption automatically use simple encryption.

Starting the database server with -ec SIMPLE tells the database server to only accept connections using simple encryption. TLS connections (RSA and RSA FIPS-certified encryption) fail, and connections requesting no encryption use simple encryption.

The dbrsa12.dll file contains the RSA code used for encryption and decryption. The file dbfips12.dll contains the code for the FIPS-certified RSA algorithm. When you connect to the database server, if the appropriate file cannot be found, or if an error occurs, a message appears in the database server messages window. The server doesn't start if the specified types of encryption cannot be initiated.

The client's and the server's encryption settings must match or the connection fails except in the following cases:
  • If -ec SIMPLE is specified on the database server, but -ec NONE is not, then connections that do not request encryption can connect and automatically use simple encryption.
  • If the database server specifies RSA and the client specifies FIPS-certified encryption, or vice versa, the connection succeeds. In these cases, the Encryption connection property returns the value specified by the database server.
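The following is an added example, not SAP/Sybase code: it parses the -ec option syntax shown above and applies the matching rules from the Remarks (automatic upgrade of unencrypted requests to simple encryption, RSA and FIPS-certified RSA interoperating) to predict what a client connection ends up using, plus a small audit of the weak modes a given -ec value accepts. The client request names NONE, SIMPLE, RSA and RSA_FIPS are the example's own labels, and TDS connections, which -ec never encrypts, are out of its scope.

```python
# Added example (not SAP/Sybase code): models the iqsrv15 -ec syntax and negotiation rules above.
def parse_ec(value):
    """Parse '-ec' syntax: comma-separated NONE | SIMPLE | TLS(KEY=val;...)."""
    entries = []
    rest = value.strip()
    while rest:
        if rest.upper().startswith("TLS("):
            close = rest.index(")")  # TLS parameter list ends at the first ')' (passwords containing ')' are not handled)
            params = {}
            for kv in rest[4:close].split(";"):
                if kv.strip():
                    key, _, val = kv.partition("=")
                    params[key.strip().upper()] = val.strip()  # keys are case-insensitive, values kept as given
            entries.append(("TLS", params))
            rest = rest[close + 1:].lstrip(",").strip()
        else:
            name, _, rest = rest.partition(",")
            entries.append((name.strip().upper(), {}))
            rest = rest.strip()
    return entries

def server_modes(value):
    """Modes the server accepts: NONE, SIMPLE, RSA or RSA_FIPS (TLS with FIPS=Y)."""
    modes = set()
    for name, params in parse_ec(value):
        if name == "TLS":
            modes.add("RSA_FIPS" if params.get("FIPS", "N").upper() == "Y" else "RSA")
        else:
            modes.add(name)
    return modes

def negotiated_encryption(server_ec, client_request):
    """Encryption a connection ends up using, or None if the server refuses it."""
    modes = server_modes(server_ec)
    req = client_request.upper()
    if req == "NONE":  # upgraded to SIMPLE when the server allows SIMPLE but not NONE
        return "NONE" if "NONE" in modes else ("SIMPLE" if "SIMPLE" in modes else None)
    if req == "SIMPLE":
        return "SIMPLE" if "SIMPLE" in modes else None
    if req in ("RSA", "RSA_FIPS"):  # RSA and FIPS RSA interoperate; the server's value is reported
        other = "RSA" if req == "RSA_FIPS" else "RSA_FIPS"
        return req if req in modes else (other if other in modes else None)
    raise ValueError("unknown client encryption request: " + client_request)

def audit(server_ec):
    """Defender's check: weak modes a server started with this -ec value accepts."""
    weak = {"NONE": "accepts unencrypted connections", "SIMPLE": "accepts simple encryption, not TLS"}
    return [note for mode, note in weak.items() if mode in server_modes(server_ec)]
```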

Example

The following example specifies that connections with no encryption and simple encryption are allowed.

iqsrv15 -ec NONE,SIMPLE -x tcpip c:\mydemo.db

The following example starts a database server that uses the RSA server certificate rsaserver.id.

iqsrv15 -ec TLS(TLS_TYPE=RSA;IDENTITY=rsaserver.id;IDENTITY_PASSWORD=test) -x tcpip c:\mydemo.db

The following example starts a database server that uses the FIPS-approved RSA server certificate rsaserver.id.

iqsrv15 -ec TLS(TLS_TYPE=RSA;FIPS=Y;IDENTITY=rsaserver.id;IDENTITY_PASSWORD=test) -x tcpip c:\mydemo.db