Security Recommendations

Recommendations for Replication Server security issues, such as performing administrative tasks, SSL, encryption, permissions and roles, and the configuration file.

  • As a best practice, perform administration tasks only on the local Replication Server host.

    By default, Replication Server does not prevent an administrator who knows the Replication Server host name and port number from accessing and administering the Replication Server remotely.
  • Wait for a master database transaction, such as creating a new user or changing a password, to replicate successfully to all replicate Adaptive Servers before executing a user database transaction, such as creating a table, that depends on the master database transaction.

    Replication Server maintains the transaction commit order for transactions executed within a single Adaptive Server database. However, Replication Server does not maintain such an order for transactions executed across multiple Adaptive Server databases. For example, at the primary Adaptive Server:
    • To create a master database transaction such as creating the mylogin user, use the sa user to enter:
      sp_addlogin 'mylogin', 'password'
      go
      use mydb
      go
      sp_adduser 'mylogin'
      go
    • To create a user database transaction such as creating the mytab table with the mylogin user ID, enter:
      use mydb
      go
      create table mytab (mycol int)
      go

    It is possible for Replication Server to replicate the create table command before the sp_addlogin procedure, which causes create table to fail on the replicate Adaptive Server because the mylogin user does not yet exist at the replicate database.

  • Replication Server can use Secure Sockets Layer (SSL) to provide session-based security. SSL uses certificates issued by certificate authorities (CAs) to establish and verify identities.

    If an SSL certificate is compromised, you must request a new certificate from the CA with a new Replication Server name and certificate number.

  • The administrator should control permissions on the Replication Server log to provide monitor-only access to auditors. By default, any user that you create in Replication Server, who has not been granted any roles, has monitor-only access to RSSD tables sufficient for a support role.

  • Consider disk-level encryption for sensitive data in stable queues.

    Even with connectivity based on SSL between the primary and replicate databases and Replication Server, Replication Server must persist data temporarily in the stable queues, and this persisted data is not encrypted.

  • Sybase recommends that you use SSL for connections or routes that transmit sensitive data. The Replication Server Secure Sockets Layer (SSL) Advanced Security option provides session-based security.

  • Replication Server stores initial configuration properties such as host name, port, user name, and password, in a file with the .res suffix that the rs_init utility uses. Set the appropriate umask permissions in UNIX or directory permissions in Windows for the .res file, or delete the file if you do not require it.

    Although rs_init does not require the .res file after the initial configuration, Replication Server stores the file in the operating system file system protected only by the operating system permissions.
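
The .res file recommendation above can be checked on a UNIX host with a short script. This is an added example, not part of the original Sybase documentation; the function names are hypothetical, the directory to scan is whatever you pass in, and Windows directory permissions are not covered.

```shell
#!/bin/sh
# Added example (not Sybase code): audit and restrict rs_init resource files.
# Function names are hypothetical. Source this file, then call, for example:
#   find_exposed_res /path/to/install/dir
# where the directory is an assumption you replace with your own.

# Print every *.res file under directory $1 that grants any permission bit
# to group or other. Uses only POSIX find syntax.
find_exposed_res() {
    find "$1" -type f -name '*.res' \( \
        -perm -040 -o -perm -020 -o -perm -010 -o \
        -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Restrict each exposed file to owner read/write and report what changed.
# File names containing newlines are not handled.
lock_down_res() {
    find_exposed_res "$1" | while IFS= read -r f; do
        chmod 600 "$f" && printf 'restricted: %s\n' "$f"
    done
}

# Create a new, empty .res file that is private from the moment it exists.
# The umask is set in a subshell so the caller's umask is left unchanged.
# Refuses to touch an existing file: umask affects only newly created
# files, so an existing one must be fixed with lock_down_res instead.
create_private_res() {
    if [ -e "$1" ]; then
        printf 'refusing to overwrite: %s\n' "$1" >&2
        return 1
    fi
    ( umask 077 && : > "$1" )
}
```

If the .res file is no longer needed after the initial configuration, deleting it, as the recommendation says, removes the stored password entirely instead of relying on file permissions.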