To administer SSL and certificates in Adaptive Server, use sp_ssladmin. sso_role is required to execute the stored procedure.
sp_ssladmin is used to:
Add local server certificates. You can add certificates and specify the password used to encrypt private keys, or require input of the password at the command line during start-up.
Delete local server certificates.
List server certificates.
The syntax for sp_ssladmin is:
sp_ssladmin {[addcert, certificate_path [, password|NULL]]
[dropcert, certificate_path]
[lscert]
[help]}
[lsciphers]
[setciphers, {"FIPS" | "Strong" | "Weak" | "All"
| quoted_list_of_ciphersuites}]
For example:
sp_ssladmin addcert, "/sybase/ASE-12_5/certificates/Server1.crt",
"mypassword"
This adds an entry for the local server, Server1.crt, in the certificates file in the absolute path to /sybase/ASE-12_5/certificates (x:\sybase\ASE-12_5\certificates on Windows). The private key is encrypted with the password “mypassword”. The password should be the one specified when you created the private key.
Before accepting the certificate, sp_ssladmin verifies that:
The private key can be decrypted using the provided password (except when NULL is specified).
The private key and public key in the certificate match.
The certificate chain, from root CA to the server certificate, is valid.
The common name in the certificate matches the common name in the interfaces file.
If the common names do not match, sp_ssladmin issues a warning. If the other criteria fails, the certificate is not added to the certificates file.
WARNING! Adaptive Server limits passwords to 64 characters. In addition, certain platforms restrict the length of valid passwords when creating server certificates. Select a password within these limits:
Sun Solaris – both 32- and 64-bit platforms, 256 characters.
Linux – 128 characters.
IBM – both 32- and 64-bit platforms, 32 characters.
HP – both 32- and 64-bit platforms, 8 characters.
Windows – 256 characters.
The use of NULL as the password is intended to protect passwords during the initial configuration of SSL, before the SSL-encrypted session begins. Since you have not yet configured SSL, the password travels unencrypted over the connection. You can avoid this by specifying the password as NULL during the first login.
When NULL is the password, you must start dataserver with a -y flag, which prompts the administrator for the private-key password at the command line.
After restarting Adaptive Server with an SSL connection established, use sp_ssladmin again, this time using the actual password. The password is then encrypted and stored by Adaptive Server. Any subsequent starts of Adaptive Server from the command line use the encrypted password; you do not have to specify the password on the command line during start-up.
An alternative to using a NULL password during the first login is to avoid a remote connection to Adaptive Server via isql. You can specify “localhost” as the hostname in the interfaces file (sql.ini on Windows) to prevent clients from connecting remotely. Only a local connection can be established, and the password is never transmitted over a network connection.
Adaptive Server has sufficient memory in its network
memory pool to allow sp_ssladmin addcert to
set the certificate and private key password with its default memory
allocations. However, if another network memory consumer has already
allocated the default network memory, sp_ssladmin may fail
and display this error to the client:
Msg 12823, Level 16, State 1: Server 'servername', Procedure 'sp_ssladmin', Line 72: Command 'addcert' failed to add certificate path /work/REL125/ASE-12_5/certificates/servername.crt, system error: ErrMemory. (return status = 1)
Or the following message may appear in the error log:
... ssl_alloc: Cannot allocate using ubfalloc(rnetmempool, 131072)
As a workaround, you can increase the additional network memory configuration parameter. Adaptive Server needs about 500K bytes of memory for sp_ssladmin addcert to succeed, so increasing additional network memory by this amount may allow it to succeed. This memory is reused by the network memory pool when needed, or you can return additional network memory to its previous value after sp_ssladmin has successfully completed.
