-ec iqsrv16 database server option

Uses transport-layer security or simple encryption to encrypt all command sequence communication protocol packets (such as DBLib and ODBC) transmitted to and from all clients. TDS packets aren't encrypted.

Syntax

iqsrv16 -ec encryption-options ...
encryption-options :
{ NONE |
   SIMPLE |
   TLS ( [ FIPS={ Y | N }; ]
   IDENTITY=server-identity-filename;
   IDENTITY_PASSWORD=password ) }, ...

Allowed values

Applies to

NONE and SIMPLE apply to all servers and operating systems.

TLS applies to all servers and operating systems.

For information about supporting FIPS-certified encryption, see http://www.sybase.com/detail?id=1061806.

Remarks

You can use this option to secure communication packets between client applications and the database server using transport-layer security.

The -ec option instructs the database server to accept only connections that are encrypted using one of the specified types. You must specify at least one of the supported parameters in a comma-separated list. Connections over the TDS protocol, which include Java applications using jConnect, are always accepted and are never encrypted, regardless of the usage of the -ec option. Setting the TDS protocol option to NO disallows these unencrypted TDS connections.

By default, communication packets aren't encrypted, which poses a potential security risk. If you are concerned about the security of network packets, use the -ec option. Encryption affects performance only marginally.

If the database server accepts simple encryption, but does not accept unencrypted connections, then any non-TDS connection attempts using no encryption automatically use simple encryption.

Starting the database server with -ec SIMPLE tells the database server to accept only connections that use simple encryption. TLS connections (RSA and RSA FIPS-certified encryption) fail, and connections requesting no encryption use simple encryption.

If you want the database server to accept encrypted connections over TCP/IP, but also want to be able to connect to the database from the local computer over shared memory, you can specify the -es option with the -ec option when starting the database server.

The dbrsa16.dll file contains the RSA code used for encryption and decryption. The file dbfips16.dll contains the code for the FIPS-certified RSA algorithm. When you connect to the database server, if the appropriate file cannot be found, or if an error occurs, a message appears in the database server messages window. The server doesn't start if the specified types of encryption cannot be initiated.

The client's and the server's encryption settings must match or the connection fails except in the following cases:

Note: Separately licensed component required.

FIPS-certified encryption requires a separate license. All strong encryption technologies are subject to export regulations.

Example

The following example specifies that connections with no encryption and simple encryption are allowed.

iqsrv16 -ec NONE,SIMPLE -x tcpip c:\mydemo.db

The following example starts a database server that uses the RSA server certificate rsaserver.id.

iqsrv16 -ec TLS(IDENTITY=rsaserver.id;IDENTITY_PASSWORD=test) -x tcpip c:\mydemo.db

The following example starts a database server that uses the FIPS-approved RSA server certificate rsaserver.id.

iqsrv16 -ec TLS(FIPS=Y;IDENTITY=rsaserver.id;IDENTITY_PASSWORD=test) -x tcpip c:\mydemo.db
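
The remarks above can be turned into a check over a server's startup line: whether NONE or SIMPLE is accepted, whether the identity password sits on the command line, and whether unencrypted TDS connections are still allowed. The following Python script is an added example, not code from the product documentation; it parses the -ec value using the syntax shown on this page. Assumptions: the function names parse_ec and audit_cmdline are hypothetical, and the TDS protocol option is taken to be written TDS=NO inside the -x tcpip(...) parameters.

```python
import re

# One entry of the -ec list: NONE | SIMPLE | TLS(key=value;...), followed by "," or end.
ENTRY = re.compile(r"(NONE|SIMPLE|TLS)(?:\(([^)]*)\))?(?:,|$)", re.I)

def parse_ec(value):
    """Split an -ec value into [(TYPE, {PARAM: value})] per the syntax on this page."""
    entries, pos = [], 0
    while pos < len(value):
        m = ENTRY.match(value, pos)
        if not m:
            raise ValueError(f"unrecognised -ec text: {value[pos:]!r}")
        params = {}
        for item in filter(None, (m.group(2) or "").split(";")):
            key, _, val = item.partition("=")
            params[key.strip().upper()] = val.strip()
        entries.append((m.group(1).upper(), params))
        pos = m.end()
    return entries

def audit_cmdline(cmdline):
    """Return a list of findings for one iqsrv16 command line."""
    m = re.search(r"(?<!\S)-ec\s+(\S+)", cmdline)
    if not m:
        return ["no -ec option: packets are not encrypted by default"]
    entries = parse_ec(m.group(1))
    types = {t for t, _ in entries}
    findings = []
    if "NONE" in types:
        findings.append("NONE: unencrypted connections are accepted")
    if "SIMPLE" in types:
        findings.append("SIMPLE: simple encryption is accepted in place of TLS")
    for t, params in entries:
        if t == "TLS" and "IDENTITY" not in params:
            findings.append("TLS: IDENTITY is missing")
        if t == "TLS" and "IDENTITY_PASSWORD" in params:
            findings.append("TLS: IDENTITY_PASSWORD is exposed in the process command line")
    # Assumption: the TDS protocol option is written TDS=NO inside -x tcpip(...).
    if not re.search(r"\bTDS\s*=\s*NO\b", cmdline, re.I):
        findings.append("TDS: unencrypted TDS connections are still accepted")
    return findings

if __name__ == "__main__":
    # Constructed command lines, modelled on the examples on this page.
    for cmd in (r"iqsrv16 -ec NONE,SIMPLE -x tcpip c:\mydemo.db",
                r"iqsrv16 -ec TLS(IDENTITY=rsaserver.id;IDENTITY_PASSWORD=test) -x tcpip(TDS=NO) c:\mydemo.db"):
        print(cmd, audit_cmdline(cmd), sep="\n  ")
```

Run against the first example on this page, the script reports three findings (NONE, SIMPLE and TDS); a TLS-only line still reports the TDS finding unless the TDS protocol option is set to NO.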