Setting up transport-layer security

The following steps provide an overview of the tasks required to set up transport-layer security.

  1. Obtain digital certificates.

    You need identity files and certificate files. The server identity file contains the server's private key and should be stored securely with the database. You distribute the server certificate file to your clients.

    You can buy certificates from a certificate authority or you can use the Certificate creation utility (createcert). SAP Sybase IQ also provides functionality to create certificates, which is especially useful for development and testing.

  2. If you are setting up transport-layer security for SAP Sybase IQ client/server applications:

    • Start the SAP Sybase IQ database server with transport-layer security – Use the -ec database server option to specify the type of security, the server identity file name, and the password to protect the server's private key.

      If you also want to allow unencrypted connections over shared memory, specify the -es option.

      TDS connections do not use the TLS protocol and are therefore unencrypted. To prevent unencrypted connections over the TDS protocol, disable TDS with the tcpip option -x tcpip(TDS=NO).

    • Configure client applications to use transport-layer security – Specify the path and file name of trusted certificates using the Encryption connection parameter [ENC].
  3. If you are setting up transport-layer security for SAP Sybase IQ web services:

    • Start the SAP Sybase IQ database server with transport-layer security – Use the -xs database server option to specify the type of security, the server identity file name, and the password to protect the server's private key.
    • Configure browsers or other web clients to trust certificates – Encrypt SAP Sybase IQ web services.
  4. If you are setting up an SAP Sybase IQ multiplex database server:

    • INC and MIPC connections determine which TLS connection parameters to use from the contents of the -ec server option.
    • Set the TRUSTED_CERTIFICATES_FILE option to the certificate file of the appropriate Certificate Authority.
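
The server options from step 2 can be checked mechanically before a server is started. The following shell function is an added example, not part of the SAP documentation: it audits a string of server options for -ec, -es and -x tcpip(TDS=NO). The function name, the sample option strings and the values inside tls(...) and tcpip(...) are constructed for illustration.

```shell
#!/bin/sh
# audit_iq_tls 'SERVER OPTIONS'
# Prints one finding per line; returns 0 if there is no FAIL finding, 1 otherwise.
# The contents of tls(...) are not inspected, only the presence of the options.
audit_iq_tls() {
    opts=" $1 "
    lower=$(printf '%s' "$opts" | tr '[:upper:]' '[:lower:]')
    rc=0

    # -ec turns on transport-layer security for client/server connections.
    case "$opts" in
        *" -ec "*) echo "OK   -ec set: client/server TLS is configured" ;;
        *) echo "FAIL -ec missing: client/server TLS is not configured"; rc=1 ;;
    esac

    # TDS connections do not use TLS, so TDS must be disabled in -x tcpip(...).
    if printf '%s' "$lower" | grep -Eq -e '-x +tcpip\([^)]*tds=no[^)]*\)'; then
        echo "OK   TDS=NO set: TDS connections are disabled"
    else
        echo "FAIL TDS=NO missing: unencrypted TDS connections are possible"; rc=1
    fi

    # -es is a deliberate exception: unencrypted shared-memory connections.
    case "$opts" in
        *" -es "*) echo "WARN -es set: unencrypted shared-memory connections are allowed" ;;
    esac

    return "$rc"
}

# Constructed sample option strings (file name, password and port are placeholders).
GOOD='-ec tls(identity=server.id;identity_password=PLACEHOLDER) -x tcpip(port=2638;TDS=NO)'
WEAK='-ec tls(identity=server.id;identity_password=PLACEHOLDER) -es -x tcpip(port=2638)'

for sample in "$GOOD" "$WEAK"; do
    echo "== $sample"
    audit_iq_tls "$sample" || true
done
```

The WARN line for -es is informational, because the documentation treats unencrypted shared-memory connections as an explicit choice rather than a misconfiguration.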