Encryption Support Changes

SAP Sybase IQ includes OpenSSL encryption libraries that provide strong encryption for LinuxAMD64 Server, LinuxAMD32 Client, and Windows32 Client. Certicom encryption libraries are no longer supplied on these platforms. Encryption providers have not changed for jConnect, Open Client, and SAP Control Center components.

Identity Files

OpenSSL FIPS supports AES encryption for the private key of an identity file (.id). New servers using the OpenSSL FIPS encryption module will not start when using an identity file that has its private key encrypted with 3DES.

You must reencrypt the identity file using AES. For example, with an upgraded viewcert utility, enter:
viewcert -p -o new-file-name.id -op new-password -ip old-password old-file-name.id
The new and old passwords can be the same.

In the sample server identity file rsaserver.id and the client identity file rsaclient.id, private keys are encrypted using AES rather than 3DES.

Versions of the database server that use the Certicom encryption module will not start when using an identity file that has its private key encrypted using AES. Trusted root certificate files specified using trusted_certificates do not need to be modified.
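As a pre-upgrade check for the incompatibility described above, the following added example (not part of the SAP documentation or tooling) reports whether the private key in a PEM-encoded identity file is encrypted with 3DES or AES. It assumes the file holds either a PKCS#8 "ENCRYPTED PRIVATE KEY" block or a traditional OpenSSL key with a DEK-Info header; the function names and the sample blocks are constructed for illustration.

```python
import base64, re, sys

# DER-encoded cipher OIDs found in the header of an encrypted PKCS#8 key.
CIPHER_OIDS = {
    "06082a864886f70d0307": "3DES",      # des-ede3-cbc (PBES2)
    "060a2a864886f70d010c0103": "3DES",  # pbeWithSHAAnd3-KeyTripleDES-CBC
    "0609608648016503040102": "AES",     # aes-128-cbc
    "0609608648016503040116": "AES",     # aes-192-cbc
    "060960864801650304012a": "AES",     # aes-256-cbc
}
KEY_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----\r?\n(.*?)-----END \1-----", re.S)

def key_cipher(pem_text):
    """Classify the private-key encryption: 3DES, AES, unencrypted, unknown, no-key."""
    m = KEY_BLOCK.search(pem_text)
    if not m:
        return "no-key"
    label, body = m.groups()
    dek = re.search(r"^DEK-Info:\s*([A-Z0-9-]+)", body, re.M)
    if dek:  # traditional OpenSSL PEM header names the cipher directly
        name = dek.group(1)
        return "3DES" if name.startswith("DES-EDE3") else \
               "AES" if name.startswith("AES") else "unknown"
    if label != "ENCRYPTED PRIVATE KEY":
        return "unencrypted"
    # The algorithm identifier sits at the start of the DER structure.
    head = base64.b64decode("".join(body.split()))[:160]
    for oid, cipher in CIPHER_OIDS.items():
        if bytes.fromhex(oid) in head:
            return cipher
    return "unknown"

def blocks_fips_start(pem_text):
    """True when the key is 3DES-encrypted, which stops a FIPS-mode server starting."""
    return key_cipher(pem_text) == "3DES"

def _sample(oid_hex):
    # Constructed stand-in: DER-like bytes carrying only the cipher OID, not a real key.
    der = bytes.fromhex("308201003040" + oid_hex) + bytes(32)
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + b64 +
            "\n-----END ENCRYPTED PRIVATE KEY-----\n")

OLD_ID = _sample("060a2a864886f70d010c0103")   # constructed 3DES case
NEW_ID = _sample("060960864801650304012a")     # constructed AES case

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, errors="replace") as f:
            print(path, key_cipher(f.read()))
```

Files reported as 3DES need reencrypting with viewcert before they are used with a server running the OpenSSL FIPS module; files reported as AES cannot be used by servers that still use the Certicom module.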

Self-Signed Certificates

Self-signed certificates must now have the Certificate Signing attribute set when using the identity encryption HTTPS option (-xs start_iq option). To determine if a certificate has the Certificate Signing attribute set, use the viewcert utility and look for Certificate Signing in the Key Usage portion of the output. If the Certificate Signing attribute is not set, regenerate the certificates.

The Create Certificate utility (createcert) and View Certificate utility (viewcert) now use AES rather than 3DES encryption. In createcert, use the -3des option to create a 3DES-encrypted server identity file that can be used by both new and old database servers. New database servers running in FIPS mode cannot start using 3DES-encrypted certificates; however, if you are not running in FIPS mode, you can use 3DES-encrypted certificates. In the View Certificate utility, to use AES rather than 3DES encryption, specify the -p option to PEM-encode the output, and specify the -ip and -op options to set the password. In viewcert, use the -3des option to encrypt output and passwords using 3DES instead of AES.

FIPS Driver File

Previously, the 32-bit Windows database server loaded the FIPS driver file, dbfips16.dll, only when needed. Now, the 32-bit Windows database server loads dbfips16.dll at startup, and keeps it loaded for the life of the server. If loading dbfips16.dll fails, an error is returned only when an attempt is made to use FIPS encryption.

Libraries

Shared libraries sbgse2.dll and libsbgse2.so are no longer installed. SAP Sybase IQ software includes new shared libraries to deploy for FIPS encryption:
Platform          Libraries
Windows 64-bit    libeay32.dll, ssleay32.dll, msvcr100.dll
Windows 32-bit    libeay32.dll, ssleay32.dll, msvcr90.dll
Linux             libcrypto.so, libssl.so

On Windows, you must use the 64-bit libraries on a 64-bit system.

See Deprecated Features in this document.

See these topics in the SAP Sybase IQ 16.0 documentation:
  • FIPS-certified encryption technology and FIPS Support in SAP Sybase IQ in Administration: User Management and Security
  • @data iqsrv16 Server Option in Utility Guide