SAP Sybase IQ includes OpenSSL encryption libraries that provide strong encryption for LinuxAMD64 Server, LinuxAMD32 Client, and Windows32 Client. Certicom encryption libraries are no longer supplied on these platforms. Encryption providers have not changed for jConnect, Open Client, and SAP Control Center components.
OpenSSL FIPS supports AES encryption for the private key of an identity file (.id). New servers using the OpenSSL FIPS encryption module will not start when using an identity file that has its private key encrypted with 3DES. To re-encrypt the private key using AES, run viewcert:

    viewcert -p -o new-file-name.id -op new-password -ip old-password old-file-name.id

The new and old passwords can be the same.
In sample server identity file rsaserver.id, and client identity file rsaclient.id, private keys are encrypted using AES rather than 3DES.
Versions of the database server that use the Certicom encryption module will not start when using an identity file that has its private key encrypted using AES. Trusted root certificate files specified using trusted_certificates do not need to be modified.
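A pre-upgrade check for the startup rule above, as an added example that is not SAP code: it reports which cipher protects the private key in a PEM-encoded identity file and which server type would refuse it. It assumes the key block uses OpenSSL's traditional (DEK-Info header) or PKCS#8 encrypted layout; the function names and the sample key are constructed for illustration.

```python
import base64
import re

# DER-encoded OBJECT IDENTIFIERs (tag 0x06, length, value) of the ciphers of interest.
CIPHER_OIDS = {
    bytes.fromhex("06082a864886f70d0307"): "3DES",      # des-ede3-cbc
    bytes.fromhex("060a2a864886f70d010c0103"): "3DES",  # pbeWithSHAAnd3-KeyTripleDES-CBC
    bytes.fromhex("0609608648016503040102"): "AES",     # aes128-cbc
    bytes.fromhex("0609608648016503040116"): "AES",     # aes192-cbc
    bytes.fromhex("060960864801650304012a"): "AES",     # aes256-cbc
}
KEY_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----\r?\n(.*?)-----END \1-----", re.S)

# Constructed sample (not a real key): traditional-format header naming 3DES.
SAMPLE_3DES = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

QUJDRA==
-----END RSA PRIVATE KEY-----
"""

def key_cipher(pem_text):
    """Return '3DES', 'AES', 'unencrypted' or 'unknown' for the first key block."""
    m = KEY_BLOCK.search(pem_text)
    if not m:
        return "unknown"  # DER-encoded file, or no private key present
    label, body = m.groups()
    # Traditional OpenSSL format names the cipher in a DEK-Info header.
    dek = re.search(r"^DEK-Info:\s*([A-Za-z0-9-]+)", body, re.M)
    if dek:
        name = dek.group(1).upper()
        if name.startswith("DES-EDE3"):
            return "3DES"
        return "AES" if name.startswith("AES-") else "unknown"
    if label != "ENCRYPTED PRIVATE KEY":
        return "unencrypted"
    # PKCS#8: the cipher OID sits in the algorithm header, before the ciphertext.
    header = base64.b64decode("".join(body.split()))[:200]
    hits = [(header.find(oid), name) for oid, name in CIPHER_OIDS.items() if oid in header]
    return min(hits)[1] if hits else "unknown"

def server_that_will_not_start(pem_text):
    """Apply the page's rule: which server type refuses this identity file."""
    return {"3DES": "OpenSSL FIPS", "AES": "Certicom"}.get(key_cipher(pem_text))
```

A result of "unknown" means the file is not PEM-encoded or uses a layout this check does not recognize; inspect it with viewcert instead.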
Self-signed certificates must now have the Certificate Signing attribute set when using the identity encryption HTTPS option (-xs start_iq option). To determine if a certificate has the Certificate Signing attribute set, use the viewcert utility and look for Certificate Signing in the Key Usage portion of the output. If the Certificate Signing attribute is not set, regenerate the certificates.
The Create Certificate utility (createcert) and View Certificate utility (viewcert) now use AES rather than 3DES encryption. In createcert, use the -3des option to create a 3DES-encrypted server identity file that can be used by both new and old database servers. New database servers running in FIPS mode cannot start using 3DES-encrypted certificates; however, if you are not running in FIPS mode, you can use 3DES-encrypted certificates. In the View Certificate utility, to use AES rather than 3DES encryption, specify the -p option to PEM-encode the output, and specify the -ip and -op options to set the password. In viewcert, use the -3des option to encrypt output and passwords using 3DES instead of AES.
Previously, the 32-bit Windows database server loaded the FIPS driver file, dbfips16.dll, only when needed. Now, the 32-bit Windows database server loads dbfips16.dll at startup, and keeps it loaded for the life of the server. If loading dbfips16.dll fails, an error is returned only when an attempt is made to use FIPS encryption.
Platform | Libraries |
---|---|
Windows 64-bit | libeay32.dll, ssleay32.dll, msvcr100.dll |
Windows 32-bit | libeay32.dll, ssleay32.dll, msvcr90.dll |
Linux | libcrypto.so, libssl.so |
On Windows, you must use the 64-bit libraries on a 64-bit system.
See Deprecated Features in this document.