Validating the server by its certificate

Any ASE ADO.NET Data Provider client connection to an SSL-enabled server requires that the server have a certificate file, which consists of the server’s certificate and its (encrypted) private key. The certificate must be digitally signed by a certification authority (CA). ASE ADO.NET Data Provider client applications establish a socket connection to Adaptive Server the same way that existing client connections are established. Before any user data is transmitted, an SSL handshake occurs on the socket, once the network transport-level connect call has completed on the client side and the accept call has completed on the server side. The handshake is where the server presents its certificate and the client decides whether to trust it.

To make a successful connection to an SSL-enabled server, the following must occur:

  1. The SSL-enabled server must present its certificate when the client application makes a connection request.

  2. The client application must recognize the CA that signed the certificate. A list of all “trusted” CAs is in the trusted roots file, described next.

For more information, see the Open Client Client Library C Reference Manual.

The trusted roots file

The list of known and trusted CAs is maintained in the trusted roots file. The trusted roots file is similar in format to a certificate file, except that it contains certificates for CAs known to the entity (client applications, servers, network resources, and so on). The System Security Officer adds and deletes trusted CAs using a standard ASCII-text editor.

The application program specifies the location of the trusted roots file using the TrustedFile=<trusted file path> property in the ConnectString. A trusted roots file containing the most widely used CAs (Thawte, Entrust, Baltimore, VeriSign and RSA) is installed as %SYBASE%\ini\trusted.txt. If the server’s certificate was issued by an internal CA, that CA’s certificate must be appended to this file (or to a copy that TrustedFile points at); conversely, a client only needs to trust the CAs that actually sign its servers’ certificates, so the shipped list can be reduced to those.
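The check in step 2 above and the layout of the trusted roots file, as an added example that is not part of the Sybase documentation: it uses the openssl command line to create a throw-away CA and a server certificate, builds a trusted roots file as concatenated PEM certificates (the same shape as trusted.txt), and shows that the server certificate is accepted only once its signing CA is present in that file. All file names, CN values, and the host and port in the closing comment are made up for the example.

```shell
#!/bin/sh
# Added example, not Sybase code: demonstrate why a server certificate is
# only accepted when its signing CA appears in the client's trusted roots
# file. Requires the openssl command-line tool. Names are illustrative.
set -eu

# Step 1 prerequisite: the server needs a CA-signed certificate.
# Create a self-signed root CA (key + certificate).
make_ca() {
    # $1 = output prefix, $2 = CA common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" >/dev/null 2>&1
}

# Issue a server certificate signed by that CA. The server's certificate
# file in ASE terms would be $2.crt together with $2.key.
make_server_cert() {
    # $1 = CA prefix, $2 = output prefix, $3 = server common name
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$2.key" -out "$2.csr" -subj "/CN=$3" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$2.csr" \
        -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
        -out "$2.crt" >/dev/null 2>&1
}

# Step 2: the client trusts only the CAs in its trusted roots file.
# The file is plain concatenated PEM, so adding a CA is appending its cert,
# which is exactly what the SSO does with a text editor.
add_trusted_root() {
    # $1 = trusted roots file, $2 = CA certificate (PEM)
    cat "$2" >> "$1"
}

# Returns 0 when the server cert chains to a CA in the trusted roots file,
# non-zero otherwise. This mirrors the decision the SSL handshake makes.
cert_is_trusted() {
    # $1 = trusted roots file, $2 = server certificate
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

demo() {
    work=$(mktemp -d)
    make_ca "$work/ourca" "Example Corp Root CA"
    make_ca "$work/otherca" "Unrelated Root CA"
    make_server_cert "$work/ourca" "$work/server" "ase1.example.com"

    # trusted.txt lists only an unrelated CA: the handshake would fail.
    : > "$work/trusted.txt"
    add_trusted_root "$work/trusted.txt" "$work/otherca.crt"
    if cert_is_trusted "$work/trusted.txt" "$work/server.crt"; then
        echo "unexpected: accepted without the signing CA in trusted.txt"
    else
        echo "rejected: signing CA not in trusted roots file"
    fi

    # The SSO appends our CA: now the chain verifies.
    add_trusted_root "$work/trusted.txt" "$work/ourca.crt"
    if cert_is_trusted "$work/trusted.txt" "$work/server.crt"; then
        echo "accepted: server cert chains to a CA in trusted roots file"
    fi
    rm -rf "$work"
}

demo

# Against a live SSL-enabled ASE listener the equivalent check is
#   openssl s_client -connect ase1.example.com:5000 -CAfile trusted.txt </dev/null
# where "Verify return code: 0 (ok)" means the presented certificate chains
# to a CA in the file you will hand to the provider via TrustedFile=.
```

The file passed as -CAfile here plays the role of the path given in TrustedFile=; if the openssl check fails against it, the ADO.NET connection will fail the same way, and the fix is on the trust side (add the right CA), not on the application side.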