WARNING! Only one SSL-enabled access service can run on a DirectConnect server. This is due to restrictions of Open Server, which allows only one SSL certificate in a program. Open Client requires the name in the certificate to match the name to which Open Client requested a connection.
Although you can configure ECDA or Mainframe Connect to accept both SSL and non-SSL connections (for example, non-SSL access services and one SSL access service in the same ECDA or Mainframe Connect), Sybase recommends using only one SSL access service. This prevents a user who connects through a secured port from accessing data over an unsecured transport medium.
To set up SSL to provide encryption of data sent over the network, and to authenticate clients and their passwords using digital certificates, the following tasks are required:
To create the certificate of authority files for the specific DirectConnect server and service
To create a certificates directory, enable SSL, and verify the log files
ECDA or Mainframe Connect 15.0 does not support “transfer to” and “transfer from” SSL-enabled ASE servers.
In the procedures that follow, substitute the variables as follows:
servicename is your service’s name.
srvname is your server’s name.
yourcapassword is the password you created.
In addition, the C drive will be used as the installation drive in these examples.
To create the certificate of authority files
If you have previously created or obtained a certificate of authority, skip steps 2 through 6.
Set the environment by running the DC_SYBASE.bat batch file from a command window:
C:\<install_dir>\DC-15_0\DC_SYBASE.bat
where install_dir is the directory for your installation. For example:
C:\sybase\DC-15_0\DC_SYBASE.bat
Create the Certificate Authority (CA) input file, CA.in. (Refer to the ASE Utilities Guide for the certreq parameters.) Change to the bin directory:
cd C:\<install_dir>\DC-15_0\bin
Using a text editor such as Notepad, create a file called CA.in and enter the parameters for the CA certificate that you are going to use with the certreq utility, one parameter per line:
req_certtype=Server
req_keytype=RSA
req_keylength=512
req_country=US
req_state=CO
req_locality=Boulder
req_organization=Sybase
req_orgunit=Security
req_commonname=CA
Save the file.
Create the private key file and a certificate request file for the CA certificate, protecting the private key with yourcapassword:
certreq -F CA.in -R CA_req.txt -K CA_pkey.txt -P yourcapassword
This message appears:
Generating key pair (please wait)...
Create a public key file named trusted.txt by using the CA_req.txt request file with the CA private key file to sign the certificate (the -r option creates a self-signed root CA certificate, valid here for 365 days):
certauth -r -C CA_req.txt -Q CA_req.txt -K CA_pkey.txt -P yourcapassword -T 365 -O trusted.txt
Following is an example of the expected output. The two “Could not sign certificate” messages for signature types 20 and 22 are part of the expected output; the final line confirms that the certificate was signed:
-- Sybase Test Certificate Authority Utility --
-- Certificate Validity:
startDate = Thu Mar 02 09:56:43 2008
endDate = Fri Mar 20 09:58:10 2009
Setting serial number Ox1w7d236819a91a32
Could not sign certificate using signature type 20, error ‘No error string returned.’ (3000).
Could not sign certificate using signature type 22, error ‘No error string returned.’ (3000)
CA sign certificate SUCCEED using signature type 2, return ‘SSLNoErr’ (0).
To create the certificate of authority files for the specific DirectConnect server and service
Enable SSL and identify the name of the access service using the SSLEnabled and SSLServices properties.
From C:\<install_dir>\DC-15_0\bin, use a text editor to create the DC.in file. (Refer to the ASE Utilities Guide for the certreq parameters.) Enter the parameters one per line, with req_commonname set to the name of the access service:
notepad DC.in
req_certtype=Server
req_keytype=RSA
req_keylength=512
req_country=US
req_state=CO
req_locality=Boulder
req_organization=Sybase
req_orgunit=Database
req_commonname=servicename
Save the file.
Create private key and certificate request files for the service by entering the following, on one line:
certreq -F DC.in -R servicename_req.txt -K servicename_pkey.txt -P yourdcpassword
Create a public key file (<servicename>.crt) by using the <servicename>_req.txt request file with the CA private key file to sign the service certificate (valid here for 180 days). Enter the following on one line:
certauth -C trusted.txt -Q servicename_req.txt -K CA_pkey.txt -P yourcapassword -T 180 -O servicename.crt
Here is an example of the expected result:
Setting environment variables for this install....
Using DC_SYBASE.bat Environment file from: C:\Sybase\DC-15_0\bin...
1 file(s) copied.
-- Sybase SSL Certificate Authority Utility --
Certificate Validity:
startDate = Thu Mar 20 10:21:41 2008
endDate = Tue Sep 16 11:21:41 2008
Setting serial number 0x31ab52626efa122f
Could not sign certificate using signature type 20, error ‘No error string returned.’ (3000).
Could not sign certificate using signature type 22, error ‘No error string returned.’ (3000)
CA sign certificate SUCCEED using signature type 2, return ‘SSLNoErr’ (0).
Append the service private key file to the signed <servicename> public key file, so that servicename.crt holds both the certificate and its private key:
type servicename_pkey.txt >> servicename.crt
Copy the trusted.txt file to the <servicename>.txt file:
copy trusted.txt servicename.txt
Using the pwdcrypt utility, create an encrypted password that the server uses to establish an SSL connection. The password you type is not displayed; this is your yourcapassword. The utility prompts for it twice and prints the encrypted form:
pwdcrypt
Enter password please:
Enter password again:
The encrypted password: 0x018c2e0ea8cfc44513e8ff06f3a1b20825288d0ae1ce79268d0e8669313d1bc4c70c
From the bin directory, write the encrypted password from the previous step into the servicename.pwd file. Enter this on one line:
ECHO encrypted_password>servicename.pwd
WARNING! In the previous command, do not insert a space between encrypted_password, the redirection symbol “>” and the servicename.pwd file name. ECHO writes any such space into the file, and servicename.pwd would then no longer contain a valid password.
Copy the trusted.txt file to the srvname.txt file:
copy trusted.txt srvname.txt
Verify that the following files are present in the C:\<install_dir>\DC-15_0\bin directory:
CA_pkey.txt
CA_req.txt
servicename.txt
servicename_pkey.txt
servicename_req.txt
srvname.txt
trusted.txt
DC.in
servicename.crt
servicename.pwd
To create a certificates directory, enable SSL, and verify the log files
Create a directory to hold the certificates:
C:\<install_dir>\DC-15_0\servers\<srvname>\certificates
Copy the servicename.crt, servicename.pwd, servicename.txt, and srvname.txt files into the new certificates directory created in step 1:
copy C:\<install_dir>\DC-15_0\bin\servicename.* C:\<install_dir>\DC-15_0\servers\<srvname>\certificates
copy C:\<install_dir>\DC-15_0\bin\srvname.txt C:\<install_dir>\DC-15_0\servers\<srvname>\certificates
Verify that the files are copied by listing the contents of the certificates directory:
cd C:\<install_dir>\DC-15_0\servers\<srvname>\certificates
dir
If successful, the following files are displayed:
servicename.crt
servicename.pwd
servicename.txt
srvname.txt
Change directory to C:\<install_dir>\DC-15_0\servers\server.css.cfg.
Using a text editor like Notepad, edit the server.cfg file to enable the SSL service:
Set the SSLTrustedCertificateFile property to the path of the certificates directory, for example:
SSLTrustedCertificateFile=C:\Sybase\DC-15_0\servers\dkxpsrv\certificates
In the {Client Interaction} section, enter the name of the service that is going to use SSL in the SSLServices property:
{Client Interaction}
SSLServices=servicename
Enter yes in the SSLEnabled property to enable the SSL feature:
SSLEnabled=yes
Verify that the logging properties are set correctly and match the following:
(Logging)
LogWrap=yes
LogToScreen=yes
LogOCOSMessages=1
LogFlush=yes
LogFileSize=500000
LogFileName=
LogClientMessages=1
LogClientLogin=yes
Save the server.cfg file.
Append “ssl” to the MASTER and Query entries for the server in the sql.ini file using a text editor, for example:
cd C:\<install_dir>\ini
notepad sql.ini
[srvname]
MASTER = NLWNSCK, machine name, port, ssl
Query = NLWNSCK, machine name, port, ssl
Save the sql.ini file.
Start the server:
C:\<install_dir>\DC-15_0\bin\DCStart -Ssrvname
Verify that the following log entries are in the C:\<install_dir>\DC-15_0\servers\<srvname>\log\<srvname>.log file:
LogHeader ...SSL:Checking for servicename.txt...
LogHeader ...SSL:Using trusted CA file...
LogHeader ...SSL:Checking for servicename.crt...
LogHeader ...SSL:Using certificate file...
LogHeader ...SSL:Checking for servicename.pwd...
LogHeader ...SSL:Using certificate password file...
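The following script is an added example, not part of the Sybase documentation or product. Before starting the server, it checks the artifacts the three procedures above produce: that servicename.pwd holds exactly the pwdcrypt token with no stray space (the case the ECHO warning describes), that the four files are present in the certificates directory, and that server.cfg carries SSLEnabled, SSLServices and SSLTrustedCertificateFile. The service name dcsvc is a placeholder for servicename, dkxpsrv stands in for srvname, and the sample inputs are constructed.

```python
# Pre-flight checks for the files and properties the procedure above produces.
# Added example, not Sybase code. It assumes server.cfg uses Key=Value lines under
# {Section} headers, as shown above; sample inputs below are constructed.
import re

def check_pwd(text):
    """servicename.pwd must hold only the pwdcrypt token. 'ECHO pwd >file' typed
    with a space before '>' stores 'pwd ' and the server then reads a wrong password."""
    body = text.rstrip("\r\n")                  # ECHO's own CRLF is harmless
    problems = []
    if body != body.strip():
        problems.append("stray whitespace around the encrypted password")
    if not re.fullmatch(r"0x[0-9a-fA-F]+", body.strip()):
        problems.append("not a single pwdcrypt 0x... token")
    return problems

def check_cert_dir(names, servicename, srvname):
    """Files still missing from servers\\<srvname>\\certificates."""
    required = {servicename + ext for ext in (".crt", ".pwd", ".txt")}
    required.add(srvname + ".txt")
    return sorted(required - set(names))

def check_server_cfg(text, servicename):
    """SSLEnabled=yes, SSLServices naming the service, SSLTrustedCertificateFile set."""
    props = {}
    for line in text.splitlines():
        line = re.sub(r"^\s*[\{\(\[][^\}\)\]]*[\}\)\]]", "", line)  # drop {Section}
        if "=" in line:
            key, val = line.split("=", 1)
            props[key.strip()] = val.strip()
    problems = []
    if props.get("SSLEnabled", "").lower() != "yes":
        problems.append("SSLEnabled is not yes")
    if servicename not in [s.strip() for s in props.get("SSLServices", "").split(",")]:
        problems.append("SSLServices does not name " + servicename)
    if not props.get("SSLTrustedCertificateFile"):
        problems.append("SSLTrustedCertificateFile not set")
    return problems

# Constructed samples: a pwd file written by cmd.exe when a space was typed before
# '>' (the case the WARNING above describes) and a minimal server.cfg fragment.
SAMPLE_PWD_WITH_SPACE = "0x018c2e0ea8cfc44513e8ff06 \r\n"
SAMPLE_SERVER_CFG = ("{Client Interaction}SSLServices=dcsvc\nSSLEnabled=yes\n"
                     "SSLTrustedCertificateFile=C:\\Sybase\\DC-15_0\\servers\\dkxpsrv\\certificates\n")
```

Run the checks against the real files under C:\<install_dir>\DC-15_0\servers\<srvname> after step 2 of the last procedure; an empty list from each function means that part of the setup matches what the log entries above expect.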