Setting up SSL on the UNIX server

Note: The following procedure to provide SSL encryption and to authenticate clients is not valid for the ECDA Option for Oracle. Refer to the Enterprise Connect Data Access Option for Oracle Server Administration and Users Guide.

SSL provides encryption of data sent over the network and authenticates clients and their passwords using digital certificates. To set up SSL on a UNIX DirectConnect server, you need:

Note: ECDA 15.0 does not support transfer to and transfer from on SSL-enabled Adaptive Server servers.

Steps: To create the certificate of authority files

  1. Set up the Sybase environment variables:

    source /<install_dir>/DC-15_0/DC_SYBASE.csh (or DC_SYBASE.sh)
    

    Note: If you have previously created or obtained the certificate of authority files, skip steps 2-5.

  2. Change to the Sybase Open Client/Server™ bin directory to run the SSL utilities:

    cd /<install_dir>/DC-15_0/bin
    
  3. Create the Certificate of Authority (CA) input file, CA.in. Enter the parameters for the CA certificate that you are going to use with the certreq utility, as shown (for the parameters, refer to the certreq section of the ASE Utilities Guide):

    vi CA.in
    req_certtype=Server
    req_keytype=RSA
    req_keylength=512
    req_country=US
    req_state=CO
    req_locality=Boulder
    req_organization=Sybase
    req_orgunit=Security
    req_commonname=CA
    
  4. Create a private key file and a certificate request file for the CA certificate:

    prompt% certreq -F CA.in -R CA_req.txt -K CA_pkey.txt -P yourcapassword
    

    The following message appears:

    Generating key pair (please wait)...
    
  5. Create the public key file trusted.txt by signing the CA_req.txt request file with the CA private key file:

    prompt% certauth -r -C CA_req.txt -Q CA_req.txt -K CA_pkey.txt -P yourcapassword -T 365 -O trusted.txt
    
    -- Sybase Test Certificate Authority Utility --
    Certificate Validity:
          startDate = Thu Mar 02 09:56:43 2008
          endDate = Fri Mar 20 09:58:10 2009
    Setting serial number 0x1w7d236819a91a32
    Could not sign certificate using signature type 20, error 'No error string returned.' (3000).
    Could not sign certificate using signature type 22, error 'No error string returned.' (3000).
    CA sign certificate SUCCEED using signature type 2, return 'SSLNoErr' (0).
    

Steps: To create the certificate of authority files specific to the DirectConnect server and service

Note: In UNIX, the name of the server and service must be the same.

  1. Enter the input parameters for the service certificate request in the DC.in file. (For the parameters, refer to the ASE utilities documentation for certreq.)

    prompt% vi DC.in

    req_certtype=Server
    req_keytype=RSA
    req_keylength=512
    req_country=US
    req_state=CO
    req_locality=Boulder
    req_organization=Sybase
    req_orgunit=Database
    req_commonname=servicename
    
  2. Create private key and certificate request files for the service:

    prompt% certreq -F DC.in -R servicename_req.txt 
    -K servicename_pkey.txt -P yourdcpassword
    
  3. Create the public key file <servicename>.crt by signing the <servicename>_req.txt request file with the CA private key file, using trusted.txt as the CA certificate:

    prompt% certauth -C trusted.txt -Q servicename_req.txt -K CA_pkey.txt -P yourcapassword -T 180 -O servicename.crt
    

    The following appears:

    -- Sybase SSL Certificate Authority Utility --
    Certificate Validity:
          startDate = Wed May 28 11:51:53 2008
          endDate = Mon Nov 24 10:51:53 2008
    setting serial number 0xffff940cffff8cb11ab
    Could not sign certificate using signature type 20, error 'No error string returned.' (3000).
    Could not sign certificate using signature type 22, error 'No error string returned.' (3000).
    CA sign certificate SUCCEED using signature type 2, return 'SSLNoErr' (0).
    
  4. Append the service name private key file to the signed service name public key file:

    prompt% cat servicename_pkey.txt >> servicename.crt
    
  5. Verify that the private key file has been appended by displaying the combined file:

    prompt% cat servicename.crt
    
  6. Copy the trusted.txt file to the <servicename>.txt file:

    prompt% cp trusted.txt servicename.txt
    
  7. Use the pwdcrypt utility to create an encrypted copy of the certificate password, which the server uses to establish SSL connections:

    prompt% pwdcrypt
    

    At the prompts, enter the password to be encrypted and then enter it again; pwdcrypt then displays the encrypted form, similar to the following example:

    Note: The password you enter is not visible. This is your yourcapassword.

    Enter password again:
    The encrypted password:
    0x018c2e0ea8cfc44513e8ff06f3a1b20825288d0ae1ce79268d0e8669313d1bc4c70c
    
  8. Put the encrypted password string from the previous step into the servicename.pwd file:

    prompt% vi servicename.pwd
    
  9. Copy the trusted.txt file to the srvname.txt file:

    cp trusted.txt srvname.txt
    
  10. List the files and verify that all of the following are present:

    prompt% ls
    
    CA.in
    CA_pkey.txt
    CA_req.txt
    
    servicename.crt
    servicename.pwd
    servicename.txt
    servicename_pkey.txt
    servicename_req.txt
    srvname.txt
    trusted.txt
    

Steps: To create the certificates directory, enable SSL, and verify the ECDA log files

Note: In the following steps, the DirectConnect server name and service name must be the same.

  1. Create a directory to hold the certificates:

    mkdir /<install_dir>/DC-15_0/servers/<srvname>/certificates
    
  2. Copy the servicename.crt, servicename.pwd, servicename.txt, and srvname.txt files, and trusted.txt, into the certificates directory created in the previous step:

    cp /<install_dir>/DC-15_0/bin/servicename.* /<install_dir>/DC-15_0/servers/<srvname>/certificates/.
    
    cp /<install_dir>/DC-15_0/bin/srvname.txt /<install_dir>/DC-15_0/servers/<srvname>/certificates/.
    
    cp /<install_dir>/DC-15_0/bin/trusted.txt /<install_dir>/DC-15_0/servers/<srvname>/certificates/.
    
  3. Verify that the files are copied by listing the contents of the certificates directory:

    prompt% cd /<install_dir>/DC-15_0/servers/<srvname>/certificates
    
    prompt% ls
    
    servicename.crt
    servicename.pwd
    servicename.txt
    
    srvname.txt
    trusted.txt
    
  4. Edit the server.cfg file to enable the SSL service:

    • In the SSLServices property, enter the name of the service that is going to use SSL.

    • Enter yes in the SSLEnabled property to enable the SSL feature:

    cd /<install_dir>/DC-15_0/servers/<srvname>/cfg
    
    vi server.cfg
    
    {Client Interaction}
    SSLServices=servicename
    SSLEnabled=yes
    
  5. Display server.cfg and, among the many properties shown, verify that the logging properties are set correctly and match the following:

    prompt% cat server.cfg
    
    {Logging}
    LogWrap=yes
    LogToScreen=yes
    LogOCOSMessages=1
    LogFlush=yes
    LogFileSize=500000
    LogFileName=
    LogClientMessages=1
    LogClientLogin=yes
    
  6. Append "ssl" to the master and query entries for the server in the interfaces file:

    cd <install_dir>
    vi interfaces
    
    <srvname>
    	master tcp ether <machine name> 12510 ssl
    	query tcp ether <machine name> 12510 ssl
    
  7. Start ECDA by entering the following:

    cd /<install_dir>/DC-15_0/bin
    prompt% DCStart -S<srvname>
    
  8. Verify that the following log file entries are in the /<install_dir>/DC-15_0/servers/<srvname>/log/<srvname>.log file:

    LogHeader	...SSL: Checking for servicename.txt...
    LogHeader	...SSL: Using trusted CA file...
    LogHeader	...SSL: Checking for servicename.crt...
    LogHeader	...SSL: Using certificate file...
    LogHeader	...SSL: Checking for servicename.pwd...
    LogHeader	...SSL: Using certificate password file...
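The following script is added here and is not part of the Sybase manual. It re-checks the end state of the three procedures above in one pass: the contents of the certificates directory, the server.cfg and interfaces entries, and the six SSL log lines from step 8, plus one check the manual does not spell out, that the file holding the private key and the encrypted password file are not readable by other users. It assumes the directory layout shown on this page (/<install_dir>/interfaces and /<install_dir>/DC-15_0/servers/<srvname>/...) and builds a constructed sample tree under the hypothetical server and service name DCSRV1 so that it can be run offline.

```sh
#!/bin/sh
# Added example (not from the Sybase manual). Assumed layout, as on this page: <install_dir>/interfaces
# and <install_dir>/DC-15_0/servers/<srvname>/{certificates, cfg/server.cfg, log/<srvname>.log}.
# Usage: check_ecda_ssl <install_dir> <srvname> <servicename>; returns 0 only when every check passes.
check_ecda_ssl() {
  inst=$1; srv=$2; svc=$3; rc=0
  dir="$inst/DC-15_0/servers/$srv"; certs="$dir/certificates"
  # certificates directory: all five files present and non-empty
  for f in "$svc.crt" "$svc.pwd" "$svc.txt" "$srv.txt" trusted.txt; do
    [ -s "$certs/$f" ] || { echo "missing: $certs/$f"; rc=1; }
  done
  # servicename.crt must hold the signed certificate with the private key appended after it
  grep -q 'BEGIN CERTIFICATE' "$certs/$svc.crt" 2>/dev/null || { echo "no certificate in $svc.crt"; rc=1; }
  grep -q 'PRIVATE KEY' "$certs/$svc.crt" 2>/dev/null || { echo "private key not appended to $svc.crt"; rc=1; }
  # the key and the encrypted password must not be readable by other users (ls output is portable, stat is not)
  for f in "$svc.crt" "$svc.pwd"; do
    [ "$(ls -ld "$certs/$f" 2>/dev/null | cut -c8-10)" = "---" ] || { echo "$f is readable by others"; rc=1; }
  done
  # server.cfg: SSL enabled and this service listed
  cfg="$dir/cfg/server.cfg"
  grep -q '^SSLEnabled=yes$' "$cfg" 2>/dev/null || { echo "SSLEnabled=yes not set in $cfg"; rc=1; }
  grep -q "^SSLServices=.*$svc" "$cfg" 2>/dev/null || { echo "$svc not listed in SSLServices"; rc=1; }
  # interfaces: both the master and the query entry under this server name end with ssl
  awk -v s="$srv" '$0==s{b=1;next} b&&/^[^ \t]/{b=0} b&&($1=="master"||$1=="query"){n++;if($NF=="ssl")k++}
      END{exit (n==2&&k==2)?0:1}' "$inst/interfaces" 2>/dev/null || { echo "interfaces: master/query entries lack ssl"; rc=1; }
  # server log: the six SSL start-up lines listed in step 8
  for p in "Checking for $svc.txt" "Using trusted CA file" "Checking for $svc.crt" \
           "Using certificate file" "Checking for $svc.pwd" "Using certificate password file"; do
    grep -q "SSL: $p" "$dir/log/$srv.log" 2>/dev/null || { echo "log: no '$p' entry"; rc=1; }
  done
  return $rc
}

# Constructed sample tree with placeholder file contents (hypothetical name DCSRV1 for both server
# and service, since UNIX requires them to be the same) so the check can be run offline.
make_sample_tree() {
  inst=$1; srv=$2; d="$inst/DC-15_0/servers/$srv"
  mkdir -p "$d/certificates" "$d/cfg" "$d/log"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...' '-----END CERTIFICATE-----' \
    '-----BEGIN RSA PRIVATE KEY-----' 'MIIC...' '-----END RSA PRIVATE KEY-----' > "$d/certificates/$srv.crt"
  printf '0x018c2e0ea8cf\n' > "$d/certificates/$srv.pwd"
  echo 'placeholder CA certificate' > "$d/certificates/trusted.txt"
  cp "$d/certificates/trusted.txt" "$d/certificates/$srv.txt"
  chmod 600 "$d/certificates/$srv.crt" "$d/certificates/$srv.pwd"
  printf '{Client Interaction}\nSSLServices=%s\nSSLEnabled=yes\n' "$srv" > "$d/cfg/server.cfg"
  printf '%s\n\tmaster tcp ether host1 12510 ssl\n\tquery tcp ether host1 12510 ssl\n' "$srv" > "$inst/interfaces"
  for p in "Checking for $srv.txt" "Using trusted CA file" "Checking for $srv.crt" "Using certificate file" \
           "Checking for $srv.pwd" "Using certificate password file"; do printf 'LogHeader\t...SSL: %s...\n' "$p"; done > "$d/log/$srv.log"
}
```

Run check_ecda_ssl against a real install by passing its <install_dir> and server name; every failed check prints one line and the exit status is non-zero.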