The SSL protocol requires server authentication via a server certificate to enable an encrypted session. Likewise, when Adaptive Server is functioning as a client during RPCs, there must be a repository of trusted CAs that the client connection can access to validate the server certificate.
Each Adaptive Server must have its own server certificate file that is loaded at start-up. The following is the default location for the certificate file, where servername is the name of the Adaptive Server as specified on the command line during start-up with the -s flag, or from the environment variable $DSLISTEN:
UNIX – $SYBASE/$SYBASE_ASE/certificates/servername.crt
NT – %SYBASE%\%SYBASE_ASE%\certificates\servername.crt
The server certificate file consists of encoded data, including the server’s certificate and the encrypted private key for the server certificate.
Alternatively, you can specify the location of the server certificate file when using sp_ssladmin.
To make a successful client connection, the common name in the certificate must match the Adaptive Server name in the interfaces file.
The list of trusted CAs is loaded by Adaptive Server at start-up from the trusted roots file. The trusted roots file is similar in format to a certificate file, except that it contains certificates for CAs known to Adaptive Server. The local Adaptive Server accesses its trusted roots file at the following location, where servername is the name of the server:
UNIX – $SYBASE/$SYBASE_ASE/certificates/servername.txt
NT – %SYBASE%\%SYBASE_ASE%\certificates\servername.txt
The trusted roots file is used by Adaptive Server only when it is functioning as a client, such as when performing remote procedure calls (RPCs) or Component Integration Services (CIS) connections.
The System Security Officer adds and deletes CAs that are to be accepted by Adaptive Server, using a standard ASCII-text editor.
WARNING! Use the System Security Officer role (sso_role) within Adaptive Server to restrict access and execution on security-sensitive objects.
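The following pre-start check is an added example, not part of the original documentation or of Adaptive Server's tools. It builds the default file locations given above and checks that the certificate file holds a certificate with an encrypted private key and that the trusted roots file holds only CA certificates. It assumes both files are PEM-encoded; the function names and sample contents are constructed for illustration.

```python
import os
import re

# One PEM block: group 1 is the label, group 2 the body (optional headers + base64).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def default_paths(servername=None, env=None, windows=False):
    """Return (certificate file, trusted roots file) at the default locations."""
    env = os.environ if env is None else env
    name = servername or env.get("DSLISTEN")  # value of -s, else $DSLISTEN
    if not name:
        raise ValueError("server name not given and DSLISTEN is not set")
    sep = "\\" if windows else "/"
    base = sep.join([env["SYBASE"], env["SYBASE_ASE"], "certificates", name])
    return base + ".crt", base + ".txt"

def pem_kinds(text):
    """Classify PEM blocks as 'cert', 'encrypted-key' or 'plain-key'."""
    kinds = []
    for label, body in PEM_BLOCK.findall(text):
        # PKCS#8 encrypted keys use their own label; legacy keys carry a Proc-Type header.
        encrypted = label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body
        if label == "CERTIFICATE":
            kinds.append("cert")
        elif label.endswith("PRIVATE KEY"):
            kinds.append("encrypted-key" if encrypted else "plain-key")
    return kinds

def audit(cert_text, roots_text):
    """Return a list of findings; an empty list means both files look as described."""
    findings = []
    cert, roots = pem_kinds(cert_text), pem_kinds(roots_text)
    if "cert" not in cert:
        findings.append("certificate file: no server certificate")
    if "plain-key" in cert:
        findings.append("certificate file: private key is not encrypted")
    elif "encrypted-key" not in cert:
        findings.append("certificate file: no private key")
    if "cert" not in roots:
        findings.append("trusted roots file: no CA certificates")
    if any(k.endswith("key") for k in roots):
        findings.append("trusted roots file: contains a private key")
    return findings

# Constructed sample contents; the bodies are placeholders, not real certificates or keys.
SAMPLE_ROOTS = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
SAMPLE_CERT = SAMPLE_ROOTS + (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nPLACEHOLDER\n-----END ENCRYPTED PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(audit(SAMPLE_CERT, SAMPLE_ROOTS) or "no findings")
```

The check is structural only: it does not decode the certificate, so the common name still has to be compared with the server name in the interfaces file separately.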
Adaptive Server provides tools to generate a certificate request and to authorize certificates. See “Using Adaptive Server tools to request and authorize certificates”.