To administer SSL and certificates in Adaptive Server, use sp_ssladmin. sso_role is required to execute the stored procedure.
Use sp_ssladmin to:
Add local server certificates. You can add certificates and specify the password used to encrypt private keys, or require input of the password at the command line during start-up.
Delete local server certificates.
List server certificates.
The syntax for sp_ssladmin is:
sp_ssladmin {[addcert, certificate_path [, password|NULL]] [dropcert, certificate_path] [lscert] [help]}
For example:
sp_ssladmin addcert, "/sybase/ASE-12_5/certificates/Server1.crt", "mypassword"
This adds an entry for the local server, Server1.crt, to the certificates file at the absolute path /sybase/ASE-12_5/certificates (x:\sybase\ASE-12_5\certificates on Windows). The private key is encrypted with the password “mypassword”. The password must be the one specified when you created the private key.
Before accepting the certificate, sp_ssladmin verifies that:
The private key can be decrypted using the provided password (except when NULL is specified).
The private key and public key in the certificate match.
The certificate chain, from root CA to the server certificate, is valid.
The common name in the certificate matches the common name in the interfaces file.
If the common names do not match, sp_ssladmin issues a warning. If any of the other criteria fail, the certificate is not added to the certificates file.
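The four checks above can be reproduced with the openssl command line before the certificate file is ever handed to sp_ssladmin, which is useful when a failed addcert gives little detail. The script below is an added example and not part of the ASE documentation or product. It assumes a PEM certificate file laid out as the server certificate followed by its encrypted RSA private key, a separate PEM file holding the root CA certificate, and that the expected common name is passed in explicitly (sp_ssladmin reads it from the interfaces file); the 64-character password limit is the one stated on this page. The build_sample_certs and demo functions generate throwaway test material and are not anything ASE ships.

```shell
#!/bin/sh
# Added example (not from the ASE documentation): a pre-flight check that
# mirrors what sp_ssladmin addcert verifies, using the openssl CLI.
# Assumed layout (not stated on the page): the certificate file holds the
# server certificate followed by its encrypted RSA private key, in PEM.

# precheck_cert CERT_FILE CA_FILE EXPECTED_CN PASSWORD
# Returns 0 when all hard checks pass. A common-name mismatch only prints
# a warning and still returns 0, matching sp_ssladmin's behaviour.
precheck_cert() {
    cert="$1"; ca="$2"; expected_cn="$3"; pw="$4"

    # Adaptive Server limits the private-key password to 64 characters.
    if [ "${#pw}" -gt 64 ]; then
        echo "FAIL: password longer than 64 characters" >&2
        return 1
    fi

    # 1. The private key must decrypt with the supplied password.
    #    Only the PRIVATE KEY PEM block is fed to openssl rsa.
    key_mod=$(sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' "$cert" |
              openssl rsa -passin "pass:$pw" -noout -modulus 2>/dev/null) || {
        echo "FAIL: private key does not decrypt with the given password" >&2
        return 1
    }

    # 2. The private key must belong to the certificate (same RSA modulus).
    cert_mod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null) || {
        echo "FAIL: cannot read certificate from $cert" >&2
        return 1
    }
    if [ "$key_mod" != "$cert_mod" ]; then
        echo "FAIL: private key does not match the certificate" >&2
        return 1
    fi

    # 3. The chain from the root CA to the server certificate must verify.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: certificate chain does not verify against $ca" >&2
        return 1
    fi

    # 4. Common-name mismatch is a warning only, as with sp_ssladmin.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null |
         sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" != "$expected_cn" ]; then
        echo "WARN: certificate CN '$cn' differs from expected '$expected_cn'" >&2
    fi
    return 0
}

# build_sample_certs DIR PASSWORD
# Constructed test material: a throwaway root CA and a server certificate
# for CN=Server1 whose key is encrypted with PASSWORD. Writes DIR/Server1.crt
# in the assumed "certificate then encrypted key" layout.
build_sample_certs() {
    dir="$1"; pw="$2"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null &&
    openssl req -x509 -new -key "$dir/ca.key" -subj "/CN=Example Root CA" \
        -days 1 -out "$dir/ca.crt" 2>/dev/null &&
    openssl genrsa -aes256 -passout "pass:$pw" -out "$dir/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/server.key" -passin "pass:$pw" -subj "/CN=Server1" \
        -out "$dir/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/server.crt" 2>/dev/null &&
    cat "$dir/server.crt" "$dir/server.key" > "$dir/Server1.crt"
}

# demo: generate sample material, run the check once with the right
# password, clean up, and return the check's status.
demo() {
    tmp=$(mktemp -d) || return 1
    if build_sample_certs "$tmp" mypassword &&
       precheck_cert "$tmp/Server1.crt" "$tmp/ca.crt" Server1 mypassword; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh precheck.sh demo` to exercise the generated sample, or source it and call precheck_cert against your own certificate file, CA file, the server name from the interfaces file and the password you intend to give sp_ssladmin. Feeding only the PRIVATE KEY block to openssl rsa keeps the first check independent of how the certificate block happens to be ordered in the file.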
WARNING! Adaptive Server limits passwords to 64 characters. In addition, certain platforms restrict the length of valid passwords when creating server certificates. Select a password within these limits:
Sun Solaris – both 32- and 64-bit platforms, maximum 256 characters.
Linux – 128 characters.
IBM – both 32- and 64-bit platforms, 32 characters.
HP – both 32- and 64-bit platforms, 8 characters.
Digital UNIX – 80 characters.
Windows NT – 256 characters.
The use of NULL as the password is intended to protect passwords during the initial configuration of SSL, before the SSL-encrypted session begins. Since you have not yet configured SSL, the password would travel unencrypted over the connection. You can avoid this by specifying the password as NULL during the first login.
When NULL is the password, you must start dataserver with a -y flag, which prompts the administrator for the private-key password at the command line.
After restarting Adaptive Server with an SSL connection established, use sp_ssladmin again, this time using the actual password. The password is then encrypted and stored by Adaptive Server. Any subsequent starts of Adaptive Server from the command line use the encrypted password; you do not have to specify the password on the command line during start-up.
An alternative to using a NULL password during the first login is to avoid a remote connection to Adaptive Server via isql. You can specify “localhost” as the hostname in the interfaces file (sql.ini on Windows) to prevent clients from connecting remotely. Only a local connection can be established, so the password is never transmitted over a network connection.
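The bootstrap sequence described in the preceding paragraphs, written out as the isql statements and the one shell step in the order they are run. This is an added example, not text from the ASE documentation; the certificate path and password are the placeholders used earlier on this page, and the dataserver start-up options other than -y are deliberately left unspecified.

```sql
-- Added example (not from the ASE documentation): first-time SSL set-up
-- with sp_ssladmin. Path and password are placeholders from this page.

-- Session 1: SSL is not configured yet, so this connection is in clear.
-- Either connect locally ("localhost" in the interfaces file) or, as here,
-- register the certificate with a NULL password so no secret is sent.
sp_ssladmin addcert, "/sybase/ASE-12_5/certificates/Server1.crt", NULL
go
-- confirm the entry was recorded
sp_ssladmin lscert
go

-- Shell, not isql: restart Adaptive Server with -y so dataserver prompts
-- for the private-key password on the command line:
--   dataserver -y <your usual start-up options>

-- Session 2: now over the SSL connection, supply the real password.
-- Adaptive Server stores it encrypted; later restarts need neither -y
-- nor the password on the command line.
sp_ssladmin addcert, "/sybase/ASE-12_5/certificates/Server1.crt", "mypassword"
go
```

The NULL form is only a stop-gap for the one unencrypted session; once the second addcert has run, the stored encrypted password replaces the interactive prompt for all subsequent start-ups.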