WARNING! Only one SSL-enabled access service can run on a DirectConnect server. This is a restriction of Open Server, which allows only one SSL certificate per program. Open Client also requires the name in the certificate to match the name to which it requested a connection.
Although you can configure ECDA to accept both SSL and non-SSL connections (for example, non-SSL access services alongside one SSL access service in the same ECDA), Sybase recommends using only the SSL access service. This prevents a user from using a secured port to access data over an unsecured transport medium.
To set up the ECDA Option for ODBC for SSL, so that data sent over the network is encrypted and clients and their passwords are authenticated using digital certificates, perform the following tasks:
To create the certificate authority files
To create the certificate authority files for the specific DirectConnect server and service
To create the ECDA certificates directory, enable SSL, and verify the log files
ECDA 15.0 does not support “transfer to” and “transfer from” SSL-enabled ASE servers.
To create the certificate authority files
Add the following directory to the PATH environment variable set in the C:\<install_dir>\DC-15_0\DC_SYBASE.bat file:
C:\<install_dir>\DC-15_0\OCS-15_0\lib3p
If you have previously created or obtained a certificate authority, skip steps 2-7.
Set the environment by running the following from a command window:
C:\<install_dir>\DC-15_0\DC_SYBASE.bat
Change to the bin directory, which contains the certreq utility:
cd C:\<install_dir>\DC-15_0\bin
Run the setsslreq utility (once only, and on Windows only) to set the SSL registry key information for Open Server.
Create the Certificate Authority (CA) CA.in file. (For the parameters, refer to the ASE Utilities Guide document for certreq.) Enter the parameters for the CA certificate that you are going to use with the certreq utility, as shown. The req_keylength=512 shown here is only the sample value: a 512-bit RSA key can be factored with modest resources, so use at least 2048 bits for any CA or service key that will protect real traffic.
C:\<install_dir>\DC-15_0\connectivity\OCS-15_0\bin> type CA.in
req_certtype=Server
req_keytype=RSA
req_keylength=512
req_country=US
req_state=CO
req_locality=Boulder
req_organization=Sybase
req_orgunit=Security
req_commonname=CA
Create the private key file and a certificate request file for the CA certificate:
C:\<install_dir>\DC-15_0\bin>certreq -F CA.in -R CA_req.txt -K CA_pkey.txt -P mycapassword
The following message appears:
Generating key pair (please wait)...
Self-sign the CA certificate request with the CA private key (certauth -r) to produce trusted.txt, the CA certificate that the server and its clients will trust:
C:\<install_dir>\DC-15_0\bin>certauth -r -C CA_req.txt -Q CA_req.txt -K CA_pkey.txt -P mycapassword -T 365 -O trusted.txt
-- Sybase Test Certificate Authority certauth\15.0.0.1\SWR 9988 IR\P\NT (IX86)\OS 4.0 \rel12501 \1773/32-bit\OPT\Sat Feb 16 07:18:45 2002 --
Certificate Validity:
startDate = Mon Apr 22 17:58:10 2002
endDate = Tue Apr 22 17:58:10 2003
CA sign certificate SUCCEED (0)
To create the certificate authority files for the specific DirectConnect server and service
Enable SSL and identify the name of the access service using the SSLEnabled and SSLServices properties. For a description of these properties and their use, see Chapter 4, “Configuring the Server.”
Use a text editor to create the DC.in file. (For the parameters, refer to the ASE Utilities Guide document for certreq.) The req_commonname must be the service name that clients connect to, because Open Client checks that the name in the certificate matches the name it requested:
notepad DC.in
req_certtype=Server
req_keytype=RSA
req_keylength=512
req_country=US
req_state=CO
req_locality=Boulder
req_organization=Sybase
req_orgunit=Database
req_commonname=servicename
Create private key and certificate request files for the service:
C:\<install_dir>\DC-15_0\bin>certreq -F DC.in -R servicename_req.txt -K servicename_pkey.txt -P mydcpassword
Sign the service certificate request <servicename>_req.txt with the CA private key to create the ECDA service certificate <servicename>.crt:
C:\<install_dir>\DC-15_0\bin>certauth -C trusted.txt -Q servicename_req.txt -K CA_pkey.txt -P mycapassword -T 180 -O servicename.crt
-- Sybase Test Certificate Authority certauth\15.0.0.1\SWR 9988 IR\P\NT (IX86)\OS 4.0 \rel12501\1773\32-bit\OPT\Sat Feb 6 07:18:45 2002 --
Certificate Validity:
startDate = Mon Apr 22 18:18:41 2002
endDate = Sat Oct 19 18:18:41 2002
CA sign certificate SUCCEED (0)
Append the service private key file to the signed service certificate file. After this step servicename.crt contains the private key as well as the certificate, so restrict read access on it to the account that runs the DirectConnect server:
C:\<install_dir>\DC-15_0\bin> type servicename_pkey.txt >> servicename.crt
Copy the trusted.txt file to the ECDA <servicename>.txt file:
C:\<install_dir>\DC-15_0\bin> copy trusted.txt servicename.txt
Using the pwdcrypt utility, create an encrypted form of the private key password for ECDA to use when it establishes an SSL connection. The password you type is not echoed, and it must be the same password (mydcpassword) given to certreq with -P in step 3. The encrypted password will be similar to the following example:
C:\<install_dir>\DC-15_0\bin>pwdcrypt
Enter password please:
Enter password again:
The encrypted password: 0x018c2e0ea8cfc44513e8ff06f3a1b20825288d0ae1ce79268d0e8669313d1bc4c70c
Write the encrypted password, copied from the previous step, to the servicename.pwd file:
C:\<install_dir>\DC-15_0\bin>ECHO 0x018c2e0ea8cfc44513e8ff06f3a1b20825288d0ae1ce79268d0e8669313d1bc4c70c >servicename.pwd
ECHO writes everything between the command and the > redirection, including the space before >, so the file now ends with a trailing space after the password. Remove that space with a text editor; the password is not valid until you do. Because servicename.pwd is what unlocks the private key, protect it with the same file permissions as servicename.crt.
Copy the trusted.txt file to the ECDA srvname.txt file as well:
C:\<install_dir>\DC-15_0\bin> copy trusted.txt srvname.txt
List the directory and verify that the following files are present:
C:\<install_dir>\DC-15_0\bin>dir
CA_pkey.txt
CA_req.txt
DC.in
servicename.crt
servicename.pwd
servicename.txt
servicename_pkey.txt
servicename_req.txt
srvname.txt
trusted.txt
To create the ECDA certificates directory, enable SSL, and verify the log files
Create an ECDA directory to hold the certificates:
mkdir C:\<install_dir>\DC-15_0\servers\<server_name>\certificates
Copy the servicename.crt, servicename.pwd, servicename.txt, and srvname.txt files into the ECDA certificates directory created in the previous step:
copy C:\<install_dir>\DC-15_0\bin\servicename.* C:\<install_dir>\DC-15_0\servers\<server name>\certificates
copy C:\<install_dir>\DC-15_0\bin\srvname.txt C:\<install_dir>\DC-15_0\servers\<server name>\certificates
Verify that the files were copied by listing the contents of the ECDA certificates directory:
cd C:\<install_dir>\DC-15_0\servers\<server_name>\certificates
dir
If successful, the following files are displayed:
servicename.crt
servicename.pwd
servicename.txt
srvname.txt
Edit the server.cfg file to enable the SSL service: enter the name of the service that is going to use SSL in the SSLServices property, and enter yes in the SSLEnabled property to enable the SSL feature:
notepad server.cfg
{Client Interaction}
SSLServices=servicename
SSLEnabled=yes
Display the configuration and verify that the logging properties are set correctly and match the following:
cd C:\<install_dir>\DC-15_0\servers\<server name>\cfg
type server.cfg
If successful, the following is displayed:
{Logging}
LogWrap=yes
LogToScreen=yes
LogOCOSMessages=1
LogFlush=yes
LogFileSize=500000
LogFileName=
LogClientMessages=1
LogClientLogin=yes
Using a text editor, append “ssl” to the master and query entries for the server in the sql.ini file:
cd C:\<install_dir>\DC-15_0\connectivity\ini
notepad sql.ini
[server name]
MASTER = NLWNSCK, machine name, port, ssl
QUERY = NLWNSCK, machine name, port, ssl
Execute the following script to start ECDA:
C:\<install_dir>\DC-15_0\bin\DCStart -Sservername
Verify that the following log entries are in the C:\<install_dir>\DC-15_0\servers\<server name>\log\<server name>.log file:
LogHeader ...SSL:Checking for servicename.txt...
LogHeader ...SSL:Using trusted CA file...
LogHeader ...SSL:Checking for servicename.crt...
LogHeader ...SSL:Using certificate file...
LogHeader ...SSL:Checking for servicename.pwd...
LogHeader ...SSL:Using certificate password file...
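The three procedures above leave a number of files and settings that must all agree before DCStart will bring up the SSL service, and the most common mistakes (the trailing space ECHO leaves in servicename.pwd, a service listed in SSLServices with no matching .crt/.txt/.pwd, a sql.ini entry without the ssl filter) only show up as a failed start. The following preflight script is an added example and is not part of the Sybase documentation or of ECDA itself. It assumes the directory layout shown above, that certreq and certauth write PEM-style BEGIN/END markers (verify this against your own output), and that the server-level trusted CA file (srvname.txt above) is named after the DirectConnect server; the server tree it builds for its own demonstration is constructed placeholder content, not real certificates or keys.

```python
# Added example (not Sybase documentation or ECDA code): preflight checks for the files the procedure
# above produces. Assumes PEM-style BEGIN/END markers and a server trusted CA file named <server>.txt.
import os
import re
import tempfile
SSL_LOG_LINES = (  # expected in <server name>.log once the SSL service starts
    "SSL:Checking for {svc}.txt", "SSL:Using trusted CA file",
    "SSL:Checking for {svc}.crt", "SSL:Using certificate file",
    "SSL:Checking for {svc}.pwd", "SSL:Using certificate password file")
PEM_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
PWD_RE = re.compile(r"\A0x[0-9a-fA-F]+\Z")

def parse_server_cfg(text):
    """server.cfg layout: {Section} headers followed by key=value lines."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("{") and line.endswith("}"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def check_pwd_file(path):
    """The pwdcrypt token must stand alone; the space ECHO leaves before > invalidates it."""
    with open(path, "rb") as fh:
        body = fh.read().rstrip(b"\r\n")  # a final line break is tolerated
    problems = ["%s: trailing whitespace after the encrypted password" % path] if body != body.rstrip() else []
    if not PWD_RE.match(body.strip().decode("ascii", "replace")):
        problems.append("%s: not a single 0x-prefixed hex token" % path)
    return problems

def check_crt_file(path):
    """<service>.crt must hold the signed certificate plus the appended private key."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        text = fh.read()
    problems = ["%s: no certificate block" % path] if "-----BEGIN CERTIFICATE-----" not in text else []
    if not PEM_KEY_RE.search(text):
        problems.append("%s: private key not appended" % path)
    return problems

def check_sql_ini(text, server):
    """MASTER and QUERY entries under [server] must end with the ssl filter."""
    problems, active = [], False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            active = line[1:-1].strip().lower() == server.lower()
        elif active and "=" in line:
            key, value = (p.strip().lower() for p in line.split("=", 1))
            if key in ("master", "query") and value.split(",")[-1].strip() != "ssl":
                problems.append("sql.ini: %s entry for %s lacks ',ssl'" % (key, server))
    return problems

def preflight(server_dir, server, sql_ini_text, log_text):
    """Run every check for one DirectConnect server tree; an empty list means ready to start."""
    with open(os.path.join(server_dir, "cfg", "server.cfg"), encoding="ascii", errors="replace") as fh:
        client = parse_server_cfg(fh.read()).get("Client Interaction", {})
    problems = [] if client.get("SSLEnabled", "").lower() == "yes" else ["server.cfg: SSLEnabled is not yes"]
    services = [s.strip() for s in client.get("SSLServices", "").split(",") if s.strip()]
    if len(services) != 1:  # Open Server allows one SSL-enabled service per server
        problems.append("server.cfg: SSLServices must name exactly one service")
    cert_dir = os.path.join(server_dir, "certificates")
    if not os.path.isfile(os.path.join(cert_dir, server + ".txt")):
        problems.append("certificates: server trusted CA file %s.txt missing" % server)
    for svc in services:
        for ext, check in (("crt", check_crt_file), ("txt", None), ("pwd", check_pwd_file)):
            path = os.path.join(cert_dir, "%s.%s" % (svc, ext))
            if not os.path.isfile(path):
                problems.append("certificates: %s missing" % path)
            elif check:
                problems += check(path)
        problems += ["log: expected '%s'" % l.format(svc=svc) for l in SSL_LOG_LINES if l.format(svc=svc) not in log_text]
    return problems + check_sql_ini(sql_ini_text, server)

def build_sample(root, broken_pwd=False):
    """Constructed server tree with placeholder PEM bodies (not real certificates or keys)."""
    server, svc = "dcserver", "service1"
    server_dir = os.path.join(root, "servers", server)
    cert_dir = os.path.join(server_dir, "certificates")
    os.makedirs(os.path.join(server_dir, "cfg"))
    os.makedirs(cert_dir)
    cert = b"-----BEGIN CERTIFICATE-----\r\nMIIB...placeholder...\r\n-----END CERTIFICATE-----\r\n"
    key = b"-----BEGIN ENCRYPTED PRIVATE KEY-----\r\nMIIC...placeholder...\r\n-----END ENCRYPTED PRIVATE KEY-----\r\n"
    files = {
        os.path.join(server_dir, "cfg", "server.cfg"):
            b"{Client Interaction}\r\nSSLServices=service1\r\nSSLEnabled=yes\r\n{Logging}\r\nLogWrap=yes\r\n",
        os.path.join(cert_dir, svc + ".crt"): cert + key,  # type servicename_pkey.txt >> servicename.crt
        os.path.join(cert_dir, svc + ".txt"): cert,        # copy trusted.txt servicename.txt
        os.path.join(cert_dir, server + ".txt"): cert,     # copy trusted.txt srvname.txt
        # "ECHO 0x... >file" leaves a space before the line break unless it is edited out
        os.path.join(cert_dir, svc + ".pwd"): b"0x018c2e0ea8cfc44513" + (b" " if broken_pwd else b"") + b"\r\n",
    }
    for path, data in files.items():
        with open(path, "wb") as fh:
            fh.write(data)
    sql_ini = "[dcserver]\r\nMASTER=NLWNSCK,dchost,5000,ssl\r\nQUERY=NLWNSCK,dchost,5000,ssl\r\n"
    log = "".join("LogHeader ...%s...\n" % l.format(svc=svc) for l in SSL_LOG_LINES)
    return server_dir, server, sql_ini, log

def run_demo():
    """Problems for a correct tree, then for one whose .pwd still carries ECHO's trailing space."""
    results = []
    for broken in (False, True):
        with tempfile.TemporaryDirectory() as root:
            results.append(preflight(*build_sample(root, broken_pwd=broken)))
    return results
```

Point preflight() at the real C:\<install_dir>\DC-15_0\servers\<server name> directory, the text of sql.ini and the server log after the copy and edit steps; an empty result means the file set matches what the log entries above expect. The script checks only structure and consistency. It does not validate the certificate cryptographically (chain to trusted.txt, expiry from the certauth validity dates, key length), which is the job of certauth itself or, if the files are standard PEM, of openssl x509 -noout -text.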