The following procedure to provide SSL encryption and to authenticate clients is not valid for the Enterprise Connect Data Access Option for Oracle. Refer to the Enterprise Connect Data Access Option for Oracle Server Administration and User's Guide.
SSL provides encryption of data sent over the network and authenticates clients and their passwords using digital certificates. To set up SSL on a UNIX DirectConnect server, you need to:
Create the certificate of authority files specific to the DirectConnect server and service
Create the ECDA certificates directory, enable SSL, and verify the ECDA log files
ECDA 15.0 does not support transfer to and transfer from on the SSL-enabled Adaptive Server servers.
To create the certificate of authority files
Set up the Sybase environment variables:
Source <install_dir>/DC-15_0/DC_SYBASE.csh (or DC_SYBASE.sh)
If you have previously created or obtained the certificate of authority files, skip steps 2-5.
Change to the Sybase Open Client/Server bin directory to run the SSL utilities:
prompt% cd <install_dir>/OCS-15_0/bin
Create the Certificate of Authority (CA) CA.in file. (For the parameters, refer to the ASE Utilities Guide document for certreq.) Enter the parameters for the CA certificate that you are going to use with the certreq utility, as shown:
prompt% vi CA.in
req_certtype=Server
req_keytype=RSA
req_keylength=512
req_country=US
req_state=CO
req_locality=Boulder
req_organization=Sybase
req_orgunit=Security
req_commonname=CA
Create a private key file and a certificate request file for the CA certificate:
prompt% certreq -F CA.in -R CA_req.txt -K CA_pkey.txt -P mycapassword
The following message appears:
Generating key pair (please wait)...
Create the CA public key file named trusted.txt by signing the CA_req.txt certificate request with the CA private key file:
prompt% certauth -r -C CA_req.txt -Q CA_req.txt -K CA_pkey.txt -P mycapassword -T 365 -O trusted.txt
The following message appears:
-- Sybase Test Certificate Authority certauth/15.0/SWR 9609 GA/P/Sun_svr4/OS 5.8/main/1647/32-bit/OPT/Fri Jun 1 17:19:08 2001
-- Certificate Validity: startDate = Tue Apr 23 15:01:40 2002 endDate = Wed Apr 23 15:01:40 2003
CA sign certificate SUCCEED (0).
To create the certificate of authority files specific to the DirectConnect server and service
In UNIX, the name of the server and service must be the same.
Enter the ECDA parameters for the certificate request that the CA will sign. (For the parameters, refer to the ASE utilities documentation for certreq.)
prompt% vi DC.in
req_certtype=Server
req_keytype=RSA
req_keylength=512
req_country=US
req_state=CO
req_locality=Boulder
req_organization=Sybase
req_orgunit=Database
req_commonname=servicename
Create private key and certificate request files for the service:
prompt% certreq -F DC.in -R servicename_req.txt -K servicename_pkey.txt -P mydcpassword
Create an ECDA public key file <servicename>.crt by signing the <servicename>_req.txt request file with the CA private key file:
prompt% certauth -C trusted.txt -Q servicename_req.txt -K CA_pkey.txt -P mycapassword -T 180 -O servicename.crt
The following message appears:
-- Sybase Test Certificate Authority certauth/15.0/SWR 9609 GA/P/Sun_svr4/OS 5.8/main/1647/32-bit/OPT/Fri Jun 1 17:19:08 2001
-- Certificate Validity: startDate = Tue Apr 23 15:11:33 2002 endDate = Sun Oct 20 15:11:33 2002
CA sign certificate SUCCEED (0)
Append the service name private key file to the signed service name public key file:
prompt% cat servicename_pkey.txt >> servicename.crt
Verify that the private key file has been appended by displaying the file:
prompt% cat servicename.crt
Copy the trusted.txt file to the ECDA <servicename>.txt file:
prompt% cp trusted.txt servicename.txt
Using the pwdcrypt utility, create the encrypted password that ECDA uses to establish an SSL connection:
prompt% pwdcrypt
Enter the password to be encrypted. The password you enter is not displayed; it is the same password (mydcpassword) that you entered in step 2. The output is similar to the following example:
Enter password please:
Enter password again:
The encrypted password: 0x018c2e0ea8cfc44513e8ff06f3a1b20825288d0ae1ce79268d0e8669313d1bc4c70c
Insert the encrypted password from the previous step into a file:
prompt% vi servicename.pwd
Copy the trusted.txt file to the ECDA srvname.txt file:
prompt% cp trusted.txt srvname.txt
From the list of files, verify that all the following files are present:
prompt% ls
CA.in CA_pkey.txt CA_req.txt
servicename.crt servicename.pwd servicename.txt servicename_pkey.txt servicename_req.txt srvname.txt trusted.txt
To create the ECDA certificates directory, enable SSL, and verify the ECDA log files
In the following steps, the DirectConnect server name and service name must be the same.
Create an ECDA directory to hold the certificates:
prompt% mkdir <install_dir>/DC-15_0/servers/<servername>/certificates
Copy the servicename.crt, servicename.pwd, servicename.txt, and srvname.txt files into the new ECDA certificates directory created in the previous step:
prompt% cp <install_dir>/OCS-15_0/bin/servicename.* <install_dir>/DC-15_0/servers/<servername>/certificates/.
prompt% cp <install_dir>/OCS-15_0/bin/srvname.txt <install_dir>/DC-15_0/servers/<servername>/certificates/.
Verify that the files are copied by listing the contents of the ECDA certificates directory:
prompt% cd <install_dir>/DC-15_0/servers/<servername>/certificates
prompt% ls
servicename.crt servicename.pwd servicename.txt
srvname.txt
Edit the server.cfg file to enable the SSL service:
In the SSLServices property, enter the name of the service that is going to use SSL.
Enter yes in the SSLEnabled property to enable the SSL feature:
prompt% cd <install_dir>/DC-15_0/servers/<servername>/cfg
prompt% vi server.cfg
{Client Interaction}
SSLServices=servicename
SSLEnabled=yes
From the many properties displayed, verify that the logging properties are set correctly and match the following:
prompt% cat server.cfg
{Logging}
LogWrap=yes
LogToScreen=yes
LogOCOSMessages=1
LogFlush=yes
LogFileSize=500000
LogFileName=
LogClientMessages=1
LogClientLogin=yes
Append “ssl” to the master and query entries in the interfaces file:
prompt% cd <install_dir>
prompt% vi interfaces
<server name>
    master tcp ether <machine name> 12510 ssl
    query tcp ether <machine name> 12510 ssl
Start ECDA by entering the following:
prompt% cd <install_dir>/DC-15_0/bin
prompt% DCStart -S<dcservername>
Verify that the following entries are in the <install_dir>/DC-15_0/servers/<server name>/log/<server name>.log file:
LogHeader ...SSL: Checking for servicename.txt...
LogHeader ...SSL: Using trusted CA file...
LogHeader ...SSL: Checking for servicename.crt...
LogHeader ...SSL: Using certificate file...
LogHeader ...SSL: Checking for servicename.pwd...
LogHeader ...SSL: Using certificate password file...
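The verification steps of this procedure (the four files in the certificates directory, the SSLServices and SSLEnabled properties in server.cfg, the ssl suffix on the master and query interfaces entries, and the SSL lines in the server log) can be run as one script after DCStart. The following POSIX shell script is an added example, not part of the ECDA documentation or the product. It assumes the layout used above: <install_dir>/DC-15_0/servers/<servername> containing cfg/server.cfg, certificates/ and log/<servername>.log, with the service name equal to the server name as the procedure requires, and it assumes that servicename.crt is PEM-formatted so that the signed certificate and the appended private key each start with a "-----BEGIN" line. It also treats servicename.pwd, which unlocks the private key, as a secret that group and other must not be able to read; the procedure above does not set file permissions, so that check is this example's own policy. The make_ecda_fixture function builds a constructed directory tree with placeholder contents (the 0x... value is the sample output shown above, not a real secret) so that the checks can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the Sybase ECDA documentation): post-setup checks for
# a UNIX DirectConnect server after the SSL procedure has been followed.
# Assumed layout: SERVER_DIR = <install_dir>/DC-15_0/servers/<servername>,
# holding cfg/server.cfg, certificates/ and log/<servername>.log.

# cfg_get FILE "{Section}" KEY : print KEY's value from that server.cfg section.
cfg_get() {
    awk -v sec="$2" -v key="$3" '
        $0 == sec { s = 1; next }
        /^[{]/    { s = 0 }
        s && index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }
    ' "$1"
}

# ecda_ssl_check SERVER_DIR SERVICE INTERFACES_FILE
# Prints one line per problem found; returns 0 only when every check passes.
ecda_ssl_check() {
    server_dir=$1 service=$2 interfaces=$3
    certdir="$server_dir/certificates"
    cfg="$server_dir/cfg/server.cfg"
    log="$server_dir/log/$service.log"   # server name == service name on UNIX
    rc=0

    # 1. The four files the procedure copies into the certificates directory.
    for f in "$service.crt" "$service.pwd" "$service.txt" srvname.txt; do
        [ -s "$certdir/$f" ] || { echo "MISSING: $certdir/$f"; rc=1; }
    done

    # 2. The .crt must hold the signed certificate plus the appended private
    #    key. Assumption: both are PEM blocks, so two "-----BEGIN" lines.
    if [ -s "$certdir/$service.crt" ] &&
       [ "$(grep -c '^-----BEGIN' "$certdir/$service.crt")" -lt 2 ]; then
        echo "BAD: $service.crt lacks certificate and private key blocks"; rc=1
    fi

    # 3. The .pwd file holds pwdcrypt output (0x + hex). It unlocks the private
    #    key, so group/other must have no access (this example's own policy).
    if [ -s "$certdir/$service.pwd" ]; then
        grep -q '^0x[0-9a-fA-F][0-9a-fA-F]*$' "$certdir/$service.pwd" ||
            { echo "BAD: $service.pwd is not pwdcrypt output"; rc=1; }
        perms=$(ls -ld "$certdir/$service.pwd" | cut -c5-10)
        [ "$perms" = "------" ] ||
            { echo "WEAK PERMS: $service.pwd is readable by group/other"; rc=1; }
    fi

    # 4. server.cfg: SSLEnabled=yes and the service listed in SSLServices.
    enabled=$(cfg_get "$cfg" "{Client Interaction}" SSLEnabled)
    services=$(cfg_get "$cfg" "{Client Interaction}" SSLServices)
    [ "$enabled" = "yes" ] || { echo "BAD: SSLEnabled=$enabled in $cfg"; rc=1; }
    case ",$services," in
        *",$service,"*) ;;
        *) echo "BAD: $service not in SSLServices ($services)"; rc=1 ;;
    esac

    # 5. interfaces: both master and query entries of this server end in "ssl".
    awk -v srv="$service" '
        $0 == srv  { s = 1; next }
        /^[^ \t]/  { s = 0 }
        s && ($1 == "master" || $1 == "query") { n++; if ($NF != "ssl") bad++ }
        END { exit (n < 2 || bad > 0) }
    ' "$interfaces" || { echo "BAD: master/query for $service lack ssl in $interfaces"; rc=1; }

    # 6. DCStart logged that it found and used all three SSL files.
    for msg in "SSL: Using trusted CA file" "SSL: Using certificate file" \
               "SSL: Using certificate password file"; do
        grep -q "$msg" "$log" 2>/dev/null || { echo "LOG: '$msg' not found in $log"; rc=1; }
    done
    return $rc
}

# make_ecda_fixture SERVICE : build a constructed install tree with placeholder
# contents (no real keys) and print its root, so the checks can run offline.
make_ecda_fixture() {
    service=$1
    root=$(mktemp -d)
    srv="$root/DC-15_0/servers/$service"
    mkdir -p "$srv/certificates" "$srv/cfg" "$srv/log"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'cert-placeholder' '-----END CERTIFICATE-----' \
        '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'key-placeholder' '-----END ENCRYPTED PRIVATE KEY-----' \
        > "$srv/certificates/$service.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'ca-placeholder' '-----END CERTIFICATE-----' \
        > "$srv/certificates/$service.txt"
    cp "$srv/certificates/$service.txt" "$srv/certificates/srvname.txt"
    # Sample pwdcrypt output from the procedure text, not a real secret.
    printf '%s\n' 0x018c2e0ea8cfc44513e8ff06f3a1b20825288d0ae1ce79268d0e8669313d1bc4c70c \
        > "$srv/certificates/$service.pwd"
    chmod 600 "$srv/certificates/$service.pwd"
    printf '%s\n' '{Client Interaction}' "SSLServices=$service" 'SSLEnabled=yes' \
        '{Logging}' 'LogWrap=yes' > "$srv/cfg/server.cfg"
    printf '%s\n\tmaster tcp ether dbhost 12510 ssl\n\tquery tcp ether dbhost 12510 ssl\n' \
        "$service" > "$root/interfaces"
    printf '%s\n' 'LogHeader ...SSL: Using trusted CA file...' \
        'LogHeader ...SSL: Using certificate file...' \
        'LogHeader ...SSL: Using certificate password file...' > "$srv/log/$service.log"
    echo "$root"
}

# Usage: sh ecda_ssl_check.sh <install_dir>/DC-15_0/servers/<servername> <servername> <install_dir>/interfaces
if [ $# -eq 3 ]; then
    ecda_ssl_check "$@"
fi
```

Run it against the real tree after DCStart; a non-zero exit with the printed lines tells you which step of the procedure to revisit. The permission check is deliberately strict because the .pwd file is all that stands between a reader of the certificates directory and the service's private key.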