-ec server option

Uses transport-layer security or simple encryption to encrypt all native SQL Anywhere packets (DBLib, ODBC, and OLE DB) transmitted to and from all clients. TDS packets aren't encrypted.

Syntax
{ dbsrv11 | dbeng11 } -ec encryption-options ...
encryption-options :
{ NONE | 
   SIMPLE | 
   TLS ( TLS_TYPE=cipher;
   [ FIPS={ Y | N }; ]
   IDENTITY=server-identity-filename;
   IDENTITY_PASSWORD=password ) }, ...
Applies to

NONE and SIMPLE apply to all servers and operating systems.

TLS applies to all servers and operating systems, except Windows Mobile.

For information about FIPS support, see [external link] SQL Anywhere Supported Platforms and Engineering Support Status.

Remarks

You can use this option to secure communication packets between client applications and the database server using transport-layer security. See Transport-layer security.

Separately licensed component required

ECC encryption and FIPS-certified encryption require a separate license. All strong encryption technologies are subject to export regulations.

See Separately licensed components.

The -ec option instructs the database server to accept only connections that are encrypted using one of the specified types. Connections over the TDS protocol, which include Java applications using jConnect, are always accepted regardless of the usage of the -ec option, and are never encrypted. Setting the TDS protocol option to NO disallows these unencrypted TDS connections. See TDS protocol option.

By default, communication packets aren't encrypted, which poses a potential security risk. If you are concerned about the security of network packets, use the -ec option. Encryption affects performance only marginally. The -ec option controls the server's encryption settings and requires at least one of the following parameters in a comma-separated list:

  • NONE   accepts connections that aren't encrypted.

  • SIMPLE   accepts connections that are encrypted with simple encryption. This type of encryption is supported on all platforms, as well as on previous versions of SQL Anywhere. Simple encryption doesn't provide server authentication, strong elliptic-curve or RSA encryption, or other features of transport-layer security.

  • TLS   accepts connections that are encrypted. The TLS parameter accepts the following required arguments:

    • cipher   can be RSA or ECC for RSA and ECC encryption, respectively. For FIPS-approved RSA encryption, specify TLS_TYPE=RSA;FIPS=Y. RSA FIPS uses a separate approved library, but is compatible with clients specifying RSA with SQL Anywhere 9.0.2 or later.

      For a list of supported platforms for FIPS, see [external link] SQL Anywhere Supported Platforms and Engineering Support Status.

      The cipher must match the encryption (ECC or RSA) used to create your certificates.

      For information about enforcing the FIPS-approved algorithm, see -fips server option.

      Note

      Version 10 clients cannot connect to version 9.0.2 or earlier database servers using the ECC algorithm. If you require strong encryption for this configuration, use the RSA algorithm.

    • server-identity-filename   is the path and file name of the server identity certificate. If you are using FIPS-approved RSA encryption, you must generate your certificates using the RSA cipher.

      For more information about creating the server certificate, which can be self-signed, or signed by a Certificate Authority or enterprise root certificate, see Creating digital certificates.

    • password   is the password for the server private key. You specify this password when you create the server certificate.

If the database server accepts simple encryption, but does not accept unencrypted connections, then any non-TDS connection attempts using no encryption automatically use simple encryption.

Starting the database server with -ec SIMPLE tells the database server to only accept connections using simple encryption. TLS connections (ECC, RSA, and RSA FIPS) fail, and connections requesting no encryption use simple encryption.

Starting the server with -ec SIMPLE,TLS(TLS_TYPE=ECC) tells the database server to only accept connections with ECC encryption or simple encryption. Both RSA and RSA FIPS connections fail, and connections requesting no encryption use simple encryption.

If you want the database server to accept encrypted connections over TCP/IP, but also want to be able to connect to the database from the local computer over shared memory, you can specify the -es option along with the -ec option when starting the database server. See -es server option.

The dbecc11.dll and dbrsa11.dll files contain the ECC and RSA code used for encryption and decryption. The file dbfips11.dll contains the code for the FIPS-approved RSA algorithm. When you connect to the database server, if the appropriate file cannot be found, or if an error occurs, a message appears on the database server messages window. The server doesn't start if the specified types of encryption cannot be initiated.

The client's and the server's encryption settings must match or the connection will fail except in the following cases:

  • if -ec SIMPLE is specified on the database server, but -ec NONE is not, then connections that do not request encryption can connect and automatically use simple encryption
  • if the database server specifies RSA and the client specifies FIPS, or vice versa, the connection succeeds. In this case, the Encryption connection property returns the value specified by the database server.
See also
Example

The following example specifies that connections with no encryption and simple encryption are allowed.

dbsrv11 -ec NONE,SIMPLE -x tcpip c:\mydemo.db

The following example specifies starts a database server that uses the elliptic-curve server certificate eccserver.id.

dbsrv11 -ec TLS(TLS_TYPE=ECC;IDENTITY=eccserver.id;IDENTITY_PASSWORD=test) -x tcpip c:\mydemo.db

The following example starts a database server that uses the RSA server certificate rsaserver.id.

dbsrv11 -ec TLS(TLS_TYPE=RSA;IDENTITY=rsaserver.id;IDENTITY_PASSWORD=test) -x tcpip c:\mydemo.db

The following example starts a database server that uses the FIPS-approved RSA server certificate rsaserver.id.

dbsrv11 -ec TLS(TLS_TYPE=RSA;FIPS=Y;IDENTITY=rsaserver.id;IDENTITY_PASSWORD=test) -x tcpip c:\mydemo.db