Encryption connection parameter [ENC]

Encrypts packets sent between the client application and the server using transport-layer security or simple encryption.

Usage

For TLS, TCP/IP only.

For NONE or SIMPLE, anywhere.

Values
Encryption= { NONE
 | SIMPLE 
 | TLS( TLS_TYPE=cipher;
 [ FIPS={ Y | N }; ]
TRUSTED_CERTIFICATES=public-certificate ) }
Default

NONE

Remarks

You can use this parameter if you want to secure communications between client applications and the database server using transport-layer security or simple encryption. See Transport-layer security.

Separately licensed component required

ECC encryption and FIPS-certified encryption require a separate license. All strong encryption technologies are subject to export regulations.

See Separately licensed components.

The Encryption (ENC) connection parameter accepts the following arguments:

  • NONE   Accepts communication packets that are not encrypted.

  • SIMPLE   Accepts communication packets that are encrypted with simple encryption supported on all platforms and on previous versions of SQL Anywhere. Simple encryption does not provide server authentication, strong elliptic-curve or RSA encryption, or other features of transport-layer security.

    If the database server accepts simple encryption, but does not accept no encryption, then any non-TDS connection attempts using no encryption automatically use simple encryption.

    Starting the database server with -ec SIMPLE tells the database server to accept only connections using simple encryption. TLS connections (ECC, RSA, RSA FIPS) fail, and connections requesting no encryption use simple encryption.

    Starting the database server with -ec SIMPLE,TLS( TLS_TYPE=ECC;... ) tells the database server to accept only connections with ECC TLS encryption or simple encryption. Both RSA and RSA FIPS connections fail, and connections requesting no encryption use simple encryption.

  • cipher   can be RSA or ECC for RSA and ECC encryption, respectively. For FIPS-approved RSA encryption specify TLS_TYPE=RSA;FIPS=Y. RSA FIPS uses a separate approved library, but is compatible with servers specifying RSA with SQL Anywhere 9.0.2 or later.

    The connection fails if the cipher does not match the encryption (RSA or ECC) used to create your certificates.

  • public-certificate   is the path and file name of a file that contains one or more trusted certificates. If you are using FIPS-approved RSA encryption, you must generate your certificates using RSA.

For more information about verifying certificate fields for server authentication, see Verifying certificate fields.

For more information about using digital certificates, see Creating digital certificates.

You can use the CONNECTION_PROPERTY system function to retrieve the encryption settings for the current connection:

SELECT CONNECTION_PROPERTY ( 'Encryption' );

The function returns one of five values: None, Simple, ecc_tls, rsa_tls, or rsa_tls_fips depending which type of encryption is being used by the connection.

See CONNECTION_PROPERTY function [System].

See also
Examples

The following connection string fragment connects to a database server named demo with a TCP/IP link, using transport-layer security and elliptic-curve encryption:

"ENG=demo;LINKS=tcpip;ENCRYPTION=tls(tls_type=ecc;trusted_certificates=eccserver.id)"

The following connection string fragment connects to a database server named demo with a TCP/IP link, using transport-layer security and RSA encryption:

"ENG=demo;LINKS=tcpip;ENCRYPTION=tls(tls_type=rsa;fips=n;trusted_certificates=rsaserver.id)"

The following connection string fragment connects to a database server named demo with a TCP/IP link, using simple encryption:

"ENG=demo;LINKS=tcpip;ENCRYPTION=simple"