Starting the database server with transport-layer security

To start the database server with transport-layer security, supply the name of the server identity file and the password that protects the server's private key.

For an overview of the steps required to set up transport-layer security, see Setting up transport-layer security.

Use the -ec server option to specify the tls_type, identity, and identity_password parameters. With -ec in effect, unencrypted connections are refused; if you want to allow unencrypted connections over shared memory, you must also specify the -es option.

Following is the syntax of a partial dbsrv11 command line:

-ec tls(
   tls_type=cipher;
   identity=server-identity-filename;
   identity_password=password )
-x tcpip

  • cipher   The cipher to use. The cipher can be rsa or ecc for RSA and ECC encryption, respectively. For FIPS-approved RSA encryption, specify tls_type=rsa;fips=y. RSA FIPS uses a separate FIPS-approved library, but is compatible with SQL Anywhere 9.0.2 or later clients using RSA. FIPS is not available with ECC.

    For a list of supported platforms for FIPS, see [external link] SQL Anywhere Supported Platforms and Engineering Support Status.

    The cipher must match the encryption (ECC or RSA) used to create your certificates.

    For information about enforcing the FIPS-approved algorithm, see -fips server option.

  • server-identity-filename   The path and file name of the server identity file. An identity file contains the server's public certificate and its private key. For certificates that are not self-signed, the identity file also contains all of the signing certificates. If you are using FIPS-approved RSA encryption, you must generate your certificates using the RSA cipher.

    For more information about creating the server certificate, which can be self-signed, or signed by a Certificate Authority or enterprise root certificate, see Creating digital certificates.

  • password   The password for the server's private key. You specify this password when you create the server certificate. Because a password given on the command line is visible to anyone who can list processes on the host, consider placing the options in a hidden configuration file instead (see below).

You can also start the database server with simple encryption (-ec simple). Simple encryption makes it more difficult for someone using a packet sniffer to read the network packets sent between the client and the server, but it does not provide data integrity or server authentication, so it is not a substitute for transport-layer security.

See -ec server option and -es server option.

You specify the TCP/IP protocol using the -x server option. See -x server option.

Examples

The following example (entered all on one line) uses the -ec server option to specify ECC security, the server identity file, and the password protecting the server's private key:

dbsrv11 -ec tls( tls_type=ecc;identity=c:\test\serv1_ecc.id;identity_password=mypwd )
 -x tcpip c:\test\secure.db

You can hide the command line options, including the identity password, by placing them in a configuration file, encrypting that file with the File Hiding utility (dbfhide), and passing it to the server with the @data server option. See File Hiding utility (dbfhide) and @data server option.

The following example (entered all on one line) uses the -ec server option to specify RSA security, the server identity file, and the password protecting the server's private key:

dbsrv11 -ec tls(tls_type=rsa;identity=c:\test\serv1_rsa.id;identity_password=test)
 -x tcpip c:\test\secure.db
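The following Python script is an added example; it is not part of the SQL Anywhere documentation or product. It assembles the dbsrv11 command line shown above, checks the identity file against the requested tls_type before the server is started (the cipher must match the key type used to create the certificate), and writes the same options to a configuration file so that the password does not have to appear on the command line. It assumes the identity file is PEM text, which the page does not state, and infers the key type from the PEM block label; a PKCS#8 key carries no algorithm in its label and is left unchecked. The paths, file names and placeholder certificate data are constructed for the example.

```python
"""Build and sanity-check a dbsrv11 TLS start command (added example)."""
import re
import shlex

# PEM is an assumption of this example: the page only says the identity file
# holds the server certificate, its private key and any signing certificates.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+?)-----.*?-----END \1-----", re.S)

KEY_LABELS = {
    "RSA PRIVATE KEY": "rsa",        # PKCS#1 RSA key
    "EC PRIVATE KEY": "ecc",         # SEC1 EC key
    "PRIVATE KEY": None,             # PKCS#8: label does not name the algorithm
    "ENCRYPTED PRIVATE KEY": None,   # PKCS#8, protected by the identity password
}


def inspect_identity(pem_text):
    """Return (certificate count, key count, key type) for a PEM identity file.
    key type is 'rsa', 'ecc' or None when the label does not say."""
    certs = keys = 0
    key_type = None
    for m in PEM_BLOCK.finditer(pem_text):
        label = m.group(1)
        if label == "CERTIFICATE":
            certs += 1
        elif label in KEY_LABELS:
            keys += 1
            key_type = KEY_LABELS[label]
    return certs, keys, key_type


def check_identity(pem_text, tls_type):
    """Return a list of mismatches between the identity file and tls_type."""
    certs, keys, key_type = inspect_identity(pem_text)
    problems = []
    if certs == 0:
        problems.append("identity file has no certificate")
    if keys != 1:
        problems.append(f"identity file must hold exactly one private key, found {keys}")
    if key_type is not None and key_type != tls_type:
        problems.append(f"tls_type={tls_type} but the private key is {key_type}")
    return problems


def build_command(db_file, identity, password, tls_type, fips=False,
                  allow_shared_memory=False, exe="dbsrv11"):
    """Assemble argv for the -ec tls(...) -x tcpip command line shown on the page."""
    if tls_type not in ("rsa", "ecc"):
        raise ValueError("tls_type must be rsa or ecc")
    if fips and tls_type != "rsa":
        raise ValueError("fips=y is only available with tls_type=rsa")
    params = [f"tls_type={tls_type}"]
    if fips:
        params.append("fips=y")
    params += [f"identity={identity}", f"identity_password={password}"]
    argv = [exe, "-ec", "tls(" + ";".join(params) + ")"]
    if allow_shared_memory:
        argv.append("-es")  # also accept unencrypted shared-memory connections
    argv += ["-x", "tcpip", db_file]
    return argv


def render(argv, posix=False):
    """One-line rendering. On a POSIX shell the tls(...) argument must be quoted,
    because '(', ')' and ';' are shell metacharacters; shlex.join does that."""
    return shlex.join(argv) if posix else " ".join(argv)


def config_file_text(argv):
    """Options for an @file, one option per line, so the password stays off the
    command line; the file is then hidden with dbfhide as the page describes."""
    lines, i = [], 1  # argv[0] is the executable, which does not go in the file
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-") and i + 1 < len(argv) and not argv[i + 1].startswith("-"):
            lines.append(f"{tok} {argv[i + 1]}")
            i += 2
        else:
            lines.append(tok)
            i += 1
    return "\n".join(lines) + "\n"


# Constructed placeholder identity file: the bodies are not real key material,
# only the block labels matter to the checks above.
SAMPLE_RSA_IDENTITY = """\
-----BEGIN CERTIFICATE-----
MIIBplaceholderServerCert
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEplaceholderRsaKey
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIBplaceholderSigningCert
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    argv = build_command(r"c:\test\secure.db", r"c:\test\serv1_rsa.id", "test", "rsa")
    for problem in check_identity(SAMPLE_RSA_IDENTITY, "rsa"):
        raise SystemExit(f"refusing to start: {problem}")
    print(render(argv))
    print(config_file_text(argv), end="")
```

Running the check with tls_type=ecc against the RSA sample reports the mismatch instead of letting the server start with a cipher that does not match its certificate. The configuration file text can be written to disk, hidden with dbfhide, and passed as @filename in place of the options.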