Establishing a client connection using transport-layer security

To set up client applications to use transport-layer security, use the Encryption [ENC] connection parameter in your connection string. The connection string takes the following form (which must be written all on one line):

Encryption=tls(
   tls_type=cipher;
   [ fips={ y | n }; ]
   trusted_certificates=public-certificate
 [ certificate_company=organization; ]
 [ certificate_name=common-name; ]
 [ certificate_unit=organization-unit ] )
  • cipher   can be rsa or ecc for RSA and ECC encryption, respectively. The default is rsa. For FIPS-approved RSA encryption, specify tls_type=rsa;fips=y. RSA FIPS uses a separate approved library, but is compatible with SQL Anywhere 9.0.2 or later database servers using RSA. You cannot specify fips=y with tls_type=ecc.

    The connection fails if the cipher does not match the encryption (RSA or ECC) used to create your certificates.

  • public-certificate   is the path and file name of a file that contains one or more trusted certificates. If you are using FIPS-approved RSA encryption, you must generate your certificates using RSA. See trusted_certificates protocol option.

  • organization   forces the client to accept server certificates only when the Organization field on the certificate matches this value. See certificate_company protocol option.

  • common-name   forces the client to accept server certificates only when the Common Name field on the certificate matches this value. See certificate_name protocol option.

  • organization-unit   forces the client to accept server certificates only when the Organization Unit field on the certificate matches this value. See certificate_unit protocol option.

For more information about trusted_certificates and other client security parameters, see Verifying certificate fields and Using the trusted_certificates protocol option.

For more information about creating or obtaining the certificate, see Creating digital certificates.

For more information about the encryption connection parameter, see Encryption connection parameter [ENC].

Example

The following example uses the trusted_certificates encryption connection parameter to specify the certificate, public_cert.crt.

"UID=DBA;PWD=sql;ENG=myeng;LINKS=tcpip;
ENC=tls(tls_type=ecc;trusted_certificates=public_cert.crt)"

The following example uses the trusted_certificates encryption connection parameter to specify the certificate, public_cert.crt, and verifies certificate fields using the certificate_unit and certificate_name encryption connection parameters.

"UID=DBA;PWD=sql;ENG=myeng;LINKS=tcpip;
ENC=tls(tls_type=ecc;trusted_certificates=public_cert.crt;
certificate_unit=test_unit;certificate_name=my_certificate)"