Uses transport-layer security or simple encryption to encrypt all command sequence communication protocol packets (such as DBLib and ODBC) transmitted to and from all clients. TDS packets aren't encrypted.
{ dbeng12 | dbsrv12 } -ec encryption-options ...
encryption-options :
{ NONE | SIMPLE | TLS ( TLS_TYPE=algorithm; [ FIPS={ Y | N }; ] IDENTITY=server-identity-filename; IDENTITY_PASSWORD=password ) }, ...
NONE accepts connections that aren't encrypted.
SIMPLE accepts connections that are encrypted with simple encryption. This type of encryption is supported on all platforms, and on previous versions of the database server and clients. Simple encryption doesn't provide server authentication, strong elliptic-curve or RSA encryption, or other features of transport-layer security.
TLS accepts connections that are encrypted. The TLS parameter accepts the following required arguments:
algorithm can be RSA or ECC for RSA and ECC encryption, respectively. For FIPS-certified RSA encryption, specify TLS_TYPE=RSA;FIPS=Y. RSA FIPS-certified encryption uses a separate certified library, but is compatible with version 9.0.2 or later clients specifying RSA.
For a list of FIPS-certified components, see http://www.sybase.com/detail?id=1061806.
The algorithm must match the encryption (ECC or RSA) used to create your certificates.
For information about enforcing the FIPS-certified algorithm, see -fips dbeng12/dbsrv12 server option.
Version 10 and later clients cannot connect to version 9.0.2 or earlier database servers using the ECC algorithm. If you require strong encryption for this configuration, use the RSA algorithm.
server-identity-filename is the path and file name of the server identity certificate. If you are using FIPS-certified RSA encryption, you must generate your certificates using the RSA algorithm.
For more information about creating the server certificate, which can be self-signed, or signed by a Certificate Authority or enterprise root certificate, see Digital certificates.
password is the password for the server private key. You specify this password when you create the server certificate.
NONE and SIMPLE apply to all servers and operating systems.
TLS applies to all servers and operating systems, except Windows Mobile.
For information about supporting FIPS-certified encryption, see http://www.sybase.com/detail?id=1061806.
You can use this option to secure communication packets between client applications and the database server using transport-layer security. See Transport-layer security.
Separately licensed component required.
ECC encryption and FIPS-certified encryption require a separate license. All strong encryption technologies are subject to export regulations.
The -ec option instructs the database server to accept only connections that are encrypted using one of the specified types. You must specify at least one of the supported parameters in a comma-separated list. Connections over the TDS protocol, which include Java applications using jConnect, are always accepted and are never encrypted, regardless of the -ec option. Setting the TDS protocol option to NO disallows these unencrypted TDS connections. See TDS protocol option (server side only).
By default, communication packets aren't encrypted, which poses a potential security risk. If you are concerned about the security of network packets, use the -ec option. Encryption affects performance only marginally.
If the database server accepts simple encryption, but does not accept unencrypted connections, then any non-TDS connection attempts using no encryption automatically use simple encryption.
Starting the database server with -ec SIMPLE tells the database server to only accept connections using simple encryption. TLS connections (ECC, RSA, and RSA FIPS-certified encryption) fail, and connections requesting no encryption use simple encryption.
Starting the server with -ec SIMPLE,TLS(TLS_TYPE=ECC) tells the database server to only accept connections with ECC encryption or simple encryption. Connections using RSA or RSA FIPS-certified encryption fail, and connections requesting no encryption use simple encryption.
If you want the database server to accept encrypted connections over TCP/IP, but also want to be able to connect to the database from the local computer over shared memory, you can specify the -es option with the -ec option when starting the database server. See -es dbeng12/dbsrv12 server option.
The dbecc12.dll and dbrsa12.dll files contain the ECC and RSA code used for encryption and decryption. The file dbfips12.dll contains the code for the FIPS-certified RSA algorithm. When you connect to the database server, if the appropriate file cannot be found, or if an error occurs, a message appears in the database server messages window. The server doesn't start if the specified types of encryption cannot be initiated.
The client's and the server's encryption settings must match or the connection fails except in the following cases:
If -ec SIMPLE is specified on the database server, but -ec NONE is not, then connections that do not request encryption can connect and automatically use simple encryption.
If the database server specifies RSA and the client specifies FIPS-certified encryption, or vice versa, the connection succeeds. In these cases, the Encryption connection property returns the value specified by the database server.
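The following is an added example, not SQL Anywhere code: a small Python validator for the -ec encryption-options grammar shown at the top of this page, paired with a function that applies the matching rules just listed (SIMPLE-without-NONE upgrading unencrypted requests, RSA and RSA FIPS-certified interoperating with the server's value reported, and TDS connections bypassing -ec entirely). The function names parse_ec and negotiate, the require_identity flag (which tolerates the page's own shorthand TLS(TLS_TYPE=ECC)), and the decision to reject FIPS=Y with TLS_TYPE=ECC are this example's assumptions; the page only describes FIPS=Y together with RSA. It does not start a server.

```python
"""Constructed example: validate SQL Anywhere 12 -ec option strings and
evaluate the client/server encryption matching rules this page describes.
Not SQL Anywhere code; nothing here launches dbeng12/dbsrv12."""
import re

# Encryption types a server can accept, as this page names them.
TYPES = ("NONE", "SIMPLE", "ECC", "RSA", "RSA_FIPS")


def _split_top_level(text, sep):
    """Split on sep, but not inside the parentheses of TLS( ... )."""
    parts, depth, buf = [], 0, []
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')' in -ec value")
        if ch == sep and depth == 0:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if depth != 0:
        raise ValueError("unbalanced '(' in -ec value")
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_ec(value, require_identity=True):
    """Parse an -ec encryption-options list into the list of accepted types.

    Grammar from the page:
      { NONE | SIMPLE | TLS ( TLS_TYPE=algorithm; [ FIPS={Y|N}; ]
                              IDENTITY=file; IDENTITY_PASSWORD=pw ) }, ...
    require_identity=False tolerates the shorthand TLS(TLS_TYPE=ECC) used
    in the page's prose (an assumption of this example).
    """
    accepted = []
    for item in _split_top_level(value, ","):
        upper = item.upper()
        if upper in ("NONE", "SIMPLE"):
            accepted.append(upper)
            continue
        m = re.fullmatch(r"TLS\s*\((.*)\)", item, re.IGNORECASE | re.DOTALL)
        if not m:
            raise ValueError("unknown encryption type: %r" % item)
        args = {}
        for kv in _split_top_level(m.group(1), ";"):
            if "=" not in kv:
                raise ValueError("bad TLS argument: %r" % kv)
            k, v = kv.split("=", 1)
            args[k.strip().upper()] = v.strip()
        alg = args.get("TLS_TYPE", "").upper()
        if alg not in ("RSA", "ECC"):
            raise ValueError("TLS_TYPE must be RSA or ECC, got %r" % alg)
        fips = args.get("FIPS", "N").upper()
        if fips not in ("Y", "N"):
            raise ValueError("FIPS must be Y or N, got %r" % fips)
        if fips == "Y" and alg != "RSA":
            # The page describes FIPS=Y only with TLS_TYPE=RSA; rejecting
            # other combinations is this example's assumption.
            raise ValueError("FIPS=Y is only described for TLS_TYPE=RSA")
        if require_identity and not (args.get("IDENTITY") and args.get("IDENTITY_PASSWORD")):
            raise ValueError("TLS requires IDENTITY and IDENTITY_PASSWORD")
        accepted.append("RSA_FIPS" if (alg, fips) == ("RSA", "Y") else alg)
    if not accepted:
        raise ValueError("-ec needs at least one encryption type")
    return accepted


def negotiate(server_types, client_request, protocol="cmdseq", tds_enabled=True):
    """Apply the page's matching rules. Returns (accepted, effective_encryption).

    server_types   - result of parse_ec() for the server's -ec option
    client_request - 'NONE', 'SIMPLE', 'ECC', 'RSA' or 'RSA_FIPS'
    protocol       - 'cmdseq' (DBLib/ODBC) or 'tds' (jConnect)
    """
    if client_request not in TYPES:
        raise ValueError("unknown client request %r" % client_request)
    # TDS connections ignore -ec and are never encrypted; they are refused
    # only when the TDS protocol option is set to NO.
    if protocol == "tds":
        return (tds_enabled, "NONE" if tds_enabled else None)
    # An exact match always succeeds.
    if client_request in server_types:
        return (True, client_request)
    # SIMPLE accepted but NONE not: unencrypted requests upgrade to SIMPLE.
    if client_request == "NONE" and "SIMPLE" in server_types and "NONE" not in server_types:
        return (True, "SIMPLE")
    # RSA and RSA FIPS-certified interoperate; the server's value is what the
    # Encryption connection property then reports.
    if client_request in ("RSA", "RSA_FIPS"):
        for server_value in ("RSA", "RSA_FIPS"):
            if server_value in server_types:
                return (True, server_value)
    return (False, None)


if __name__ == "__main__":
    # Reproduces the "-ec SIMPLE,TLS(TLS_TYPE=ECC)" walkthrough from the page.
    server = parse_ec("SIMPLE,TLS(TLS_TYPE=ECC)", require_identity=False)
    for req in TYPES:
        print(req, "->", negotiate(server, req))
```

Run as a script it prints, for the -ec SIMPLE,TLS(TLS_TYPE=ECC) case, that NONE upgrades to SIMPLE, SIMPLE and ECC succeed, and RSA and RSA_FIPS are refused, which is the behaviour the page describes for that option string.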
The following example specifies that connections with no encryption and simple encryption are allowed.
dbsrv12 -ec NONE,SIMPLE -x tcpip c:\mydemo.db
The following example starts a database server that uses the elliptic-curve server certificate eccserver.id.
dbsrv12 -ec TLS(TLS_TYPE=ECC;IDENTITY=eccserver.id;IDENTITY_PASSWORD=test) -x tcpip c:\mydemo.db
The following example starts a database server that uses the RSA server certificate rsaserver.id.
dbsrv12 -ec TLS(TLS_TYPE=RSA;IDENTITY=rsaserver.id;IDENTITY_PASSWORD=test) -x tcpip c:\mydemo.db
The following example starts a database server that uses the FIPS-approved RSA server certificate rsaserver.id.
dbsrv12 -ec TLS(TLS_TYPE=RSA;FIPS=Y;IDENTITY=rsaserver.id;IDENTITY_PASSWORD=test) -x tcpip c:\mydemo.db
Copyright © 2012, iAnywhere Solutions, Inc. - SQL Anywhere 12.0.1