Encryption (ENC) connection parameter

Encrypts packets sent between the client application and the database server using transport-layer security or simple encryption.

Syntax

{ Encryption | ENC }={ NONE
 | SIMPLE 
 | TLS( TLS_TYPE=algorithm;
    [ FIPS={ Y | N }; ]
   TRUSTED_CERTIFICATE=public-certificate;
    [ CERTIFICATE_COMPANY=organization; ]
    [ CERTIFICATE_NAME=common-name; ]
    [ CERTIFICATE_UNIT=organization-unit ] )

Usage

Allowed values

NONE Accepts communication packets that are not encrypted.
SIMPLE Accepts communication packets that are encrypted with simple encryption supported on all platforms and on previous versions of SQL Anywhere. Simple encryption does not provide server authentication, strong elliptic-curve or RSA encryption, or other features of transport-layer security.
If the database server accepts simple encryption, but does not accept no encryption, then any non-TDS connection attempts using no encryption automatically uses simple encryption.

Starting the database server with -ec SIMPLE tells the database server to accept only connections using simple encryption. TLS connections (ECC, RSA, and RSA FIPS-certified) fail, and connections requesting no encryption use simple encryption.

Starting the database server with -ec SIMPLE,TLS( TLS_TYPE=ECC;... ) tells the database server to accept only connections with ECC TLS encryption or simple encryption. Both RSA and RSA FIPS connections fail, and connections requesting no encryption use simple encryption.
algorithm can be RSA or ECC for RSA and ECC encryption, respectively. For FIPS-certified RSA encryption, specify TLS_TYPE=RSA;FIPS=Y. RSA FIPS uses a separate certified library, but is compatible with SQL Anywhere 9.0.2 or later with servers specifying RSA.
The connection fails if the algorithm does not match the encryption (RSA or ECC) used to create your certificates.

The client can use the following arguments to verify the field values in the server's public certificate:
- trusted_certificate
- certificate_company
- certificate_unit
- certificate_name
For more information about verifying certificate fields for server authentication, see Verifying certificate fields.

Default

Remarks

You can use this parameter if you want to secure communications between client applications and the database server using transport-layer security or simple encryption. See Transport-layer security.

Note

Separately licensed component required.

ECC encryption and FIPS-certified encryption require a separate license. All strong encryption technologies are subject to export regulations.

See Separately licensed components.

For more information about using digital certificates, see Digital certificates.

You can use the CONNECTION_PROPERTY system function to retrieve the encryption settings for the current connection:

SELECT CONNECTION_PROPERTY ( 'Encryption' );

The function returns one of five values: None, Simple, ecc_tls, rsa_tls, or rsa_tls_fips depending which type of encryption is being used by the connection.

See CONNECTION_PROPERTY function [System].

Example

The following connection string fragment connects to a database server using transport-layer security and elliptic-curve encryption:

"Host=myhost;Server=myserver;ENCRYPTION=tls(tls_type=ecc;trusted_certificate=eccroot.crt)"

The following connection string fragment connects to a database server using transport-layer security and RSA encryption:

"Host=myhost;Server=myserver;ENCRYPTION=tls(tls_type=rsa;fips=n;trusted_certificate=rsaroot.crt)"

The following connection string fragment connects to a database server using simple encryption:

"Host=myhost;Server=myserver;ENCRYPTION=simple"

Discuss this page in DocCommentXchange.