Database server with transport-layer security

To start the database server with transport-layer security, supply the server identity file name and the password protecting the server's private key.

For an overview of the steps required to set up transport-layer security, see Setting up transport-layer security.

Use the -ec database server option to specify the identity and identity_password parameters. If you want to allow unencrypted connections over shared memory, you must also specify the -es option.

Following is the syntax of a partial dbsrv12 command line:

-ec tls(
   tls_type=algorithm;
   identity=server-identity-filename;
   identity_password=password )
-x tcpip

  • algorithm   The algorithm to use. The algorithm can be rsa or ecc for RSA and ECC encryption, respectively. For FIPS-certified RSA encryption, specify tls_type=rsa;fips=y. RSA FIPS-certified encryption uses a separate certified library, but is compatible with SQL Anywhere 9.0.2 or later clients using RSA.

    For a list of FIPS-certified components, see http://www.sybase.com/detail?id=1061806.

    The algorithm must match the encryption (ECC or RSA) used to create your certificates.

    For information about enforcing FIPS-certified algorithms, see -fips dbeng12/dbsrv12 server option.

  • server-identity-filename   The path and file name of the server identity file. If you are using FIPS-certified RSA encryption, you must generate your certificates using the RSA algorithm.

    An identity file contains the public certificate and its private key. For certificates that are not self-signed, the identity file also contains all the signing certificates.

    For more information about creating the server certificate, which can be self-signed, or signed by a Certificate Authority or enterprise root certificate, see Digital certificates.

  • password   The password for the server private key. You specify this password when you create the server certificate.

You can also start the database server with simple encryption. Simple encryption makes it more difficult for someone using a packet sniffer to read the network packets sent between the client and the server, but does not assure data integrity or provide server authentication.

You specify the TCP/IP protocol using the -x database server option.
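The following script is an added example and is not part of the SQL Anywhere documentation or product. It assembles the -ec tls(...) option and the -x tcpip / -es options described above into a dbsrv12 command line, rejecting combinations the text rules out (tls_type other than rsa or ecc, fips=y with ecc, a missing identity file name or password), and inspects the identity file for the certificate and private key it is expected to hold. The function names are chosen here, and the check assumes the identity file is PEM text with BEGIN CERTIFICATE and PRIVATE KEY markers; the database file name and the sample values used in the usage call are constructed.

```shell
#!/bin/sh
# Added example (not SQL Anywhere code): build and sanity-check the dbsrv12
# transport-layer-security options before starting the server.
# Assumption: identity files are PEM text with "BEGIN CERTIFICATE" and
# "BEGIN ... PRIVATE KEY" markers. All function names are chosen here.

# build_ec_option ALGORITHM IDENTITY_FILE PASSWORD [FIPS]
# Prints the value to pass to -ec, or a message on stderr with status 1 when
# the inputs violate the rules stated on this page.
build_ec_option() {
    algorithm=$1; identity=$2; password=$3; fips=${4:-n}
    case "$algorithm" in
        rsa|ecc) ;;
        *) echo "tls_type must be rsa or ecc, got '$algorithm'" >&2; return 1 ;;
    esac
    # FIPS-certified encryption is available only for RSA certificates
    if [ "$fips" = y ] && [ "$algorithm" != rsa ]; then
        echo "fips=y requires tls_type=rsa" >&2; return 1
    fi
    [ -n "$identity" ] || { echo "server identity file name is required" >&2; return 1; }
    [ -n "$password" ] || { echo "identity_password is required" >&2; return 1; }
    if [ "$fips" = y ]; then
        printf 'tls(tls_type=%s;fips=y;identity=%s;identity_password=%s)\n' \
            "$algorithm" "$identity" "$password"
    else
        printf 'tls(tls_type=%s;identity=%s;identity_password=%s)\n' \
            "$algorithm" "$identity" "$password"
    fi
}

# inspect_identity_file FILE
# Prints "<certificate count> <private key count>". A usable identity file
# holds at least one certificate (more when a CA-signed chain is included)
# and exactly one private key; anything else returns status 1.
inspect_identity_file() {
    f=$1
    [ -r "$f" ] || { echo "cannot read identity file '$f'" >&2; return 1; }
    certs=$(grep -c 'BEGIN CERTIFICATE' "$f" || true)
    keys=$(grep -c 'BEGIN.*PRIVATE KEY' "$f" || true)
    echo "$certs $keys"
    [ "$certs" -ge 1 ] && [ "$keys" -eq 1 ]
}

# dbsrv12_tls_cmdline DBFILE ALGORITHM IDENTITY_FILE PASSWORD [FIPS] [ALLOW_SHMEM]
# Prints the full command line. ALLOW_SHMEM=y adds -es so that unencrypted
# shared-memory connections are still accepted alongside the TLS TCP/IP port.
dbsrv12_tls_cmdline() {
    db=$1
    ec=$(build_ec_option "$2" "$3" "$4" "$5") || return 1
    shmem=${6:-n}
    if [ "$shmem" = y ]; then
        printf 'dbsrv12 -ec %s -es -x tcpip %s\n' "$ec" "$db"
    else
        printf 'dbsrv12 -ec %s -x tcpip %s\n' "$ec" "$db"
    fi
}

# Usage with constructed sample values (nothing here is started for real):
dbsrv12_tls_cmdline demo.db rsa /opt/sa/server.id "$SA_IDENTITY_PASSWORD" y n
```

The assembled string is placed on the dbsrv12 command line exactly as the page shows, so the identity password is visible to anything on the host that can list process arguments; keep that in mind when deciding who may log in to the server host, and read the password from a protected variable or file rather than typing it into a shared shell history.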
