Validating the server by its certificate

Any Adaptive Server OBDC Driver client connection to an SSL-enabled server requires have a certificate file, which consists of the server’s certificate and an encrypted private key. The certificate must also be digitally signed by a signing/certification authority (CA). Adaptive Server OBDC Driver client applications establish a socket connection to Adaptive Server similar to the way that existing client connections are established. Before any user data is transmitted, an SSL handshake occurs on the socket when the network transport-level connect call completes on the client side and the accept call completes on the server side.

To make a successful connection to an SSL-enabled server:

  1. The SSL-enabled server must present its certificate when the client application makes a connection request.

  2. The client application must recognize the CA that signed the certificate. A list of all “trusted” CAs is in the “trusted roots file.”

The trusted roots file

The list of known and trusted CAs is maintained in the trusted roots file. The trusted roots file is similar in format to a certificate file, except that it contains certificates for CAs known to the entity (such as client applications, servers, network resources, and so on). The system security officer adds and deletes trusted CAs using a standard ASCII-text editor.

The application program specifies the location of the trusted roots file using the TrustedFile=trusted file path property in the ConnectString. A trusted roots file with the most widely used CAs (thawte, Entrust, Baltimore, VeriSign, and RSA) is installed in a file located at $SYBASE/config/trusted.txt.

For more information about certificates, see the Open Client Client-Library/C Reference Manual.