sp_ssladmin

Description

Adds, deletes, or displays a list of server certificates for Adaptive Server.

Syntax

sp_ssladmin {[addcert, certificate_path [, password | NULL]] 
	[dropcert, certificate_path]
	[lscert] 
	[help]}
	[lsciphers]
	[setciphers, 
	{"FIPS" | "Strong" | "Weak" | "All" | quoted_list_of_ciphersuites}]

Parameters

addcert

adds a certificate for the local server in the certificates file.

certificate_path

specifies the absolute path to the certificates file on the local server.

password

the password that is used to encrypt the private key when adding a new server certificate to the certificates file.

NULL

used to require an attended atart-up of Adaptive Server by requesting the password during start-up from the command line.

dropcert

deletes the certficate from the certificate file.

lscert

lists the certificates in the certificate file.

help

displays online help for sp_ssladmin.

lsciphers

displays the values for any set cipher suite preferences.

setciphers, {"FIPS" | "Strong" | "Weak" | "All" | quoted_list_of_ciphersuites}

sets a specific cipher suite preference. Select one of these options:

  • “FIPS” – is the set of encryptions, hash, and key exchange algorithms that are FIPS-compliant. The algorithms included in this list are AES, 3DES, DES, and SHA1.

  • “Strong” – is the set of encryption algorithms using keys longer than 64 bits.

  • “Weak” – is the set of encryption algorithms from the set of all supported cipher suites that are not included in the strong set.

  • “All” – is the set of default cipher suites.

  • quoted_list_of_ciphersuites – specifies a set of cipher suites as a comma-separated list, ordered by preference. Use quotes (“ ”) to mark the beginning and end of the list. The quoted list can include any of the predefined sets as well as individual cipher suite names. Unknown cipher suite names cause an error to be reported, and no changes are made to preferences. See Chapter 19, “Confidentiality of Data,” in the System Administration Guide for the list of cipher suites included in the defined sets.

Examples

Example 1

Adds an entry for the local server, Server1.crt, in the certificates file in the absolute path to /sybase/ASE-12_5/certificates (x:\sybase\ASE-12_5\certificates on Windows). The private key is encrypted with the password “mypassword”. The password should be the one specified when you created the private key:

sp_ssladmin addcert, "/sybase/ASE-12_5/certificates/Server1.crt", 
    "mypassword"

Example 2

Deletes the certificate, Server1.crt from the certificates file located in /sybase/ASE-12_5/certificates (x:\sybase\ASE-12_5\certificates on Windows):

sp_ssladmin dropcert , "/sybase/ASE-12_5/certificates/Server1.crt"

Example 3

Lists of all server certificates on the local server:

sp_ssladmin lscert
go
certificate_path
----------------------------------------
/sybase/ASE-12_5/certificates/Server1.crt

Example 4

On initial startup, before any cipher suite preferences have been set, no preferences are shown by sp_ssladmin lscipher.

1> sp_ssladmin lscipher
2> go
 Cipher Suite Name  Preference  
-----------------   ---------- 
(0 rows affected)
(return status = 0)

This example specifies the set of cipher suites that use FIPS algorithms:

1> sp_ssladmin setcipher, 'FIPS'
2> go

A preference of 0 (zero) sp_ssladmin output indicates a cipher suite is not used by Adaptive Server. The other, non-zero numbers, indicate the preference order that Adaptive Server uses the algorithm during the SSL handshake. The client side of the SSL handshake chooses one of these cipher suites that matches its list of accepted cipher suites.

Example 5

Uses a quoted list of cipher suites to set preferences in Adaptive Server:

1> sp_ssladmin setcipher, 'TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA'
2> go

Usage


Using lsciphers and setciphers to set cipher suites

The lsciphers and setciphers options allow you to restrict the set of cipher suites that Adaptive Server uses, giving control to the System Security Officer over the kinds of encryption algorithms that may be used by client connections to the server or outbound connections from Adaptive Server. By default, Adaptive Server uses an internally defined set of preferences for cipher suites. See Chapter 19, “ Confidentiality of Data” in the System Administration Guide for more information.

sp_ssladmin setciphers sets cipher suite preferences to the given ordered list. This restricts the available SSL cipher suites to the specified set of “FIPS”, “Strong”, “Weak”, “All”, or a quoted list of cipher suites. This takes effect on the next listener started, and requires that you restart Adaptive Server to ensure that all listeners use the new settings.

You can display any cipher suite preferences that have been set using sp_ssladmin lsciphers. If no preferences have been set, sp_ssladmin lsciphers returns 0 rows to indicate no preferences are set and Adaptive Server uses its default (internal) preferences.

Permissions

You must have the System Security Officer role to use sp_ssladmin.

Auditing

Values in event and extrainfo columns from the sysaudits table are:

Event

Audit option

Command or access audited

Information in extrainfo

38

exec_procedure

Execution of a procedure

  • Roles – Current active roles

  • Keywords or options – NULL

  • Previous value – NULL

  • Current value – NULL

  • Other information – All input parameters

  • Proxy information – Original login name, if set proxy in effect

50

security

Server start

  • Roles – Current active roles

  • Keywords or options – NULL

  • Previous value – NULL

  • Current value – NULL

  • Other information

    • -dmasterdevicename

    • -iinterfaces file path

    • -Sservername

    • -eerrorfilename

  • Proxy information – Original login name, if set proxy in effect

See also

Document Chapter 19, “Confidentiality of Data” in the System Administration Guide.