Adds, deletes, or displays a list of server certificates for Adaptive Server.
sp_ssladmin {[addcert, certificate_path [, password | NULL]] [dropcert, certificate_path] [lscert] [help]} [lsciphers] [setciphers, {"FIPS" | "Strong" | "Weak" | "All" | quoted_list_of_ciphersuites}]
addcert – adds a certificate for the local server in the certificates file.
certificate_path – specifies the absolute path to the certificates file on the local server.
password – is the password that is used to encrypt the private key when adding a new server certificate to the certificates file.
NULL – is used to require an attended start-up of Adaptive Server by requesting the password during start-up from the command line.
dropcert – deletes the certificate from the certificate file.
lscert – lists the certificates in the certificate file.
help – displays online help for sp_ssladmin.
lsciphers – displays the values for any set cipher suite preferences.
setciphers – sets a specific cipher suite preference. Select one of these options:
“FIPS” – is the set of encryption, hash, and key exchange algorithms that are FIPS-compliant. The algorithms included in this list are AES, 3DES, DES, and SHA1.
“Strong” – is the set of encryption algorithms using keys longer than 64 bits.
“Weak” – is the set of encryption algorithms from the set of all supported cipher suites that are not included in the strong set.
“All” – is the set of default cipher suites.
quoted_list_of_ciphersuites – specifies a set of cipher suites as a comma-separated list, ordered by preference. Use quotes (“ ”) to mark the beginning and end of the list. The quoted list can include any of the predefined sets as well as individual cipher suite names. Unknown cipher suite names cause an error to be reported, and no changes are made to preferences. See Chapter 19, “Confidentiality of Data,” in the System Administration Guide for the list of cipher suites included in the defined sets.
Adds an entry for the local server, Server1.crt, in the certificates file in the absolute path to /sybase/ASE-12_5/certificates (x:\sybase\ASE-12_5\certificates on Windows). The private key is encrypted with the password “mypassword”. The password should be the one specified when you created the private key:
sp_ssladmin addcert, "/sybase/ASE-12_5/certificates/Server1.crt", "mypassword"
Deletes the certificate, Server1.crt, from the certificates file located in /sybase/ASE-12_5/certificates (x:\sybase\ASE-12_5\certificates on Windows):
sp_ssladmin dropcert, "/sybase/ASE-12_5/certificates/Server1.crt"
Lists all server certificates on the local server:
sp_ssladmin lscert
go
certificate_path
----------------------------------------
/sybase/ASE-12_5/certificates/Server1.crt
On initial startup, before any cipher suite preferences have been set, no preferences are shown by sp_ssladmin lscipher.
1> sp_ssladmin lscipher
2> go
Cipher Suite Name Preference
----------------- ----------
(0 rows affected)
(return status = 0)
This example specifies the set of cipher suites that use FIPS algorithms:
1> sp_ssladmin setcipher, 'FIPS'
2> go
A preference of 0 (zero) in the sp_ssladmin output indicates that a cipher suite is not used by Adaptive Server. The other, non-zero numbers indicate the preference order in which Adaptive Server uses the algorithm during the SSL handshake. The client side of the SSL handshake chooses one of these cipher suites that matches its list of accepted cipher suites.
Uses a quoted list of cipher suites to set preferences in Adaptive Server:
1> sp_ssladmin setcipher, 'TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA'
2> go
The Adaptive Server listener must present a certificate to the client. The common name in the certificate must match the common name used by the client in the interfaces file. If they do not match, the server authentication and login fail.
When NULL is specified as the password, dataserver must be started with a -y flag. This flag prompts the administrator for the private-key password at the command line.
The use of NULL as the password is intended to protect passwords during the initial configuration of SSL, before the SSL encrypted session begins.
After restarting Adaptive Server with an SSL connection established, use sp_ssladmin again, this time using the actual password. The password is then encrypted and stored by Adaptive Server. Any subsequent starts of Adaptive Server from the command line use the encrypted password; you do not have to specify the password on the command line during start-up.
You can specify “localhost” as the hostname in the interfaces file (sql.ini on Windows) to prevent clients from connecting remotely. Only a local connection can be established, and the password is never transmitted over a network connection.
The lsciphers and setciphers options allow you to restrict the set of cipher suites that Adaptive Server uses, giving control to the system security officer over the kinds of encryption algorithms that may be used by client connections to the server or outbound connections from Adaptive Server. By default, Adaptive Server uses an internally defined set of preferences for cipher suites. See Chapter 19, “Confidentiality of Data,” in the System Administration Guide for more information.
sp_ssladmin setciphers sets cipher suite preferences to the given ordered list. This restricts the available SSL cipher suites to the specified set of “FIPS”, “Strong”, “Weak”, “All”, or a quoted list of cipher suites. This takes effect on the next listener started, and requires that you restart Adaptive Server to ensure that all listeners use the new settings.
You can display any cipher suite preferences that have been set using sp_ssladmin lsciphers. If no preferences have been set, sp_ssladmin lsciphers returns 0 rows to indicate no preferences are set and Adaptive Server uses its default (internal) preferences.
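The following Python script is an added example, not part of the Sybase documentation: it parses captured sp_ssladmin lsciphers output, lists the enabled suites in preference order (preference 0 means not used), and flags enabled suites whose keys are not longer than 64 bits, following the “Strong” definition above. The sample output, the key-size table, and the function names are constructed assumptions; the suites in the predefined sets are those listed in the System Administration Guide.

```python
import re

# Constructed sample of isql output; real suite names depend on the ASE version.
SAMPLE_OUTPUT = """\
 Cipher Suite Name                  Preference
 ---------------------------------- ----------
 TLS_RSA_WITH_AES_256_CBC_SHA                2
 TLS_RSA_WITH_AES_128_CBC_SHA                1
 TLS_RSA_WITH_3DES_EDE_CBC_SHA               3
 TLS_RSA_WITH_DES_CBC_SHA                    4
 TLS_RSA_WITH_RC4_128_MD5                    0

(5 rows affected)
(return status = 0)
"""

# Nominal key sizes in bits by cipher token (assumed table, not from the page).
# Longer tokens come first so that "DES" does not shadow "DES40".
KEY_BITS = {"AES_256": 256, "AES_128": 128, "3DES_EDE": 168,
            "RC4_128": 128, "RC4_40": 40, "DES40": 40, "DES": 56, "NULL": 0}

ROW = re.compile(r"^\s*((?:TLS|SSL)_\w+)\s+(\d+)\s*$")

def parse_lsciphers(text):
    """Return {suite_name: preference} from captured lsciphers output."""
    return {m.group(1): int(m.group(2))
            for m in map(ROW.match, text.splitlines()) if m}

def key_bits(suite):
    """Key size of the bulk cipher named after _WITH_, or None if unknown."""
    cipher = suite.split("_WITH_", 1)[-1]
    for token, bits in KEY_BITS.items():
        if cipher.startswith(token):
            return bits
    return None

def audit(text):
    """Return (enabled suites in preference order, enabled suites <= 64 bits)."""
    prefs = parse_lsciphers(text)
    enabled = sorted((s for s, p in prefs.items() if p > 0), key=prefs.get)
    # Unknown ciphers count as 0 bits so they are flagged rather than ignored.
    weak = [s for s in enabled if (key_bits(s) or 0) <= 64]
    return enabled, weak

if __name__ == "__main__":
    enabled, weak = audit(SAMPLE_OUTPUT)
    print("preference order:", enabled, "\nnot in the Strong class:", weak)
```

An empty result from parse_lsciphers corresponds to the 0-rows case, in which Adaptive Server uses its default (internal) preferences and the output alone does not show which suites are enabled.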
You must have the system security officer role to use sp_ssladmin.
Values in event and extrainfo columns from the sysaudits table are:
Event | Audit option | Command or access audited | Information in extrainfo |
---|---|---|---|
38 | exec_procedure | Execution of a procedure | |
Document: Chapter 19, “Confidentiality of Data,” in the System Administration Guide.