Adds, deletes, or displays a list of server certificates for the SAP ASE server.
sp_ssladmin {[addcert, certificate_path [, password | NULL]] [dropcert, certificate_path] [lscert] [help]} [lsciphers] [setciphers, {"FIPS" | "Strong" | "Weak" | "All" | quoted_list_of_ciphersuites}]
“FIPS” – is the set of encryptions, hash, and key exchange algorithms that are FIPS-compliant. The algorithms included in this list are AES, 3DES, DES, and SHA1.
“Strong” – is the set of encryption algorithms using keys longer than 64 bits.
“Weak” – is the set of encryption algorithms from the set of all supported cipher suites that are not included in the strong set.
“All” – is the set of default cipher suites.
quoted_list_of_ciphersuites – specifies a set of cipher suites as a comma-separated list, ordered by preference. Use quotes (“ ”) to mark the beginning and end of the list. The quoted list can include any of the predefined sets as well as individual cipher suite names. Unknown cipher suite names cause an error to be reported, and no changes are made to preferences. See Chapter 19, “Confidentiality of Data,” in the System Administration Guide for the list of cipher suites included in the defined sets.
```
sp_ssladmin addcert, "/sybase/ASE-12_5/certificates/Server1.crt", "mypassword"
```

```
sp_ssladmin dropcert, "/sybase/ASE-12_5/certificates/Server1.crt"
```

```
sp_ssladmin lscert
go
certificate_path
----------------------------------------
/sybase/ASE-12_5/certificates/Server1.crt
```

```
1> sp_ssladmin lscipher
2> go
Cipher Suite Name  Preference
-----------------  ----------
(0 rows affected)
(return status = 0)
```

```
1> sp_ssladmin setcipher, 'FIPS'
2> go
```
A preference of 0 (zero) in sp_ssladmin output indicates that the SAP ASE server does not use that cipher suite. Non-zero values give the order of preference in which the SAP ASE server offers the cipher suites during the SSL handshake. The client side of the handshake chooses one of these cipher suites that matches its own list of accepted cipher suites.
```
1> sp_ssladmin setcipher, 'TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA'
2> go
```
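As an added example (not SAP's code), the following Python reads lscipher output in the column layout shown above, lists the suites the server actually offers in handshake preference order, flags any offered suite outside an approved set, and builds the quoted list argument that setcipher accepts. The approved set, the constructed sample rows, and the assumption that suite names begin with TLS_ are mine.

```python
"""Audit helper for sp_ssladmin lscipher output (added example, not SAP code).

A preference of 0 means the server does not offer the suite; non-zero values
are the order in which the server offers suites during the SSL handshake.
"""
import re

# Approved suites: the two named on this page (assumption: a policy choice).
APPROVED = {"TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"}

# Constructed sample output in the two-column layout the page shows.
SAMPLE_OUTPUT = """\
Cipher Suite Name                 Preference
--------------------------------- ----------
TLS_RSA_WITH_AES_256_CBC_SHA               1
TLS_RSA_WITH_AES_128_CBC_SHA               2
TLS_RSA_WITH_3DES_EDE_CBC_SHA              3
TLS_RSA_WITH_DES_CBC_SHA                   0
TLS_RSA_WITH_RC4_128_MD5                   0
(5 rows affected)
(return status = 0)
"""

# Assumption: every data row is "<TLS_... name> <integer preference>".
ROW = re.compile(r"^\s*(TLS_[A-Z0-9_]+)\s+(\d+)\s*$")

def parse_lscipher(text):
    """Return {suite: preference}; header, rule and footer lines are skipped."""
    return {m.group(1): int(m.group(2))
            for m in (ROW.match(line) for line in text.splitlines()) if m}

def offered_in_order(prefs):
    """Suites the server offers (preference != 0), most preferred first."""
    return [s for s, p in sorted(prefs.items(), key=lambda kv: kv[1]) if p != 0]

def unapproved_offered(prefs, approved=APPROVED):
    """Offered suites outside the approved set; these need attention."""
    return [s for s in offered_in_order(prefs) if s not in approved]

def remediated(prefs, approved=APPROVED):
    """Approved suites only, keeping the server's current preference order."""
    return [s for s in offered_in_order(prefs) if s in approved]

def setcipher_argument(suites):
    """Quoted, comma-separated, preference-ordered list as setcipher expects."""
    return '"' + ", ".join(suites) + '"'

if __name__ == "__main__":
    prefs = parse_lscipher(SAMPLE_OUTPUT)
    print("offered   :", offered_in_order(prefs))
    print("unapproved:", unapproved_offered(prefs))
    print("sp_ssladmin setcipher,", setcipher_argument(remediated(prefs)))
```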
The SAP ASE listener must present a certificate to the client. The common name in the certificate must match the common name that the client uses from the interfaces file; if they do not match, server authentication and the login fail.
When NULL is specified as the password, dataserver must be started with a -y flag. This flag prompts the administrator for the private-key password at the command line.
The use of NULL as the password is intended to protect passwords during the initial configuration of SSL, before the SSL encrypted session begins.
After restarting the SAP ASE server with an SSL connection established, use sp_ssladmin again, this time with the actual password. The SAP ASE server then encrypts and stores the password. Any subsequent starts of the SAP ASE server from the command line use the encrypted password, so you do not have to specify the password on the command line during startup.
You can specify “localhost” as the hostname in the interfaces file (sql.ini on Windows) to prevent clients from connecting remotely. Only a local connection can be established, and the password is never transmitted over a network connection.
See also Confidentiality of Data in the System Administration Guide.
The permission checks for sp_ssladmin differ based on your granular permissions settings.
Setting | Description |
---|---|
Enabled | With granular permissions enabled, you must be a user with manage security configuration privilege. |
Disabled | With granular permissions disabled, you must be a user with sso_role. |
Values in event and extrainfo columns from the sysaudits table are:
Information | Values |
---|---|
Event | 38 |
Audit option | exec_procedure |
Command or access audited | Execution of a procedure |
Information in extrainfo | |