Setting up SSL on the server (for UNIX)

Note: The following procedure to provide SSL encryption and to authenticate clients is not valid for DirectConnect for Oracle. Refer to the ECDA Option for Oracle Server Administration and User’s Guide.

SSL in DirectConnect provides encryption of data sent over the network and authenticates clients and their passwords using digital certificates. Setting up SSL in DirectConnect involves the three procedures that follow:

Note: DirectConnect 12.6 does not support transfer to and transfer from on the SSL-enabled Adaptive Server servers.

Steps: To create the certificate authority (CA) files

  1. Set up the Sybase environment variables (in a Bourne-style shell, use the "." command and SYBASE.sh instead):

    prompt% source $SYBASE/SYBASE.csh
    

    Note: If you have previously created or obtained the certificate authority files, skip steps 2-9.

  2. Change to the Sybase Open Client/Server bin directory to run the SSL utilities:

    prompt% cd $SYBASE/$SYBASE_OCS/bin
    
  3. Create the CA request parameter file CA.in. (For the parameters, refer to the ASE Utilities Guide entry for certreq.) Enter the parameters for the CA certificate that you are going to use with the certreq utility, as shown:

    prompt% vi CA.in
    req_certtype=Server
    req_keytype=RSA
    req_keylength=512
    req_country=US
    req_state=CO
    req_locality=Boulder
    req_organization=Sybase
    req_orgunit=Security
    req_commonname=CA
    
  4. Create a private key file and a certificate request file for the CA certificate:

    prompt% certreq -F CA.in -R CA_req.txt -K CA_pkey.txt -P mycapassword
    

    The following message appears:

    Generating key pair (please wait)...
    
  5. Create the trusted CA public key file trusted.txt by signing the CA request CA_req.txt with the CA private key (the CA certificate is self-signed, -r, and valid for 365 days, -T 365):

    prompt% certauth -r -C CA_req.txt -Q CA_req.txt -K CA_pkey.txt -P mycapassword -T 365 -O trusted.txt
    
    -- Sybase Test Certificate Authority certauth/12.6/SWR 9609 GA/P/Sun_svr4/OS 5.8/main/1647/32-bit/OPT/Fri Jun  1 17:19:08 2001 
    --Certificate Validity:
    startDate = Tue Apr 23 15:01:40 2002
    endDate = Wed Apr 23 15:01:40 2003
    CA sign certificate SUCCEED (0).
    

Steps: To create the certificate files specific to the DirectConnect server and service

Note: In UNIX, the name of the server and service must be the same.

  1. Enter the DirectConnect parameters for the service certificate request in DC.in. (For the parameters, refer to the ASE utilities documentation for certreq.)

    prompt% vi DC.in
    
    req_certtype=Server
    req_keytype=RSA
    req_keylength=512
    req_country=US
    req_state=CO
    req_locality=Boulder
    req_organization=Sybase
    req_orgunit=Database
    req_commonname=servicename
    
  2. Create private key and certificate request files for the DirectConnect service:

    prompt% certreq -F DC.in -R servicename_req.txt -K servicename_pkey.txt -P mydcpassword
    
  3. Create the DirectConnect certificate file servicename.crt by signing the servicename_req.txt request with the CA private key (valid for 180 days, -T 180):

    prompt% certauth -C trusted.txt -Q servicename_req.txt -K CA_pkey.txt -P mycapassword -T 180 -O servicename.crt
    

    The following appears:

    -- Sybase Test Certificate Authority certauth/12.6/SWR 9609 GA/P/Sun_svr4/OS 5.8/main/1647/32-bit/OPT/Fri Jun  1 17:19:08 2001 
    --Certificate Validity:
    startDate = Tue Apr 23 15:11:33 2002
    endDate = Sun Oct 20 15:11:33 2002
    CA sign certificate SUCCEED (0)
    
  4. Append the service name private key file to the signed service name public key file:

    prompt% cat servicename_pkey.txt >> servicename.crt
    
  5. Verify that the private key file has been appended by displaying the file:

    prompt% cat servicename.crt
    
  6. Copy the trusted.txt file to the DirectConnect <servicename>.txt file:

    prompt% cp trusted.txt servicename.txt
    
  7. Using the pwdcrypt utility, create an encrypted form of the service password that DirectConnect uses when establishing an SSL connection:

    prompt% pwdcrypt
    

    Enter the password to be encrypted; the session looks similar to the following:

    Note: The password you enter is not displayed. Use the same password (mydcpassword) that you entered in step 2.

    Enter password please:
    Enter password again:
    The encrypted password:
    0x018c2e0ea8cfc44513e8ff06f3a1b20825288d0ae1ce79268d0e8669313d1bc4c70c
    
  8. Paste the encrypted password string from the previous step into the file servicename.pwd:

    prompt% vi servicename.pwd
    
  9. Copy the trusted.txt file to the DirectConnect srvname.txt file:

    prompt% cp trusted.txt srvname.txt
    
  10. From the list of files, verify that all the following files are present:

    prompt% ls
    
    CA.in
    CA_pkey.txt
    CA_req.txt
    
    servicename.crt
    servicename.pwd
    servicename.txt
    servicename_pkey.txt
    servicename_req.txt
    srvname.txt
    trusted.txt
    

Steps: To create the DirectConnect certificates directory, enable SSL, and verify the DirectConnect log files

Note: In the following steps, the DirectConnect server name and service name must be the same.

  1. Create a DirectConnect directory to hold the certificates:

    prompt% mkdir $SYBASE/$SYBASE_ECON/servername/certificates
    
  2. Copy the servicename.crt, servicename.pwd, servicename.txt, and srvname.txt files into the new DirectConnect certificates directory created in the previous step:

    prompt% cp $SYBASE/$SYBASE_OCS/bin/servicename.* $SYBASE/$SYBASE_ECON/servername/certificates
    
    prompt% cp $SYBASE/$SYBASE_OCS/bin/srvname.txt $SYBASE/$SYBASE_ECON/servername/certificates
    
  3. Verify that the files are copied by listing the contents of the DirectConnect certificates directory:

    prompt% cd $SYBASE/$SYBASE_ECON/servername/certificates
    
    prompt% ls
    
    servicename.crt
    servicename.pwd
    servicename.txt
    
    srvname.txt
    
  4. Edit the server.cfg file to enable the SSL service:

    prompt% cd $SYBASE/$SYBASE_ECON/servername/cfg
    
    prompt% vi server.cfg
    
    {Client Interaction}
    SSLServices=servicename
    SSLEnabled=yes
    
  5. Display the file and verify that the logging properties in the {Logging} section match the following:

    prompt% cat server.cfg
    
    {Logging}
    LogWrap=yes
    LogToScreen=yes
    LogOCOSMessages=1
    LogFlush=yes
    LogFileSize=500000
    LogFileName=
    LogClientMessages=1
    LogClientLogin=yes
    
  6. Append “ssl” to the master and query entries for the server in the interfaces file:

    prompt% cd $SYBASE
    prompt% vi interfaces
    
    servername
    	master tcp ether <machine name> 12510 ssl
    	query tcp ether <machine name> 12510 ssl
    
  7. Start DirectConnect by entering the following:

    prompt% DCStart -S<dcservername>
    
  8. Verify that the following log file entries are in the $SYBASE/$SYBASE_ECON/servername/log/servername.log file:

    LogHeader	...SSL: Checking for servicename.txt...
    LogHeader	...SSL: Using trusted CA file...
    LogHeader	...SSL: Checking for servicename.crt...
    LogHeader	...SSL: Using certificate file...
    LogHeader	...SSL: Checking for servicename.pwd...
    LogHeader	...SSL: Using certificate password file...
    

    WARNING! Echo of the password caused a blank character to be appended to the password. Remove the additional space to avoid an error.
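As an added post-install check (not part of the Sybase documentation), the following script verifies the certificates directory and server.cfg that the three procedures above leave behind, including the trailing-blank problem the warning describes. It assumes that certreq/certauth write PEM-style files with "BEGIN CERTIFICATE" and "PRIVATE KEY" markers (an assumption, not stated on this page) and that pwdcrypt prints a single 0x-prefixed hex string as shown in step 7; the sample files it builds are constructed stand-ins, not real keys.

```shell
#!/bin/sh
# Added example, not part of the Sybase documentation. Assumes certreq/certauth
# write PEM-style files ("BEGIN CERTIFICATE", "PRIVATE KEY" markers) and that
# pwdcrypt prints one 0x-prefixed hex string, as shown above.

# cfg_value SECTION KEY FILE: print KEY's value from the {SECTION} block of server.cfg
cfg_value() {
    awk -v sec="{$1}" -v key="$2=" '
        substr($0, 1, 1) == "{" { insec = ($0 == sec); next }
        insec && index($0, key) == 1 { print substr($0, length(key) + 1); exit }' "$3"
}

# check_dc_ssl_layout CERTDIR CFGFILE SERVICENAME: 0 if ready, 1 with findings printed
check_dc_ssl_layout() {
    dir=$1 cfg=$2 name=$3 rc=0
    for f in "$name.crt" "$name.pwd" "$name.txt" srvname.txt; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f"; rc=1; }
    done
    # the .crt must hold the signed certificate AND the appended private key (step 4)
    grep -q 'BEGIN CERTIFICATE' "$dir/$name.crt" 2>/dev/null || { echo "$name.crt: no certificate"; rc=1; }
    grep -q 'PRIVATE KEY' "$dir/$name.crt" 2>/dev/null || { echo "$name.crt: private key not appended"; rc=1; }
    # the WARNING above: a blank echoed after the pwdcrypt string breaks the SSL login
    if [ -s "$dir/$name.pwd" ]; then
        grep -q '[[:space:]]$' "$dir/$name.pwd" && { echo "$name.pwd: trailing blank"; rc=1; }
        grep -Eqx '0x[0-9a-fA-F]+' "$dir/$name.pwd" || { echo "$name.pwd: not a single pwdcrypt string"; rc=1; }
    fi
    # server.cfg must enable SSL and name this service (server and service names are the same)
    [ "$(cfg_value 'Client Interaction' SSLEnabled "$cfg")" = yes ] || { echo "server.cfg: SSLEnabled is not yes"; rc=1; }
    [ "$(cfg_value 'Client Interaction' SSLServices "$cfg")" = "$name" ] || { echo "server.cfg: SSLServices is not $name"; rc=1; }
    return $rc
}

# make_sample_layout DIR NAME: constructed stand-in files (no real keys) so the check can run offline
make_sample_layout() {
    mkdir -p "$1/certificates" "$1/cfg"
    printf -- '-----BEGIN CERTIFICATE-----\nSAMPLE\n-----END CERTIFICATE-----\n' > "$1/certificates/$2.crt"
    printf -- '-----BEGIN ENCRYPTED PRIVATE KEY-----\nSAMPLE\n-----END ENCRYPTED PRIVATE KEY-----\n' >> "$1/certificates/$2.crt"
    printf -- '-----BEGIN CERTIFICATE-----\nSAMPLE CA\n-----END CERTIFICATE-----\n' > "$1/certificates/$2.txt"
    cp "$1/certificates/$2.txt" "$1/certificates/srvname.txt"
    printf '0x018c2e0ea8cfc44513e8ff06f3a1b20825288d0ae1ce79268d0e8669313d1bc4c70c\n' > "$1/certificates/$2.pwd"
    printf '{Client Interaction}\nSSLServices=%s\nSSLEnabled=yes\n{Logging}\nLogWrap=yes\n' "$2" > "$1/cfg/server.cfg"
}

tmp=$(mktemp -d)
make_sample_layout "$tmp/svc1" svc1
check_dc_ssl_layout "$tmp/svc1/certificates" "$tmp/svc1/cfg/server.cfg" svc1 && echo "svc1: SSL layout OK"
rm -rf "$tmp"
```

Run it against the real directory as check_dc_ssl_layout $SYBASE/$SYBASE_ECON/servername/certificates $SYBASE/$SYBASE_ECON/servername/cfg/server.cfg servicename before starting DirectConnect; each finding names the step to revisit.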