To administer SSL and certificates in Adaptive Server, use sp_ssladmin. sso_role is required to execute the stored procedure.
sp_ssladmin is used to:
Add local server certificates. You can add certificates and specify the password used to encrypt private keys, or require input of the password at the command line during start-up.
Delete local server certificates.
List server certificates.
The syntax for sp_ssladmin is:
sp_ssladmin {[addcert, certificate_path [, password|NULL]] [dropcert, certificate_path] [lscert] [help]} [lsciphers] [setciphers, {"FIPS" | "Strong" | "Weak" | "All" | quoted_list_of_ciphersuites}]
For example:
sp_ssladmin addcert, "/sybase/ASE-12_5/certificates/Server1.crt", "mypassword"
This adds an entry for the local server certificate Server1.crt, located in /sybase/ASE-12_5/certificates (x:\sybase\ASE-12_5\certificates on Windows), to the certificates file. The private key is encrypted with the password “mypassword”, which must be the same password you specified when you created the private key.
Before accepting the certificate, sp_ssladmin verifies that:
The private key can be decrypted using the provided password (except when NULL is specified).
The private key and public key in the certificate match.
The certificate chain, from root CA to the server certificate, is valid.
The common name in the certificate matches the common name in the interfaces file.
If the common names do not match, sp_ssladmin issues a warning but still adds the certificate. If any of the other checks fails, the certificate is not added to the certificates file.
WARNING! Adaptive Server limits passwords to 64 characters. In addition, certain platforms restrict the length of valid passwords when creating server certificates. Select a password that satisfies both the 64-character limit and the limit for your platform:
Sun Solaris – both 32- and 64-bit platforms, 256 characters.
Linux – 128 characters.
IBM – both 32- and 64-bit platforms, 32 characters.
HP – both 32- and 64-bit platforms, 8 characters.
Windows NT – 256 characters.
The NULL password option exists to protect the private-key password during the initial configuration of SSL. Until SSL is configured, the isql connection to Adaptive Server is not encrypted, so a password passed to sp_ssladmin addcert would travel in cleartext over the network. Specifying NULL as the password during this first login avoids sending it.
When NULL is the password, you must start dataserver with a -y flag, which prompts the administrator for the private-key password at the command line.
After restarting Adaptive Server, connect over an SSL-encrypted session and run sp_ssladmin addcert again, this time with the actual password. Adaptive Server encrypts and stores the password. Subsequent starts of Adaptive Server from the command line use the stored, encrypted password, so you no longer need -y or a password prompt during start-up.
An alternative to using a NULL password during the first login is to avoid any remote connection to Adaptive Server via isql. If you specify “localhost” as the hostname in the interfaces file (sql.ini on Windows), clients cannot connect remotely; only a local connection can be established, and the password never crosses a network connection.
Adaptive Server has sufficient memory in its network memory pool to allow sp_ssladmin addcert to set the certificate and private key password with its default memory allocations. However, if another network memory consumer has already allocated the default network memory, sp_ssladmin may fail and display this error to the client:
Msg 12823, Level 16, State 1: Server 'servername', Procedure 'sp_ssladmin', Line 72: Command 'addcert' failed to add certificate path /work/REL125/ASE-12_5/certificates/servername.crt, system error: ErrMemory. (return status = 1)
Or the following message may appear in the error log:
... ssl_alloc: Cannot allocate using ubfalloc(rnetmempool, 131072)
As a workaround, you can increase the additional network memory configuration parameter. Adaptive Server needs about 500K bytes of memory for sp_ssladmin addcert to succeed, so increasing additional network memory by this amount may allow it to succeed. This memory is reused by the network memory pool when needed, or you can return additional network memory to its previous value after sp_ssladmin has successfully completed.
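The following isql session is an added worked example (not from the Sybase manual) that puts the two procedures above together: the NULL-password bootstrap followed by the -y restart and the real addcert, and the additional network memory workaround for the ErrMemory failure. The server name, certificate path, password and the assumption that additional network memory currently starts at 0 are all illustrative.

```sql
-- Step 1: first login, before SSL is configured. The isql connection is
-- still unencrypted, so pass NULL instead of the private-key password.
-- Run as a login that holds sso_role. Server name and path are assumed.
sp_ssladmin addcert, "/sybase/ASE-12_5/certificates/Server1.crt", NULL
go

-- Step 2 (operating-system shell, not SQL): restart Adaptive Server with -y
-- so dataserver prompts for the private-key password on the console, e.g.
-- add -y to the dataserver line in RUN_Server1 (example file name):
--     dataserver -d <master_device> -s Server1 -y

-- Step 3: reconnect over the now SSL-protected port and store the real
-- password. Adaptive Server encrypts it, so later restarts need neither
-- -y nor a console prompt.
sp_ssladmin addcert, "/sybase/ASE-12_5/certificates/Server1.crt", "mypassword"
go

-- Confirm the entry is present in the certificates file.
sp_ssladmin lscert
go

-- Workaround if addcert fails with Msg 12823 / ErrMemory: give the network
-- memory pool the roughly 500K bytes it needs. 524288 is 512K; this
-- parameter is sized in multiples of 2K. Read the current value first
-- and add 524288 to it (the example assumes it was 0).
sp_configure "additional network memory"
go
sp_configure "additional network memory", 524288
go

-- Retry the failed addcert, then optionally restore the previous value.
sp_ssladmin addcert, "/sybase/ASE-12_5/certificates/Server1.crt", "mypassword"
go
sp_configure "additional network memory", 0
go
```

Step 2 is the only part of the sequence that runs outside isql; everything else is entered in the same tool the page describes, and each addcert call is subject to the verification checks listed earlier on this page (password decryption, key match, chain validity and the common-name warning).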
Copyright © 2005. Sybase Inc. All rights reserved.