A certificate is signed either with the private key belonging to another certificate or with its own private key, in which case it is self-signed. A sequence of public certificates in which each certificate is signed by the next is called a certificate chain. At one end of a typical chain is the certificate used by a particular Sybase IQ server. At the other end is a self-signed certificate that is vouched for by no other certificate, called the root certificate; a client that trusts the root can verify every certificate in the chain below it, so the chain is only as trustworthy as the client's decision to trust that root.
You can arrange certificates in various ways, depending on your requirements. The following sections describe how to construct and use certificate chains to achieve particular security goals.
If you have only a single server, the simplest setup is to create a self-signed certificate and give every IQ client a copy of it as the certificate to trust. The disadvantage is that the certificate's private key, which in this setup is also the key that every client's trust ultimately rests on, must be held on the Sybase IQ server, where it is harder to protect: if the server is compromised, the key the clients trust is compromised with it, and replacing the certificate means updating every client.
An enterprise root certificate is of particular benefit to organizations running more than one Sybase IQ server. You create one self-signed root certificate, keep its private key away from the servers, and use it to sign a separate certificate for each server. IQ clients then need only keep a copy of the root certificate to recognize any server that presents a certificate signed by that root, and adding a server requires no change on the clients.
Commercial certificate authorities can benefit organizations that require the utmost in security, in two ways. First, the private keys of their root certificates are protected by dedicated infrastructure and audited procedures, so the root is less likely to be compromised than one maintained in-house. Second, a commercial certificate authority provides a trusted third party when two companies that have no prior relationship, and therefore share no root certificate, wish to communicate securely.
You can, and in some cases should, use the facilities provided to verify fields of the server certificate, such as the organization, organizational unit and common name in its subject. This precaution is appropriate in many scenarios, but especially when using a certificate signed by a commercial certificate authority: that authority signs certificates for many other customers, and a client that trusts the authority's root alone would accept any of them. Checking the subject fields restricts the client to the certificates issued to your organization and, if you also check the name, to one particular server.
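The enterprise-root setup described above and the subject-field check described here, worked through with the OpenSSL command-line tool as an added example. This is not Sybase IQ's own tooling and does not use the IQ client's connection options; the organization names, server names and file layout are constructed for the demonstration, and the only real interface is the openssl command line. The script builds an in-house root, signs server certificates with it, and then applies the two checks a careful client makes: the chain check, and a comparison of the subject's O, OU and (optionally) CN against expected values. A certificate the same root signed for a different organization passes the first check and fails the second.

```shell
#!/bin/sh
# Added example (not Sybase IQ's own tooling): build an enterprise root,
# sign server certificates with it, and check them as a careful client would.
# All names, organizations and the directory layout are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Enterprise root: a self-signed certificate marked CA:TRUE. In production
# its private key is generated and kept on a machine that is not an IQ server.
make_root() {            # make_root NAME "/O=.../OU=.../CN=..."
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -sha256 \
    -days 3650 -extfile "$WORK/ca.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# Server identity: the key and CSR are made on the server; only the CSR
# travels to wherever the root key lives to be signed.
issue_server() {         # issue_server NAME ROOT "/O=.../OU=.../CN=..."
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$3" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/$1.csr" -sha256 -days 365 \
    -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# Chain check: does the certificate chain up to the root the client holds?
chain_ok() {             # chain_ok ROOT CERT
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# One subject field (O, OU or CN), read from the one-RDN-per-line form.
field_of() {             # field_of CERT FIELD
  openssl x509 -in "$WORK/$1.pem" -noout -subject -nameopt sep_multiline |
    sed -n "s/^ *$2=//p"
}

# Client policy: trust the root, then pin the organization and unit, and
# optionally the server name. A certificate the same root signed for another
# organization passes the chain check but is refused here.
client_accepts() {       # client_accepts ROOT CERT ORG UNIT [CN]
  chain_ok "$1" "$2" || return 1
  [ "$(field_of "$2" O)"  = "$3" ] || return 1
  [ "$(field_of "$2" OU)" = "$4" ] || return 1
  [ -z "${5:-}" ] || [ "$(field_of "$2" CN)" = "$5" ]
}

decide() {               # decide ROOT CERT ORG UNIT [CN]  -> accept | reject
  if client_accepts "$@"; then echo accept; else echo reject; fi
}

# Constructed test data: our root, an unrelated root, two of our IQ servers,
# an impostor with our name under the other root, and a partner under our root.
make_root    corp_root  "/O=Example Corp/OU=PKI/CN=Example Corp Root"
make_root    other_root "/O=Other Inc/OU=PKI/CN=Other Inc Root"
issue_server iq1     corp_root  "/O=Example Corp/OU=IQ Servers/CN=iq1.example.com"
issue_server iq2     corp_root  "/O=Example Corp/OU=IQ Servers/CN=iq2.example.com"
issue_server rogue   other_root "/O=Example Corp/OU=IQ Servers/CN=iq1.example.com"
issue_server partner corp_root  "/O=Partner Ltd/OU=Billing/CN=db.partner.example"

for c in iq1 iq2 rogue partner; do
  printf '%-8s any IQ server: %s   only iq1: %s\n' "$c" \
    "$(decide corp_root "$c" "Example Corp" "IQ Servers")" \
    "$(decide corp_root "$c" "Example Corp" "IQ Servers" iq1.example.com)"
done
```

Run it as a shell script; it needs only a POSIX shell and the openssl tool. The iq2 line shows the trade-off in how much of the subject you pin: checking O and OU alone lets a client accept any server the organization sets up in that unit, while adding the CN ties the client to one server and must be updated when that server is replaced.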
In all cases, you must ensure that the Sybase IQ command line and log file are secure, because the options used to start transport-layer security on the server, including the password that protects the server's certificate, are supplied on the command line and can be recorded in the log file. This is best done using a firewall and by otherwise limiting access to the computer running the Sybase IQ server, including local access by other users of that computer.
Sybase IQ transport-layer security is a flexible mechanism that lets you achieve the level of security your setup requires. The basic system keeps the traffic between client and server private, while certificates assure IQ clients that they are talking to a trusted Sybase IQ server rather than to an impostor. Which root certificates a client trusts, and which certificate fields it checks, determine how strong that assurance is.