Using transport-layer security for web services

Setting up transport-layer security for web services

1. Create digital certificates.

   Create both public and server certificates. Public certificates (which can be Certificate Authority certificates) are distributed to browsers or web clients. Server certificates are stored securely with your Adaptive Server Anywhere web server. See “Creating the certificates”.

2. Start the web server with transport-layer security.

   Use the -xs database server option to specify HTTPS, the server certificate, and the password to protect the private key. For syntax, see “Starting the database server”in the Sybase IQ Utility Guide.

• Start the web server with transport-layer security

  Following is a partial start_asiq command line.

  -xs protocol(Certificate=server-certificate;Certificate_Password=password;...) ...
  

  • protocol can be https, or https_fips for FIPS-approved RSA encryption. https_fips uses a separate approved library, but is compatible with https.

    Note The Mozilla Firefox browser can connect when https_fips is used. However, the cipher suite used by https_fips is not supported by the Internet Explorer, Opera, or Safari browsers—if you are using https_fips, these browsers cannot connect.

  • server-certificate The path and file name of the server certificate.

    For HTTPS, you must use an RSA certificate.

  • password The password for the server certificate's private key. You specify this password when you create the server certificate.

• Configure web clients Configure browsers or other web clients to trust public certificates. The trusted certificate can be self-signed, an enterprise root, or a Certificate Authority certificate.

  For general information about creating digital certificates, including information about using Certificate Authorities, see “Digital certificates”.

Example

1. Obtain an RSA server certificate file. For example, obtain a file called server_cert.crt with password pwd.

2. Obtain a public RSA certificate file. For example, obtain a file called client_cert.crt.

3. On the start_asiq command line, include the following:

   -x https(certificate=server_cert.crt;certificate_password=pwd)
   

   Instead of exposing the password in the command line, you can use the dbfhide utility. For more information, see “File Hiding utility (dbfhide)” in the Sybase IQ Utility Guide.

4. In the synchronization user or the synchronization subscription, use the following type and address:

   ... TYPE https ADDRESS "trusted_certificates=client_cert.crt"
   

---

Copyright © 2006. Sybase Inc. All rights reserved.

View this document as PDF