Using a self-signed certificate

You can use the self-signed certificate for server authentication by following these steps:

  1. Supply a copy of the public certificate to all clients. When the client first contacts the Sybase IQ server, the server will send the client a copy of the public certificate, self.crt. The client can detect fake certificates by comparing the one sent by the server with the copy the client already has.

  2. Tell each client that it is to trust only servers that can decrypt messages encoded using the public key contained within the copy of the supplied public certificate. For Sybase IQ clients, you do so using the trusted_certificates security parameter. For example, you can tell a Sybase IQ client to trust only the self.crt certificate by including a parameter in the address clause of the synchronization subscription.

    To tell a client to trust only the desired certificate, name the trusted certificate using the -r option at the command line when running the generator.

  3. When you start the Sybase IQ server, specify the name of the server certificate file, serv1.crt, and the corresponding password. Open a command prompt and run the following command line:

start_asiq -c "dsn=Adaptive Server IQ Demo;uid=DBA;pwd=SQL" -x tcpip ( security=rsa_tls ( certificate=serv1.crt; certificate_password=password ) )

You can hide the contents of the command line using the File Hiding utility, dbfhide. For more information, see the Adaptive Server Anywhere Database Administration Guide.

Note that the clients do not need and should not have either the private key or the password that unlocks it. Clients need only the public certificate.

In contrast, the Sybase IQ server requires access to the private key, as well as to the public parts of the certificate. Thus, the server requires access to the server certificate file, which contains both public and private information.
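
The split described above, between the public copy given to clients and the server certificate file that also holds the private key, can be checked before a file is distributed. The following is an added example, not Sybase IQ code or part of the original documentation; it assumes the certificate files are PEM-encoded, and the function names and sample data are hypothetical and constructed.

```python
import base64, hashlib, hmac, re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, decoded_bytes) for every PEM block in the text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        # Skip RFC 1421 header lines (Proc-Type, DEK-Info) found in older encrypted keys.
        b64 = "".join(line.strip() for line in body.splitlines() if ":" not in line)
        blocks.append((label, base64.b64decode(b64)))
    return blocks

def client_copy_problems(text):
    """A file distributed to clients must hold a certificate and no key material."""
    labels = [label for label, _ in pem_blocks(text)]
    problems = ["contains " + label for label in labels if "PRIVATE KEY" in label]
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    return problems

def fingerprint(text):
    """SHA-256 over the decoded bytes of the first certificate in the file."""
    for label, der in pem_blocks(text):
        if label == "CERTIFICATE":
            return hashlib.sha256(der).hexdigest()
    raise ValueError("no certificate found")

def matches_trusted(presented_pem, trusted_pem):
    """Compare the certificate a server presents with the copy the client holds."""
    return hmac.compare_digest(fingerprint(presented_pem), fingerprint(trusted_pem))

def _pem(label, raw):
    body = base64.b64encode(raw).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed stand-ins (not real certificates or keys), named after the page's files.
SELF_CRT = _pem("CERTIFICATE", b"constructed public certificate")
SERV1_CRT = SELF_CRT + _pem("ENCRYPTED PRIVATE KEY", b"constructed private key")
FAKE_CRT = _pem("CERTIFICATE", b"constructed impostor certificate")

if __name__ == "__main__":
    print("self.crt for clients :", client_copy_problems(SELF_CRT) or "ok")
    print("serv1.crt for clients:", client_copy_problems(SERV1_CRT))
    print("genuine server match :", matches_trusted(SERV1_CRT, SELF_CRT))
    print("fake server match    :", matches_trusted(FAKE_CRT, SELF_CRT))
```
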

The Sybase IQ server must have access to the private key and the password that protects it. For this reason, you must ensure that the Sybase IQ command line and log file are secure. This is best done using a firewall and by otherwise limiting access to the computer running the Sybase IQ server.

Note: The certificate file name and password are not displayed in the log file.