ASA Database Administration Guide
Encrypt all native Adaptive Server Anywhere packets (DBLib, ODBC, and OLEDB) transmitted to and from all clients. TDS packets are not encrypted.
{ dbsrv9 | dbeng9 } -ec encryption-options ...
encryption-options: { NONE
| SIMPLE
| ECC_TLS (CERTIFICATE=filename; CERTIFICATE_PASSWORD=password )
| RSA_TLS (CERTIFICATE=filename; CERTIFICATE_PASSWORD=password )
| ALL } , ...
The -ec option instructs the database server to accept only connections from ODBC, OLE DB, or embedded SQL interfaces that are encrypted using one of the specified types. Connections over the TDS protocol, which include Java applications using jConnect, are always accepted, regardless of encryption.
By default, communication packets are not encrypted, which poses a potential security risk. If you are concerned about the security of network packets, use the -ec option. Encryption affects performance only marginally. The -ec option controls the server's encryption settings and requires one or more of the following parameters in a comma-separated list:
none accepts only connections that are not encrypted.
simple accepts connections that are encrypted with simple encryption. This type of encryption is supported on all platforms, as well as on previous versions of Adaptive Server Anywhere. Simple encryption is not as strong as Certicom encryption.
ECC_TLS Formerly called Certicom encryption, this parameter accepts connections that are encrypted using the elliptic curve-based Certicom encryption technology. To use this type of encryption, both the server and the client must be operating on Solaris, Linux, NetWare, or any supported Windows platform except Windows CE, and the connection must be over the TCP/IP port. UNIX platforms, except for Solaris and Linux, do not recognize the client or server ECC_TLS parameter. Specifying CERTICOM is accepted to mean ECC_TLS. This parameter accepts the following arguments:
certificate the file name of the certificate. The default value is sample.crt.
certificate_password the password for the certificate named above. The password for sample.crt is tJ1#m6+W.
RSA_TLS this parameter accepts connections that are encrypted using RSA-based encryption technology. To use this type of encryption, both the server and the client must be operating on Solaris, Linux, NetWare, or any supported Windows platform except Windows CE, and the connection must be over the TCP/IP port. UNIX platforms, except for Solaris and Linux, do not recognize the client or server RSA_TLS parameter. This parameter accepts the following arguments:
certificate the file name of the certificate. The default value is rsaserver.crt.
certificate_password the password for the certificate named above. The password for rsaserver.crt is test.
Caution: The sample certificate should be used for testing purposes only. The sample certificate provides no security in deployed situations because it and the corresponding password are widely distributed with Sybase software. To protect your system, you must create your own certificate.
You can use the gencert utility provided with SQL Anywhere Studio to generate new certificates in Adaptive Server Anywhere.
For information about the gencert utility and creating certificates, see Self-signed certificates.
all accepts connections that are not encrypted (none), or encrypted with simple encryption (simple). This is the default.
The dbtls9.dll and dbrsa9.dll files contain the Certicom code used for encryption and decryption. When you connect to the server, if the appropriate file cannot be found, or if an error occurs, a message appears on the server console in debug mode. The server does not start if the types of encryption specified cannot be initiated.
The client's and the server's encryption settings must match or the connection will fail. The server automatically encrypts client transmissions that request encryption if the none parameter is not used with the -ec option.
dbsrv9 -ec simple,certicom(certificate=sample.crt; certificate_password=tJ1#m6+W) -x tcpip asademo.db
dbsrv9 -ec ecc_tls(certificate=sample.crt; certificate_password=tJ1#m6+W) -x tcpip asademo.db
dbsrv9 -ec rsa_tls(certificate=rsaserver.crt; certificate_password=test) -x tcpip asademo.db
Encryption connection parameter [ENC]
Encrypting client/server communications
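A check for the weak -ec settings described on this page (unencrypted or simple encryption accepted, sample certificates in use), as an added example that is not part of the original documentation. It assumes server command lines are available as strings and that certificate passwords contain no closing parenthesis; the function names are hypothetical.

```python
import re

# Sample certificates the page says ship with the product (file names from the page).
SAMPLE_CERTS = {"sample.crt", "rsaserver.crt"}
DEFAULT_CERT = {"ecc_tls": "sample.crt", "rsa_tls": "rsaserver.crt"}
# -ec value: non-space characters plus whole (...) groups, which may contain spaces.
EC_RE = re.compile(r"(?:^|\s)-ec\s+((?:[^\s(]|\([^)]*\))+)")
# One encryption type with an optional (key=value; key=value) argument list.
TYPE_RE = re.compile(r"\s*([A-Za-z_]+)\s*(?:\(([^)]*)\))?\s*(?:,|$)")

def parse_ec(value):
    """Split an -ec value into a list of (type, {argument: value})."""
    out, pos = [], 0
    while pos < len(value):
        m = TYPE_RE.match(value, pos)
        if not m:
            raise ValueError(f"cannot parse -ec value at offset {pos}")
        name = m.group(1).lower()
        name = "ecc_tls" if name == "certicom" else name  # accepted synonym
        args = {}
        for part in (m.group(2) or "").split(";"):
            if "=" in part:
                key, val = part.split("=", 1)
                args[key.strip().lower()] = val.strip()
        out.append((name, args))
        pos = m.end()
    return out

def audit_command_line(cmdline):
    """Return findings for one dbsrv9/dbeng9 command line."""
    m = EC_RE.search(cmdline)
    # Without -ec the server uses the default, which the page gives as ALL.
    value, findings = (m.group(1) if m else "all"), []
    for name, args in parse_ec(value):
        if name in ("none", "all"):
            findings.append(f"{name}: accepts unencrypted connections")
        if name in ("simple", "all"):
            findings.append(f"{name}: accepts simple encryption")
        if name in DEFAULT_CERT:
            cert = args.get("certificate", DEFAULT_CERT[name])
            base = re.split(r"[\\/]", cert)[-1].lower()
            if base in SAMPLE_CERTS:
                findings.append(f"{name}: sample certificate {base}")
    return findings

if __name__ == "__main__":
    # Constructed input: a server started without -ec.
    for finding in audit_command_line("dbsrv9 -x tcpip asademo.db"):
        print(finding)
```

The certificate check matches on file name only, so a sample certificate copied under another name is not detected.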