MobiLink Synchronization User's Guide
Transport-Layer Security
Invoking transport-layer security
Self-signed certificates
You can use the self-signed certificate for server authentication by following these steps:
Supply a copy of the public certificate to all clients. When the client first contacts the MobiLink synchronization server, the server will send them a copy of the public certificate, self.crt. The client can detect fake certificates by comparing the one sent by the server with the copy the client already has.
Tell each client that it is to trust only servers that can decrypt messages encoded using the public key contained within the copy of the supplied public certificate. For Adaptive Server Anywhere clients, you do so using the trusted_certificates security parameter. For example, you can tell an Adaptive Server Anywhere client to trust only the self.crt certificate by including the following parameter in the address clause of the synchronization subscription:
CREATE SYNCHRONIZATION SUBSCRIPTION FOR 'user001' TO test -pub ADDRESS 'host=myhost;security=ecc_tls ( trusted_certificates=self.crt )'
To tell an UltraLite client to trust only the desired certificate, name the trusted certificate using the -r option when running the UltraLite generator, as follows. Open a command prompt and run the following command line:
ulgen -c "dsn=UltraLite 9.0 Sample;uid=DBA;pwd=SQL" -r self.crt -j custapi
When you start the MobiLink synchronization server, specify the name of the server certificate file, serv1.crt, and the corresponding password. Open a command prompt and run the following command line:
dbmlsrv9 -c "dsn=UltraLite 9.0 Sample;uid=DBA;pwd=SQL" -x tcpip ( security=ecc_tls ( certificate=serv1.crt; certificate_password=password ) )
You can hide the contents of the command line using the File Hiding utility, dbfhide. For more information, see The File Hiding utility.
Note that the clients do not need and should not have either the private key or the password that unlocks it. Clients need only the public certificate.
In contrast, the MobiLink synchronization server requires access to the private key, as well as to the public parts of the certificate. Thus, the server requires access to the server certificate file, which contains both public and private information.
The MobiLink synchronization server must have access to the private key and the password that protects it. For this reason, you must ensure that the MobiLink command line and log file are secure. This is best done using a firewall and by otherwise limiting access to the computer running the MobiLink synchronization server.
The certificate file name and password are not displayed in the log file.