
MobiLink Synchronization User's Guide
  Transport-Layer Security
    Enterprise root certificates

Using the signed certificates


You can use the signed certificates for server authentication by following these steps:

  1. Supply a copy of the public root certificate to all clients. When the client first contacts the MobiLink synchronization server, the server sends the client a copy of its own public certificate. This certificate bears the signature of the root certificate. The client can detect fake certificates by verifying that the root signature matches the public key in its copy of the root certificate.

  2. Tell each client that it is to trust only servers whose certificates bear the signature of the root certificate. For Adaptive Server Anywhere clients, use the trusted_certificates security parameter. For example, you can tell an Adaptive Server Anywhere client to trust only the ent_cert.crt certificate by including this parameter in the address clause of the synchronization subscription, as in the following example.

    CREATE SYNCHRONIZATION SUBSCRIPTION
    FOR 'user001' TO test
    ADDRESS 'host=myhost;security=ecc_tls (
      trusted_certificates=ent_cert.crt)'

    To tell an UltraLite client to trust only the desired certificate, name the trusted certificate using the -r option when running the UltraLite generator, as follows. Open a command prompt and run the following command line:

    ulgen -c "dsn=UltraLite 9.0 Sample;uid=DBA;pwd=SQL"
    -r ent_cert.crt -j custapi

  3. When you start each MobiLink synchronization server, specify the name of that server's certificate file and the corresponding password. Enter each command on one line.

    dbmlsrv9 -c "dsn=UltraLite 9.0 Sample;uid=DBA;pwd=SQL"
    -x tcpip ( port=3333;
      security=ecc_tls ( certificate=serv1.crt;
      certificate_password=password3 ) )

    dbmlsrv9 -c "dsn=UltraLite 9.0 Sample;uid=DBA;pwd=SQL"
    -x tcpip ( port=4444;
      security=ecc_tls ( certificate=serv2.crt;
      certificate_password=password4 ) )
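
The check described in step 1, as an added example that is not part of the original guide: OpenSSL stands in for the MobiLink certificate tools, and every file and subject name (ent_root, rogue_root, serv1, fake) is constructed for the demonstration. A client holding only the enterprise root accepts a server certificate signed by that root and rejects one signed by a different root.

```shell
#!/bin/sh
# Added illustration: OpenSSL stands in for the product's certificate tools.
# File and subject names (ent_root, rogue_root, serv1, fake) are constructed.

# make_root NAME: create a self-signed ECC root, NAME.key and NAME.crt.
make_root() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1.key" 2>/dev/null &&
  openssl req -new -x509 -key "$1.key" -subj "/CN=$1" -days 30 \
    -out "$1.crt" 2>/dev/null
}

# make_server NAME ROOT: create NAME.crt, signed with ROOT's private key.
make_server() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1.key" 2>/dev/null &&
  openssl req -new -key "$1.key" -subj "/CN=$1" -out "$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
    -CAcreateserial -days 30 -out "$1.crt" 2>/dev/null
}

# trusts ROOT_CERT SERVER_CERT: succeed if openssl can build a valid chain
# from SERVER_CERT to the client's copy of ROOT_CERT.
trusts() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verdict ROOT_CERT SERVER_CERT: print the client's decision.
verdict() {
  if trusts "$1" "$2"; then echo "$2: accepted"; else echo "$2: rejected"; fi
}

# demo: run the whole scenario in a scratch directory (subshell, so the
# caller's working directory is untouched).
demo() (
  cd "$(mktemp -d)" || exit 1
  make_root ent_root && make_root rogue_root || exit 1
  make_server serv1 ent_root && make_server fake rogue_root || exit 1
  verdict ent_root.crt serv1.crt   # signed by the enterprise root
  verdict ent_root.crt fake.crt    # signed by a different root
)

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run the script with the argument `demo` to print both verdicts.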
