Using Secure Sockets Layer (SSL) Protocol

Question & Answer

Question

What options and considerations are involved with the use of Secure Sockets Layer protocol (SSL)?

Cause

There are several options for selecting a communication protocol that can provide privacy and protection for an Informix database. It helps to know why the SSL option may be preferable to the other methods.

Answer

The Secure Sockets Layer (SSL) protocol uses encryption to provide privacy and integrity for data communication through a reliable end-to-end secure connection between two points over a network.

You can use SSL for encrypted communication for both DRDA® and SQLI clients. SSL is a more widely used alternative to the IBM Informix CSMs, since it can be used with:

  • IBM Data Server Driver for JDBC and SQLJ connections.
  • IBM Informix ESQL/C or ODBC Driver connections.
  • DB-Access connections.
  • Enterprise Replication connections and High-availability data replication (HDR) connections between an HDR primary server and one or more secondary servers of any type (HDR secondary, SD secondary, or RS secondary).
  • Distributed transaction connections that span multiple database servers.
  • The dbexport, dbimport, dbschema, and dbload utility connections.
  • Connection Manager connections between servers in a cluster.

SSL permits extra encryption layers, if desired:
  • A CSM can be added, but note that configuring ENCCSM or SPWDCSM with SSL involves additional effort without extra benefit.
  • Pluggable Authentication Module (PAM) and the Generic Security Services Communications Support Module (GSSCSM), which uses the Kerberos 5 security protocol for single sign-on (SSO), can be used with SSL connections.

SSL uses digital certificates, which are electronic ID cards issued by a trusted party, to exchange keys for encryption and server authentication. The trusted entity that issues a digital certificate is known as a Certificate Authority (CA).
  • The CA issues a digital certificate for a limited time period. When the expiration date passes, another digital certificate must be acquired.
  • With SSL, the data that moves between a client and server is encrypted by a symmetric (private) key algorithm. An asymmetric (public) key algorithm is used to exchange the keys of the symmetric algorithm.

When a client attempts to connect to a secure server, an SSL handshake occurs. The handshake involves the following events:
    1. The server sends its digital certificate to the client.
    2. The client verifies the validity of the server digital certificate. For this to occur, the client must possess the digital certificate of the CA that issued the server digital certificate.
    3. If the handshake succeeds, these events occur:
      1. The client generates a random symmetric key and sends it to the server in encrypted form, using the asymmetric key in the server digital certificate.
      2. The server retrieves the symmetric key by decrypting it.
      3. Because the server and the client now both know and can use the symmetric key, they encrypt data with it for the duration of the session.

Keystores
A keystore is a protected database that stores SSL keys and digital certificates. Both the client and the server must have a keystore to hold the digital certificates used in SSL communication.

Server Side keystore and its configuration
The server keystore stores the server's own digital certificate and the root CA certificate of every other server that Informix connects to. The server keystore must be located in the $INFORMIXDIR/ssl directory. The name of the keystore file must be server_name.kdb, where server_name is the value specified in the DBSERVERNAME configuration parameter.
  • Each Informix instance has its own keystore. The keystore is accessible only to the Informix server, which retrieves the digital certificate from it. The informix password protects the private key for the server.
  • Each certificate in the keystore has a unique label. When you set up Informix to use SSL, the label of the digital certificate is specified in the SSL_KEYSTORE_LABEL configuration parameter in the onconfig file. If no label is specified in the SSL_KEYSTORE_LABEL configuration parameter, Informix uses the default certificate in the keystore for SSL communication.
  • Only one certificate in a keystore is the default certificate.

Client Side keystore and its configuration
The keystore on an Informix client stores the root CA certificates of all servers to which the client is connecting. A password for the keystore is optional on the client. For Informix SQLI clients (ESQL/C, ODBC, DB-Access, and the dbexport, dbimport, dbschema, and dbload utilities), the location of the keystore and its stash file is not fixed. Instead, the conssl.cfg file in the $INFORMIXDIR/etc directory specifies the keystore and the stash file for Informix clients.
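The handshake steps and the keystore rules above (the client must hold the root CA certificate of the server certificate's issuer, and an expired certificate must be replaced) can be exercised end to end with a small program. The following Go program is an added example and is not code from the original page or from IBM Informix: it constructs a root CA and a server certificate in memory, then runs a TLS handshake over loopback three times, with the client's trust pool playing the role of the root CA certificates in a client keystore. All certificate names, keys and the loopback server are constructed for this example; the only thing it assumes is a Go toolchain with the standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issueCert builds a certificate for cn, signed by parent (self-signed when parent is nil),
// and panics on failure. All key and certificate material is constructed in memory for
// this example only; nothing is read from or written to a real keystore.
func issueCert(cn string, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // the loopback address the client dials
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signKey := tmpl, key // self-signed root CA
	if parent != nil {
		signer, signKey = parent, parentKey // server certificate issued by the CA
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// handshake runs one TLS handshake over loopback. The server presents serverCert; the client
// verifies it against trust, which plays the role of the root CA certificates in the client
// keystore. A nil result means the client accepted the server certificate.
func handshake(serverCert *x509.Certificate, serverKey *ecdsa.PrivateKey, trust *x509.CertPool) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	serverCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{serverCert.Raw}, PrivateKey: serverKey}}}
	go func() { // server side: accept one connection and drive its handshake
		if conn, err := ln.Accept(); err == nil {
			tconn := tls.Server(conn, serverCfg)
			_ = tconn.Handshake() // the client's verdict is what this example checks
			tconn.Close()
		}
	}()
	// Client side: tls.Dial verifies the certificate chain and validity period against RootCAs.
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: trust})
	if err != nil {
		return err
	}
	conn.Close() // close_notify errors after a successful handshake are irrelevant here
	return nil
}

// Verdict records whether the client accepted the connection in each scenario.
type Verdict struct {
	TrustedCA   bool // CA certificate in the client trust store, server certificate still valid
	MissingCA   bool // client trust store lacks the issuing CA certificate
	ExpiredCert bool // CA present, but the server certificate is past its expiration date
}

// RunScenarios exercises the three cases; the expected outcome is accept, reject, reject.
func RunScenarios() Verdict {
	valid := time.Now().Add(24 * time.Hour)
	ca, caKey := issueCert("Example Root CA (constructed)", true, valid, nil, nil)
	srv, srvKey := issueCert("informix-server (constructed)", false, valid, ca, caKey)
	expired, expKey := issueCert("informix-server (constructed)", false, time.Now().Add(-time.Minute), ca, caKey)
	trust := x509.NewCertPool()
	trust.AddCert(ca)
	return Verdict{
		TrustedCA:   handshake(srv, srvKey, trust) == nil,
		MissingCA:   handshake(srv, srvKey, x509.NewCertPool()) == nil,
		ExpiredCert: handshake(expired, expKey, trust) == nil,
	}
}

func main() {
	v := RunScenarios()
	fmt.Printf("trusted CA accepted: %v, missing CA accepted: %v, expired cert accepted: %v\n", v.TrustedCA, v.MissingCA, v.ExpiredCert)
}
```

The second and third scenarios are the failures a practitioner meets in practice: a client keystore that never received the issuing CA's root certificate (the handshake fails at step 2 because the client cannot validate the server certificate), and a server certificate that has passed its expiration date (the handshake fails until a new certificate is acquired, as the CA section states). Both are decided on the client side, so the server log alone will only show an aborted handshake.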


Document Information

Modified date: 03 June 2021

UID: swg21680710