Using data packet encryption for SQL OpenNet
The SQL OpenNet data packet encryption feature enables you to encrypt the transfer of sensitive data across a network. SQL OpenNet interfaces with a third-party library, OpenSSL, to provide SSL support for secure data transport between client and server.
To use data packet encryption (SSL encryption) for SQL OpenNet, the server and all clients must be version 10.3.3 or higher.
Using SSL encryption can affect performance because data must be encrypted and decrypted on both sides of the SQL OpenNet connection. The cipher negotiation between client and server, even though it happens only when a connection is established, also takes time.
To use SSL encryption, start vtxnetd or vtxnet2 with the -e option. With this option, you specify the SSL certificate file and key file that the SQL OpenNet service will use, and you can optionally specify which TLS levels the service will allow for SQL OpenNet encryption. TLS 1.1. and 1.2 are supported, and by default both are allowed for the service. However, security best practices require 1.2. Keep in mind that because protocol support varies by operating system, older systems may not support newer protocols. And as new threats and vulnerabilities are found, Synergex may need to update the default for accepted protocols to maintain a high level of security.
Follow these steps to set up SQL OpenNet to use SSL encryption.
|1.||Install OpenSSL on your server machine. For details on which version of OpenSSL is required for your operating system and where to get it, see OpenSSL requirements.|
|2.||Ensure that the OpenSSL shared libraries are in the correct location on the server and have been added to the correct path. The library path must be set before starting vtxnetd or vtxnet2.|
- On Windows, the libraries must be located on the SQL OpenNet machine in the dbl\bin and \connect directories that correspond to the bitness of your machine.
- On UNIX and OpenVMS, the OpenSSL libraries are installed in a standard location determined by the operating system. You don’t need to move them or set the path.
|3.||Create a certificate file and a key file. You may name these anything you like and put them anywhere on the server. Note that the key file cannot include a pass phrase. For more information, see Creating a local certificate authority and Requesting a certificate from a certificate authority.|
|4.||Install and configure OpenSSL on the client machines.|
- On Windows clients, copy the OpenSSL libraries to both the dbl\bin directory and the connect directory.
- On UNIX clients, the library path is used to find the OpenSSL libraries. If you used the setsde script to set up your Synergy environment, the path will be correctly set. You can run the dltest utility to find your shared library path and determine if Synergy can find the necessary DLLs.
You can configure default client SSL settings for all SQL OpenNet connections by using settings in net.ini (see Setting SQL OpenNet client options in net.ini). And you can configure client SSL settings for specific DSNs and SQL Connection connections (see Setting up access with DSNs and %SSC_CMD).
|5.||Start vtxnetd or vtxnet2 with the -e option. Specify the certificate and the key file, and optionally specify the protocol (TLS levels). See vtxnetd and vtxnet2 programs for details.|
To determine whether the SQL OpenNet service is set to use data packet encryption (SSL), start vtxnetd or vtxnet2 with the log option, and then use vtxping to test the connection. If SSL encryption is in use, the log file will include something like the following:
Thu Mar 17 10:38:02 2016 - Version 220.127.116.11. Thu Mar 17 10:38:02 2016 - Starting vtxnetd (pid: 6128). Thu Mar 17 10:38:02 2016 - Server port 1987 Thu Mar 17 10:38:02 2016 - SSL enabled Thu Mar 17 10:38:02 2016 - SSL compile/library: OpenSSL 1.0.2d 9 Jul 2015/OpenSSL 1.0.2d 9 Jul 2015 Thu Mar 17 10:38:02 2016 - Creating 'listen' queue (max: 10) Thu Mar 17 10:38:02 2016 - Setup done. Going into 'accept' loop Thu Mar 17 10:38:07 2016 - Starting a TCMHOST thread (parms: 128 VTX11_12)
If the log file includes an “SSL compile/library:…No such file or directory” error, the path to the certificate or key file is incorrect.
If the log file includes an “SSL compile/library:…problems getting password” error, the key file includes a pass phrase, which is not supported. See Creating a local certificate authority.
An “INVVER: NET version mismatch…” error may mean that a client from a prior version of Connectivity Series is attempting to connect to the SQL OpenNet service while SSL encryption is enabled. To use SSL encryption, the server and all clients must be version 10.3.3 or higher.