Click here to view and discuss this page in DocCommentXchange. In the future, you will be sent there automatically.

SQL Anywhere 10.0.1 » SQL Anywhere Server - Database Administration » The Database Server » The SQL Anywhere database server » Database server options

-dt server option Next Page

-ec server option


Uses transport-layer security or simple encryption to encrypt all native SQL Anywhere packets (DBLib, ODBC, and OLE DB) transmitted to and from all clients. TDS packets aren't encrypted.

Syntax

{ dbsrv10 | dbeng10 } -ec encryption-options ...

encryption-options :

{ NONE |
SIMPLE |
TLS ( TLS_TYPE=cipher;
[ FIPS={ Y | N }; ]
CERTIFICATE=server-identity-filename;
CERTIFICATE_PASSWORD=password ) }, ...

Remarks

You can use this option to secure communication packets between client applications and the database server using transport-layer security. See Transport-Layer Security.

Separately licensed component required

ECC encryption and FIPS-certified encryption require a separate license. All strong encryption technologies are subject to export regulations.

See Separately licensed components.

The -ec option instructs the database server to accept only connections that are encrypted using one of the specified types. Connections over the TDS protocol, which include Java applications using jConnect, are always accepted regardless of the usage of the -ec option, and are never encrypted. Setting the TDS protocol option to NO disallows these unencrypted TDS connections. See TDS protocol option.

By default, communication packets aren't encrypted, which poses a potential security risk. If you are concerned about the security of network packets, use the -ec option. Encryption affects performance only marginally. The -ec option controls the server's encryption settings and requires at least one of the following parameters in a comma-separated list:

If the database server accepts simple encryption, but does not accept unencrypted connections, then any non-TDS connection attempts using no encryption automatically use simple encryption.

Starting the database server with -ec SIMPLE tells the database server to only accept connections using simple encryption. TLS connections (ECC, RSA, and RSA FIPS) fail, and connections requesting no encryption use simple encryption.

Starting the server with -ec SIMPLE,TLS(TLS_TYPE=ECC) tells the database server to only accept connections with ECC encryption or simple encryption. Both RSA and RSA FIPS connections fail, and connections requesting no encryption use simple encryption.

The dbecc10.dll and dbrsa10.dll files contain the ECC and RSA code used for encryption and decryption. The file dbfips10.dll contains the code for the FIPS-approved RSA algorithm. When you connect to the database server, if the appropriate file cannot be found, or if an error occurs, a message appears on the Server Messages window. The server doesn't start if the specified types of encryption cannot be initiated.

The client's and the server's encryption settings must match or the connection will fail except in the following cases:

See also
Example

The following example specifies that connections with no encryption and simple encryption are allowed.

dbsrv10 -ec NONE,SIMPLE -x tcpip c:\mydemo.db

The following example specifies starts a database server that uses the elliptic-curve server certificate sample.crt.

dbsrv10 -ec TLS(TLS_TYPE=ECC;CERTIFICATE=sample.crt;CERTIFICATE_PASSWORD=tJ1#m6+W) -x tcpip c:\mydemo.db

The following example starts a database server that uses the RSA server certificate rsaserver.crt.

dbsrv10 -ec TLS(TLS_TYPE=RSA;CERTIFICATE=rsaserver.crt;CERTIFICATE_PASSWORD=test) -x tcpip c:\mydemo.db

The following example starts a database server that uses the FIPS-approved RSA server certificate rsaserver.crt.

dbsrv10 -ec TLS(TLS_TYPE=RSA;FIPS=Y;CERTIFICATE=rsaserver.crt;CERTIFICATE_PASSWORD=test) -x tcpip c:\mydemo.db