This topic has been updated for build 1823.
The following enhancements have been made to SQL Anywhere 16.0 since its original release.
xp_getenv system procedure improvement—database upgrade or rebuild required
The xp_getenv system procedure has been changed so that it runs with invoker privileges regardless of the invoker/definer setting. The procedure returns a LONG NVARCHAR value. Previously, it returned a LONG BINARY value.
sa_cpu_topology system procedure improvement—database upgrade or rebuild required
The sa_cpu_topology system procedure has been modified to include information about user-selected physical processors specified using the -gta database server option or the ProcessorAffinity server property. This feature allows the database server to make use of newly added processors during runtime (also known as hot-add and hot-remove).
The restrictions and limitations for the -gt, -gta, and -gtc database server options are preserved.
sp_list_directory system procedure enhancements
In addition to returning the path, file type, and file name of all files and directories in a specified location, the sp_list_directory system procedure now also returns the date the file was created, last modified, and last accessed, as well as the owner and any access permissions required for the file or directory.
Multiple OData Producer support
This feature has been updated for build 1823.
The OData Server now supports multiple customizable OData Producers that allow you to establish multiple database connections. Use the new embedded HTTP server option, Producers, in your OData Server configuration to create OData Producers.
Optimistic Concurrency Control (ETags)
This feature has been updated for build 1823.
OData Producers now support Optimistic Concurrency Control as defined by version 2.0 of the OData Specification. The concurrencytoken clause of the ENTITY OSDL statement is used to generate ETags that identify the state of an entity instance at the time the instance is requested.
See ENTITY statement.
OData enhancement: Search strings are restricted to 254 bytes
When using OData filters—such as startswith, substringof, and indexofwith—on long search strings, searches are performed on the first 254 bytes only.
OData enhancement: Support for proxy table insertions
All key properties must be explicitly specified when creating entities in entity sets that are proxy tables in a SQL Anywhere database.
OData enhancement: substringof return value
This feature has been updated for build 1823.
The substringof(s1, s2) filter returns whether the s1 string is a substring of s2.
Support for callbacks in the SQL Anywhere C API
Support for callbacks has been added to version 3 of the SQL Anywhere C API. The following function is now available when _SACAPI_VERSION is defined as 3.
sacapi_bool sqlany_register_callback( a_sqlany_connection * sqlany_conn, a_sqlany_callback_type index, SQLANY_CALLBACK_PARM callback );
This function can be used to register callback functions.
See ODBC escape syntax.
ODBC
The ODBC driver support for escape sequences has been enhanced to include the TIMESTAMPADD and TIMESTAMPDIFF functions. Previously, calling the ODBC SQLGetInfo function to retrieve the version of the ODBC driver (SQL_DRIVER_VER) returned a string that did not include the build number of the driver. Now, the format of the string returned is xx.yy.zzzz where xx is the 2-digit major version number, yy is the 2-digit minor version number, and zzzz is the build number (for example, 16.00.1234).
Support for SAP Sybase IQ 16
The MobiLink server now supports consolidated databases running on SAP Sybase IQ 16.0 servers. For information about recommended ODBC drivers, see http://www.sybase.com/detail?id=1011880.
dbmlsync offline transaction log retrieval has changed
The dbmlsync utility can now retrieve offline transaction logs from the SQL Anywhere database server instead of accessing them directly. If offline transaction logs are required but the given offline transaction log directory cannot be opened or it does not contain offline transaction log files, then dbmlsync retrieves the offline transaction logs through the database server. The following restrictions apply:
The user ID that is used by dbmlsync to connect to the synchronization database must have the READ FILE and WRITE FILE privileges and all the offline transaction log files must be in the online transaction log directory.
The SQL Anywhere database server must have Support Package build number 1823 or later to support this feature.
There is a slight performance penalty when using this feature because the database server must do more work to retrieve the pages. If performance is critical, then using the dbmlsync OfflineDirectory extended option may be best for your deployment.
dbmlsync provides the ability to restart downloads when no bytes of data have been received
The dbmlsync utility now allows you to restart a failed download even if no bytes of the download have been received. Previously a download could only be restarted if at least one byte had been received.
See Relay Server Record.
These changes are being released in version 12 and version 16 Support Packages.
Read the following descriptions to determine how you may be impacted by this change.
FIPS encryption now requires the private key of an identity file to be encrypted using AES
OpenSSL FIPS supports AES encryption for the private key of an identity file. New servers using the OpenSSL FIPS encryption module will not start when using an identity file that has its private key encrypted with 3DES. You must re-encrypt the identity file using AES. To do this, run a command similar to the following using an upgraded viewcert utility:
viewcert -p -o new-file-name -op new-password -ip old-password old-file-name
The new and old passwords can be the same.
The sample server certificate (rsaserver.id) and client certificate (rsaclient.id) have been modified so that the private key is encrypted using AES rather than 3DES.
Versions of the server that use the Certicom encryption module will not start when using an identity file that has its private key encrypted using AES. Trusted root certificate files specified using trusted_certificates do not need to be modified.
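A pre-upgrade check for the requirement above, as an added example that is not SAP's code: it reports whether the private key in an identity file is 3DES- or AES-encrypted. It assumes the identity file is PEM text whose key block is either legacy PEM (with a DEK-Info header) or encrypted PKCS#8; the function names are hypothetical and the sample inputs are constructed.

```python
import base64
import re

# DER-encoded cipher OIDs that can appear in an encrypted PKCS#8 header.
OIDS = {
    "06082a864886f70d0307": "3DES",      # des-EDE3-CBC
    "060a2a864886f70d010c0103": "3DES",  # pbeWithSHA1And3-KeyTripleDES-CBC
    "0609608648016503040102": "AES",     # aes128-CBC
    "0609608648016503040116": "AES",     # aes192-CBC
    "060960864801650304012a": "AES",     # aes256-CBC
}
KEY_BLOCK = re.compile(r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----(.*?)-----END \1-----", re.S)

def key_cipher(pem_text):
    """Return '3DES', 'AES', 'UNENCRYPTED' or 'UNKNOWN'; None if no key block."""
    m = KEY_BLOCK.search(pem_text)
    if m is None:
        return None
    label, body = m.groups()
    dek = re.search(r"^DEK-Info:\s*([A-Za-z0-9-]+)", body, re.M)
    if dek:  # legacy PEM encryption names the cipher in a text header
        name = dek.group(1).upper()
        if name.startswith("DES-EDE3"):
            return "3DES"
        return "AES" if name.startswith("AES-") else "UNKNOWN"
    if label != "ENCRYPTED PRIVATE KEY":
        return "UNENCRYPTED"
    # The algorithm identifiers precede the ciphertext, so scan only the header.
    head = base64.b64decode("".join(body.split()))[:160]
    hits = {name for oid, name in OIDS.items() if bytes.fromhex(oid) in head}
    return hits.pop() if len(hits) == 1 else "UNKNOWN"

def fips_ready(pem_text):
    """True only when the private key is AES-encrypted, as FIPS mode requires."""
    return key_cipher(pem_text) == "AES"

# Constructed samples, not real keys: a legacy 3DES block and a PKCS#8 header.
LEGACY_3DES = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
               "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nQ09OU1RSVUNURUQ=\n"
               "-----END RSA PRIVATE KEY-----\n")

def constructed_pkcs8(oid_hex):
    der = bytes.fromhex("3030300c" + oid_hex) + bytes(32)
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{b64}\n-----END ENCRYPTED PRIVATE KEY-----"

if __name__ == "__main__":
    for pem in (LEGACY_3DES, constructed_pkcs8("060960864801650304012a")):
        print(key_cipher(pem), "FIPS-ready:", fips_ready(pem))
```

A file reported as 3DES is a candidate for the viewcert re-encryption command shown above.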
Self-signed certificates must now have the Certificate Signing attribute set
Self-signed certificates must now have the Certificate Signing attribute set when using the identity encryption option (for example, the -x mlsrvXX and -xs dbsrvXX options). To determine if a certificate has the Certificate Signing attribute set, use the viewcert utility and look for Certificate Signing in the Key Usage portion of the output. If your self-signed certificates do not have the Certificate Signing attribute set, then you must regenerate the certificates.
Create Certificate utility (createcert) now uses AES encryption instead of 3DES
The Create Certificate utility (createcert) now uses AES rather than 3DES encryption for encrypting the private key in the server identity file.
A new option, -3des, has been added to the Create Certificate utility. Use this option when you want to create a 3DES-encrypted server identity file that can be used by both new and old servers. Note that new servers running in FIPS mode cannot start using 3DES-encrypted certificates; however, if you are not running in FIPS mode, then you can use 3DES-encrypted certificates.
View Certificate utility (viewcert) now uses AES encryption instead of 3DES
The View Certificate utility (viewcert) now uses AES rather than 3DES encryption when you specify the -p option to PEM-encode the output and when you specify the -ip and -op options to set the password.
A new option, -3des, has been added to the View Certificate utility to allow you to encrypt output and passwords using 3DES instead of AES.
Database server now loads the FIPS driver file, dbfipsXX.dll, at startup
Previously, the 32-bit Windows database server loaded the FIPS driver file, dbfipsXX.dll, only when needed. Now, the 32-bit Windows database server always attempts to load dbfipsXX.dll at startup, and keeps it loaded for the life of the server. If loading dbfips16.dll fails, then an error is returned only when an attempt is made to use FIPS encryption.
Deploying FIPS
If you are deploying FIPS encryption, then there are new shared libraries to deploy; these files are included in your software. The former files, sbgse2.dll and libsbgse2.so, are no longer installed by the software. The new files to deploy are:
Windows 64-bit: libeay32.dll, ssleay32.dll, and msvcr100.dll
Windows 32-bit: libeay32.dll, ssleay32.dll, and msvcr90.dll
Linux: libcrypto.so and libssl.so
On Windows, although 32-bit and 64-bit FIPS-certified OpenSSL libraries for encryption are provided, you must use the 64-bit libraries on a 64-bit system.
MobiLink-related changes and information
Connecting to a MobiLink server using client-side certificates now requires the Digital Signature certificate attribute to be set
TLS/SSL connections to a MobiLink server using client-side certificates now require the client-side certificate to have the Digital Signature attribute set. If the attribute is not set, then the connection will fail.
To determine if a certificate has the Digital Signature attribute set, use the View Certificate utility (viewcert) and look for the Digital Signature attribute in the Key Usage portion of the output. If your client-side certificates do not have the Digital Signature attribute set, then you must regenerate the certificates.
FIPS-based end-to-end encryption now requires the private key to be encrypted using AES
If the private key file provided to a MobiLink server by the e2ee_private_key file option of the -x command-line option is encoded using 3DES and you are running in FIPS mode, then the private key file needs to be regenerated with the private key encrypted using AES.
How to update a MobiLink deployment that uses non-FIPS TLS/SSL (includes HTTPS) and client-side certificates
1. If your client-side identity certificates do not have the Digital Signature attribute set and the client connects directly to the MobiLink server, then you must regenerate and deploy client-side certificates with the Digital Signature attribute set.
2. Update the server-side binaries.
3. Update the client-side binaries.
How to update a MobiLink deployment that uses FIPS, TLS/SSL (includes HTTPS) and client-side certificates
These steps update the client identity certificates twice if the Digital Signature attribute is missing from client-side identity certificates. This procedure can make the update less disruptive because synchronizations can continue without having to coordinate the client-side and server-side updates to occur at the same time.
1. If your current client-side identity certificates do not have the Digital Signature attribute set and the client connects directly to the MobiLink server, then you must regenerate and deploy client-side certificates with the Digital Signature attribute set.
2. Update the server-side binaries (remembering to include the new FIPS driver files) and deploy server identity certificates with AES-encrypted private keys.
3. Update the client-side binaries (remembering to include the new FIPS driver files) and deploy client identity certificates with AES-encrypted private keys.
How to update a MobiLink deployment that uses FIPS and end-to-end encryption
1. Regenerate the private key file referenced by the e2ee_private_key encryption option.
2. Shut down the MobiLink server.
3. Update the MobiLink server binaries, remembering to include the new required FIPS driver files.
4. Change the e2ee_private_key option to point to the new private key file (or replace the old file), updating the e2ee_private_key_password, if required.
5. Restart the MobiLink server.
UltraLite
UltraLite no longer supports deploying FIPS on Windows Mobile.
FIPS-certified encryption on Windows Mobile no longer supported. Previously, FIPS-certified encryption was supported on Windows Mobile devices, but only devices that used ARM processors. This support has ended. FIPS-certified encryption is no longer supported for Windows Mobile.
Upgrading overwrites the JRE directory (%SQLANY16%\binXX\jre170) and its subdirectories. If you are using certificates, then your certificate store (%SQLANY16%\binXX\jre170\lib\security\cacerts) is overwritten, including your certificates. Similarly, fonts you added to the %SQLANY16%\binXX\jre170\lib\fonts\fallback directory to help display characters in the administration tools may be lost. To minimize upgrading steps as a result of the JRE change, create a backup copy of the JRE directory and all of its subdirectories before you upgrade so that you can refer to or restore files (such as cacerts) from the backup, as needed.
The SAP JRE may perform differently than the Oracle JRE. Use the java_vm_options option (SQL Anywhere), and/or the -sl java option (MobiLink) to optimize your Java VM startup settings.
Copyright © 2014, SAP AG or an SAP affiliate company. - SAP Sybase SQL Anywhere 16.0