Click here to view and discuss this page in DocCommentXchange. In the future, you will be sent there automatically.

SQL Anywhere 12.0.1 » SQL Anywhere Server - Database Administration » Security » Transport-layer security » SQL Anywhere client/server communication encryption


Database server with transport-layer security

To start the database server with transport-layer security, supply the server identity file name and the password protecting the server's private key.

For an overview of the steps required to set up transport-layer security, see Setting up transport-layer security.

Use the -ec database server option to specify the identity and identity_password parameters. If you want to allow unencrypted connections over shared memory, you must also specify the -es option.

Following is the syntax of a partial dbsrv12 command line:

-ec tls(
   identity_password=password )
-x tcpip
  • algorithm   The algorithm to use. The algorithm can be rsa or ecc for RSA and ECC encryption, respectively. For FIPS-certified RSA encryption, specify tls_type=rsa;fips=y. RSA FIPS-certified encryption uses a separate certified library, but is compatible with SQL Anywhere 9.0.2 or later clients using RSA.

    For a list of FIPS-certified components, see [external link]

    The algorithm must match the encryption (ECC or RSA) used to create your certificates.

    For information about enforcing FIPS-certified algorithms, see -fips dbeng12/dbsrv12 server option.

  • server-identity-filename   The path and file name of the server identity file. If you are using FIPS-certified RSA encryption, you must generate your certificates using the RSA algorithm.

    An identity file contains the public certificate and its private key. For certificates that are not self signed, the identity file also contains all the signing certificates.

    For more information about creating the server certificate, which can be self-signed, or signed by a Certificate Authority or enterprise root certificate, see Digital certificates.

  • password   The password for the server private key. You specify this password when you create the server certificate.

You can also start the database server with simple encryption. Simple encryption makes it more difficult for someone using a packet sniffer to read the network packets sent between the client and the server, but does not assure data integrity or provide server authentication.

You specify the TCP/IP protocol using the -x database server option.

 See also