|
Sets network protocol options used by the MobiLink server to listen for synchronization requests.
mlsrv17 -c "connection-string" -x protocol[protocol-options] [ -x protocol[protocol-options] ...] ...
protocol : tcpip | tls | http | https
protocol-options : ( option=value; ... )
The -x option must be specified for each protocol being used. For example, to have MobiLink listen for both TCP/IP and HTTP, you would specify something like the following:
mlsrv17 -x tcpip(port=1234) -x http(port=2222)The default is tcpip with port 2439.
The allowed values of protocol are as follows:
Accept connections using TCP/IP.
Accept connections using TCP/IP and Transport Layer Security (TLS).
Accept connections using the standard HTTP web protocol.
Accept connections using a variant of HTTP that handles secure transactions. The HTTPS protocol implements HTTP over TLS using RSA encryption.
You can also specify the following network protocol options, in the form option = value. You must separate multiple options with semicolons.
If you specify the tcpip protocol, you can optionally specify the following protocol options (these options are case sensitive):
| TCP/IP protocol option | Description |
|---|---|
| collect_network_data={ yes | no } | Enables synchronization scripts to read network information from each synchronization. |
| host= hostname | The host name or IP number on which the MobiLink server should listen. The default value is localhost. |
| ignore= hostname | A host name or IP number that gets ignored by the MobiLink server if it makes a connection. This option allows you to ignore requests from load balancers at the lowest possible level, preventing excessive output in the MobiLink server log and MobiLink Profiler output files. You can specify multiple hosts to ignore; for example -x tcpip(ignore=lb1;ignore=123.45.67.89). If you specify multiple instances of -x on a command line, the host is ignored on all instances; for example, if you specify -x tcpip(ignore=1.1.1.1) -x http, then connections for 1.1.1.1 are ignored on both the TCP/IP and the HTTP streams. |
| port= portnumber | The socket port number on which the MobiLink server should listen. The default port is 2439, which is the IANA registered port number for the MobiLink server. |
If you specify the tls protocol, which is TCP/IP with transport layer security, you can optionally specify the following protocol options (these options are case sensitive):
| TLS protocol options | Description |
|---|---|
| collect_network_data={ yes | no } | Enables synchronization scripts to read network information from each synchronization. |
| e2ee_private_key= file |
The PEM or DER encoded file containing the RSA private key. This option is required for end-to-end encryption to take effect. PEM and DER encoded files are created using the createkey utility. |
| e2ee_private_key_password= password |
The password to the private key file. This option is required for end-to-end encryption to take effect. When this option is specified, the e2ee_private_key parameter must also be specified. To avoid making this password visible in the MobiLink server command line, use the dbfhide utility. |
| fips={yes|no} | If you are using the TLS protocol with RSA, you can specify fips=yes to accept connections using the TCP/IP protocol and FIPS-certified encryption algorithms. FIPS-certified connections use separate FIPS 140-2 certified software. Servers using RSA encryption without FIPS-certified encryption are compatible with clients using RSA that have the fips option enabled. Servers using RSA with the fips option enabled are compatible with clients using RSA that do not have the fips option enabled. |
| host= hostname | The host name or IP number on which the MobiLink server should listen. The default value is localhost. |
| identity= identity-file | The path and file name of the identity file that is to be used for server authentication. |
| identity_password= password |
An optional parameter that specifies a password for the identity file. When this option is specified, the identity option must also be specified. To avoid making this password visible in the MobiLink server command line, use the dbfhide utility. |
| ignore= hostname | A host name or IP number that gets ignored by the MobiLink server if it makes a connection. This option allows you to ignore requests from load balancers at the lowest possible level, preventing excessive output in the MobiLink server log and MobiLink Profiler output files. You can specify multiple hosts to ignore; for example -x tcpip(ignore=lb1;ignore=123.45.67.89). |
| port= portnumber | The socket port number on which the MobiLink server should listen. The default port is 2439, which is the IANA registered port number for the MobiLink server. |
| trusted_certificates= certificate_file |
Use this option to ensure the client certificate is valid, then use the NetworkData.ClientCertificates API to further authenticate the certificate in the authenticate_user script. |
If you specify the http protocol, you can optionally specify the following protocol options (these options are case sensitive):
| HTTP options | Description |
|---|---|
| buffer_size= number | The maximum body size for an HTTP message sent from MobiLink server, in bytes. Changing the option decreases or increases the amount of memory allocated for sending HTTP messages. The default is 65536 bytes. |
| collect_network_data={ yes | no } | Enables synchronization scripts to read network information from each synchronization. |
| header_limit= number | The maximum amount of header data that can be sent in an HTTP request. If a request exceeds the value specified, the server returns an HTTP error code and aborts the request. For example, -x http(header_limit=200000) raises the limit to 200000 bytes. The default value is 64000 bytes. |
| host= hostname | The host name or IP number on which the MobiLink server should listen. The default value is localhost. |
| log_bad_request={ yes | no } | When set to yes, the MobiLink server prints an error if it receives an incomplete or unexpected HTTP request. These errors are analogous to those printed by the -vf option. The default is no. |
| port= portnumber | The socket port number on which the MobiLink server should listen. The default port is 80. |
| version= http-version | The MobiLink server automatically detects the HTTP version used by a client. This parameter is a string specifying the default version of HTTP to use if the server cannot detect the version used by the client. You have a choice of 1.0 or 1.1. The default value is 1.1. |
The HTTPS protocol uses RSA digital certificates for transport layer security. If you specify FIPS encryption, the protocol uses separate FIPS 140-2 certified software that is compatible with HTTPS.
If you specify the https protocol, you can optionally specify the following protocol options (these options are case sensitive):
| HTTPS options | Description |
|---|---|
| buffer_size= number | The maximum body size for an HTTPS message sent from MobiLink server, in bytes. Changing the option decreases or increases the amount of memory allocated for sending HTTPS messages. The default is 65536 bytes. |
| collect_network_data={ yes | no } | Enables synchronization scripts to read network information from each synchronization. |
| e2ee_private_key= file |
The PEM or DER encoded file containing the RSA private key. This option is required for end-to-end encryption to take effect. PEM and DER encoded files are created using the createkey utility. |
| e2ee_private_key_password= password |
The password to the private key file. This option is required for end-to-end encryption to take effect. When this option is specified, the e2ee_private_key option must also be specified. To avoid making this password visible in the MobiLink server command line, use the dbfhide utility. |
| fips={yes|no} | If you are using the TLS protocol with RSA, you can specify fips=yes to accept connections using the TCP/IP protocol and FIPS-certified encryption algorithms. FIPS-certified connections use separate FIPS 140-2 certified software. Servers using RSA encryption without FIPS-certified encryption are compatible with clients using RSA that have the fips option enabled. Servers using RSA with the fips option enabled are compatible with clients using RSA that do not have the fips option enabled. |
| header_limit= number | The maximum amount of header data that can be sent in an HTTPS request. If a request exceeds the value specified, the server returns an error code and aborts the request. For example, -x https(header_limit=200000) raises the limit to 200000 bytes. The default value is 64000 bytes. |
| host= hostname | The host name or IP number on which the MobiLink server should listen. The default value is localhost. |
| identity= server-identity | The path and file name of the identity file that is to be used for server authentication. |
| identity_password= password |
An optional parameter that specifies a password for the identity file. When this option is specified, the identity option must also be specified. To avoid making this password visible in the MobiLink server command line, use the dbfhide utility. |
| log_bad_request={ yes | no } | When set to yes, the MobiLink server prints an error if it receives an incomplete or unexpected HTTP request. These errors are analogous to those printed by the -vf option. The default is no. |
| port= portnumber | The socket port number on which the MobiLink server should listen. The port number must match the port the MobiLink server is set up to monitor. The default port is 443. |
| trusted_certificates= certificate_file |
Use this option to ensure the client certificate is valid, then use the NetworkData.ClientCertificates API to further authenticate the certificate in the authenticate_user script. |
| version= http-version | The MobiLink server automatically detects the HTTP version used by a client. This parameter is a string specifying the default version of HTTP to use if the server cannot detect the version used by the client. You have a choice of 1.0 or 1.1. The default value is 1.1. |
The following command line sets the TCP/IP port to 12345:
mlsrv17 -c "DSN=SQL Anywhere 17 CustDB;UID=DBA;PWD=sql" -x tcpip(port=12345)
The following example specifies the type of security (RSA), the server identity file, and the identity password protecting the server's private key:
mlsrv17 -c "DSN=my_cons"
-x tls(identity=c:\test\serv_rsa1.crt;identity_password=pwd)The following example is similar to the previous, except that there is a space in the identity file name:
mlsrv17 -c "DSN=my_cons"
-x "tls(identity=c:\Program Files\test\serv_rsa1.crt;identity_password=pwd)"The following example shows the use of end-to-end encryption over HTTPS:
mlsrv17 -c "DSN=my_cons" -x https(identity=my_identity.id;
identity_password=my_id_pwd;e2ee_private_key=my_pk.pem;
e2ee_private_key_password=my_pk_pwd)The following example shows how to use the NetworkData interface to retrieve certificate information from a secure synchronization.
public class OrderProcessor {
DBConnectionContext _cc;
public OrderProcessor( DBConnectionContext cc ) {
_cc = cc;
}
// The method used for the authenticate_user event.
public void AuthUser() {
NetworkData nd = _cc.getNetworkData();
if( nd != null ) {
if( nd.isTLS() ) {
CertPath certs = nd.getCertificateChain();
if( certs != null ) {
System.out.println( " client-side cert:" );
int n = 1;
for( Certificate c : certs.getCertificates() ) {
System.out.println( " cert " + n++ );
X509Certificate c509 = (X509Certificate) c;
System.out.println( " Subject: " + c509.getSubjectX500Principal().getName() );
System.out.println( " Issuer: " + c509.getIssuerX500Principal().getName() );
}
} else {
System.out.println( " no client cert" );
}
}
}
}
}Execute the following SQL statement to register the Java method.
ml_add_java_connection_script( <version>, 'authenticate_user', 'OrderProcessor.AuthUser' )
The following two examples show the options to add to the MobiLink command line. The first example is for HTTPS and the second example is for TLS.
mlsrv17 -c <connection_string> -x https(collect_network_data=1;trusted_certificates=<certificate_file>) -sl java
mlsrv17 -c <connection_string> -x tls(collect_network_data=1;trusted_certificates=<certificate_file>) -sl javaThe following example shows how to use the NetworkData interface to retrieve certificate information from a secure synchronization.
public class OrderProcessor {
DBConnectionContext _cc;
public OrderProcessor( DBConnectionContext cc ) {
_cc = cc;
}
public void AuthUser() {
NetworkData nd = _cc.NetworkData;
if( nd != null ) {
if( nd.IsTLS ) {
X509Certificate2Collection certs = nd.ClientCertificates;
if( certs != null ) {
PrintLn( " client-side cert:" );
int n = 1;
foreach( X509Certificate2 x509 in certs ) {
PrintLn( " cert " + n++ );
PrintLn( " Subject: " + x509.SubjectName.Name );
PrintLn( " Issuer: " + x509.IssuerName.Name );
}
}
}
}
}
}Execute the following SQL statement to register the .NET method.
ml_add_dnet_connection_script( <version>, 'authenticate_user', 'OrderProcessor.AuthUser' )
The following two examples show the options to add to the MobiLink command line. The first example is for HTTPS and the second example is for TLS.
mlsrv17 -c <connection_string> -x https(collect_network_data=1;trusted_certificates=<certificate_file>) -sl dnetmlsrv17 -c <connection_string> -x tls(collect_network_data=1;trusted_certificates=<certificate_file>) -sl dnet