Setting up a secure SSL connection for Informix servers
and clients
In public, but also in private networks, there is a potential risk that a connection between a database server and a client can be intercepted.
The best way to prevent eavesdropping is to establish an encrypted connection. Informix provides an easy way to set up secure SSL connections. Server and clients have a private key that is exchanged before the connection is established. The key is stored both on the server and on the client in an encrypted keystore.
This article describes how to set up a secure SSL connection for Informix servers and clients with a few commands.
The starting point for this article is based on the development of the CURSOR Admin-Scout. Informix administration with the Admin-Scout is done classically via a server-client connection. For us it was an important concern to secure this connection according to approved techniques. The second part of this article therefore describes how to set up an SSL connection between the database server and the Admin-Scout.
Setup on the server:
Prerequisites:
Depending on the operating system version you need the IBM GSKit (Gloabl Security Toolkit). The command gsk8capicmd in the description must be called gsk8capicmd_32 or gsk8capicmd_64 depending on the platform. The 8 in the command is the main version of the GSKit and may change in the future. All our examples use the 64Bit variant. 32Bit platforms have to replace _64 with _32.
Based on the IBM Tutorial (here) the following steps are necessary on the server:
1. creating a keystore on the server and a certificate
For this you first create a directory ssl in the $INFORMIXDIR as user informix.
In this directory a keystore must now be created that has the name of the server instance.
For this you have to use the DBSERVERNAME from onconfig, not an alias of the server. Since the password is only needed here and stored encrypted, you should keep it safe.
If you select the option -dn for creating a certificate, fill the fields CN=, OU=, O= and C= with the name and data of your company. You can freely choose the label. In the onconfig, exactly this label must be specified later under SSL_KEYSTORE_LABEL. The certificate must also be stored on the client under this label in the KeyStore, because the server requests exactly this label name from the client.
cd $INFORMIXDIR/ssl
# Creating the KeyStore
gsk8capicmd_64 -keydb -create -db <DBSERVERNAME>.kdb -pw <password> -type cms -stash
# Generating the certificate
gsk8capicmd_64 -cert -create -db <DBSERVERNAME>.kdb -pw <password> -label <labelname> -size 1024 -default_cert yes -dn
"CN=<DBSERVERNAME>,OU=<ORGANISATION UNIT>,O=<ORGANISATION>,C=<Two-digit country code>"
The KeyStore is now complete. However, we need the generated certificate on all clients. Therefore it has to be exported from the KeyStore:
gsk8capicmd_64 -cert -extract -db <DBSERVERNAME>.kdb -format ascii -label <labelname> -pw <password> -target <labelname>.cert
This command creates the file <labelname.cert>. We need to copy this file to all clients and paste it into the keystore.
2. Edit the onconfig file of the instance
The following entries must be made in the onconfig file of the instance:
SSL_KEYSTORE_LABEL <labelname>
NETTYPE socssl, <number of listeners>,<number of connections per listener>,NET
VPCLASS encrypt,num=1,noage
DBSERVERALIASES <new Alias>
Depending on the size of the instance you have to select the <number of listeners>, <number of connects> or the num= for the VPCLASS parameter. The same rules apply as for an unencrypted soctcp connection.
For the SSL connection, a new listener name must be added to the DBSERVERALIASES variable. This listener must now be defined in the sqlhosts file.
3. Editing the sqlhosts file
For the listener name (DBSERVERALIASES) just entered in onconfig, the connection parameters must now be defined. A new line must be entered in the sqlhosts file:
<new Alias> onsocssl <Hostname> <Port/Servicename>
This is analogous to a normal onsoctcp connection. The SSL connection needs its own port or service name. As with the soctcp, the host name can be preceded by a * in order to start the connection on all network interfaces.
Setup on the Client
The path to the KeyStore on the client is not as defined on the server. The location can be defined in the $INFORMIXDIR/etc/conssl.cfg file. If this file does not exist, the KeyStore is expected in $INFORMIXDIR/etc.
1. Create Conssl.cfg
Two variables must be set in conssl.cfg:
SSL_KEYSTORE_FILE /opt/informix/sslClient/client.kdb
SSL_KEYSTORE_STH /opt/informix/sslClient/client.sth
In the example we assume that $INFORMIXDIR is /opt/informix. The directory sslClient is created there.
The first entry is the path to the keystore and the second entry is the path to the password file created by the -stash option.
2. create KeyStore and import certificate
In the directory sslClient we also create the KeyStore:
gsk8capicmd_64 -keydb -create -db client.kdb -pw <password> -type cms -stash
Now we need the file <labelname>.cert, which we exported from the KeyStore on the server.
gsk8capicmd_64 -cert -add -db client.kdb -pw <password> -label <labelname> -file <labelname>.cert -format ascii
On the client as well as on the server, you can display the content of the KeyStore with the following command:
gsk8capicmd_64 -cert -list -db <KeyStoreName>.kdb -stashed
The output should then be like this:
Certificates found
* Standard, - personal, ! reliable, # secret key
! ol_scout
Where in this case ol_scout is my 'label name'.
Setup on the Admin-Scout
Also on the Admin-Scout we need the file <labelname>.cert from the server. On the Admin-Scout start page we can use the menu item 'Installation CSDK / SSL' from version Scout 2.3 on. If necessary, a current client SDK can be installed here. However, this is only necessary if the GSKit version installed on the Scout is too old for your server.
If this is not the case, you have to enter the same password once in the box 'Informix SSL Installation' in the two password fields and press the button 'Create Keystore'. If the button is grayed out, a keystore already exists.
Now click on 'Select Certificate File' and select your <label name>.cert file from the server in the file browser that opens. Then click on 'Upload'. After successfully uploading the file, enter the name of the label in the 'Certificate Label' field and click 'Install Certificate'. The certificate is now imported and appears on the right side under 'Installed SSL Certificates'.
Here you can remove a certificate by clicking on the red cross next to the label name.
This completes the certificate installation. You can now set up a connection to the instance with the onsocssl protocol under Admin / Add Connection.
(Andreas Seifert, May 2019)
