Configure the HCL Informix® instance for
Secure Sockets Layer (SSL) connections by adding connection information to the
sqlhosts file, setting SSL configuration parameters, and configuring the
keystore and the digital certificates it stores.
Note: Transport
Layer Security (TLS) is the successor to SSL. In this documentation,
the same information applies to TLS as to SSL.
To configure the Informix instance for SSL
connections:
- Update the connection information in the sqlhosts file to include entries for SSL connections. Use the:
  - onsocssl protocol for ESQL/C, ODBC, DB-Access, dbexport utility, dbimport utility, dbschema utility, or dbload utility connections
  - drsocssl protocol for DRDA connections
The following table shows an example of an sqlhosts file configured for both SSL and non-SSL connections. Note that an alias that keeps the onsoctcp protocol (sf_on below) still accepts unencrypted connections; remove or firewall such aliases if every client must use SSL.
Table 1. Example of sqlhosts file configured for SSL connections

Server Name   Protocol   Host Name      Service Name
sf_on         onsoctcp   sanfrancisco   sf_serv
oak_on        onsocssl   oakland        oak_serv
sac_on        drsocssl   sacramento     sac_serv
For more information about the sqlhosts file, see the IBM Informix Administrator's Guide.
- Update configuration parameters in the onconfig file, as follows:
  - Specify the label of the server digital certificate in the SSL_KEYSTORE_LABEL configuration parameter. The value must match the label that the certificate was given when it was created in the keystore.
The label can contain up to 512 bytes. If you do not specify a label name, Informix uses the default certificate in the keystore.
For example, specify:
SSL_KEYSTORE_LABEL sf_ssl
  - Configure poll threads for SSL connections by using the NETTYPE configuration parameter. If you do not configure poll threads, Informix starts one poll thread.
For the protocol, specify socssl. The protocol format is iiippp, where iii=[ipc|soc|tli] and ppp=[shm|str|tcp|imc|ssl].
For example, specify:
NETTYPE socssl,3,50,NET
  - Configure Encrypt Virtual Processors (VPs) for SSL encryption and decryption operations by using the VPCLASS parameter. If Encrypt VPs are not configured, Informix starts one Encrypt VP the first time an SSL operation occurs. You can also use the onmode -p command to add or drop Encrypt VPs while the database server is in online mode.
Tip: For large systems, configure multiple Encrypt VPs.
- Set up a keystore, its password stash file, and a digital certificate by using the iKeyman utility, the GSKCmd command-line interface, or the GSKCapiCmd command-line interface.
To use the iKeyman utility and the GSKCmd tool, a supported Java™ runtime environment must be installed. The GSKCapiCmd tool is part of the GSKit and does not require Java.
When you create the keystore and its password, be sure to:
  - Select the option to stash the password to a file. The server reads the keystore password from the stash file at startup.
  - Name the keystore servername.kdb, where servername is the value of the DBSERVERNAME configuration parameter.
  - Create the keystore and its stash file in the $INFORMIXDIR/ssl directory.
  - Set the permissions on the $INFORMIXDIR/ssl/servername.kdb and $INFORMIXDIR/ssl/servername.sth files to 600, with informix as both the owner and the group. Informix does not enforce or check these permissions, so the DBSA must verify them: the stash file holds the keystore password in an obfuscated, not encrypted, form, and anyone who can read the .sth and .kdb files can open the keystore and extract the server's private key.
For example, specify:
gsk8capicmd -keydb -create -db sf_server.kdb -pw sf_password -type cms -stash
gsk8capicmd -cert -create -db sf_server.kdb -pw sf_password -label my_ssl_label -dn "CN=sf_server" -size 2048 -default_cert yes
The -stash option writes the stash file sf_server.sth next to sf_server.kdb. The -dn value is an example distinguished name; use the host name that clients will connect to. Use a key size of at least 2048 bits; 1024-bit RSA keys are no longer considered adequate. The second command creates a self-signed certificate, so each client must be given a copy of it to trust (see the client configuration topic referenced below); alternatively, create a certificate request and import a CA-signed certificate under the same label.
Important: If the DBSA configures the database server to use a different version of GSKit, the version-specific gsk8capicmd command must be replaced with the command from that GSKit version, for example gsk7capicmd. On 64-bit GSKit 8 installations the command is named gsk8capicmd_64.
For information about the keystore, the password stash file, and digital certificates, see Secure sockets layer protocol.
For information about the iKeyman utility, the GSKCmd command-line interface, and the GSKCapiCmd command-line interface, see IBM Global Security Kit (GSKit).
If any of the Informix utilities
(such as DB-Access) must connect to the server by SSL, you must configure
a client keystore for the utility on the server, following the steps
in Configuring a client for SSL connections.
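The steps above leave several things for the DBSA to verify by hand: the sqlhosts aliases actually use an SSL protocol, the onconfig parameters are set, and the keystore and stash file are named after DBSERVERNAME and locked down to mode 600 (which Informix itself never checks). The following POSIX shell function, added here as an example and not part of the Informix or GSKit tooling, audits all of that against a given INFORMIXDIR, sqlhosts file and onconfig file. The function name, the argument order and the optional owner argument (defaulting to informix) are assumptions of this example.

```shell
# audit_informix_ssl INFORMIXDIR SQLHOSTS ONCONFIG [OWNER]
# Hypothetical helper (not an Informix utility): checks the SSL-related
# sqlhosts entries, onconfig parameters and keystore files described in
# the procedure above. Prints one line per finding; returns 0 when every
# hard requirement is met, 1 otherwise. WARN lines are advisory only.
audit_informix_ssl() {
    ixdir=$1; sqlhosts=$2; onconfig=$3; owner=${4:-informix}
    rc=0

    # DBSERVERNAME decides the expected keystore file name.
    srv=$(awk '$1=="DBSERVERNAME"{print $2}' "$onconfig")
    if [ -z "$srv" ]; then
        echo "FAIL: DBSERVERNAME not set in $onconfig"; return 1
    fi

    # 1. sqlhosts: at least one alias must use onsocssl or drsocssl;
    #    any remaining onsoctcp/drsoctcp alias still accepts cleartext.
    if ! grep -Eq '^[^#[:space:]]+[[:space:]]+(onsocssl|drsocssl)[[:space:]]' "$sqlhosts"; then
        echo "FAIL: no onsocssl/drsocssl entry in $sqlhosts"; rc=1
    fi
    grep -E '^[^#[:space:]]+[[:space:]]+(onsoctcp|drsoctcp)[[:space:]]' "$sqlhosts" |
        awk '{print "INFO: alias " $1 " (" $2 ") still accepts unencrypted connections"}'

    # 2. onconfig: certificate label (max 512 bytes), SSL poll threads, Encrypt VPs.
    label=$(awk '$1=="SSL_KEYSTORE_LABEL"{print $2}' "$onconfig")
    if [ -z "$label" ]; then
        echo "WARN: SSL_KEYSTORE_LABEL unset; the keystore's default certificate will be used"
    elif [ ${#label} -gt 512 ]; then
        echo "FAIL: SSL_KEYSTORE_LABEL longer than 512 bytes"; rc=1
    fi
    grep -Eq '^NETTYPE[[:space:]]+socssl' "$onconfig" ||
        echo "WARN: no NETTYPE socssl; the server will start a single SSL poll thread"
    grep -Eq '^VPCLASS[[:space:]]+encrypt' "$onconfig" ||
        echo "WARN: no VPCLASS encrypt; one Encrypt VP is started on the first SSL operation"

    # 3. keystore and stash: $INFORMIXDIR/ssl/<DBSERVERNAME>.kdb and .sth,
    #    mode 600 and owned by the informix user. The stash file only
    #    obfuscates the keystore password, so readability equals key theft.
    for f in "$ixdir/ssl/$srv.kdb" "$ixdir/ssl/$srv.sth"; do
        if [ ! -f "$f" ]; then
            echo "FAIL: missing $f"; rc=1; continue
        fi
        # GNU stat first, BSD/macOS stat as fallback.
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        fowner=$(stat -c '%U' "$f" 2>/dev/null || stat -f '%Su' "$f")
        [ "$mode" = "600" ] || { echo "FAIL: $f has mode $mode, expected 600"; rc=1; }
        [ "$fowner" = "$owner" ] || { echo "FAIL: $f owned by $fowner, expected $owner"; rc=1; }
    done
    return $rc
}

# Typical call on a server (paths are examples):
#   audit_informix_ssl "$INFORMIXDIR" "$INFORMIXSQLHOSTS" "$INFORMIXDIR/etc/$ONCONFIG"
```

Run it as the informix user after the keystore has been created; a non-zero exit means a hard requirement (SSL alias, label length, keystore file, permissions or ownership) is not met, while WARN lines flag defaults that work but are not what a production deployment usually wants.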