Configuring a client for SSL connections

Configure an ESQL/C, ODBC, DB-Access, dbexport, dbimport, dbschema, or dbload connection by adding connection information to the sqlhosts file, setting SSL configuration parameters, and configuring the keystore and the digital certificates it stores.

The client and the server must support at least one TLS version in common. Set the TLS version that the server accepts with the TLS_VERSION configuration parameter.

Note: Transport Layer Security (TLS) is the successor to SSL. In this documentation, the same information applies to TLS as to SSL.
  1. Update connection information in the sqlhosts file by using the onsocssl protocol for SSL SQLI client connections.

    The following table shows an example of an sqlhosts file configured for these client connections. Connections to oak_on use SSL; connections to sf_on, which keeps the onsoctcp protocol, remain unencrypted.

    Table 1. Example of sqlhosts file configured for SSL SQLI client connections
    Database Server Name   Protocol   Host Name      Service Name
    sf_on                  onsoctcp   sanfrancisco   sf_serv
    oak_on                 onsocssl   oakland        oak_serv
  2. Using a text editor, create a conssl.cfg file in the $INFORMIXDIR/etc directory. The file must contain the following information:
    • SSL_KEYSTORE_FILE information that specifies the fully qualified file name of the keystore that stores the root CA certificates of all of the servers to which the client connects.
    • SSL_KEYSTORE_STH information that specifies the fully qualified file name of the stash file containing the encrypted keystore password.
    The format of the conssl.cfg file is:
    Parameter    Value   # Comment
    For example, the conssl.cfg file might contain this information:
    SSL_KEYSTORE_FILE   /work/keystores/ssl_client.kdb   # Keystore file
    SSL_KEYSTORE_STH    /work/keystores/ssl_client.sth   # Keystore stash file
  3. Use the GSKCapiCmd command-line interface, which is part of the IBM Global Security Kit (GSKit), to set up a keystore, its password stash file, and its digital certificates.
    When you create the keystore, be sure that:
    • You use the command associated with the installed version of GSKit (for example, gsk7capicmd or gsk8capicmd).
    • The name and location of the keystore and its stash file are as specified in the conssl.cfg file.
    • Permissions on the keystore and its stash file are set to 666, even though the permissions are not enforced. Because the client does not enforce a mode, you can and should use a more restrictive one: a world-writable keystore lets any local user replace the trusted CA certificates, and the stash file holds the (obfuscated) keystore password. Grant read access only to the users that run the client programs, and write access to nobody else.

    If the certificate created for the server is self-signed, you must extract the certificate from the server keystore and copy it to the client so that it can be added to the client keystore. If you use the default certificates that are provided, you must still create the client keystore.

    For example:

    • Whether the certificate is self-signed or is a default CA certificate, run the following command on the client to create the keystore and its stash file (the stash file gets the same base name as the keystore, with the .sth extension):
      GSK_COMMAND -keydb -create -db client.kdb -pw PASSWORD -type cms -stash
    • If the certificate created for the server is self-signed, additionally:
      1. Log on to the remote server and extract the certificate from the server keystore:
        GSK_COMMAND -cert -extract -db $INFORMIXSERVER.kdb -format ascii -label SSL_KEYSTORE_LABEL -pw PASSWORD -target SSL_KEYSTORE_LABEL.cert
      2. Copy the extracted certificate to your client, for example with FTP. Because this certificate becomes the client's trust anchor for that server, prefer sftp or scp where they are available so that the file cannot be altered in transit, and compare the file on both hosts before you import it.
      3. Add the certificate to the client keystore:
        GSK_COMMAND -cert -add -db client.kdb -pw PASSWORD -label SSL_KEYSTORE_LABEL -file SSL_KEYSTORE_LABEL.cert -format ascii
  4. If the server digital certificate was issued by a Certificate Authority, add the digital certificate of that CA to the client keystore, using the same GSK_COMMAND -cert -add command with the CA certificate file. The client can then verify any server certificate that the CA issued.
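The four steps above as one script, as an added example that is not part of the original page and not code from HCL or IBM: it writes conssl.cfg, checks that the sqlhosts entry for the server really selects onsocssl, creates the client keystore and imports the certificate with GSKit, and rejects keystore or stash files that anyone other than the owner can write. The keystore directory /work/keystores, the label oak_serv_label, the certificate file oak_ca.cert and the password changeit are assumed placeholder values; the GSKit commands run only when RUN_GSKIT=1 is set and gsk8capicmd (or whatever GSK_COMMAND names) is installed.

```shell
#!/bin/sh
# Added example, not from the original page or from the Informix product:
# configure an Informix client for SSL connections end to end and verify it.
# Placeholder values (assumptions): /work/keystores, label oak_serv_label,
# certificate file oak_ca.cert, password "changeit".
set -eu

GSK_COMMAND="${GSK_COMMAND:-gsk8capicmd}"   # use gsk7capicmd with GSKit 7

# Step 1 check: does the sqlhosts entry for this server actually use onsocssl?
# An onsoctcp entry connects without SSL and nothing warns you.
# $1 = sqlhosts file, $2 = database server name (first sqlhosts column)
sqlhosts_uses_ssl() {
    awk -v name="$2" '$1 == name && $2 == "onsocssl" { found = 1 }
                      END { exit found ? 0 : 1 }' "$1"
}

# Step 2: write conssl.cfg in the "Parameter   Value   # Comment" format.
# $1 = directory standing in for $INFORMIXDIR/etc, $2 = keystore directory
write_conssl_cfg() {
    cat > "$1/conssl.cfg" <<EOF
SSL_KEYSTORE_FILE   $2/ssl_client.kdb   # Keystore file
SSL_KEYSTORE_STH    $2/ssl_client.sth   # Keystore stash file
EOF
}

# Read one parameter back from conssl.cfg, dropping any trailing "# comment".
# $1 = conssl.cfg path, $2 = parameter name
conssl_value() {
    awk -v key="$2" '$1 == key { v = $2; sub(/#.*$/, "", v); print v; exit }' "$1"
}

# Step 3 check: refuse keystore or stash files that group or others can write,
# because whoever can write the keystore can replace the trusted CA roots.
# $1 = path; returns 0 when no group/other write bit is set
file_perms_ok() {
    perm=$(ls -ld "$1" | cut -c1-10)          # e.g. -rw-r-----
    case "$perm" in
        ?????w*)    return 1 ;;               # group write bit (column 6)
        ????????w?) return 1 ;;               # other write bit (column 9)
    esac
    return 0
}

# Step 3/4: create the client keystore with its stash file, import the CA (or
# the server's self-signed) certificate, and confirm the label is now listed.
# $1 = keystore directory, $2 = password, $3 = label, $4 = certificate file (ascii)
build_client_keystore() {
    db="$1/ssl_client.kdb"
    "$GSK_COMMAND" -keydb -create -db "$db" -pw "$2" -type cms -stash
    "$GSK_COMMAND" -cert -add -db "$db" -pw "$2" -label "$3" -file "$4" -format ascii
    # Readable by the users that run client programs, writable only by the owner.
    chmod 644 "$db" "$1/ssl_client.sth"
    "$GSK_COMMAND" -cert -list -db "$db" -pw "$2" | grep -q -- "$3"
    file_perms_ok "$db" && file_perms_ok "$1/ssl_client.sth"
}

# Run the GSKit steps only when asked for and when the tool is installed.
if [ "${RUN_GSKIT:-0}" = 1 ] && command -v "$GSK_COMMAND" >/dev/null 2>&1; then
    mkdir -p /work/keystores
    write_conssl_cfg "${INFORMIXDIR:?set INFORMIXDIR}/etc" /work/keystores
    build_client_keystore /work/keystores changeit oak_serv_label oak_ca.cert
    sqlhosts_uses_ssl "${INFORMIXSQLHOSTS:-$INFORMIXDIR/etc/sqlhosts}" oak_on \
        || echo "warning: oak_on is not an onsocssl entry in sqlhosts" >&2
fi
```

Run it as RUN_GSKIT=1 sh client_ssl.sh on the client host after the CA or extracted server certificate has been copied there; without RUN_GSKIT the script only defines the functions, so the parsing and permission checks can be exercised on any machine. The permission check deliberately fails on the 666 mode the page mentions, which is the behaviour you want before the keystore is shared between users.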

Copyright© 2018 HCL Technologies Limited