Using SSL/TLS database connections

If you are upgrading database clients that uses SSL/TLS connections to Client SDK 4.50.xC4W1 or newer, you may need to migrate their client keystores. For more information, see Configuring a client for SSL connections.

To perform keystore migration:

  1. If your database client installation is co-located with the database server installation, the database client continues to use GSKit asencryption library. In this case, keystore migration is not necessary.
  2. If your database client uses a stand-alone installation of Client SDK 4.50.xC4W1 or newer, then it will now use OpenSSL as encryption library,rather than GSKit.In this case:
    1. Ensure to have an appropriate version of OpenSSL installed before you install Client SDK 4.50.xC4W1 or newer.
    2. If your client keystore has the GSKit-proprietary format "CMS" (file extension "*.kdb"), then this keystore needs to be converted to a PKCS#12 keystore. As the CMS format is GSKit-specific, you need the GSKit command "gsk8capicmd" (or "gsk7capicmd") in order to convert the keystore.
      Use a command like: 
      gsk8capicmd -keydb –convert –db KEYSTOREFILE.kdb -pw PASSWORD
-old_format cms -new_db KEYSTOREFILE.p12 -new_pw PASSWORD
-new_format pkcs12
    3. Create a stash file with the keystore password to use with OpenSSL. Use the new utility "onkstash" contained with Client SDK 4.50.xC4W1 (or newer) to stash the keystore password: 
      onkstash KEYSTOREFILE.p12 PASSWORD
      Note: This step is also needed in case your keystore already had the PKCS#12 format.
Parent topic: Migrating to the new version of Informix
Copyright© 2020 HCL Technologies Limited