Uses transport-layer security or simple encryption to encrypt all native SQL Anywhere packets (DBLib, ODBC, and OLE DB) transmitted to and from all clients. TDS packets aren't encrypted.
{ dbsrv10 | dbeng10 } -ec encryption-options ...
encryption-options :
{ NONE |
SIMPLE |
TLS ( TLS_TYPE=cipher;
[ FIPS={ Y | N }; ]
CERTIFICATE=server-identity-filename;
CERTIFICATE_PASSWORD=password ) }, ...
You can use this option to secure communication packets between client applications and the database server using transport-layer security. See Transport-Layer Security.
Separately licensed component requiredECC encryption and FIPS-certified encryption require a separate license. All strong encryption technologies are subject to export regulations. |
The -ec option instructs the database server to accept only connections that are encrypted using one of the specified types. Connections over the TDS protocol, which include Java applications using jConnect, are always accepted regardless of the usage of the -ec option, and are never encrypted. Setting the TDS protocol option to NO disallows these unencrypted TDS connections. See TDS protocol option.
By default, communication packets aren't encrypted, which poses a potential security risk. If you are concerned about the security of network packets, use the -ec option. Encryption affects performance only marginally. The -ec option controls the server's encryption settings and requires at least one of the following parameters in a comma-separated list:
NONE accepts connections that aren't encrypted.
SIMPLE accepts connections that are encrypted with simple encryption. This type of encryption is supported on all platforms, as well as on previous versions of SQL Anywhere. Simple encryption doesn't provide server authentication, strong elliptic-curve or RSA encryption, or other features of transport-layer security.
TLS accepts connections that are encrypted. The TLS parameter accepts the following required arguments:
cipher can be RSA or ECC for RSA and ECC encryption, respectively. For FIPS-approved RSA encryption, specify TLS_TYPE=RSA;FIPS=Y. RSA FIPS uses a separate approved library, but is compatible with clients specifying RSA with SQL Anywhere 9.0.2 or later.
For a list of supported platforms for FIPS, see the Separately Licensed Components sections of the SQL Anywhere, UltraLite, and MobiLink tables in![[external link]](gif/external.gif)
SQL Anywhere 10.0.1 Components by Platform.
The cipher must match the encryption (ECC or RSA) used to create your certificates.
For information about enforcing the FIPS-approved algorithm, see -fips server option.
NoteVersion 10 clients cannot connect to version 9.0.2 or earlier database servers using the ECC algorithm. If you require strong encryption for this configuration, use the RSA algorithm. |
server-identity-filename is the path and file name of the server identity. If you are using FIPS-approved RSA encryption, you must generate your certificates using the RSA cipher.
For more information about creating the server certificate, which can be self-signed, or signed by a Certificate Authority or enterprise root certificate, see Creating digital certificates.password is the password for the server private key. You specify this password when you create the server certificate.
If the database server accepts simple encryption, but does not accept unencrypted connections, then any non-TDS connection attempts using no encryption automatically use simple encryption.
Starting the database server with -ec SIMPLE tells the database server to only accept connections using simple encryption. TLS connections (ECC, RSA, and RSA FIPS) fail, and connections requesting no encryption use simple encryption.
Starting the server with -ec SIMPLE,TLS(TLS_TYPE=ECC) tells the database server to only accept connections with ECC encryption or simple encryption. Both RSA and RSA FIPS connections fail, and connections requesting no encryption use simple encryption.
The dbecc10.dll and dbrsa10.dll files contain the ECC and RSA code used for encryption and decryption. The file dbfips10.dll contains the code for the FIPS-approved RSA algorithm. When you connect to the database server, if the appropriate file cannot be found, or if an error occurs, a message appears on the Server Messages window. The server doesn't start if the specified types of encryption cannot be initiated.
The client's and the server's encryption settings must match or the connection will fail except in the following cases:
if -ec SIMPLE is specified on the database server, but -ec NONE is not, then connections that do not request encryption can connect and automatically use simple encryption
if the database server specifies RSA and the client specifies FIPS, or vice versa, the connection succeeds. In this case, the Encryption connection property returns the value specified by the database server.
The following example specifies that connections with no encryption and simple encryption are allowed.
dbsrv10 -ec NONE,SIMPLE -x tcpip c:\mydemo.db
The following example specifies starts a database server that uses the elliptic-curve server certificate sample.crt.
dbsrv10 -ec TLS(TLS_TYPE=ECC;CERTIFICATE=sample.crt;CERTIFICATE_PASSWORD=tJ1#m6+W) -x tcpip c:\mydemo.db
The following example starts a database server that uses the RSA server certificate rsaserver.crt.
dbsrv10 -ec TLS(TLS_TYPE=RSA;CERTIFICATE=rsaserver.crt;CERTIFICATE_PASSWORD=test) -x tcpip c:\mydemo.db
The following example starts a database server that uses the FIPS-approved RSA server certificate rsaserver.crt.
dbsrv10 -ec TLS(TLS_TYPE=RSA;FIPS=Y;CERTIFICATE=rsaserver.crt;CERTIFICATE_PASSWORD=test) -x tcpip c:\mydemo.db