SSL certificates expiration / expiração de certificados SSL

This article is written in English and Portuguese
Este artigo está escrito em Inglês e Português

English version:


In a recent customer engagement I was questioned about a topic that to be honest I never had to work with before. It relates to SSL connections to Informix and how should we handle the certificates, in particular the fact that they can/will expire… And what happens then.
Configuring SSL connections is a relatively simple process. It’s well explained in the security manual and it’s not my objective to explain it in detail here. Nevertheless, for the readers who haven’t done it before here’s a quick reference (if you really want to do it, read the manual!). Note that this example uses a self signed certificate, so this will be also copied to the client(s):

  • Server configuration
    1. Create a key database where the server certificates will be stored. This can be done with a command included in the IBM Global Security Kit which is bundled in the engine package:

      gsk8capicmd -keydb -create -db $INFORMIXDIR/ssl/$SERVER_NAME.kdb -pw $MYPASSWORD -type cms -stash

      The command above uses two variables that you need to set or replace by real values:
      SERVER_NAME is the value of the DBSERVERNAME parameter in $INFORMIXDIR/etc/$ONCONFIG
      MYPASSWORD is the password used to encrypt/access the keystore.

      We’re creating the file of type “cms” in $INFORMIXDIR/ssl with the name of the engine and we’re requesting the creation of a stash file which will allow the engine to get the password and access the keystore without having to specify the password again
      Naturally this file is security sensitive.

    2. Then we need to create a certificate file and store it in the keystore we created above. For testing purposes we’re going to create a self sign certificate. Proper setups would use a CA (Certification Authority) to sign the certificates. The CA could be external or one implemented in your company (depending on the needs):

      gsk8capicmd -cert -create -db $INFORMIXDIR/ssl/$SERVER_NAME.kdb -pw ${MYPASSWORD} -label ${SERVER_NAME}_label -dn “CN=`hostname`” -size ${KEYSIZE} -default_cert yes -expire ${EXPIRE}

      The variables that need to be set or replaced by values are:

      SERVER_NAME and MYPASSWORD as explain above
      KEYSIZE to specify the key length (e.g 1024)
      EXPIRE to define the number of days that the certificate will be valid. Default should be 365 (one year)

      Note that we’re defining a “label” for this certificate (${SERVER_NAME}_label) so that the engine can define which certificate it will use from the ones stored in the keystore. This label will be used in the engine configuration (see next step)

    3. Configure the label to define which certificate will be used by the engine. This is done by setting the SSL_KEYSTORE_LABEL:

      SSL_KEYSTORE_LABEL panther_label

    4. Create an entry in $INFORMIXSQLHOSTS for SSL (e.g panther_ssl) using the onsocssl protocol
    5. Configure one NETTYPE entry in $INFORMIXDIR/etc/$ONCONFIG:

      NETTYPE        onsocssl,1,20,NET

    6. Configure one (or more) virtual processor for SSL:

      VPCLASS ssl,num=1,noage

    7. Make sure that the new SSL port is configured in DBSERVERALIAS or DBSERVERNAME
    8. Extract the certificate so that it can be imported in the clients database (for self signed certificates):

      gsk8capicmd -cert -extract -db $INFORMIXDIR/ssl/${SERVER_NAME}.kdb -format ascii -label ${SERVER_NAME}_label -pw ${MYPASSWORD} -target ${SERVER_NAME}_label.cert

  •  On the client side
    1. Create the keystore on the client side:

      gsk8capicmd -keydb -create -db $INFORMIXDIR/etc/clientdb.kdb -pw ${MYPASSWORD} -type cms -stash

    2. Import the self signed certificate that we extracted in the server side last step:

      gsk8capicmd -cert -add -db $INFORMIXDIR/etc/clientdb.kdb -pw ${MYPASSWORD} -label ${SERVER_NAME}_label -file ${SERVER_NAME}_label.cert -format ascii

      note that the PATH specified after “-file” needs to point to the file extracted from the server keystore. You may need to FTP/SCP the file or use another copy method.
      In a proper setup you would import the CA certificate used to sign the certificates used in the servers to which the client wants to connect to

    3. Configure the client $INFORMIXSQLHOSTS file with the appropriate entry to define the SSL enabled port
    4. Create a file named $INFORMIXDIR/etc/conssl.cfg with the following content:

      SSL_KEYSTORE_FILE   /usr/informix/client_INFORMIXDIR/etc/clientdb.kdb   # Keystore file
      SSL_KEYSTORE_STH    /usr/informix/client_INFORMIXDIR/etc/clientdb.sth   # Keystore stash file

      This will tell the clients where the client side keystore and stash file are.

    5. Make sure the keystore and stash file have appropriate filesystem permissions (don’t allow access to non-authorized people)

The problem

Once you have an SSL enabled environment you should be able to connect your clients (to which you need to make the certificate available). But then, you have the…

Auteur : (Fernando Nunes)

No comments yet.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.