Using network encryption
Encryption is the process of transforming data into an unintelligible form to prevent the unauthorized use of the data. Network encryption refers to data encryption in transit between client and server, and between server and another server.
Unencrypted data is called plain text because it is in a commonly understandable form. Encrypted data is called cipher text because it is in a secret and non-understandable form. Unencrypted plain text can be converted to encrypted cipher text using an encryption-decryption algorithm or cipher. Ciphers can be categorized based on the type of the encryption key used in the cryptographic algorithm:
- Private key cryptography
- One key is used for both encryption and decryption. Also known as symmetric cryptography.
- Public key cryptography
- A key used for encryption is different than the key used for decryption. Also known as asymmetric cryptography.
Informix supports only symmetric cryptography for network data encryption.
You can configure Informix server with one of the following two network encryption options:
- Integrated communication support modules (CSMs), which is a complete data encryption with a standard cryptography library.
- Secure Sockets Layer (SSL), which is a communication protocol that uses encryption for data communication through a reliable, end-to-end, secure connection.
SSL is a more widely used alternative to the IBM Informix CSMs. You can use SSL for encrypted communication with both DRDA and SQLI clients, but you can use the CSMs only for connections with SQLI clients.
You can also configure the CSMs with SSL connections. However, there will be no extra benefit from the redundant CSMs encryption functionality that involves additional configuring effort.
You can configure pluggable authentication module (PAM) and the generic security services communications support module (GSSCSM), which uses the Kerberos 5 security protocol for single sign-on (SSO) with SSL connections.
The communication support modules (CSMs) encryption option in Informix provides complete data encryption with a standard cryptography library and many configurable options. A message authentication code (MAC) is transmitted as part of the encrypted data transmission to ensure data integrity. You can use the CSMs to encrypt data transmissions, including distributed queries, over the network.
CSMs have the following restrictions:
- An encryption CSM cannot be used with a simple password CSM simultaneously.
- You cannot use any CSM over a multiplexed connection.
- Enterprise replication and high-availability clusters cannot use a connection configured with a CSM.
- Encrypted connections and unencrypted connections cannot be combined on the same port.
Enabling data encryption with CSMs for Informix server requires the following high-level steps:
Locate the concsm.cfg file to insert entries for
describing the CSMs used for data encryption.
The oncsm.cfg file is in $INFORMIXDIR/ect by default, but you can put
it anywhere else on the host and set the INFORMIXCONCSMCFG environment
variable to the full path name of the new location.
Create an oncsm.cfg file if it does not exist. You can use the examples in $INFORMIXDIR/ect/concsm.example.
Add an entry to the concsm.cfg file for the CSM you are going to
use. The entry specifies encryption libraries and encryption options to be
used. You must specify which ciphers and mode to use in the encryption
options. Each entry must conform to the
- The following characters are not allowed to be part of the library path names:
- = (equal sign)
- " (double quotation mark)
- , (comma)
- White spaces cannot be used unless the white spaces are part of a path name.
- The length is limited to 1024 bytes.
You can specify the following types of encryption options:
- DES and AES ciphers to use during encryption
- Modes to use during encryption
- Message authentication code (MAC) key files
- MAC levels
- Switch frequency for ciphers and keys
You can use either one of the following methods to specify encryption options.
- Invoke an encryption parameters file in concsm.cfg
is the simpler method. Listing 8 shows an encryption parameter
file that states to use all available ciphers for this
connection and also to switch the cipher being used every 120
minutes and renegotiate the secret key every 60
Listing 8. Invoking the encryption parameters file
ENCCSM_CIPHERS all ENCCSM_SWITCH 120,60 ENCCSM_MAC medium ENCCSM_MACFILES /usr/informix/etc/MacKey.dat
Listing 9 illustrates a line in the concsm.cfg file to specify encryption with a parameter file named encrypt.txt:
Listing 9. Specifying encryption with the encrypt.txt file.
- Use encryption tags in concsm.cfg
- Listing 10 shows
an entry using encryption tags in oncsm.cfg file that
uses all available ciphers except for any of the Blowfish
ciphers does not use any cipher in ECB mode.
Listing 10. Using encryption tags in concsm.cfg
Generate a MAC key file that contains encryption keys to be used to encrypt messages. The same MAC key file is required to enable data encryption between Informix client and server. The default MAC key file is the built-in file provided by IBM Informix. This file provides limited message verification (some validation of the received message and confirmation that it has come from an IBM Informix client or server). A site-generated MAC key file performs the strongest verification. You can generate key files with the GenMacKey utility. Listing 11 generates a MAC key file named IfxMacKey.dat.
Listing 11. Creating a MAC key file
cd $INFORMIXDIR/etc GenMacKey -o IfxMacKey.dat
If you don't specify the key file name, GenMacKey will use the default name MacKey.dat. You need to transfer the MAC key file generated to the remote client machine using secure copy or secure FTP. The GenMacKey utility prioritizes each of the MAC key files based on its creation time. The built-in key file has the lowest priority. If you don't have MAC key files present, the built-in MAC key is used by default. However, by using a MAC key file, the default built-in MAC key is disabled.
Enable the CSM in the options column of the sqlhosts file or registry. The format of the CSM option in the sqlhosts file is csm=(name,options). The value of the name must match a name entry in the concsm.cfg file. CSM options defined in the sqlhosts file override options specified in the concsm.cfg file. CSM encryption options cannot be specified in the sqlhosts file. If you do not specify the csm option, the database server uses the default authentication policy for that database server. Table 2 shows the available CSM options.
Note: The s=7 option is deprecated and is not required for the single sign-on (SSO) CSM.
Table 2. CSM options for the sqlhosts file
|p||Password||This option is available as part of the simple password CSM, which provides password encryption||
|c||Confidentiality service||Data transmitted to and from the SSO-authenticated user is encrypted and can be viewed only by the user logged in with the authorized credentials. This option is available as part of the generic security services CSM, which supports single sign-on (SSO).||
|i||Integrity service||Ensures that data sent between user and the DBMS is not altered during transmission. This option is available as part of the generic security services CSM, which supports single sign-on (SSO).||
Listing 12 shows that the Informix server ids1170fc4_encrypt is configured to use CSM ENCCSM, as specified in the oncsm.cfg file.
Listing 12. Using the ENCCSM file
Ids1170fc4_encrypt onsoctcp idshost.informix.ibm.com 9889 csm=(ENCCSM)
Where ENCCSM is the name specified for the CSM in the oncsm.cfg file.
The secure sockets layer (SSL) protocol is a communication protocol that uses encryption to provide privacy and integrity for data communication through a reliable, end-to-end, secure connection between two points over a network.
The SSL protocol provides the following advantages over the Informix communication support modules (CSMs):
- SSL is a more widely used alternative to the IBM Informix CSMs.
- You can use SSL for encrypted communication with both DRDA and SQLI clients.
You can use the SSL protocol for all types of connections, including client-to-server connections and server-to-server connections.
SSL uses digital certificates to exchange keys for encryption and server authentication. The trusted entity that issues a digital certificate is known as a certificate authority (CA). The CA issues a digital certificate for only a limited time. When the expiration date passes, you must acquire another digital certificate.
SSL uses a symmetric key (secret or private key) algorithm for data encryption, but it uses an asymmetric key (public key) algorithm for the exchange of the secret keys in the symmetric algorithm.
Typically, establishing a new SSL connection involves the following two steps:
- Hand shake to establish a secure connection by the client's validating the digital certificate received from the server
- Cipher exchange: the client generates a random symmetric key and sends it to the server
Once those two steps are complete successfully, the client and server encrypt data for the duration of the session.
Informix uses a keystore, which is a protected database, to store SSL keys and digital certificates. Both the client and server must have the keystore. The server keystore stores its digital certificate and the root CA certificate of all other servers to which Informix is connecting. The server keystore must be located in the INFORMIXDIR/ssl directory and must be named server_name.kdb, where server_name is the value specified in the DBSERVERNAME configuration parameter. The keystore on an Informix client stores the root CA certificates of all servers to which the client is connecting. A password for the keystore is optional on the client.
Each Informix instance must have its own keystore, and the keystore is protected by a password that Informix must know so that it can retrieve the digital certificate for SSL communications.
You can use the IBM Global Security Kit (GSKit) to generate keys required to run SSL. The GSKit is installed together with both Informix server and client (CSDK) to provide libraries and utilities for SSL communication. The GSKit includes the GSKCapiCmd command-line interface for managing keys, certificates, and certificate requests.
Complete the following steps to configure IDS to use SSL.
- Set up Informix ONCONFIG.
- Configure the server name and server aliases for SSL connections.
- Configure encrypt VPs using the VPCLASS onconfig
VPCLASS encrypt, num=3. If VPCLASS is not configured, IDS will start one encrypt VP by default.
- Configure poll threads for SSL connection using the NETTYPE onconfig
parameter. If poll threads are not configured, IDS will start one
poll thread. For example, enter
- Configure the SSL_KEYSTORE_LABEL for the server's digital certificate in
keystore. For example, enter
SSL_KEYSTORE_LABEL myssllabel. If not configured, the server will use the default label in keystore for SSL communication.
- Configure or create an $INFORMIXDIR/etc/conssl.cfg file. This file is
needed by only SQLI clients, including dbaccess, dbimport,
and esql applications. The file contains the fully qualified filename of the client keystore
and the fully qualified filename of the client stash file.
Following are the client configuration parameters that are in the conssl.cfg file and their descriptions.
- This is the fully qualified file name of the keystore that stores the root CA certificates of all of the servers to which the client connects.
- This is the fully qualified file name of the stash file containing the encrypted keystore password.
Listing 13 shows examples.
Listing 13. Entering client configuration parameters
SSL_KEYSTORE_FILE /u/keystores/clikeydb.kdb SSL_KEYSTORE_STH /u/keystores/clikeydb.sth
If conssl.cfg does not exist, the client keystore and stash file will default to $INFORMIXDIR/etc/client.kdb and $INFORMIXDIR/etc/client.sth.
- Set up sqlhosts to configure a server name to use the onsocssl SSL
protocol. You need to update connection information in the sqlhosts file
(UNIX) or the SQLHOSTS registry (Windows) to include information about
SSL connections. Use onsocssl protocol for Informix
SQLI connections and drsocssl protocol for DRDA connections.
Table 3 shows an example of an sqlhosts file configured for both SSL and non-SSL connections.
Table 3. Example of sqlhosts file configured for SSL connections
|Server name||Protocol||Host name||Server name|
- Create a server keystore. Set up a keystore and its password stash file
and digital certificate by using the iKeyman utility, GSKCmd
command-line interface, or GSKCapiCmd command-line interface. The
iKeyman utility and GSKCmd tool require JRE 1.6 or later. The
GSKCapiCmd tool is a part of the GSKit (see Resources) and does not require Java.
Create the keystore and its stash file in the INFORMIXDIR/ssl directory using the code in Listing 14.
Listing 14. Creating the keystore and stash file
Where the servername is the value of the DBSERVERNAME onconfig parameter.
It is recommended that you change the permissions on the keystore and stash file to 664/informix:informix, as shown in Listing 15.
Listing 15. Changing permissions on keystore and stash file
gsk8capicmd -keydb -create -db oak_on.kdb -pw mypasswd -type cms -stash gsk8capicmd -cert -create -db oak_on.kdb -pw mypasswd -label myssllabel -size 1024 -default_cert yes
Important: If the DBSA configures the database server to use a different version of GSKit, the version-specific gsk8capicmd command must be replaced with command from the different GSKit version, such as
Export the certificate to an ASCII file (to be imported to client keystore), as shown in Listing 16.
Listing 16. Export the certificate
gsk8capicmd -cert -extract -db oak_on.kdb -format ascii -label myssllabel -pw mypasswd -target myssllabel.cert
- Create a client keystore by importing the
server certificate using GSKit, as shown in Listing 17.
Listing 17. Importing the server certificate
gsk8capicmd -keydb -create -db clikeydb.kdb -pw mypasswd -type cms -stash gsk8capicmd -cert -add -db clikeydb.kdb -pw mypasswd -label myssllabel -file myssllabel.cert -format ascii
Change the permissions on the keystore and stash file to 664/informix:informix. In an INFORMIXDIR that contains CSDK or I-Connect, you should have public read access. If the INFORMIXDIR contains only IDS, you might use just 600 or 640 permissions.
- Initialize the server by completing the following steps:
- Move the server and client keystores to the specified location (as described in earlier steps).
- Initialize the server. All the communication between client and server on the SSL configured port will be encrypted using SSL protocol.