IBM Support

Using Connection Support Modules (CSM)

Question & Answer


Question

Are there any guidelines for determining when to use encrypted Connection Support Modules?

Cause

There are several options for authentication and encryption.

Answer

Using CSM
Communication support modules require a configuration file, concsm.cfg, that defines which methods and options are used for encryption. You must modify concsm.cfg to use encryption with communication support modules. The file contains one entry (one or more lines) for each communication support module that you use.

  • You must have a concsm.cfg file for both the client application and the database server, unless the client is a JDBC application.
  • An entry is needed in the options column of the sqlhosts file or registry.
  • Any module changes require a server restart.
  • The database server reads the concsm.cfg file when creating the CSM virtual processor. The CSM virtual processor and cssmbox_cn thread are instantiated with the first successful connection request.

Specifying the cipher and mode
You must specify which cipher and mode to use for encryption. The encryption algorithm options are:
    1. Data Encryption Standard (DES) is a cryptographic algorithm designed to encrypt and decrypt data by using 8-byte blocks and a 64-bit key.
    2. Triple DES (DES3) is a variation of DES in which three 64-bit keys are used for a 192-bit key. DES3 works by first encrypting the plaintext by using the first 64 bits of the key. Then the ciphertext is decrypted by using the next part of the key. In the final step, the resulting ciphertext is re-encrypted by using the last part of the key.
    3. Advanced Encryption Standard (AES) is a replacement algorithm that is used by the United States government.
For more information on these options, see Encryption ciphers and modes.

Understanding the MAC key
Encrypted data includes a short piece of information called the Message Authentication Code (MAC). It helps establish how the communication is encrypted and how the data should be handled. Database servers and client computers that participate in encryption usually require a MAC key file.
  • A default MAC key file is provided with the Informix software, but it provides only limited message verification: it validates the received message and determines that it came from an Informix client or server.
  • A site-generated MAC key file performs the strongest verification. You can generate key files with the GenMacKey utility.
  • Each of the MAC key files is prioritized and negotiated at connect time. The prioritization for the MAC key files is based on their creation time by the GenMacKey utility. The built-in key file has the lowest priority. If there are no MAC key files present, the built-in MAC key is used by default.
  • Using a generated MAC key file will disable the built-in MAC key.

MAC levels
Communication between databases may involve different levels of encryption. The level of encryption is determined by the MAC level. The supported generation levels are:
  • high. Uses SHA1 MAC generation on all messages.
  • medium. Uses SHA1 MAC generation for all messages greater than 20 bytes long and XOR folding on smaller messages.
  • low. Uses XOR folding on all messages.
  • off. Does not use MAC generation.
The level is prioritized in relation to the highest value present. The off entry must only be used between servers when it is guaranteed that there is a secure network connection. All servers and client computers that transmit encrypted communication must have at least one MAC level setting in common, or the communication will fail.

Switch frequency
When the secret key and encryption cipher remain in use for long periods of time, it becomes more likely that an attacker can break the encryption. To avoid this, cryptologists recommend periodically changing the secret key and cipher on long-term connections. The switch frequency, set in the concsm.cfg file, determines how often ciphers and secret keys are renegotiated. The default renegotiation interval is once an hour. The switch options let you set a shorter interval, in minutes, at which renegotiation occurs.
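As an added illustration of the MAC key, MAC level and switch frequency rules above (not part of the original technote), the following Python audits constructed concsm.cfg entries: it computes the MAC level a client and server would negotiate (none in common means the connection fails) and flags the settings the technote cautions about. The option-string syntax cipher[...], mac[levels:<...>,files:<...>], switch[cipher:N,key:N] is assumed from the Informix ENCCSM reference and is not described on this page.

```python
import re

# Constructed concsm.cfg entries for illustration; not taken from the technote.
# The option syntax (cipher[...], mac[levels:<...>,files:<...>], switch[cipher:N,key:N])
# is assumed from the Informix ENCCSM reference and is not described on this page.
SERVER_ENTRY = ('ENCCSM("/usr/informix/lib/csm/iencs11a.so", '
                '"cipher[allbut:<ecb>],mac[levels:<high,medium>,'
                'files:</usr/informix/etc/mac1.dat>],switch[cipher:120,key:15]")')
CLIENT_ENTRY = ('ENCCSM("/usr/informix/lib/csm/iencs11a.so", '
                '"cipher[allbut:<ecb>],mac[levels:<medium,low>],switch[cipher:60,key:60]")')

# Rank used to pick the highest MAC level both sides offer.
MAC_RANK = {"high": 3, "medium": 2, "low": 1, "off": 0}


def parse_options(entry):
    """Split the entry's second quoted argument into its bracketed option groups."""
    opts = entry.split('"')[3]
    return {m.group(1): m.group(2)
            for m in re.finditer(r"(\w+)\[(.*?)\](?=,|$)", opts)}


def mac_levels(entry):
    """MAC levels the entry offers; empty set if none are declared."""
    m = re.search(r"levels:<([^>]*)>", parse_options(entry).get("mac", ""))
    return {lvl.strip() for lvl in m.group(1).split(",")} if m else set()


def negotiate_mac(client_entry, server_entry):
    """Highest MAC level both sides list, or None when they share no level (connection fails)."""
    common = mac_levels(client_entry) & mac_levels(server_entry)
    return max(common, key=MAC_RANK.__getitem__) if common else None


def audit(entry):
    """Flag settings the technote cautions about in a single concsm.cfg entry."""
    findings, opts = [], parse_options(entry)
    if "off" in mac_levels(entry):
        findings.append("MAC level 'off' offered; only for server-to-server links on a guaranteed secure network")
    if "files:" not in opts.get("mac", ""):
        findings.append("no site-generated MAC key file: built-in key gives only limited verification")
    for kind, minutes in re.findall(r"(cipher|key):(\d+)", opts.get("switch", "")):
        if int(minutes) > 60:  # the technote's default renegotiation interval is one hour
            findings.append(f"{kind} renegotiated every {minutes} min, longer than the hourly default")
    return findings
```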


Document Information

Modified date:
03 June 2021

UID

swg21680693