In the IDS Cheetah release, you can encrypt communication between an HDR pair to secure the transmission of data over unsecured networks, including the internet. After you enable encryption, the HDR primary server encrypts the data before sending it to the HDR secondary server, which decrypts it. Use the new ONCONFIG parameter ENCRYPT_HDR to enable encryption between the HDR pair. You can also customize encryption using the following parameters.
|Configuration Parameter ||Default value ||Comments/Description |
|ENCRYPT_HDR ||0 ||0 - disable, 1 - enable HDR encryption |
|ENCRYPT_CIPHERS ||allbut:<ecb> ||Defines ciphers and modes that can be used by the current database session. |
|ENCRYPT_MAC ||medium ||Controls the level of message authentication code (MAC) generation. |
|ENCRYPT_MACFILE ||builtin ||A list of the full path names of MAC key files. |
|ENCRYPT_SWITCH ||60,60 ||Defines the frequency (in minutes) at which ciphers and secret keys are renegotiated. |
ENCRYPT_CIPHERS: the following ciphers are currently supported:
- des (64-bit key), des3 (Triple DES), desx (Extended DES, 128-bit key)
- aes/aes128 (128-bit key), aes192 (192-bit key), aes256 (256-bit key)
- bf-1 Blowfish (64-bit key), bf-2 (128-bit key), bf-3 (192-bit key)
ENCRYPT_MAC levels:
- off - does not use MAC generation.
- low - uses XOR folding on all messages.
- medium - uses SHA1 MAC generation for all messages greater than 20 bytes long and XOR folding on smaller messages.
- high - uses SHA1 MAC generation on all messages.
- To use your own MAC key file:
  - Execute the following command to generate a MAC key file:
    $INFORMIXDIR/bin/GenMacKey -o /usr/informix/etc/MacKey1.dat
  - Copy MacKey1.dat over to the paired server.
  - Update the ENCRYPT_MACFILE configuration parameter on both servers as shown below.
- NOTE - HDR and Enterprise Replication (ER) share the same encryption configuration parameters: ENCRYPT_CIPHERS, ENCRYPT_MAC, ENCRYPT_MACFILE and ENCRYPT_SWITCH.
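The parameter table and the MAC key file steps above can be checked with a small audit of the two servers' ONCONFIG files. This is an added example, not IBM or Informix code: the function names and sample files are constructed, the defaults are the ones from the table, and treating any difference between the two servers as a finding is an assumption of the example.

```python
# Defaults as listed in the parameter table on this page.
DEFAULTS = {
    "ENCRYPT_HDR": "0",
    "ENCRYPT_CIPHERS": "allbut:<ecb>",
    "ENCRYPT_MAC": "medium",
    "ENCRYPT_MACFILE": "builtin",
    "ENCRYPT_SWITCH": "60,60",
}

# Constructed sample ONCONFIG fragments for an HDR pair (not real server files).
PRIMARY_SAMPLE = """\
# primary server
ENCRYPT_HDR 1
ENCRYPT_MAC high
ENCRYPT_MACFILE /usr/informix/etc/MacKey1.dat
"""
SECONDARY_SAMPLE = """\
# secondary server: MAC key file never configured, MAC level lowered
ENCRYPT_HDR 1
ENCRYPT_MAC low
"""

def parse_onconfig(text):
    """Return the encryption settings of an ONCONFIG file, defaults filled in."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        parts = line.split(None, 1)               # "NAME value"
        if len(parts) == 2 and parts[0] in DEFAULTS:
            settings[parts[0]] = parts[1].strip()
    return settings

def audit_pair(primary_text, secondary_text):
    """Return a list of findings for the two ONCONFIG files of an HDR pair."""
    pri, sec = parse_onconfig(primary_text), parse_onconfig(secondary_text)
    findings = []
    for role, cfg in (("primary", pri), ("secondary", sec)):
        if cfg["ENCRYPT_HDR"] != "1":
            findings.append(f"{role}: ENCRYPT_HDR is not 1, HDR traffic is not encrypted")
        if cfg["ENCRYPT_MAC"].lower() in ("off", "low"):
            findings.append(f"{role}: ENCRYPT_MAC={cfg['ENCRYPT_MAC']} uses no SHA1 MAC")
    for name in DEFAULTS:                          # both servers should agree
        if pri[name] != sec[name]:
            findings.append(f"pair: {name} differs ({pri[name]} vs {sec[name]})")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_pair(PRIMARY_SAMPLE, SECONDARY_SAMPLE)))
```

On the constructed pair this reports the lowered MAC level on the secondary and the two parameters (ENCRYPT_MAC, ENCRYPT_MACFILE) that no longer match between the servers.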