This chapter describes how to use and manage communication encryption in Tibero.
Tibero provides communication encryption to ensure the confidentiality of messages exchanged between a server and a client. It uses the SSL protocol (originally designed by Netscape) and is implemented with libraries provided by the OpenSSL Project. Note that communication encryption is currently not supported on Windows.
To use communication encryption, both the server and the client environments must be prepared. The server needs a private key and a certificate; if they do not exist yet, they must be created. The locations of the private key and the certificate are then specified in the server's environment configuration file so that it can open a port for encrypted communication. On the client side, the configuration file determines whether encrypted or unencrypted communication is used.
Create a private key and a certificate that comply with X.509 v3 (the ITU-T PKI standard).
The following example shows how to create these items:
[Example 12.1] Creating a Private Key and a Certificate
$ cd $TB_HOME/bin
$ ./tb_cert_manager
Enter new password: tibero
Repeat: tibero
Enter basename to make a certificate and a private key.(default: $TB_SID): (enter)
TB
Enter the number of days to make a certificate valid for.(default: 3650): (enter)
3650
=== STEP 1. Generate private key ===
Generating RSA private key, 1024 bits long modulus
....++++++
..........++++++
e is 65537 (0x10001)
=== STEP 2. Generate CSR(Certificate Signing Request) ===
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: 82
State or Province Name (full name) [Some-State]: Kyounggi
Locality Name (eg, city) []: Seongnam
Organization Name (eg, company) [Internet Widgits Pty Ltd]: TIBERO
Organizational Unit Name (eg, section) []: RnD
Common Name (eg, YOUR name) []: Hong Gil Dong
Email Address []: gdhong@tibero.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (enter)
An optional company name []: (enter)
=== STEP 3. Generate certificate ===
After all items are entered, the following files are created in $TB_HOME/config/tb_wallet/, the directory that holds the electronic wallet:
Private key: [$TB_SID].key
Certificate signing request: [$TB_SID].csr
Certificate: [$TB_SID].crt
The private key is the secret half of the key pair; restrict it to the operating-system account that runs the Tibero server (for example, file mode 0600). Two details of the transcript above deserve attention. The tool output reports a 1024-bit RSA modulus, which is below current recommendations (2048 bits or more); check the size of the generated key with openssl rsa -in [$TB_SID].key -noout -text (enter the wallet password if prompted) and regenerate it with a longer key if your policy requires it. Also, Country Name expects a two-letter ISO 3166 code (KR for Korea); the value 82 entered in the example is a telephone country code and is stored verbatim in the certificate's DN.
The locations of the private key and the certificate are specified in the configuration file $TB_SID.tip by adding the initialization parameters CERTIFICATE_FILE and PRIVKEY_FILE as follows:
[Example 12.2] Specifying Locations for a Private Key and a Certificate
<$TB_SID.tip>
# Write $TB_HOME below as an absolute path.
CERTIFICATE_FILE=$TB_HOME/config/tb_wallet/[$TB_SID].crt
PRIVKEY_FILE=$TB_HOME/config/tb_wallet/[$TB_SID].key
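The server-side preparation above (wallet files, then the two tip parameters) as a shell script. This is an added example, not tb_cert_manager or any Tibero code: it builds the same three files with openssl directly, so the RSA key size (2048 bits here, instead of the 1024 bits shown in the tool output) and the validity period can be chosen, checks that the certificate and private key belong together, and appends CERTIFICATE_FILE and PRIVKEY_FILE with absolute paths. The DN values, the wallet path and the function names are assumptions. The key is written unencrypted, whereas tb_cert_manager asks for a password; whether the server accepts an unencrypted key file is not stated on this page.

```shell
#!/bin/sh
# Added example, not Tibero's tb_cert_manager. Builds the wallet files with
# openssl directly. Assumes openssl is on PATH; paths, DN values and the
# 2048-bit key size are illustrative assumptions.

# tb_make_wallet WALLET_DIR BASENAME [DAYS]
# Writes BASENAME.key (private key, mode 0600), BASENAME.csr and a
# self-signed BASENAME.crt into WALLET_DIR.
tb_make_wallet() {
    wallet=$1; base=$2; days=${3:-3650}
    mkdir -p "$wallet"
    # 2048-bit RSA instead of the 1024-bit modulus in the tool transcript
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$wallet/$base.key" 2>/dev/null || return 1
    chmod 600 "$wallet/$base.key"
    # DN values are assumptions; Country Name must be a two-letter ISO code
    subj="/C=KR/ST=Kyounggi/L=Seongnam/O=TIBERO/OU=RnD/CN=$base"
    openssl req -new -key "$wallet/$base.key" -subj "$subj" \
        -out "$wallet/$base.csr" 2>/dev/null || return 1
    openssl x509 -req -days "$days" -in "$wallet/$base.csr" \
        -signkey "$wallet/$base.key" -out "$wallet/$base.crt" 2>/dev/null || return 1
}

# tb_verify_wallet WALLET_DIR BASENAME
# Returns 0 only if the certificate's public key matches the private key,
# which catches a .crt/.key mix-up before the server is configured with it.
tb_verify_wallet() {
    wallet=$1; base=$2
    k=$(openssl pkey -in "$wallet/$base.key" -pubout -outform DER 2>/dev/null \
        | openssl sha256)
    c=$(openssl x509 -in "$wallet/$base.crt" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# tb_configure_tip TIP_FILE WALLET_DIR BASENAME
# Appends CERTIFICATE_FILE and PRIVKEY_FILE using the absolute wallet path,
# as the tip file requires, and refuses to add them twice.
tb_configure_tip() {
    tip=$1; wallet=$(cd "$2" && pwd); base=$3
    if grep -q '^CERTIFICATE_FILE=' "$tip" 2>/dev/null; then
        echo "CERTIFICATE_FILE already set in $tip" >&2; return 1
    fi
    printf 'CERTIFICATE_FILE=%s/%s.crt\nPRIVKEY_FILE=%s/%s.key\n' \
        "$wallet" "$base" "$wallet" "$base" >> "$tip"
}
```

Typical use is tb_make_wallet $TB_HOME/config/tb_wallet $TB_SID 3650, then tb_verify_wallet $TB_HOME/config/tb_wallet $TB_SID, then tb_configure_tip $TB_HOME/config/$TB_SID.tip $TB_HOME/config/tb_wallet $TB_SID, followed by a server start or restart so the new parameters are read.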
On the client, communication encryption is enabled by configuring the file tbdsn.tbr as follows:
[Example 12.3] Specifying a Client
<tbdsn.tbr>
TB=(
    (INSTANCE=(HOST=Server IP)
              (PORT=Server Port)
              (DB_NAME=Database Name)
              (USE_SSL=Y)
    )
)
If USE_SSL is set to Y in the DSN entry (TB in the example above), communication encryption is used. If USE_SSL is absent or set to any value other than Y, communication is unencrypted.
PORT is the server's listener port (LISTENER_PORT). Internally, the server also opens an SSL-only port, _LSNR_SSL_PORT = LISTENER_PORT + 2. To create an SSL socket, the client first performs the handshake over unencrypted communication on the general listener port; once the SSL socket is created, the secure session runs over the SSL-only port. Both ports must therefore be reachable from the client: a firewall rule that permits only LISTENER_PORT lets the initial exchange succeed but blocks the encrypted session.
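The client side of the same procedure, as an added example that is not part of Tibero: a helper that derives the SSL-only port from the LISTENER_PORT in a tip file, one that prints a tbdsn.tbr entry with or without USE_SSL=Y, and a reachability probe for both ports, which is the check to run when an encrypted connection fails after the initial exchange. The host 10.0.0.5, the port 8629 and the function names are assumptions; the probe relies on bash's /dev/tcp and the timeout command.

```shell
#!/bin/sh
# Added example, not Tibero code. Client-side helpers for the two-port SSL
# layout (listener port plus LISTENER_PORT + 2). Host and port values used in
# comments and tests are assumptions.

# tb_ssl_port TIP_FILE
# Prints the SSL-only port the server derives: _LSNR_SSL_PORT = LISTENER_PORT + 2.
tb_ssl_port() {
    p=$(sed -n 's/^[[:space:]]*LISTENER_PORT[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$1" 2>/dev/null | head -n 1)
    [ -n "$p" ] || { echo "LISTENER_PORT not found in $1" >&2; return 1; }
    echo $((p + 2))
}

# tb_dsn_entry NAME HOST PORT DB_NAME [USE_SSL]
# Prints a tbdsn.tbr entry. Because any value other than Y means unencrypted
# communication, the line is emitted only when encryption is wanted.
tb_dsn_entry() {
    name=$1; host=$2; port=$3; db=$4; ssl=${5:-N}
    printf '%s=(\n    (INSTANCE=(HOST=%s)\n              (PORT=%s)\n              (DB_NAME=%s)\n' \
        "$name" "$host" "$port" "$db"
    [ "$ssl" = Y ] && printf '              (USE_SSL=Y)\n'
    printf '    )\n)\n'
}

# tb_probe_ports HOST PORT
# Checks that both the listener port and PORT + 2 accept TCP connections;
# an encrypted session fails after the handshake if the second port is
# filtered. Requires bash (/dev/tcp) and timeout; returns 1 if either is closed.
tb_probe_ports() {
    host=$1; port=$2; rc=0
    for p in "$port" $((port + 2)); do
        if timeout 3 bash -c "exec 3<>/dev/tcp/$host/$p" 2>/dev/null; then
            echo "$host:$p open"
        else
            echo "$host:$p unreachable" >&2; rc=1
        fi
    done
    return $rc
}
```

For example, tb_dsn_entry TB 10.0.0.5 8629 tibero Y >> tbdsn.tbr writes an encrypted-connection entry, and tb_probe_ports 10.0.0.5 8629 confirms that both 8629 and 8631 are open before the first connection attempt.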