This article describes how applications can establish secure (SSL/TLS) connections to NonStop SQL/MX using the NonStop JDBC Type 4 driver and the Linux ODBC/MX driver.
Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are cryptographic protocols that secure communication over a network. The NonStop documentation uses the term SSL throughout; the protocol actually negotiated by current drivers is TLS. SSL uses digital certificates for authentication and key exchange: when a client opens an SSL connection, the server presents a certificate signed by a Certificate Authority (CA), a trusted party that vouches for the identity bound to the certificate, and the client verifies that signature against a CA certificate it already trusts. The handshake then establishes the session keys, so the resulting channel is designed to prevent eavesdropping, tampering, and message forgery.
NonStop SQL/MX supports SSL connections from JDBC T4 and Linux ODBC/MX clients. SSL keeps the data exchanged between the client and the SQL/MX server private, and it lets the JDBC T4 or Linux ODBC/MX client authenticate the identity of the SQL/MX server (the server is authenticated to the client; this page describes no client certificates).
The figure above shows an application using the JDBC T4 driver or the Linux ODBC/MX driver to communicate securely with the server, together with the SSL configuration required on each side.
Starting MXCS Service
The MXCS service is started in SSL mode with the MXOAS command. It can run as a persistent process or a persistent process pair; for details, see the NonStop SQL/MX Connectivity Service Manual.
run mxoas /name $<Service Name>, nowait/ -pn <port number>
-ssl -SSLPWDFILE <path> -CACERT <CA certificate location>
-SRVCERT <Server certificate location> -SRVKEY <Server Key>
The SSL-related options are:
-ssl: Starts MXOAS in SSL Encryption mode. If SSL initialization fails, this option is ignored and MXOAS starts without SSL encryption (pass-through mode) on the same port, rather than refusing to start. Always check the EMS log after starting the service: the SSL Mode Activated message confirms SSL mode; if it is absent, the listener is accepting unencrypted connections.
-SSLPWDFILE <path>: Specifies the file name and OSS path of the file containing the SSL password. Because the password is stored in clear text, restrict access to this file: set its file access mode to 400 or 600 so that only the owner can read it.
-CACERT <CA certificate location>: Specifies the CA certificate chain as a comma-separated list of file names. The first file must contain the certificate that signed the server certificate; each subsequent file must contain the certificate that signed the previous one, so the list runs from the issuing CA upward. Each file name must be an absolute Guardian file path.
-SRVCERT <Server certificate location>: Specifies the server certificate.
-SRVKEY <Server Key>: Specifies the server's private key.
After the MXCS service has started in SSL mode, JDBC T4 and Linux ODBC/MX clients connect in SSL mode using the NonStop system's IP address or host name and the port number given with -pn. Once the MXCS service is running in SSL mode, non-SSL clients cannot use it.
Note: To generate self-signed certificates, refer to the HPE NonStop SSL Reference Manual.
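Because a failed SSL initialization leaves MXOAS listening in pass-through mode on the same port, the EMS log is not the only thing worth checking. The following script is an added example (not part of the NonStop documentation or of HPE's tooling) that performs two post-start checks from the client side: it classifies whether a port actually negotiates TLS, and it verifies that the -SSLPWDFILE file has mode 400 or 600. The host, port and timeout in the sample run, and the stand-in "pass-through" listener that lets the example run offline, are assumptions, not values from this page.

```python
"""Post-start checks for an MXCS listener started with "mxoas ... -ssl".

Added example, not HPE code.  Confirms two things before clients are pointed
at the port:
1. The listener really negotiates TLS.  If SSL initialization fails, -ssl is
   ignored and MXOAS comes up in pass-through mode, so a handshake attempt is
   the only remote way to tell the two apart.
2. The -SSLPWDFILE file has mode 400 or 600, as the option requires.
The host, port, timeout and stand-in listener below are assumptions.
"""
import os
import socket
import ssl
import stat
import tempfile
import threading


def probe_tls(host, port, cafile=None, timeout=5.0):
    """Classify how the listener at host:port answers a TLS ClientHello.

    Returns:
      "tls"            handshake completed and the server certificate chained
                       to cafile (or to the system trust store if cafile is None)
      "verify-failed"  the peer speaks TLS but its certificate did not verify
      "not-tls"        the peer answered with bytes that are not TLS, which is
                       what an MXCS service in pass-through mode looks like
      "unreachable"    no TCP connection, or no answer within timeout
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.getpeercert()  # handshake is complete at this point
                return "tls"
    except ssl.SSLCertVerificationError:
        return "verify-failed"
    except ssl.SSLError:
        # "wrong version number", "unexpected eof", "unknown protocol":
        # whatever came back was not a ServerHello.
        return "not-tls"
    except OSError:
        # covers ECONNREFUSED and socket timeouts
        return "unreachable"


def password_file_is_private(path):
    """True when path is a regular file with mode exactly 400 or 600,
    i.e. readable only by its owner, as -SSLPWDFILE requires."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) in (0o400, 0o600)


def demo_password_file(mode):
    """Create a throwaway password file with the given mode (demo/test only)."""
    fd, path = tempfile.mkstemp(prefix="sslpwd-")
    os.write(fd, b"not-a-real-password\n")
    os.close(fd)
    os.chmod(path, mode)
    return path


def start_passthrough_listener():
    """Constructed stand-in for MXCS in pass-through mode: accepts one TCP
    connection, reads whatever arrives (the ClientHello) and answers in
    plaintext.  Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(5.0)
            conn.recv(4096)
            conn.sendall(b"MXCS pass-through mode, no TLS here\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    port = start_passthrough_listener()
    print(f"127.0.0.1:{port} ->", probe_tls("127.0.0.1", port))
    for mode in (0o644, 0o600):
        pwd = demo_password_file(mode)
        print(f"{pwd} mode {mode:o} private:", password_file_is_private(pwd))
        os.unlink(pwd)
```

Against a real MXCS port, call probe_tls with the host name clients will use and cafile set to the CA certificate you intend to ship to them; "tls" is the only result that means the service is usable in SSL mode, while "not-tls" on a port you started with -ssl indicates the pass-through fallback described above.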
JDBC Type 4 SSL Configuration
The JDBC Type 4 driver uses the standard Java package javax.net.ssl for SSL support. You configure SSL encryption with the runtime JVM property sslEncryption.
To enable SSL encryption, set the sslEncryption property to ON. On the command line, pass it as a JVM system property (with no spaces around the equals sign):
-Dt4sqlmx.sslEncryption=ON
You can also set it as a system property from within the application, with System.setProperty(), before the first connection is opened.
Note: You cannot set this property on a DataSource object or in the properties file.
Linux ODBC/MX SSL Configuration
The Linux ODBC/MX driver supports SSL and uses the TLS protocol to communicate with the server. It relies on the OpenSSL libraries to establish secure connections to the SQL/MX server. OpenSSL, a toolkit for general-purpose cryptography and secure communication, supports a wide range of ciphers, including symmetric ciphers such as AES (and legacy ones such as DES) and asymmetric ciphers such as RSA. Ciphers are the algorithms used to encrypt and decrypt data.
The minimum OpenSSL version supported for SSL with the Linux driver is 1.1.1; the recommended version is 3.0.x. A supported OpenSSL version must be installed and configured on the client machine. Note that OpenSSL 1.1.1 reached end of life in September 2023 and no longer receives security fixes, so 3.0.x is the sensible choice for new deployments.
The SSL attributes are set on the MXCS data source in the MXODSN file or supplied in the connection string. The following table describes each SSL attribute.
|Attribute|Type|Value|Description|
|---|---|---|---|
|UseSSL|String|true or false (case insensitive)|Set to true to enable a secure connection. The default is false.|
|SSLCACert|String|Absolute or relative path of the CA certificate on the client|Path to the certificate the client uses to verify the server's identity during the connection.|
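Because UseSSL defaults to false, a data source whose SSL attributes were never set silently connects in the clear (and will be refused by an MXCS service running in SSL mode). The following script is an added example, not HPE's code, that audits the SSL attributes of every DSN in an MXODSN file with the semantics from the table above. It assumes the file is INI-style ([DSN] sections of key=value lines), and the SAMPLE_MXODSN content is constructed for the demo; neither is taken from this page.

```python
"""Preflight audit of the SSL attributes in Linux ODBC/MX data sources.

Added example, not HPE code.  Assumptions: the MXODSN file is parsed as
INI-style [DSN] sections with key=value lines, and SAMPLE_MXODSN is made up.
Attribute semantics follow the table: UseSSL is true/false, case-insensitive,
default false; SSLCACert is the absolute or relative path of the CA
certificate the client uses to verify the server.
"""
import configparser
import os

# Constructed sample: one DSN done right, one explicitly off, one left at the default.
SAMPLE_MXODSN = """\
[reporting]
Description = Nightly reporting
UseSSL = TRUE
SSLCACert = certs/mxcs-ca.pem

[legacy]
Description = Old batch jobs
UseSSL = false

[adhoc]
Description = Analyst queries, SSL attributes never set
"""


def use_ssl_enabled(value):
    """UseSSL is compared case-insensitively; anything other than 'true'
    (including a missing attribute) leaves the default, false, in effect."""
    return value is not None and value.strip().lower() == "true"


def audit_dsns(text, base_dir="."):
    """Return {dsn: {"use_ssl": bool, "problems": [str], "connection_string": str|None}}.

    Relative SSLCACert paths are resolved against base_dir, which should be the
    working directory of the ODBC application, since that is what a relative
    path means to the driver process.
    """
    cp = configparser.ConfigParser(interpolation=None)  # option names are lower-cased
    cp.read_string(text)
    report = {}
    for dsn in cp.sections():
        sec = cp[dsn]
        enabled = use_ssl_enabled(sec.get("usessl"))
        problems = []
        conn = None
        if not enabled:
            problems.append("UseSSL is not 'true' (default false): the connection is "
                            "unencrypted and an SSL-mode MXCS service will refuse it")
        else:
            ca = sec.get("sslcacert")
            if not ca:
                problems.append("UseSSL=true but SSLCACert is missing: the server "
                                "certificate cannot be verified")
            else:
                ca_path = ca if os.path.isabs(ca) else os.path.join(base_dir, ca)
                if not os.path.isfile(ca_path):
                    problems.append(f"SSLCACert file not found: {ca_path}")
                # Equivalent connection-string form of the same attributes.
                conn = f"DSN={dsn};UseSSL=true;SSLCACert={os.path.abspath(ca_path)}"
        report[dsn] = {"use_ssl": enabled, "problems": problems, "connection_string": conn}
    return report


if __name__ == "__main__":
    for dsn, info in audit_dsns(SAMPLE_MXODSN, base_dir="/etc/odbc").items():
        status = "SSL" if info["use_ssl"] else "PLAINTEXT"
        print(f"[{dsn}] {status}")
        for p in info["problems"]:
            print("   -", p)
        if info["connection_string"]:
            print("   ", info["connection_string"])
```

Run it with base_dir set to the directory the ODBC application starts in; any DSN reported as PLAINTEXT, or with a missing CA file, should be fixed before the MXCS service it points at is switched to SSL mode.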