Setting Up SSL In Informix

Published on October 21, 2020 by Admin

Using SSL With Informix

As networks have grown more complex and networked systems more advanced, the need for security in those systems has grown with them. Even for purely internal connections, many auditors and security policies now require information to be encrypted end to end. While there are a number of ways to accomplish this with Informix, there is a native way to set up an SSL listener port so that all communication over it is fully encrypted.

The listener uses a public/private key pair: the private key used for decryption stays on the server, while the public key (distributed as a certificate) can be shared with clients. The public key itself is not as sensitive because, once the initial key pair exchange has been confirmed, the system generates a new random session key to encrypt the data.

For administrators, all that needs to happen is to set up the key system, enable the SSL listener, and distribute the client keys to end users. The same client key process works for Linux, UNIX, and Windows clients.

The following example shows how to take a basic Informix instance, add an SSL-enabled listener, and then set up a client so that it can connect.

Current Server Settings

DBSERVERNAME is test_tcp
Hostname is test_host
Standard TCP Listener Port is 9088

Setting Up SSL Guide

1) Modify the onconfig file, and add the following:
DBSERVERALIASES test_ssl
SSL_KEYSTORE_LABEL test_label
VPCLASS encrypt,num=2
NETTYPE socssl,1,50,NET

2) Add a new entry to the sqlhosts file to create a new SSL listener:
test_ssl onsocssl test_host 9089

Run the following steps (3 through 7) from the $INFORMIXDIR/ssl directory.
3) Create the keystore database. This should have the same name as your DBSERVERNAME:
gsk8capicmd_64 -keydb -create -db test_ssl.kdb -pw my_password -type cms -stash

4) Create a certificate for the server. Use the label specified for SSL_KEYSTORE_LABEL in the onconfig file:
gsk8capicmd_64 -cert -create -db test_ssl.kdb -pw my_password -label test_label -dn "CN=test server,O=mycompany.com,C=US" -size 2048 -default_cert yes

5) Extract the certificate in ASCII format to test_ssl.cert so that it can be distributed to clients:
gsk8capicmd_64 -cert -extract -db test_ssl.kdb -pw my_password -label test_label -target test_ssl.cert

6) Create the client keystore database:
gsk8capicmd_64 -keydb -create -db clikeydb.kdb -pw my_password -type cms -stash

7) Import the new certificate from test_ssl.cert into the client keyring:
gsk8capicmd_64 -cert -add -db clikeydb.kdb -pw my_password -label test_label -file test_ssl.cert -format ascii

8) Create a conssl.cfg file to tell clients where the keystore is located. Edit $INFORMIXDIR/etc/conssl.cfg and add the following entries:
SSL_KEYSTORE_FILE /opt/informix/ssl/clikeydb.kdb
SSL_KEYSTORE_STH /opt/informix/ssl/clikeydb.sth

9) Restart Informix; you should see a new listener running. Use dbaccess to verify that you can connect through the new SSL listener, for example:

dbaccess sysmaster@test_ssl <<!
select count(*) from systables;
!
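Before restarting the engine it is worth checking that the onconfig, sqlhosts and conssl.cfg entries from steps 1, 2 and 8 agree with the keystore files from steps 3 through 7; a mismatched alias, protocol or stash path is the usual reason the new listener fails to start or clients cannot connect. The following pre-flight script is an added example, not part of the original guide or of Informix itself; it assumes a single DBSERVERALIASES value and a server keystore named after that alias, and builds constructed sample files in a temporary directory to run against.

```shell
#!/bin/sh
# Pre-flight check for the guide's onconfig/sqlhosts/conssl.cfg entries.
# Assumes a single DBSERVERALIASES value and a keystore named after that alias.

# check_ssl_config ONCONFIG SQLHOSTS CONSSL_CFG SSL_DIR -> 0 if consistent, 1 otherwise
check_ssl_config() {
    onconfig=$1; sqlhosts=$2; conssl=$3; ssldir=$4; rc=0
    # step 1: alias, label, NETTYPE and VPCLASS must all be present in onconfig
    ssl_alias=$(awk '$1=="DBSERVERALIASES"{print $2}' "$onconfig")
    label=$(awk '$1=="SSL_KEYSTORE_LABEL"{print $2}' "$onconfig")
    [ -n "$ssl_alias" ] || { echo "DBSERVERALIASES missing"; rc=1; }
    [ -n "$label" ] || { echo "SSL_KEYSTORE_LABEL missing"; rc=1; }
    grep -q '^NETTYPE[[:space:]][[:space:]]*socssl' "$onconfig" || { echo "NETTYPE socssl missing"; rc=1; }
    grep -q '^VPCLASS[[:space:]][[:space:]]*encrypt' "$onconfig" || { echo "VPCLASS encrypt missing"; rc=1; }
    # step 2: sqlhosts must map the alias to the onsocssl protocol
    proto=$(awk -v a="$ssl_alias" '$1==a{print $2}' "$sqlhosts")
    [ "$proto" = "onsocssl" ] || { echo "sqlhosts: $ssl_alias uses '$proto', expected onsocssl"; rc=1; }
    # steps 3-4: server keystore and stash file named after the alias
    for f in "$ssldir/$ssl_alias.kdb" "$ssldir/$ssl_alias.sth"; do
        [ -f "$f" ] || { echo "missing $f"; rc=1; }
    done
    # step 8: client conssl.cfg must point at an existing keystore and stash
    for key in SSL_KEYSTORE_FILE SSL_KEYSTORE_STH; do
        path=$(awk -v k="$key" '$1==k{print $2}' "$conssl")
        [ -n "$path" ] && [ -f "$path" ] || { echo "$key: '$path' not found"; rc=1; }
    done
    return $rc
}

# Constructed sample files mirroring the guide (test_ssl on 9089); the empty
# .kdb/.sth files stand in for what gsk8capicmd_64 produces in steps 3-7.
make_sample_env() {
    d=$(mktemp -d); mkdir "$d/ssl"
    printf 'DBSERVERNAME test_tcp\nDBSERVERALIASES test_ssl\nSSL_KEYSTORE_LABEL test_label\n' > "$d/onconfig"
    printf 'VPCLASS encrypt,num=2\nNETTYPE socssl,1,50,NET\n' >> "$d/onconfig"
    printf 'test_tcp onsoctcp test_host 9088\ntest_ssl onsocssl test_host 9089\n' > "$d/sqlhosts"
    touch "$d/ssl/test_ssl.kdb" "$d/ssl/test_ssl.sth" "$d/ssl/clikeydb.kdb" "$d/ssl/clikeydb.sth"
    printf 'SSL_KEYSTORE_FILE %s/ssl/clikeydb.kdb\nSSL_KEYSTORE_STH %s/ssl/clikeydb.sth\n' "$d" "$d" > "$d/conssl.cfg"
    echo "$d"
}

ENV_DIR=$(make_sample_env)
check_ssl_config "$ENV_DIR/onconfig" "$ENV_DIR/sqlhosts" "$ENV_DIR/conssl.cfg" "$ENV_DIR/ssl" \
    && echo "SSL listener configuration is consistent"
```

On a real server, point the four arguments at $INFORMIXDIR/etc/$ONCONFIG, $INFORMIXSQLHOSTS, $INFORMIXDIR/etc/conssl.cfg and $INFORMIXDIR/ssl instead of the sample directory.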

Guide by Thomas Beebe and Mike Walker