Informix

GSKit Changes With 14.10FC10W1 - FC11

    Posted Thu January 30, 2025 01:47 PM

    As a note that I don't think was well documented, when going to the newer versions of Informix with the newer releases of GSKit (8.0.55 or 8.0.60) the old -type cms keystores no longer work for servers. 

    If you set one up using -type cms you can bring the engine online; however, if you try to connect via ssl from any version of dbaccess you get:
    "cannot initalize GSKit secure socket/GSK_ERROR_SOCKET_CLOSED" with no other information.


    To get around this, create a new keystore in the .p12 format. Older certificates can be cleanly imported to provide backwards compatibility with older Informix systems already running ssl.

    You need to add the -type pkcs12 -pqc false flags for this to work cleanly. The docs say the -pqc false should no longer be required but from my testing it still is.

    (Sample for the client keystore)

    gsk8capicmd_64 -keydb -create -db clikeydb.p12 -pw my_password -type pkcs12 -pqc false -stash
    gsk8capicmd_64 -cert -add -db clikeydb.p12 -stashed -file server.cert

    Make sure to update $INFORMIXDIR/etc/conssl.cfg to use the .p12 filename rather than .kdb 

    The new client keystore will still work fine importing certificates from the older gskit versions on other servers.

    One other interesting note that I am curious if anyone else has seen: if you are missing the certificate with the label of SSL_KEYSTORE_LABEL, it will still bring the engine online, but you won't be able to connect via ssl, with the same generic error as before.

    Do any of you have any other details with this? I am doing an update to my ssl writeup on the WAIUG site and I just want to make sure I have everything covered.



    ------------------------------
    Thomas Beebe
    Vice President
    xDB Systems, Inc
    Woodbridge VA
    5713399029
    ------------------------------
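The post describes two failure modes that share a symptom (the engine starts, SSL connects fail with a generic GSKit error): a client still pointing at a CMS .kdb keystore, and a keystore that lacks the expected certificate label. The script below is an added example, not code from the post or from IBM, that checks a client's configuration for both conditions before anyone tries dbaccess. It assumes conssl.cfg names the keystore and stash as SSL_KEYSTORE_FILE and SSL_KEYSTORE_STH, and that the required label (here the constructed name "ifx_server") is whatever label the server certificate was imported under. The certificate listing is a constructed sample in the shape of `gsk8capicmd_64 -cert -list` output so the script runs offline; on a real host you would feed it the actual listing for the .p12 file.

```shell
#!/bin/sh
# Added example, not code from the original post or from IBM.
# Pre-flight checks for an Informix SSL client after moving the keystore from
# CMS (.kdb) to PKCS#12 (.p12). Assumptions: conssl.cfg uses the parameters
# SSL_KEYSTORE_FILE and SSL_KEYSTORE_STH; the required label ("ifx_server")
# is a constructed name standing in for the label the server cert was imported
# under; the listing files are constructed samples shaped like
# `gsk8capicmd_64 -cert -list` output, so everything here runs offline.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Read one parameter from a "NAME value" style config such as conssl.cfg.
conssl_get() {   # $1 = config file, $2 = parameter name
  awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Succeed only if the label appears in the second column of a cert listing
# (gsk8capicmd prints a type marker such as "-" or "!" before each label).
label_present() {   # $1 = listing file, $2 = label
  awk -v want="$2" 'NF >= 2 && $2 == want { found = 1 } END { exit !found }' "$1"
}

# Return 0 when the config points at a .p12 keystore and a .sth stash and the
# listing contains the required label; otherwise print the reason and return 1.
check_client_keystore() {   # $1 = conssl.cfg, $2 = listing file, $3 = required label
  ks=$(conssl_get "$1" SSL_KEYSTORE_FILE)
  sth=$(conssl_get "$1" SSL_KEYSTORE_STH)
  case "$ks" in
    "")    echo "FAIL: SSL_KEYSTORE_FILE not set"; return 1 ;;
    *.kdb) echo "FAIL: $ks is a CMS keystore; recreate it with -type pkcs12 -pqc false"; return 1 ;;
    *.p12) ;;
    *)     echo "FAIL: $ks has an unexpected keystore extension"; return 1 ;;
  esac
  case "$sth" in
    *.sth) ;;
    *)     echo "FAIL: SSL_KEYSTORE_STH '$sth' does not look like a stash file"; return 1 ;;
  esac
  if ! label_present "$2" "$3"; then
    echo "FAIL: label '$3' not in keystore; the engine may start but SSL connects will fail"
    return 1
  fi
  echo "OK: $ks (stash $sth) contains label '$3'"
}

# Constructed sample inputs; the paths and labels are not from any real system.
OLD_CFG="$WORK/conssl.old.cfg"; NEW_CFG="$WORK/conssl.new.cfg"
LISTING="$WORK/certs.txt";      EMPTY_LISTING="$WORK/certs-missing.txt"
printf 'SSL_KEYSTORE_FILE\t/opt/informix/etc/clikeydb.kdb\nSSL_KEYSTORE_STH\t/opt/informix/etc/clikeydb.sth\n' > "$OLD_CFG"
printf 'SSL_KEYSTORE_FILE\t/opt/informix/etc/clikeydb.p12\nSSL_KEYSTORE_STH\t/opt/informix/etc/clikeydb.sth\n' > "$NEW_CFG"
printf 'Certificates found\n* default, - personal, ! trusted, # secret key\n-\tifx_server\n!\told_ca_2019\n' > "$LISTING"
printf 'Certificates found\n* default, - personal, ! trusted, # secret key\n!\told_ca_2019\n' > "$EMPTY_LISTING"

check_client_keystore "$OLD_CFG" "$LISTING" ifx_server         # FAIL: still a .kdb
check_client_keystore "$NEW_CFG" "$EMPTY_LISTING" ifx_server   # FAIL: label missing
check_client_keystore "$NEW_CFG" "$LISTING" ifx_server         # OK
```

Run it as-is to see the three outcomes on the constructed inputs; on a real client, replace the sample files with `$INFORMIXDIR/etc/conssl.cfg` and the saved output of `gsk8capicmd_64 -cert -list -db clikeydb.p12 -stashed`. The same label check is worth running against the server keystore with the onconfig SSL_KEYSTORE_LABEL value, since that is the other case the post describes where the engine comes up but SSL never works.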