Informix

  • 1.  TLS/SSL with IBM Data Server Driver

    IBM Champion
    Posted Fri August 26, 2022 12:29 PM

    All:

    We have a .NET application which, unfortunately, is connecting to Informix using the IBM Data Server Driver v10.5. We need to change our connections to communicate via TLS/SSL rather than unencrypted. Does anyone here have any experience with this?

    From what I can tell, the easy part is changing the port number and the protocol. The hard part is, where does the TLS certificate go, and how do we tell the driver where to look for it. I was able to find some seemingly-relevant documentation here, but it's far from clear. If I understand that correctly, I should be able to set SecurityTransportMode=SSL,SSLClientKeystoredb=/path/to/db,SSLClientKeystash=/path/to/sth in the IfxConnection parameters, but it's been giving us trouble.

    I'm hoping someone else here has already invented this wheel so that I don't have to. ;)

    Thanks in advance,

    - TJG



    ------------------------------
    TOM GIRSCH
    ------------------------------



  • 2.  RE: TLS/SSL with IBM Data Server Driver

    IBM Champion
    Posted Fri August 26, 2022 06:08 PM

    Hi,

    You need to put the certificate in a keystore and tell the client and server about the keystore.


    https://www.ibm.com/docs/en/informix-servers/14.10?topic=encryption-secure-sockets-layer-protocol

    Regards,
    David.

    ------------------------------
    David Williams
    ------------------------------



  • 3.  RE: TLS/SSL with IBM Data Server Driver

    IBM Champion
    Posted Tue September 06, 2022 09:52 PM
    Edited by System Fri January 20, 2023 04:49 PM

    That part I get. The question is where and how, with the Data Server Driver specifically. I know exactly how to do it with CSDK, but documentation on this subject relevant to Data Server Driver is sparse to nonexistent.

    For the record, we were able to get it to work simply by dropping our client.kdb and client.sth files in the etc directory in the Data Server Driver's directory tree. From there, we just had to change port and protocol in the connection string. No need to reference the Client Keystore or Transport Mode in the connection string. If we were putting the client.kdb/sth in a non-standard directory, I imagine I _would_ have to set those values.

    [Edited to note that the documentation you provided seems to refer exclusively to INFORMIXDIR, which doesn't exist at all in Data Server Driver installations.]

    ------------------------------
    TOM GIRSCH
    ------------------------------
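
Added example, not part of the thread and not IBM's or the posters' own configuration: for the non-standard keystore directory case mentioned in the last post, the three keywords quoted in the first post can also be set per database in the Data Server Driver's `db2dsdriver.cfg` instead of in the connection string. The alias, database name, host, port and file paths below are placeholders, and the sketch assumes the application's connection resolves through this configuration file.

```xml
<configuration>
  <dsncollection>
    <!-- Placeholder alias, database name, host and TLS listener port -->
    <dsn alias="ifx_tls" name="exampledb" host="db.example.internal" port="PLACEHOLDER_TLS_PORT"/>
  </dsncollection>
  <databases>
    <database name="exampledb" host="db.example.internal" port="PLACEHOLDER_TLS_PORT">
      <!-- Require TLS for this database entry rather than relying on defaults -->
      <parameter name="SecurityTransportMode" value="SSL"/>
      <!-- Keystore holding the certificate the client should trust (placeholder path) -->
      <parameter name="SSLClientKeystoredb" value="/path/to/client.kdb"/>
      <!-- Stash file holding the obfuscated keystore password (placeholder path);
           restrict read access on both files to the account running the application -->
      <parameter name="SSLClientKeystash" value="/path/to/client.sth"/>
    </database>
  </databases>
</configuration>
```

After switching, confirm on the server side that the application's sessions arrive on the TLS listener and that the old unencrypted port is no longer reachable from the application hosts.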