Informix


using SSL with Informix

  • 1.  using SSL with Informix

    Posted Tue July 25, 2023 04:13 PM

    Been reading up on what it takes to set up encrypted communications with Informix.  As I understand the docs, prior to 14.10.xC4W1, only GSKIT is supported for SSL.  We're running 14.10.FC10 on Linux x86-64, so we should be able to use either GSKIT or OpenSSL.  However, we have client applications running on HP-UX 11.31 on PA-RISC.  The last version of Informix that was supported on PA-RISC is 11.70, and the CSDK that currently resides on that host is 3.50.FC6.  

    The manual says that if we're using GSKIT, we would need to use the gsk8capicmd utility to build a password stash file.  I cannot find gsk8capicmd anywhere on the HP client.  Does anyone know what was the first release of CSDK to implement secure connections?

    We have other clients on Linux, with 4.50.something for the CSDK, and I find onkstash (but not gsk8capicmd) under $INFORMIXDIR/bin.  So it seems that we should be able to use OpenSSL for the keystash on those hosts.

    Since there are no recent CSDK releases available for HP-UX on PA-RISC, can we implement secure communications via SSL for that?  Or will we have to have a non-encrypted connection for HP-UX clients and then secured connections for Linux and Windows clients?



    ------------------------------
    mark collins
    ------------------------------


  • 2.  RE: using SSL with Informix

    IBM Champion
    Posted Tue July 25, 2023 04:49 PM
    Did you install the GSK? And you need to use the 64 version of gsk8capicmd, which AFAIR is called gsk8capicmd64

    --  Paul Watson Oninit www.oninit.com Tel: +1 913 364 0360 Cell: +1 913 387 7529  Oninit® is a registered trademark of Oninit LLC  If you want to improve, be content to be thought foolish and stupid Failure is not as frightening as regret





  • 3.  RE: using SSL with Informix

    Posted Wed July 26, 2023 11:51 AM

    Looking at the docs (https://www.ibm.com/docs/en/informix-servers/14.10?topic=encryption-secure-sockets-layer-protocol#ids_ssl_001), I saw 

    • Until and including version 14.10.xC3, all Informix products use GSKit only. GSKit is packaged and installed with the Informix products themselves.

    I took that to mean that GSKit would have been installed at the time that the 11.50.FC6 instance was installed.  I did see $INFORMIXDIR/gskit/installgskit, and I ran that, but I still don't see any gsk8capi* files.



    ------------------------------
    mark collins
    ------------------------------



  • 4.  RE: using SSL with Informix

    IBM Champion
    Posted Wed July 26, 2023 12:11 PM
    Did you run it as root?

    The installgskit install doesn't do anything if it thinks the GSK is already there, at least that is my experience.




  • 5.  RE: using SSL with Informix

    Posted Wed July 26, 2023 12:17 PM

    Yes, I did the install as root.



    ------------------------------
    mark collins
    ------------------------------



  • 6.  RE: using SSL with Informix

    IBM Champion
    Posted Wed July 26, 2023 12:21 PM
    From a 14.10 server

    [root@strider-int ~]# find / -mount -name gsk\* 2>/dev/null
    /usr/bin/gsk8capicmd_64
    /usr/bin/gsk8ver_64
    /usr/local/ibm/gsk8_64
    /usr/local/ibm/gsk8_64/bin/gsk8capicmd_64
    /usr/local/ibm/gsk8_64/bin/gsk8ver_64

    [root@strider-int ~]# find /  -mount -name lib*gsk\* 2>/dev/null
    /usr/lib64/libgsk8iccs_64.so
    /usr/lib64/libgsk8sys_64.so
    /usr/lib64/libgsk8p11_64.so
    /usr/lib64/libgsk8km_64.so
    /usr/lib64/libgsk8ssl_64.so
    /usr/lib64/libgsk8drld_64.so
    /usr/lib64/libgsk8kicc_64.so
    /usr/lib64/libgsk8ldap_64.so
    /usr/lib64/libgsk8cms_64.so
    /usr/lib64/libgsk8acmeidup_64.so
    /usr/lib64/libgsk8km2_64.so
    /usr/lib64/libgsk8valn_64.so
    /usr/lib64/libgsk8dbfl_64.so
    /usr/local/ibm/gsk8_64/lib64/libgsk8iccs_64.so
    /usr/local/ibm/gsk8_64/lib64/libgsk8acmeidup_64.so
    /usr/local/ibm/gsk8_64/lib64/libgsk8cms_64.so
    /usr/local/ibm/gsk8_64/lib64/libgsk8dbfl_64.so
    /usr/local/ibm/gsk8_64/lib64/libgsk8drld_64.so
    /usr/local/ibm/gsk8_64/lib64/libgsk8kicc_64.so
    /usr/local/ibm/gsk8_64/lib64/libgsk8km2_64.so
    /usr/local/ibm/gsk8_64/lib64/libgsk8km_64.so
    /usr/local/ibm/gsk8_64/lib64/libgsk8ldap_64.so
    /usr/local/ibm/gsk8_64/lib64/libgsk8p11_64.so
    /usr/local/ibm/gsk8_64/lib64/libgsk8ssl_64.so
    /usr/local/ibm/gsk8_64/lib64/libgsk8sys_64.so
    /usr/local/ibm/gsk8_64/lib64/libgsk8valn_64.so





  • 7.  RE: using SSL with Informix

    Posted Wed July 26, 2023 12:42 PM

    Well, that helped a bit.  I don't know if this is because of the age of the release, but there are no gsk8* files on the server, but there are some gsk7* files.

    [692] ls -l /opt/ibm/gsk7_64/bin
    total 2912
    drwxr-xr-x   2 root       sys             96 Mar 28  2011 ./
    drwxr-xr-x   6 root       sys           8192 Mar 28  2011 ../
    -rwxr-xr-x   1 root       sys        1348040 Oct  5  2016 gsk7capicmd_64*
    -rwxr-xr-x   1 root       sys           9728 Oct  5  2016 gsk7cmd_64*
    -rwxr-xr-x   1 root       sys           9728 Oct  5  2016 gsk7ikm_64*
    -rwxr-xr-x   1 root       sys          97176 Oct  5  2016 gsk7ver_64*

    [695] ls -l /opt/ibm/gsk7_64/lib64
    total 37200
    drwxr-xr-x   2 root       sys           8192 Jan 12  2018 ./
    drwxr-xr-x   6 root       sys           8192 Mar 28  2011 ../
    -rwxr-xr-x   1 root       sys        1760792 Oct  5  2016 libgsk7acmeidup_64.sl*
    -rwxr-xr-x   1 root       sys        5700312 Oct  5  2016 libgsk7cms_64.sl*
    -rwxr-xr-x   1 root       sys        1426112 Oct  5  2016 libgsk7dbfl_64.sl*
    -rwxr-xr-x   1 root       sys        1196368 Oct  5  2016 libgsk7drld_64.sl*
    -rwxr-xr-x   1 root       sys          59184 Oct  5  2016 libgsk7iccs_64.sl*
    -rwxr-xr-x   1 root       sys         853488 Oct  5  2016 libgsk7kicc_64.sl*
    -rwxr-xr-x   1 root       sys         217704 Oct  5  2016 libgsk7kjni_64.sl*
    -rwxr-xr-x   1 root       sys        2088136 Oct  5  2016 libgsk7km_64.sl*
    -rwxr-xr-x   1 root       sys          90304 Oct  5  2016 libgsk7krnc_64.sl*
    -rwxr-xr-x   1 root       sys          90304 Oct  5  2016 libgsk7krrb_64.sl*
    -rwxr-xr-x   1 root       sys          90304 Oct  5  2016 libgsk7krsw_64.sl*
    -rwxr-xr-x   1 root       sys          90304 Oct  5  2016 libgsk7msca_64.sl*
    -rwxr-xr-x   1 root       sys        1645512 Oct  5  2016 libgsk7p11_64.sl*
    -rwxr-xr-x   1 root       sys        2070968 Oct  5  2016 libgsk7ssl_64.sl*
    -rwxr-xr-x   1 root       sys          11888 Oct  5  2016 libgsk7sys_64.sl*
    -rwxr-xr-x   1 root       sys        1559312 Oct  5  2016 libgsk7valn_64.sl*

    Like I said, this was an 11.50.FC6 instance, with CSDK 3.50.FC6, on HP-UX 11.31 PA-RISC.  I know that IBM no longer support PA-RISC, so I may be out of luck.



    ------------------------------
    mark collins
    ------------------------------



  • 8.  RE: using SSL with Informix

    Posted Tue July 25, 2023 11:10 PM

    Mark,

    As Paul mentioned, the command has a '64' in the name.
    On my Linux x86_64 systems under both 12.10.FC15W1 and 14.10.FC10,
    the location and name is /usr/local/ibm/gsk8_64/bin/gsk8capicmd_64.

    There's no trace of that command anywhere under /opt/ibm/informix,
    where I installed both the Informix server and the CSDK.

    On Linux, the GSKit is installed via .rpm or .deb packages when the
    Informix server is installed.  These 2 symlinks in /bin are also
    created:

    lrwxrwxrwx 1 root root 41 Oct 28  2022 /bin/gsk8capicmd_64 -> /usr/local/ibm/gsk8_64/bin/gsk8capicmd_64
    lrwxrwxrwx 1 root root 37 Oct 28  2022 /bin/gsk8ver_64 -> /usr/local/ibm/gsk8_64/bin/gsk8ver_64

    I'm not sure if the HP version had native packages or not, but if it
    did you might try the swlist command to see if/where it was installed.

    Alternatively, with patience, this always works too (assuming you
    have root access to all files):

    find / -name gsk8capi\*

    Not sure that answers your questions but maybe helps locate the command.

    scot




  • 9.  RE: using SSL with Informix

    Posted Wed July 26, 2023 11:53 AM

    I found $INFORMIXDIR/gskit/installgskit.  I ran that as root, and it did not report any errors, but even after that, I still do not see anything with the 'find / -name gsk8capi\*' command.



    ------------------------------
    mark collins
    ------------------------------



  • 10.  RE: using SSL with Informix

    Posted Tue August 01, 2023 07:02 PM
    Hi Mark,

    with such a big difference/distance between versions (of client and server), things are a bit confusing.
    Here are some basics:
    • SSL and TLS (TLS basically being the successor of SSL) are protocols for secure (i.e. encrypted) communication. The two communication partners (server and client) basically need to be able to agree on a protocol version, as well as ciphers (encryption algorithms) to use for the encryption. If this is possible, then the communication should work, no matter how either communication partner achieves using the protocol. I.e. it doesn't matter whether the client uses GSKit and the server uses OpenSSL, nor which version of these two.
    • Having said the above, there are a few "restrictions". For one, SSL has not been considered secure enough for a few years now. And for TLS there are 3 usable versions (1.1, 1.2 and 1.3), where currently TLS 1.2 and TLS 1.3 are generally considered "secure enough". Part of what makes a specific protocol version "secure" is the choice of ciphers that are supported. Generally, older ciphers are considered less secure.
      With that, the older clients and the GSKit 7 version they use may not be able to support the newer protocol versions and their associated ciphers that are required by the newest server. Still, it may be possible to find a common protocol version that both sides can use (i.e. that the security library versions of both sides support). Though this may require some specific configuration, possibly on both sides and possibly for the database client and database server as well as for the GSKit and OpenSSL installation.
      I have no knowledge of 11.70 version database clients regarding their protocol version support, nor which protocol versions are supported by the GSKit 7 that they use.
    • You should be able to figure out these details by reading the documentation separately, the 11.70 docs for the 11.70 client and the 14.10.x docs for the 14.10.x server.
    • Creating keystores, possibly stash files, etc. then would also be done "separately", i.e. following the older 11.70 documentation for the 11.70 client and the newer 14.10 documentation for the new 14.10 server. In order to do this, you will need to have the X509 certificate(s) for the keystores in an independent format, probably as PEM file(s). Then you can use these on both sides (i.e. client and server) to create the keystore in whichever way is appropriate for the product version at hand.
    • If the 11.70 client product was installed (i.e. came) with GSKit 7, then it will not be able to utilize GSKit 8. These two are different major versions of GSKit, which means that for sure they are not binary compatible. It therefore is rather pointless to try installing GSKit 8 on an 11.70 version client machine.
    Sorry that I cannot provide specific help and guidelines for 11.70. But I hope that the above gives you the overview of the concepts and from there you are able to find your way through this ... jungle.

    Regards, Martin

    --

    Martin Fuerderer (he/him)

    Software Engineer

    HCL Software

    hcl-software.com







  • 11.  RE: using SSL with Informix

    IBM Champion
    Posted Tue August 01, 2023 08:39 PM

    Hi,

    When Client SDK 4.50.FC4 dropped support for GSKit I found that a connection manager using OpenSSL and a client using GSKit could not be made to work despite what HCL Support said, so OpenSSL/GSKit are NOT always compatible keystores!

    Something so old as a 3.50 CSDK may well only have gskit7 command names.

    I would do everything with GSKit and see if the 3.50 keystore will work with a 14.10 server, otherwise you are out of luck!

    Regards,

    David.



    ------------------------------
    David Williams
    ------------------------------



  • 12.  RE: using SSL with Informix

    Posted Fri August 04, 2023 09:45 AM

    Hi Martin,

    Thanks for the detailed breakdown.  I'll compare the ciphers in both versions, and maybe I'll get lucky.



    ------------------------------
    mark collins
    ------------------------------
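
The cipher comparison discussed in posts 10 and 12, as an added Python example that is not from any poster in this thread or from IBM/HCL. It matches suites by IANA code point rather than by name, on the assumption that the two libraries may name the same suite differently. The server list is constructed sample text in the `openssl ciphers -V` layout, and the client inventory and protocol sets are constructed placeholders; real values have to come from the 11.70 and 14.10 documentation.

```python
import re

PROTO_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}  # the "secure enough" floor named in post 10

# Constructed sample in the layout printed by `openssl ciphers -V`.
# Column 3 is the protocol version that introduced the suite.
SERVER_CIPHERS_V = """\
  0x13,0x02 - TLS_AES_256_GCM_SHA384       TLSv1.3 Kx=any  Au=any Enc=AESGCM(256) Mac=AEAD
  0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
  0x00,0x9D - AES256-GCM-SHA384            TLSv1.2 Kx=RSA  Au=RSA Enc=AESGCM(256) Mac=AEAD
  0x00,0x35 - AES256-SHA                   SSLv3   Kx=RSA  Au=RSA Enc=AES(256)    Mac=SHA1
"""
SERVER_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}  # constructed server setting

# Constructed legacy-client inventory, keyed by IANA code point (assumption:
# not taken from any GSKit 7 documentation).
CLIENT_SUITES = {
    (0x00, 0x35): "TLS_RSA_WITH_AES_256_CBC_SHA",
    (0x00, 0x2F): "TLS_RSA_WITH_AES_128_CBC_SHA",
    (0x00, 0x0A): "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

LINE = re.compile(r"^\s*0x([0-9A-Fa-f]{2}),0x([0-9A-Fa-f]{2})\s+-\s+(\S+)\s+(\S+)")


def parse_openssl_ciphers(text):
    """Return [((hi, lo), name, introduced_in)] in listed (preference) order."""
    suites = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            code = (int(m.group(1), 16), int(m.group(2), 16))
            suites.append((code, m.group(3), m.group(4)))
    return suites


def suite_usable(introduced, proto):
    """TLS 1.3 suites work only in TLS 1.3; older suites only in <= TLS 1.2."""
    if proto == "TLSv1.3" or introduced == "TLSv1.3":
        return introduced == proto
    return PROTO_RANK[introduced] <= PROTO_RANK[proto]


def negotiate(server_protos, server_suites, client_protos, client_ids):
    """Model the handshake outcome: highest common version, then first shared suite."""
    common = set(server_protos) & set(client_protos)
    if not common:
        return {"ok": False, "reason": "no common protocol version"}
    proto = max(common, key=PROTO_RANK.__getitem__)
    for code, name, introduced in server_suites:  # server preference order
        if code in client_ids and suite_usable(introduced, proto):
            return {"ok": True, "protocol": proto, "suite": name,
                    "code": "0x%02X,0x%02X" % code,
                    "acceptable": proto in ACCEPTABLE}
    return {"ok": False, "reason": "no shared cipher suite for " + proto}


def demo():
    suites = parse_openssl_ciphers(SERVER_CIPHERS_V)
    aead_only = [s for s in suites if s[2] in ACCEPTABLE]
    return {
        # Client library that stops at TLS 1.0: nothing to agree on.
        "old_protocols": negotiate(SERVER_PROTOCOLS, suites,
                                   {"SSLv3", "TLSv1"}, CLIENT_SUITES),
        # Client that reaches TLS 1.2 but only has CBC suites.
        "tls12_cbc_client": negotiate(SERVER_PROTOCOLS, suites,
                                      {"TLSv1", "TLSv1.1", "TLSv1.2"}, CLIENT_SUITES),
        # Same client against a server restricted to AEAD suites.
        "aead_only_server": negotiate(SERVER_PROTOCOLS, aead_only,
                                      {"TLSv1", "TLSv1.1", "TLSv1.2"}, CLIENT_SUITES),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```
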