
SSL Listener not getting started in Solaris 10 and Informix 11.5 Combination.

  • 1.  SSL Listener not getting started in Solaris 10 and Informix 11.5 Combination.

    Posted Wed June 23, 2021 01:45 PM
    Hi All, back to the Informix world after about 2.5 years.

    IMPORTANT NOTE - I understand the version is outdated and there will be suggestions to upgrade Informix version.  FYI, I just joined this new company two weeks back and don't have any say on the versions at this point although I have already advised them that moving to version 14 is the future direction.

    Problem Description:  New SSL Setup

    OS version - SunOS <hostname> 5.10 Generic_153153-01 sun4v sparc sun4v

    Informix Version - IBM Informix Dynamic Server Version 11.50.FC9W3XI

     

    --------------- Noticing issue with SSL Protocol specifications on Solaris ---------

     

    If protocol is specified as socssl (both onconfig and sqlhosts are modified to match)

    Informix comes up but could NOT see the ssl listener getting forked during startup according to the configuration

     

    Initializing DR structures...succeeded

    Forking 2 'ipcshm' listener threads...succeeded

    Forking 1 'tlitcp' listener threads...succeeded         <--- SSL listener not getting forked during startup itself ---->

    Starting tracing...succeeded

     

    Trying to start through onmode gives error.

     

    onmode -P start <DBSERVERALIASNAME for ssl>

    Could not start listen thread for server <DBSERVERALIASNAME for ssl>

     

    Inside message log

    15:56:26  Starting listen thread for sqlhosts server <DBSERVERALIASNAME for ssl>

    15:56:26  Unknown or unsupported type of network protocol for the specified server.

     

    -----------------------------

     

    Considering that the OS is Solaris, if the protocol is specified as "tlissl", the engine is not even coming up.

    (Both  onconfig and sqlhosts modified properly)

     

    Initialization of Encryption...succeeded

    The specified service name or protocol is unknown. Error -25507.

    Initializing ASF...FAILED


    ===========================================================

    Any clue on what would be the correct SSL protocol to specify (apart from "onsocssl"  and "ontlissl" ).
    Additional Info: The same implementation of "onsocssl" protocol is working in AIX and Informix 12.1 Combination.

    ------------------------------
    Thanks & Regards,
    Vijayanand Dhandapani
    ------------------------------


  • 2.  RE: SSL Listener not getting started in Solaris 10 and Informix 11.5 Combination.

    Posted Wed June 23, 2021 01:51 PM

    You can't start an SSL from command line AFAIK, it is/was in the code so the onmode -P will fail

     

    I wouldn't expect soc to work, if you mismatch the protocol then the engine will start one tlitcp listener - at least that is what I have seen under Solaris

     

    What is your SQLHOSTS and nettype?

     

    Cheers

    Paul

     

     

     






  • 3.  RE: SSL Listener not getting started in Solaris 10 and Informix 11.5 Combination.

    Posted Thu June 24, 2021 02:17 AM

    Hi Paul,

    Thanks for your response. I have tried below two combinations

    1) sqlhosts - <unique_alias_for_ssl> onsocssl <hostname> <portno>
        NETTYPE  socssl,3,150,NET

    Informix comes up fine without any error but no  ssl listener getting forked.

    2) sqlhosts - <unique_alias_for_ssl> ontlissl <hostname> <portno>
       NETTYPE  tlissl,3,150,NET

    Informix doesn't even come up (more information in my first post)

    -------------
    I have also tried replacing hostname with IPaddress.

    Please let me know if there is any other protocol for ssl that would work on solaris 10 and Informix 11.5 combination.



    ------------------------------
    Vijayanand Dhandapani
    ------------------------------



  • 4.  RE: SSL Listener not getting started in Solaris 10 and Informix 11.5 Combination.

    Posted Thu June 24, 2021 11:05 AM

    Under Solaris I would expect the socssl to be ignored.

     

    Have you set/created the keystore ?

     

    Is the SSL INFORMIXSERVER in DBSERVERNAME or DBSERVERALIASES

     

     

    Cheers

    Paul

     






  • 5.  RE: SSL Listener not getting started in Solaris 10 and Informix 11.5 Combination.

    Posted Thu June 24, 2021 11:40 PM
    Thank you Andreas, Cesar & Paul for taking time to share your inputs.

    Found the issue to be a silly blunder. There was a space character after the comma in the DBSERVERALIAS parameter, which is why it was completely ignoring the SSL alias name and not forking it.

    i.e.
    DBSERVERALIAS         <existing alias>, <newly added ssl alias>   <-- Not working
    DBSERVERALIAS         <existing alias>,<newly added ssl alias>    <-- Working

    Rest all configurations and ssl setup were correct and now it is working.
    Once again, thank you everyone for spending time on this and providing your inputs.


    ------------------------------
    Vijayanand Dhandapani
    ------------------------------
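
The failure found in this thread (whitespace after the comma in the alias list, so the SSL alias is silently dropped and no SSL listener is forked) can be caught before a restart with a small lint over onconfig and sqlhosts. This is an added example, not part of the original posts and not an Informix tool; the `demo_*` names, host and ports are constructed, and the rule that the value ends at the first whitespace is an assumption modelled on the behaviour reported above.

```python
import re

SSL_PROTOCOLS = {"onsocssl", "ontlissl"}  # SSL protocol names discussed in the thread

# Constructed sample files (names, host and ports are made up).
ONCONFIG_BAD = """\
DBSERVERNAME    demo_tcp
DBSERVERALIASES demo_shm, demo_ssl   # space after the comma
NETTYPE         socssl,3,150,NET
"""
ONCONFIG_GOOD = ONCONFIG_BAD.replace(", ", ",")
SQLHOSTS = """\
demo_tcp  ontlitcp  dbhost  9088
demo_ssl  onsocssl  dbhost  9089
"""

def parse_onconfig(text):
    """Return {PARAM: [raw values]} with comments stripped."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s+(.*)$", line.split("#", 1)[0].rstrip())
        if m:
            params.setdefault(m.group(1), []).append(m.group(2))
    return params

def lint(onconfig_text, sqlhosts_text):
    """Return a list of findings that would keep an SSL listener from starting."""
    findings, names = [], set()
    params = parse_onconfig(onconfig_text)
    for key in ("DBSERVERNAME", "DBSERVERALIASES"):
        for raw in params.get(key, []):
            if re.search(r"\s", raw):
                findings.append(f"{key}: whitespace inside value {raw!r}")
            # Assumption modelled on the thread: text after the first
            # whitespace is ignored, so only the first token counts.
            names.update(n for n in raw.split()[0].split(",") if n)
    nettypes = {raw.split(",")[0] for raw in params.get("NETTYPE", [])}
    for line in sqlhosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4 or fields[1] not in SSL_PROTOCOLS:
            continue
        alias, proto = fields[0], fields[1]
        if alias not in names:
            findings.append(f"{alias}: SSL alias not in DBSERVERNAME/DBSERVERALIASES")
        if proto[2:] not in nettypes:  # sqlhosts "onsocssl" pairs with NETTYPE "socssl"
            findings.append(f"{alias}: no NETTYPE {proto[2:]} to match {proto}")
    return findings
```

Calling `lint(ONCONFIG_BAD, SQLHOSTS)` reports both the stray whitespace and the orphaned SSL alias, which is the case where the instance starts cleanly but only the non-SSL listeners come up.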



  • 6.  RE: SSL Listener not getting started in Solaris 10 and Informix 11.5 Combination.

    Posted Thu June 24, 2021 11:44 PM
    Second set of eyes always fixes it

    Paul Watson
    Oninit LLC
    +1-913-387-7529
    www.oninit.com
    Oninit®️ is a registered trademark of Oninit LLC





  • 7.  RE: SSL Listener not getting started in Solaris 10 and Informix 11.5 Combination.

    Posted Thu June 24, 2021 01:45 PM

    Hi, 
    I have used SSL since version 11.50 on AIX and Linux without major issues.
    Have you set the basics?
    You can find all these commands and references in the Informix manual.

    a) Do you have the IBM GSKIT installed?
      If not, install it, it's mandatory.

    b) Have you created the SSL stash / "database" for your instance?
    All commands below are GSKIT and should be run in $INFORMIXDIR/ssl
    gsk8capicmd_64 -keydb -create -db $INFORMIXSERVER.kdb -pw your_password -stash
    (here I use gskit v8, your version probably will be 7 or earlier)

    c) Supposing that you don't have a certificate, you need to create one:
    $ gsk8capicmd_64 -cert -create -db $INFORMIXSERVER.kdb -stashed -label label_${INFORMIXSERVER}_ssl -expire 7300 -size 1024 -dn "CN=your.company,O=your,C=BR,OU=your-ti,EMAIL=you@yourcompany.com"
    $ gsk8capicmd_64 -cert -list -db $INFORMIXSERVER.kdb -stashed
    $ gsk8capicmd_64 -cert -details -db $INFORMIXSERVER.kdb -stashed -label label_${INFORMIXSERVER}_ssl
    $ gsk8capicmd_64 -cert -extract -db $INFORMIXSERVER.kdb -stashed -label label_${INFORMIXSERVER}_ssl -target ${INFORMIXSERVER}_ssl.cert

    your client will need this .cert file to connect to your instance using the SSL
    (there is other annoying configuration to make this work)

    d) adjust onconfig

    DBSERVERALIASES <INFORMIXSERVER>_ssl
    NETTYPE socssl,2,50,NET
    # (not sure if this configuration exists for ifx 11.50)
    SSL_KEYSTORE_LABEL label_<INFORMIXSERVER>_ssl

    e) configure your sqlhosts
    <INFORMIXSERVER>_ssl onsocssl <host> <port>

    I set all this up a long time ago, not sure about a few rules:
    1) the stash file name should have the name of your instance/$informixserver
    2) all this should be saved in your $INFORMIXDIR/ssl
    3) you can bring up your listener using onmode -P, however, I don't recommend using it. This command is very buggy on old versions.
    4) the alias doesn't need to use the informixserver as a prefix, I use it just for my convenience;

    If all this was set and your listener is still not up, I have no other ideas... sorry

    Regards
    Cesar

    ------------------------------
    Cesar Martins
    ------------------------------



  • 8.  RE: SSL Listener not getting started in Solaris 10 and Informix 11.5 Combination.

    Posted Thu June 24, 2021 03:55 PM
    Can confirm this does work on Solaris, in v11.50:

    $ uname -a
    SunOS sirius 5.10 Generic_147147-26 sun4v sparc sun4v

    ...
    Creating VP classes...succeeded
    Forking main_loop thread...succeeded
    Initializing DR structures...succeeded
    Forking 1 'socssl' listener threads...succeeded
    Forking 1 'soctcp' listener threads...succeeded
    Starting tracing...succeeded
    Initializing 8 flushers...succeeded
    ...

    $ onstat -g ntt
    
    IBM Informix Dynamic Server Version 11.50.FC9W3 -- On-Line -- Up 00:02:52 -- 149504 Kbytes
    
    global network information:
      #netscb connects         read        write    q-free  q-limits  q-exceed alloc/max
       4/   5        9         3726         3725    2/   2  170/  10    0/   0    2/   2
    
    Individual thread network information (times):
              netscb thread name    sid     open     read    write address
           1121cd478 soctcplst        5 21:46:18 21:46:29          sirius|12717|soctcp
           1121adaa8 socssllst        4 21:46:18                   sirius|12718|socssl
           112192aa8 soctcppoll       3 21:46:18
           112177aa8 socsslpoll       2 21:46:18



    ------------------------------
    Andreas Legner
    ------------------------------