
Major Issues with Windows CSDK4.50.FC4W1

  • 1.  Major Issues with Windows CSDK4.50.FC4W1

    Posted 11 days ago
    Edited by TOM GIRSCH 10 days ago

    All, a warning.

    I installed the latest release of CSDK for Windows, 4.50.FC4W1, and it's got a few problems.

    1. The default install path changed, and not everything seems to have picked up on that change. So when you fire up, e.g., ConnectTest or any other ODBC configuration deal, it complains that INFORMIXDIR is not set or doesn't include libisi.dll.1; this problem can be manually worked around by running the program from a command prompt where you've manually set INFORMIXDIR correctly. Not ideal. And for whatever reason, changes in SetNet32 seem not to be honored on the systems I've tested.
    2. Once you've worked around the above, if you have any SSL connections, it will complain about not being able to find client.p12 and client.stl. Note that these file extensions are not the usual client.kdb/client.sth files we're used to. Using conssl.cfg to point to the correct files won't work either. I'm working with support here, and they've asked me to try manually running onkstash to generate a new password stash file. But obviously, I shouldn't have to do ANY of this.


    As of this writing, I have been unable to get FC4W1 to work. Ultimately, I reverted to FC3, where everything works fine.

    The good news here is that this is apparently part of an effort by IBM to phase out the kludgy GSKit and switch to using OpenSSL like the rest of modern civilization. However, they shouldn't have broken stuff that already worked in the process, and some heads up would have been nice. Even the tech support agent hadn't heard about any of these changes until he went digging.

    As of right now, it looks to me as if FC4W1 has been pulled from Passport Advantage, although that could just be IBM's usual MO of making things extremely difficult to find on Passport Advantage. ;)

    Two final notes:

    1. A 14.10.FC4W1 engine seems to recognize client.kdb/client.sth without issue, so whatever the problem is here, it seems to be unique to the SDK (and possibly even the Windows SDK)
    2. I've done a bunch of testing with JDBC 4.50.FC4W1 and that seems to work just fine in my limited testing.



    ------------------------------
    TOM GIRSCH
    ------------------------------


  • 2.  RE: Major Issues with Windows CSDK4.50.FC4W1

    Posted 10 days ago
    Hi Tom,

    You seem to have encountered 3 problems as per email.
    1. Install issue of not installing in default location?
    2. Setnet32 being not effective
    3. OpenSSL seems to have issue with CSDK 4.50.FC4W1 on Windows.

    I installed CSDK 4.50.FC4W1 (in my chosen location) and can see Setnet32 settings being effective on Registry (attaching the screen shots). You are already in touch with Tech Support, I will get more information accordingly. However if you have anything additional to share on the forum to reproduce the issues you are facing, please do so.

    Thanks & Regards
    -Shesh

    ------------------------------
    Sheshnarayan Agrawal
    ------------------------------

    Attachment(s)

    pdf
    CSDK450FC4W1.pdf   251K 1 version


  • 3.  RE: Major Issues with Windows CSDK4.50.FC4W1

    Posted 10 days ago
    On your first point, it's more that the default location has changed than that it's not correct. I was speculating that this might factor into why INFORMIXDIR doesn't appear to be honored. In earlier versions, the install path is "C:\Program Files\Informix Client-SDK\"; with FC4W1, it's "C:\Program Files\IBM Informix Client-SDK\"

    On the second point, I'm not super clear on just what's going on. ConnectTest (for example) on FC4W1 complains that it can't find libisi.dll.1 because INFORMIXDIR is not properly set. Same program on FC3, I don't get that error. In both cases, if I open a command prompt and use "set" to look at the environment, INFORMIXDIR is not set. But for FC4W1, if I manually set it from a command prompt and then run ConnectTest from there, I no longer get the libisi error. It looks, however, like INFORMIXDIR is being set in the registry rather than in the environment, so I need to do some more FC4W1 testing to see what's going on.

    On the third point, you're correct. FC4W1 does not honor %INFORMIXDIR%\etc\client.kdb and client.sth. I even created a new keystore with FC4W1's version of the gskit, and it still didn't honor it, with or without conssl.cfg pointing to it. All of this worked fine on FC3.

    The support rep has replicated all of these issues. The support ticket number is TS003986256 for reference.


    ------------------------------
    TOM GIRSCH
    ------------------------------



  • 4.  RE: Major Issues with Windows CSDK4.50.FC4W1

    Posted 9 days ago
    Hi Tom,
    As you know, from CSDK 4.50.xC4 onward OpenSSL support is introduced. This support currently requires INFORMIXDIR to be set in the "System Environment"; it doesn't honor the INFORMIXDIR setting in the registry made using SETNET32. It should work without needing to set INFORMIXDIR in the "System Environment". Defect idsdb00106353 has been opened to address the above issue. Kindly follow up with your Tech Support contact on the latest status. Once the issue is addressed, the behavior should be the same as FC3. Until you get the fix, you can work around the problem by setting INFORMIXDIR in the System Environment.

    Thanks
    -Shesh


    ------------------------------
    Sheshnarayan Agrawal
    ------------------------------



  • 5.  RE: Major Issues with Windows CSDK4.50.FC4W1

    Posted 6 days ago

    Shesh:

    That resolves the dll problem, which I was already able to work around on my own; it does NOT resolve the SSL keystore/stash problem, which is the much larger issue.



    ------------------------------
    TOM GIRSCH
    ------------------------------



  • 6.  RE: Major Issues with Windows CSDK4.50.FC4W1

    Posted 6 days ago
    Tom,
    We have found that some steps in the documentation are missing with respect to setting up client-side OpenSSL, which is also being fixed in the documentation. The tech support engineer should be able to help you with the same as well, as part of the case you have already opened.

    Thanks
    -Shesh

    ------------------------------
    Sheshnarayan Agrawal
    ------------------------------



  • 7.  RE: Major Issues with Windows CSDK4.50.FC4W1

    Posted 6 days ago

    Shesh:

    But the old GSKit way should still work, and does not. IBM/HCL don't really want to force clients to do a massive redeploy of SSL as part of a minor CSDK revision, do they?

    I fully support a transition to OpenSSL support, but that transition should break existing configurations.



    ------------------------------
    TOM GIRSCH
    ------------------------------



  • 8.  RE: Major Issues with Windows CSDK4.50.FC4W1

    Posted 6 days ago
    With 4.50.xC4W1 and onwards, GSKit is no longer included with the IBM Informix Client SDK product package.

    IBM Informix Client SDK now should use OpenSSL instead of GSKit. Since OpenSSL (contrary to GSKit) is publicly available, the user (you) are expected to have it installed already. The biggest advantage of this is that you have more control over which version of OpenSSL is used, where it is installed and how it is configured. Also, you are normally able to update your OpenSSL release version as new (security) fixes become available, without the need to wait for a new Informix Client SDK release and upgrade it.

    OpenSSL uses and requires a keystore that conforms to the PKCS#12 standard. It does not know anything about the GSKit proprietary "CMS" format of the so-called "*.kdb" keystore files, and therefore cannot use them in any way. Nor can anyone (besides GSKit itself) know and use a stashed password in a GSKit-specific "*.sth" file, because the encryption and format of it is secret (fortunately).

    With that, it is necessary to either manually convert an existing "*.kdb" keystore to the PKCS#12 format (i.e. a "*.p12" file), or to re-create the keystore "from scratch" (e.g. using original PEM files). And as there is no way to retrieve the password from a GSKit password stash file, it is necessary to create a new password stash file, named "*.stl", using the new utility "onkstash" that is supplied with 4.50.xC4W1. For the latter it is necessary to either know the password, or change the password using GSKit tools like "gsk8capicmd" to a known value.

    Here's some information that may be helpful:
    --------------------------
        If you have existing keystores for your database clients SSL connections
        to the database server, you may need to migrate such client keystores.
        Please see sub-chapter "Configuring a client for SSL connections" in
        the "Security" manual for more information.
     
        When keystore migration is necessary and what steps to perform:

        - If your database client installation is co-located with the database
          server installation, the database client continues to use GSKit as
          encryption library. In this case, keystore migration is not necessary.

        - If your database client installation is stand-alone, it will use
          OpenSSL as encryption library.

          - If your client keystore has the GSKit-proprietary format "CMS"
            (usually with file extension "*.kdb"), then this keystore needs
            to be converted to a PKCS#12 keystore:

              As the CMS format is GSKit-specific, you need the GSKit command
              "gsk8capicmd" (or "gsk7capicmd") in order to convert the keystore.
              Use a command like:

              gsk8capicmd -keydb -convert -db KEYSTOREFILE.kdb -pw PASSWORD
                -old_format cms -new_db KEYSTOREFILE.p12 -new_pw PASSWORD
                -new_format pkcs12

          - Create a stash file with the keystore password for use with OpenSSL.
            Use the utility onkstash to stash the keystore password:

            onkstash KEYSTOREFILE.p12 PASSWORD

            (This step is also needed in case your keystore already had the
            PKCS#12 format.)
    --------------------------

    In fact, I thought that this was included in the documentation for 14.10.xC4W1,
    but admit that currently I cannot locate it. I will find it or see to it that it gets included.

    Regards, Martin

    --
    Martin Fuerderer
    Informix Development Germany


    HCL Technologies Germany GmbH
    Frankfurter Ring 17
    80807 Munich, Germany
    http://www.hcltech.com/de
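
A read-only preflight check for the migration steps described in the post above, as an added example that is not part of the thread or of IBM/HCL's tooling. It assumes the keystore and stash file live in %INFORMIXDIR%\etc as client.p12 and client.stl (the names quoted earlier in the thread); the function name and the P12_PASSWORD environment variable are hypothetical.

```powershell
# Added example: read-only preflight for a stand-alone CSDK 4.50.xC4W1 client.
# Assumptions: keystore files are %INFORMIXDIR%\etc\client.*; P12_PASSWORD is a
# hypothetical environment variable used only for the optional OpenSSL check.
function Test-CsdkSslReadiness {
    param(
        # System ("Machine") scope: per the thread, a SetNet32/registry value is
        # not honored by FC4W1's OpenSSL support (defect idsdb00106353).
        [string]$InformixDir = [Environment]::GetEnvironmentVariable('INFORMIXDIR', 'Machine')
    )
    if ([string]::IsNullOrWhiteSpace($InformixDir)) {
        return @('INFORMIXDIR is not set in the System Environment.')
    }
    $etc = Join-Path $InformixDir 'etc'
    if (-not (Test-Path -LiteralPath $etc -PathType Container)) {
        return @("No etc directory under INFORMIXDIR: $etc")
    }
    $findings = @()
    $p12 = Join-Path $etc 'client.p12'
    $stl = Join-Path $etc 'client.stl'
    $hasP12 = Test-Path -LiteralPath $p12 -PathType Leaf
    $hasStl = Test-Path -LiteralPath $stl -PathType Leaf

    if (-not $hasP12) {
        if (Test-Path -LiteralPath (Join-Path $etc 'client.kdb') -PathType Leaf) {
            $findings += 'client.kdb (GSKit CMS) found but no client.p12: convert it with gsk8capicmd.'
        } else {
            $findings += 'No client.p12 keystore found: create or convert one.'
        }
    }
    if (-not $hasStl) {
        if (Test-Path -LiteralPath (Join-Path $etc 'client.sth') -PathType Leaf) {
            $findings += 'client.sth (GSKit stash) cannot be reused: run onkstash to create client.stl.'
        } else {
            $findings += 'No client.stl stash file found: run onkstash on the .p12 keystore.'
        }
    }
    # Optional: confirm OpenSSL can open the keystore. The password is read from
    # an environment variable so it does not appear on the command line.
    if ($hasP12 -and $env:P12_PASSWORD -and (Get-Command openssl -ErrorAction SilentlyContinue)) {
        & openssl pkcs12 -in $p12 -noout -passin 'env:P12_PASSWORD' 2>$null | Out-Null
        if ($LASTEXITCODE -ne 0) {
            $findings += 'openssl could not open client.p12 with the supplied password.'
        }
    }
    return $findings
}

Test-CsdkSslReadiness | ForEach-Object { Write-Warning $_ }
```

An empty result means the three preconditions named in the thread (system-scope INFORMIXDIR, a PKCS#12 keystore, an onkstash stash file) are in place; it does not validate the certificates inside the keystore.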






  • 9.  RE: Major Issues with Windows CSDK4.50.FC4W1

    Posted 6 days ago
    Getting rid of GSKit and going to an entitlement-free version of the SDK is a laudable goal, to be sure. But did nobody at IBM/HCL think that abruptly yanking GSKit support wouldn't be a problem?

    Because of the INFORMIXDIR issue I've also found here, we've decided for the moment to revert to FC3. When a future release of FC4 (or later) has the INFORMIXDIR issue fixed, I'll try again with the OpenSSL keystore.

    ------------------------------
    TOM GIRSCH
    ------------------------------