Sample Security Scenarios

This document describes various sample SSL scenarios using Encryption for Entire Net-Work.

For each scenario described in this section, the client-side alterations you need to make to your Kernel and Entire Net-Work Client access and connection definitions are given.

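The scenarios that are described are:

  • Simple Encryption

  • Other Authentication Scenarios (Client-Only Authentication, Server-Only Authentication, Client and Server Authentication, Authentication with Certificates Elsewhere, Authentication with a Hidden Password)
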
Simple Encryption

To configure simple encryption for an Entire Net-Work Client:

  1. If the database access URL for the target database is written to the Directory Server by an LUW Entire Net-Work configured for SSL access, no configuration for the client is required. The client will load SSL once it finds the protocol SSL in the URL and communication will be encrypted.

  2. If the database access is manually configured in the Entire Net-Work Client configuration, set the protocol of the target access entry to "SSL" using the protocol drop-down menu in Adabas Manager, then save the entry.

To configure simple encryption for an Entire Net-Work Server:

  1. Access the Entire Net-Work Server Kernel Access definitions in the Adabas Manager.

  2. For each Server Access definition that needs to support SSL, verify that the Protocol type for the entry is SSL and that appropriate port numbers are specified.

  3. Edit the definition and specify valid values for the SSL CERT_FILE, KEY_FILE, and CERT_PSSWD parameters in the Additional Parameters field. In the following example, xxcert.pem is the certificate file, xxkey.pem is the certificate key file, and "pempswd" is the Public Encryption Method (PEM) password:

    &CERT_FILE=xxcert.pem&CERT_PSSWD=pempswd&KEY_FILE=xxkey.pem
    
  4. Save the definition.

Other Authentication Scenarios

Note:
In all the following scenarios, the Client Authentication parameters are best configured manually by first configuring an Adabas Client Access definition to the database target. Use Adabas Manager to add the entry and edit the entry as described in the following sections.

Client-Only Authentication

To perform client-only authentication for an Entire Net-Work Client:

  1. Access the Entire Net-Work Client access definition to Adabas databases in Adabas Manager.

  2. Ensure the Protocol field in the Host address line is SSL.

  3. Specify values for the CERT_FILE, KEY_FILE, and CERT_PSSWD parameters in the Additional Parameters field. For example:

    &CERT_FILE=testcert.pem&KEY_FILE=testkey.pem&CERT_PSSWD=pempswd
    
  4. Save the definition.

To perform client-only authentication for an Entire Net-Work Server:

  1. Access the Entire Net-Work Server Kernel Access definitions in Adabas Manager.

  2. For each Client Access definition that needs to support SSL client-only authentication, verify that the Protocol type is SSL and that an appropriate port number is specified.

  3. In the Additional Parameters field for the entry, specify valid values for the CAFILE, CAPATH, CERT_FILE, KEY_FILE, CERT_PSSWD, and VERIFY parameters. The VERIFY parameter must be set to "3" for client authentication.

  4. Save the definition.

Server-Only Authentication

To perform server-only authentication for an Entire Net-Work Client:

  1. Access the Entire Net-Work Client Access definition to Adabas databases in Adabas Manager. Find the appropriate Connection definition.

  2. Ensure the Protocol type is SSL.

  3. Specify values for the CAFILE, CAPATH, and VERIFY parameters in the Additional Parameters field. For example:

    &CAFILE=cacert.pem&CAPATH=path&VERIFY=1
    
  4. Save the definition.

To perform server-only authentication for a Kernel to Kernel connection:

  1. Access the Kernel Access definitions in Adabas Manager. Find the appropriate Connection definition.

  2. Ensure the Protocol type is SSL.

  3. Specify values for the CAFILE, CAPATH, and VERIFY parameters in the Additional Parameters field. For example:

    &CAFILE=cacert.pem&CAPATH=path&VERIFY=1
    
  4. Save the definition.

To perform server-only authentication for an Entire Net-Work Server:

  1. Access the Entire Net-Work Server Kernel Access definitions in Adabas Manager.

  2. For each Client Access definition that needs to support SSL server-only authentication, verify that the Protocol type is SSL and that an appropriate port number is specified.

  3. In the Additional Parameters field for the entry, specify valid values for the CERT_FILE, KEY_FILE, and CERT_PSSWD parameters. In the following example, xxcert.pem is the certificate file, xxkey.pem is the certificate key file, and "pempswd" is the Public Encryption Method (PEM) password:

    &CERT_FILE=xxcert.pem&CERT_PSSWD=pempswd&KEY_FILE=xxkey.pem
    
  4. Save the definition.

Client and Server Authentication

To perform client and server authentication for an Entire Net-Work Client:

  1. Access the Entire Net-Work Client Access definitions in Adabas Manager.

  2. Ensure the Protocol field in the Host address line is SSL.

  3. Specify values for the CAFILE, CAPATH, CERT_FILE, KEY_FILE, CERT_PSSWD, and VERIFY parameters in the Additional Parameters field. For example:

    &CAFILE=cacert.pem&CAPATH=path&CERT_FILE=xxcert.pem&KEY_FILE=xxkey.pem&CERT_PSSWD=pempswd&VERIFY=1
    
  4. Save the definition.

To perform client and server authentication for an Entire Net-Work Server:

  1. Access the Entire Net-Work Server Kernel Access definitions in Adabas Manager.

  2. For each Access definition that needs to support SSL client and server authentication, verify that the Protocol type is SSL and that appropriate port numbers are specified.

  3. For Server Access, specify valid values for the CERT_FILE, KEY_FILE, and CERT_PSSWD parameters in the Additional Parameters field. In the following example, xxcert.pem is the certificate file, xxkey.pem is the certificate key file, and "pempswd" is the Public Encryption Method (PEM) password:

    &CERT_FILE=xxcert.pem&CERT_PSSWD=pempswd&KEY_FILE=xxkey.pem
    
  4. For E-business SSL Client Access, specify valid values for the CAFILE, CAPATH, CERT_FILE, KEY_FILE, CERT_PSSWD, and VERIFY parameters in the Additional Parameters field. The VERIFY parameter must be set to "3" for client authentication.

  5. Save the definition.

Authentication with Certificates Elsewhere

To perform client or server authentication from a client or a server when the certificates and certificate authorities are not in the current directory:

  • Complete the authentication steps described in other scenarios in this section, but specify the path to the certificate authority and certificate files in the CAFILE, CERT_FILE, and KEY_FILE parameters.

    Note:
    If parameter CAFILE includes path information, the value of CAPATH should be ".".

Authentication with a Hidden Password

To perform client or server authentication from a client or a server without specifying the Public Encryption Method password directly in the URL:

  • Complete the authentication steps described in other scenarios in this section, but specify the fully-qualified file name of a file that contains the password in the CERT_PSSWD parameter. For example:

    &CAFILE=cacert.pem&CAPATH=path&CERT_FILE=xxcert.pem&KEY_FILE=xxkey.pem&CERT_PSSWD=FILE://C:/certs/certpswd.txt&VERIFY=3
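
The parameter rules from the scenarios above can be checked mechanically before a definition is saved. The following sketch is an added example, not Software AG code: the role names and the lint function are hypothetical, the FILE:// prefix is assumed to be matched exactly as written above, and a password given directly in CERT_PSSWD is reported so that it can be moved into a file as the last scenario describes.

```python
# Added example, not vendor code: lint an "Additional Parameters" string
# against the rules this page states. Role names are labels invented here.
IDENTITY = {"CERT_FILE", "KEY_FILE", "CERT_PSSWD"}
TRUST = {"CAFILE", "CAPATH", "VERIFY"}
REQUIRED = {
    "encrypt-server": IDENTITY,         # simple encryption / server-only auth, server side
    "client-auth-client": IDENTITY,     # client-only auth, client side
    "client-auth-server": IDENTITY | TRUST,
    "server-auth-client": TRUST,        # also Kernel to Kernel connections
    "mutual-client": IDENTITY | TRUST,
    "mutual-server": IDENTITY | TRUST,  # the Client Access entry on the server
}
VERIFY_MUST_BE_3 = {"client-auth-server", "mutual-server"}


def parse_params(text):
    """Split '&KEY=value&KEY=value' into a dict; values are kept verbatim."""
    params = {}
    for item in text.strip().split("&"):
        if not item:
            continue  # the leading '&' yields an empty first item
        key, sep, value = item.partition("=")
        if not sep or not value:
            raise ValueError(f"malformed parameter: {item!r}")
        params[key] = value
    return params


def lint(role, text):
    """Return a list of findings; an empty list means no rule was broken."""
    p = parse_params(text)
    findings = []
    missing = REQUIRED[role] - set(p)
    if missing:
        findings.append("missing: " + ", ".join(sorted(missing)))
    if role in VERIFY_MUST_BE_3 and p.get("VERIFY", "3") != "3":
        findings.append("VERIFY must be 3 for client authentication")
    cafile = p.get("CAFILE", "")
    if ("/" in cafile or "\\" in cafile) and p.get("CAPATH") != ".":
        findings.append("CAFILE includes a path, so CAPATH should be '.'")
    # Assumption: the FILE:// prefix is matched exactly as the page writes it.
    if "CERT_PSSWD" in p and not p["CERT_PSSWD"].startswith("FILE://"):
        findings.append("CERT_PSSWD holds the password itself; use FILE://<file>")
    return findings


if __name__ == "__main__":
    # Constructed sample: inline password, CAFILE with a path, wrong VERIFY.
    sample = ("&CAFILE=C:/certs/cacert.pem&CAPATH=path&CERT_FILE=xxcert.pem"
              "&KEY_FILE=xxkey.pem&CERT_PSSWD=pempswd&VERIFY=1")
    for finding in lint("client-auth-server", sample):
        print(finding)
```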