Informix SSL is an important piece of your security setup when running a relational database.
The Informix server is still set up to use GSKit from IBM to handle the internal server keystore. Clients are free to use openssl. In this article we are going to cover step by step how to set up SSL using a key generated from an external certificate authority (CA) rather than doing self-signed ones generated by the local server. All of the examples here are assuming a 64bit Linux system. Windows will use the same method and 32bit systems will have a different gsk8capicmd tool.
Settings for this example:
INFORMIXSERVER=informix4
INFORMIXDIR=/opt/informix
Primary listener: informix4 onsoctcp 9088
SSL Listener: informix4_ssl onsocssl 9089
SSL_KEYSTORE_LABEL: test_ssl_label
Keystore Password: my_password
The first step is to go to $INFORMIXDIR/ssl and create your empty keystore using GSKit. Note that it has to be named the same as the DBSERVERNAME
gsk8capicmd_64 -keydb -create -db informix4.kdb -pw my_password -type cms -stash
Next use GSKit to generate a CSR (certificate request file)
gsk8capicmd_64 -certreq -create -db informix4.kdb -stashed -label test_ssl_label -dn "CN=xdbsystems.com" -size 2048 -sigalg SHA256_WITH_RSA -target informix4.csr
Use that file to request a new public/private keypair from your CA. Different systems will handle this differently so talk to your security administrators.
Next Add the management chain certificates to the keystore
gsk8capicmd_64 -cert -add -db informix4.kdb -pw my_password -file ManagementCA-chain.pem
Next import the new server certificate you received from the certificate request
gsk8capicmd_64 -cert -receive -db informix4.kdb -stashed -file informix4.pem
Validate the keys are there
gsk8capicmd_64 -cert -list -db informix4.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
! "O=EJBCA Container Quickstart,CN=ManagementCA,UID=c-0fno0f82c4y4p6umb"
- test_ssl_label
Bring the engine up, you should see the following
Forking 1 'soctcp' listener threads...succeeded
Forking 1 'socssl' listener threads...succeeded
Next set up a client, on the client system create a keystore, make sure clientsdk is installed with the option to use openssl. This creates the keystore and loads in the root CA chain
openssl pkcs12 -export -nokeys -in /opt/informix/ssl/ManagementCA-chain.pem -caname "O=EJBCA Container Quickstart,CN=ManagementCA,UID=c-0fno0f82c4y4p6umb" -passout pass:my_password -out client1.p12
Create the stash file
onkstash client1.p12 my_password
Set up the client to have conssl.cfg in $INFORMIXDIR/etc:
SSL_KEYSTORE_FILE /opt/informixcsdk/ssl/client1.p12
SSL_KEYSTORE_STH /opt/informix/ssl/client1.sth
Now you can validate that the client only needs the CA information to validate the certificates, note there is no Informix server specific key, just the CA chain.
openssl pkcs12 -nokeys -info -in client1.p12 -passin pass:my_password
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
Bag Attributes
friendlyName: O=EJBCA Container Quickstart,CN=ManagementCA,UID=c-0fno0f82c4y4p6umb
subject=UID = c-0fno0f82c4y4p6umb, CN = ManagementCA, O = EJBCA Container Quickstart
issuer=UID = c-0fno0f82c4y4p6umb, CN = ManagementCA, O = EJBCA Container Quickstart
-----BEGIN CERTIFICATE-----
MIIEszCCAxugAwIBAgIUZ3v7iIk5DxAxtF8jMELOef9Lp3cwDQYJKoZIhvcNAQEL
BQAwYTEjMCEGCgmSJomT8ixkAQEME2MtMGZubzBmODJjNHk0cDZ1bWIxFTATBgNV
BAMMDE1hbmFnZW1lbnRDQTEjMCEGA1UECgwaRUpCQ0EgQ29udGFpbmVyIFF1aWNr
c3RhcnQwHhcNMjQwOTEwMjEwNDE4WhcNMzQwOTEwMjEwNDE3WjBhMSMwIQYKCZIm
iZPyLGQBAQwTYy0wZm5vMGY4MmM0eTRwNnVtYjEVMBMGA1UEAwwMTWFuYWdlbWVu
dENBMSMwIQYDVQQKDBpFSkJDQSBDb250YWluZXIgUXVpY2tzdGFydDCCAaIwDQYJ
KoZIhvcNAQEBBQADggGPADCCAYoCggGBAJv+MpjjAHh5msYkw8KwSJ5HSW79jofS
Mt9ruk7A85Ac+xFEA3IM9i1T9PISdwWzopCz/d1T3JYEpngKyUex9DANOLoKqTyp
XDm6Yyj6YH0vxNLEroQJBpvw6SCHKBO6EjZkAAecCOnYmT95QPdF2w5u5Kk1X7yg
VV59HIYxVd3xZVW2llrHH+u4pIeNruSotvRalpEddXdve1Ym0uoexRc5q4z44wwz
0uWwOaQZv7vGmTkfNT6nUqCqw/M6STJpyadNVMEyUeXHfuNNQbJ6UqyWAKH4fFGZ
V6jjKMENEC2f5I8BR5xB1hjWbVsOHuGCKLeRuP0Hq14B3JCaUFK7CLtpXVlLEWJ1
3Cm2SbNWUmVveEMXEN6L8BVwGdyyFtM2AsP/RNcKWSMiInGe39Hr4XpVN1tPqHCm
gh8ug/7v3n96aC2138oIjcrWVtGdAuo4Cb9N9/cOBnnyOp/Yof4Hlru9wyTSxMTo
yDQToNw6xk3/w5ueJDkAlMQD715lknEp8QIDAQABo2MwYTAPBgNVHRMBAf8EBTAD
AQH/MB8GA1UdIwQYMBaAFG4HtnbBN31dyfzLpmqyLgveCnl+MB0GA1UdDgQWBBRu
B7Z2wTd9Xcn8y6Zqsi4L3gp5fjAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQEL
BQADggGBACHAeek2OHKhrHW80t0hWWa83sXNFbKFc1hxb5H9GcT4UueTeKirfy+U
mW3sY5L5MzFTVUoqHpdg7mYH7GGszyUZPnZL6iCZJwZs4QDraDl1cuxHa4JQRQtV
LLMDVGL40Qc2p3bhkw3HOcJHD4wDVg4bazoLizyrsMk1rKNWvjQnHI7Ci/AcN7r0
8Yt8OWQjYdlSHLKBj0H03vZXPGzlr5j+aJGEXorGRHXkiMEntaUM2XZeyL5y1uSo
NnegwX7WvrT/LFx7EYN3LCNbnlph7BCoeF8TNdPVFOIFx/zxJDiIdYuB7nop3ZHN
SABgCxVKTzetHlt//DC/NIa5pfVXwRTKFuMvqjk/Zri4bXGjf/GaS9hRqLI43KoF
Urq3oLtIJPTbF8AxgFXxEaa863nNAta8yEO05ulDrQF9uGiGKjenTlsTY+bor8nr
FM/jwVNwGTFaddsWPcVNak5ayMQioSNn2/GWE52LyWhNaIBAZy05/5VrAJTnVWZL
whKy/ea4hQ==
-----END CERTIFICATE-----
Note with the Informix CSDK. As of newer Linux versions, the older libssl.1.1 it expects is no longer available. You may need to install a libssl compat library to get the libraries needed. You may also need to symlink $INFORMIXDIR/lib/libisi_o11.so.3.0 to $INFORMIXDIR/lib/libisi.so.3 if it returns an error that the file is missing. Hopefully this will be corrected in the next edition of Informix to support the newer openssl libraries that are standard.
Thomas Beebe
tom@xdbsystems.com
IBM Data Champion