Setting up the Server Side

After you have enabled the client side for OTW, you must edit the configuration parameters in the SSL configuration file, ibss_config, which is located in the <install_directory>\secure\server directory. This file contains the information the server requires; instructions for setting it up are provided below.

In addition, the InterBase server requires two DH (Diffie-Hellman) parameter files to operate. For more information about the dhparameter files, see Generating the dhparameter files.

Changing the ibss_config file

The following is a sample ibss_config file:

IBSSL_SERVER_HOST_NAME=localhost
IBSSL_SERVER_PORT_NO=3065
IBSSL_SERVER_PASSPHRASE=serverkey
IBSSL_SERVER_CERTFILE=<install_directory>/secure/server/ibserver.pem
#IBSSL_SERVER_PASSPHRASEFILE=c:/secure/pass.txt
#example comment line
#only needed for client verification
#IBSSL_SERVER_VERIFY_CLIENT
#IBSSL_SERVER_CAFILE=<install_directory>/secure/server/root.pem

The following table provides a description of each parameter in the sample above.

Parameter Description

IBSSL_SERVER_HOST_NAME and IBSSL_SERVER_PORT_NO

The host name (which can be localhost) and the SSL port number of the machine on which the InterBase server is running. The defaults are the machine's host name and 3065. In most cases IBSSL_SERVER_HOST_NAME need not be set.

IBSSL_SERVER_CERTFILE

Location of the file containing the server's private key and certificate, which the server uses for encryption. The default location and filename is <install_directory>/secure/server/ibserver.pem. The IBSSL_SERVER_CERTFILE must be in PEM format and must contain both the private key and the certificate.

IBSSL_SERVER_PASSPHRASEFILE

Location of the file containing the passphrase. This file must be kept secure: make sure it has the correct permissions. The server needs only read access to the file, and only at start-up time; if the passphrase cannot be loaded, the server writes a message to the log file. Because the file is read only at start-up, you can keep the passphrase on removable media and, once the server has started, safely remove the media (and hence the passphrase).

IBSSL_SERVER_PASSPHRASE

Contains the server pass phrase, used together with the server certificate file. Use this instead of IBSSL_SERVER_PASSPHRASEFILE. If both are set, IBSSL_SERVER_PASSPHRASE is used and IBSSL_SERVER_PASSPHRASEFILE is ignored. If neither is set, InterBase assumes that the private key is not protected by a pass phrase.

IBSSL_SERVER_VERIFY_CLIENT

If this parameter is set, the server requires the client to send a certificate, which is verified against the file specified in IBSSL_SERVER_CAFILE (or the directory specified in IBSSL_SERVER_CAPATH).

IBSSL_SERVER_CAFILE

Location of the CA certificate file used to verify the client certificate. There is no default for this file; it is recommended that you place it in <install_directory>/secure/server/ and call it ibrootcert.pem. The file must be in PEM format and is needed only if IBSSL_SERVER_VERIFY_CLIENT is set.

IBSSL_SERVER_CAPATH

Used for the same purpose as IBSSL_SERVER_CAFILE, but points to a directory of CA certificates in PEM format, one CA certificate per file. It is needed only if IBSSL_SERVER_VERIFY_CLIENT is set. The files are looked up by the hash of the CA subject name, so that hash must be available; see About the “c_rehash” command for the command that converts a set of PEM files into a directory usable as IBSSL_SERVER_CAPATH.

In addition, InterBase makes the following assumptions about the ibss_config file:

  • Each line has the general form <parameter_name>=value.
  • Lines starting with “#” are treated as comments.
  • Lines longer than 1023 characters are truncated to 1023 characters.
  • Spaces at the end of a line are treated as part of the name or value, so do not put spaces at the end of a line. For a filename, enclose the filename in straight quotation marks to avoid problems with unseen space characters at the end of the line.
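As an added example (not InterBase code), the following Python script applies the file-format rules above and the parameter descriptions to an ibss_config file. It parses the file the way the server is described to read it (comment lines skipped, lines truncated at 1023 characters, trailing spaces kept as part of the name or value, quoted filenames unwrapped), then flags a misspelled parameter name, trailing whitespace, a missing pass phrase, client verification enabled without a CA file or directory, and a certificate file that lacks either the private key or the certificate. The parameter names are taken from this page; the sample configuration, the PEM text, and the assumption that a quoted filename ends at its closing quote are constructed for the example.

```python
"""Lint an InterBase ibss_config file against the rules on this page.

Added example, not InterBase code. Parameter names come from the page; the
sample configuration and PEM text below are constructed for illustration.
"""
import re

MAX_LINE = 1023  # the server truncates longer lines to 1023 characters

KNOWN_PARAMS = {
    "IBSSL_SERVER_HOST_NAME", "IBSSL_SERVER_PORT_NO", "IBSSL_SERVER_CERTFILE",
    "IBSSL_SERVER_PASSPHRASEFILE", "IBSSL_SERVER_PASSPHRASE",
    "IBSSL_SERVER_VERIFY_CLIENT", "IBSSL_SERVER_CAFILE", "IBSSL_SERVER_CAPATH",
}


def parse_ibss_config(text):
    """Return (params, findings).

    params maps name -> value as the server is described to see it: comment
    lines skipped, long lines truncated, trailing spaces kept. A flag parameter
    written without '=' (IBSSL_SERVER_VERIFY_CLIENT) maps to "".
    """
    params, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if len(raw) > MAX_LINE:
            findings.append(f"line {lineno}: longer than {MAX_LINE} characters, truncated")
            raw = raw[:MAX_LINE]
        if not raw.strip() or raw.startswith("#"):
            continue
        name, sep, value = raw.partition("=")
        stripped = value.rstrip()
        if len(stripped) >= 2 and stripped[0] == stripped[-1] == '"':
            # Assumption: a quoted filename ends at its closing quote, which is
            # why the page recommends quoting filenames.
            value = stripped[1:-1]
        elif raw != raw.rstrip():
            findings.append(f"line {lineno}: trailing whitespace is kept as part of {name!r}")
        if name not in KNOWN_PARAMS:
            findings.append(f"line {lineno}: unknown parameter {name!r} (misspelled?)")
        params[name] = value
    return params, findings


def check_params(params):
    """Cross-parameter checks taken from the parameter descriptions."""
    findings = []
    port = params.get("IBSSL_SERVER_PORT_NO", "3065")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append(f"IBSSL_SERVER_PORT_NO {port!r} is not a valid TCP port")
    has_pp = "IBSSL_SERVER_PASSPHRASE" in params
    has_ppfile = "IBSSL_SERVER_PASSPHRASEFILE" in params
    if has_pp and has_ppfile:
        findings.append("both IBSSL_SERVER_PASSPHRASE and IBSSL_SERVER_PASSPHRASEFILE set; "
                        "PASSPHRASE is used and PASSPHRASEFILE is ignored")
    elif not has_pp and not has_ppfile:
        findings.append("no pass phrase configured; the private key is assumed to be unencrypted")
    if "IBSSL_SERVER_VERIFY_CLIENT" in params and not (
            params.get("IBSSL_SERVER_CAFILE") or params.get("IBSSL_SERVER_CAPATH")):
        findings.append("IBSSL_SERVER_VERIFY_CLIENT set but neither IBSSL_SERVER_CAFILE nor "
                        "IBSSL_SERVER_CAPATH given, so client certificates cannot be verified")
    return findings


PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def certfile_is_complete(pem_text):
    """True if the IBSSL_SERVER_CERTFILE content holds both a private key and a certificate."""
    kinds = {m.group(1) for m in PEM_BLOCK.finditer(pem_text)}
    return any(k.endswith("PRIVATE KEY") for k in kinds) and "CERTIFICATE" in kinds


def lint(text):
    """All findings for one ibss_config text: parse-level plus cross-parameter."""
    params, findings = parse_ibss_config(text)
    return findings + check_params(params)


# Constructed sample: a misspelled pass phrase parameter and a trailing space.
SAMPLE_CONFIG = "\n".join([
    "IBSSL_SERVER_HOST_NAME=localhost",
    "IBSSL_SERVER_PORT_NO=3065",
    "IBSSL_SERVER_PHASSPHRASE=serverkey",
    'IBSSL_SERVER_CERTFILE="C:/InterBase/secure/server/ibserver.pem"',
    "#only needed for client verification",
    "IBSSL_SERVER_VERIFY_CLIENT",
    "IBSSL_SERVER_CAFILE=C:/InterBase/secure/server/ibrootcert.pem ",
])

# Constructed PEM text (not real key material) in the layout the page requires.
SAMPLE_CERTFILE = "\n".join([
    "-----BEGIN RSA PRIVATE KEY-----", "MIIBOgIBAAJBAK...", "-----END RSA PRIVATE KEY-----",
    "-----BEGIN CERTIFICATE-----", "MIIBszCCAV2gAw...", "-----END CERTIFICATE-----",
])

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
    print("certfile complete:", certfile_is_complete(SAMPLE_CERTFILE))
```

Run against the sample, the linter reports the misspelled IBSSL_SERVER_PHASSPHRASE line, the trailing space after the CA filename, and, because the misspelling means no pass phrase is actually configured, that the private key will be treated as unencrypted. Quoting the certificate filename, as the page advises, is what keeps that value clean.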

Generating the dhparameter files

As mentioned above, to use OTW the server also requires two DH (Diffie-Hellman) parameter files, dh512.pem and dh1024.pem, located in <install_directory>/secure/server. InterBase uses the DH key exchange protocol to establish an SSL connection, whether DSA- or RSA-based, and uses ephemeral mode to ensure forward secrecy.

You are encouraged to generate your own DH parameter files if you want them to be unique to your installation; otherwise the default files provided by InterBase are used. These files are required for the InterBase server to make SSL connections.

To create the dhparameter files, use the following commands:

openssl dhparam -check -text -5 512 -out dh512.pem
openssl dhparam -check -text -5 1024 -out dh1024.pem

After generating the files, copy them to the <install_directory>/secure/server directory.
