Setup OTW/SSL and InterBase

From InterBase

Go Up to Main Page

Before you begin

  1. The setup process requires OpenSSL for windows, you can obtain a compiled version here or you can obtain the source files here. Once you have a compiled version of OpenSSL place the files on the c:\openssl folder in the InterBase server you plan to use.
  2. Download the file openssl.cnf here to self-sign the keys. Place the file on the c:\openSSL folder, backup and overwrite any existing file if necessary.
  3. Create a folder called c:\certs
  4. Create an environment variable OPENSSL_CONF=c:\openssl\openssl.cnf
  5. Stop the InterBase server.

Generating a key

  1. Run CMD as an Administrator.
  2. Using the command line go to c:\openssl
  3. To generate a private key with password run:
    openssl genrsa -aes256 -out c:\certs\key.pem 2048
  4. Type your password and verify it when asked.
  5. The file key.pem is created in the c:\certs folder.

Requesting a key

  1. To request a key, on the command line run:
    openssl req -new -key c:\certs\key.pem -out c:\certs\csr.pem -config openssl.cnf
  2. Type the password you set previously.
  3. When asked for information, you don't need to be specific.
    Note: use anything@somewhere.invalid as email because real emails can cause issues.
  4. The file csr.pem is created in the c:\certs folder.

Signing the key

  1. To sign the key request file with your private key, on the command line run:
    openssl req -x509 -days 3650 -key c:\certs\key.pem -in c:\certs\csr.pem -out c:\certs\ibservercafile.pem
  2. type the password you set before.
  3. The file ibservercafile.pem is created on the c:\certs folder. Use this file on your clients.

Creating the server side file

  1. On the command line, go to the c:\certs folder.
  2. Add ibservercafile to your private key file. On the command line run:
    copy /b ibservercafile.pem + key.pem ibservercafileserver.pem
  3. The file ibservercafileserver.pem is created on the c:\certs folder. Your server requires this file for performing OTW encryption.
  4. You can now close the CMD window.

Configuring InterBase

  1. Make sure the InterBase server is stopped.
  2. Search for the file ibss_config.default. For example: C:\ProgramData\Embarcadero\InterBase\gds_db\secure\server
  3. Open Notepad or other text editor as Administrator.
  4. Type the following text and use the password you set previously:
    Note: This example uses port 4000 instead of the standard port 3065 for security reasons, you can use any free port.
  5. Save the file as ibss_config.txt and place it in the same folder as ibss_config.default
  6. Go to the folder where ibss_config.txt is located and rename it to ibss_config (You may need to disable the "Hide extensions for known file types" option on the Windows folder settings)
  7. Open a text editor as Administrator and open the file services located in the c:\windows\system32\drivers\etc folder.
  8. Change gds_db 3050/TCP to gds_db 3051/TCP, port 3050 is non encrypted.
  9. Add the following line at the bottom:
     gds_ssl       4000/tcp          #InterBase SSL Server
    Note: Use the port number you set on previous steps.
  10. Save and close the file.
  11. Start InterBase server.

Note: On this example, port 3051 was closed on the firewall to prevent any unwanted unencrypted access and port 4000 was opened. Port 4000 is open only to IP addresses that needed it keeping it secure.

Remote connection with FireDAC

The following steps describe how to connect remotely with FireDAC in Delphi:

  1. Place ibservercafile.pem and gds32.dll in your Delphi application directory.
  2. Place TFDconnection and TFDPhysIBDriverLink on your form.
  3. Change the name of TFDPhysIBDriverLink to MyLink
  4. Change MyLink DriverID property to MYIB
  5. Change the FDconnection1 DriverName property to MYIB. Then put this in your form.create event. Don’t forget to change the name of your server(YOURSERVER) and database or database alias (YOURDATABASE):
procedure Tform1.FormCreate(Sender: Tobject);
AppFolder : string;
FDConnection1.Params.add(‘server=YOURSERVER/4000?ssl=true?serverPublicFile=”’+ AppFolder + ‘ibservercafile.pem”??’);
MyLink.VendorLib:=Appfolder + ‘gds32.dll’;