Certificate locations (Linux/Unix)
On Linux and Unix, the TLS protocol implementation is provided by the OpenSSL libraries. The OpenSSL libraries used in Actian applications are provided by Actian. Actian applications do not use the OpenSSL runtime libraries that are installed with the operating system.
Actian OpenSSL libraries are distributed in:
$II_SYSTEM/ingres/lib as libcrypto-act.so and libssl-act.so
This also applies to the existing implementation of AES encryption.
OpenSSL is capable of using different types of locations for certificates and keys (files and directories). The OpenSSL source code has default values for them. They are based on the OPENSSLDIR setting. The default file is OPENSSLDIR/cert.pem, the default directory is OPENSSLDIR/certs.
OPENSSLDIR is not the name of an environment variable or other runtime setting (as one might assume), but the name of a configuration setting used when building the OpenSSL product from its source code. This means that the OPENSSLDIR setting depends on the provider of the OpenSSL libraries and executables.
The built-in default value for OPENSSLDIR in OpenSSL source code is /usr/local/ssl. Therefore the default file and directory names in the Actian OpenSSL build are /usr/local/ssl/cert.pem and /usr/local/ssl/certs, respectively, since we are not changing the default value for OPENSSLDIR.
Typically, Linux/Unix OS providers change the setting for OPENSSLDIR, but they use individual values. For example:
• RedHat uses ‘/etc/pki/tls’
• Debian-based systems (Ubuntu) use ‘/usr/lib/ssl’
• AIX uses ‘/var/ssl’
• Solaris uses ‘/etc/openssl’
• MacOS uses ‘/usr/local/etc/openssl@3’
This means that, unlike on Windows, there is no consistent location for the operating system provided set of root CA certificates across the different Linux and Unix distributions. The actual value of the OPENSSLDIR setting, and therefore the location of the root CA certificates provided by your operating system, can be looked up by running the command ‘openssl version -d’.
Note: The openssl command is provided by the OpenSSL package of your operating system. This means that the output of ‘openssl version -d’ can be different on each operating system.
Since the Actian products do not ship an openssl executable, there is no direct way to verify the OPENSSLDIR setting of the OpenSSL libraries provided in Actian products. Actian does not change the OPENSSLDIR setting, therefore the default values apply.
In our TLS communications, these default locations are allowed for root CA or intermediate CA certificates:
/usr/local/ssl/cert.pem (file)
/usr/local/ssl/certs (directory)
To use the operating system root certificate locations in Actian client applications, you can create symbolic links (for example, on a RedHat system):
$ ls -l /usr/local/ssl
total 0
lrwxrwxrwx. 1 root root 21 6. Jun 14:45 cert.pem -> /etc/pki/tls/cert.pem
lrwxrwxrwx. 1 root root 18 15. Apr 13:08 certs -> /etc/pki/tls/certs
Additional locations for certificate lookup are:
$II_SYSTEM/ingres/files/tls (directory)
$II_SYSTEM/ingres/files/tls/client.crt (file)
These can be used if adding certificates to the system wide location is not desired or allowed.
Note: When providing individual certificate files in directories, it is required to create symbolic links using the openssl rehash command (c_rehash script).
To speed up the lookup process of certificate chain verification, the OpenSSL implementation calculates a hash value from the issuer information of the to-be-verified certificate. This value plus an appended .0 (or .1 or .2) is used as a file name to locate the certificate of the issuer in the allowed directories.
For example, two certificate files exist in the client's $II_SYSTEM/ingres/files/tls directory, one for a root CA and one for an intermediate CA.
Without symbolic links the verification fails:
$ ls -l $II_SYSTEM/ingres/files/tls
total 16
-rw-rw-rw-. 1 ingres ingresqa 4506 6. Jun 12:12 root-ca.crt
-rw-rw-rw-. 1 ingres ingresqa 4528 6. Jun 12:12 signing-ca.crt
$ echo "select count(*) from iitables\g"|sql '@<hostname>,tls,<port>[<user name>,<password>]::<database>'
INGRES TERMINAL MONITOR Copyright 2025 Actian Corporation
E_LC0001 GCA protocol service (GCA_REQUEST) failure.
Internal service status E_GC0090 -- TLS failed - SSL_connect() failed
with error 0A000086 - certificate verify failed - unable to get local
issuer certificate.
E_LQ0001 Failed to connect to DBMS session.
After you create the symbolic links and rerun the command, the verification succeeds:
$ openssl rehash $II_SYSTEM/ingres/files/tls
$ ls -l $II_SYSTEM/ingres/files/tls
total 16
lrwxrwxrwx. 1 ingres ingresqa 11 6. Jun 14:56 b50f273e.0 -> root-ca.crt
lrwxrwxrwx. 1 ingres ingresqa 14 6. Jun 14:56 fadd0f36.0 -> signing-ca.crt
-rw-rw-rw-. 1 ingres ingresqa 4506 6. Jun 12:12 root-ca.crt
-rw-rw-rw-. 1 ingres ingresqa 4528 6. Jun 12:12 signing-ca.crt
$ echo "select count(*) from iitables\g"|sql '@<hostname>,tls,<port>[<user name>,<password>]::<database>'
INGRES TERMINAL MONITOR Copyright 2025 Actian Corporation
Actian X Linux Version II 12.0.1 (a64.lnx/00) login
Fri Jun 6 05:58:39 2025
continue
Executing . . .
┌────────────────┐
│col1 │
├────────────────┤
│ 195│
└────────────────┘
(1 row)
continue
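The hash-link lookup described above can be checked before a connection is attempted. The following script is an added example, not part of the Actian documentation or product; the function names issuer_link_name and audit_cert_dir and the script name are hypothetical, and it assumes the operating system's openssl executable is on the PATH.

```shell
#!/bin/sh
# Added example; requires the operating system's openssl executable on PATH.

# Print the file name OpenSSL looks for first when it needs the issuer of
# certificate $1: the hash of the issuer name plus ".0".
issuer_link_name() {
    printf '%s.0\n' "$(openssl x509 -noout -issuer_hash -in "$1")"
}

# For every certificate file in directory $1, print
#   OK <file> <link>         if a <subject-hash>.N link resolves to it
#   MISSING <file> <hash>.0  otherwise
# Returns 1 if at least one certificate has no link.
audit_cert_dir() {
    dir=$1
    missing=0
    for f in "$dir"/*.crt "$dir"/*.pem; do
        # Skip unmatched globs and symbolic links.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        # Skip files that openssl cannot parse as a certificate.
        hash=$(openssl x509 -noout -subject_hash -in "$f" 2>/dev/null) || continue
        found=
        for link in "$dir/$hash".[0-9]*; do
            # A link counts only if it resolves to this very file.
            if [ -e "$link" ] && [ "$link" -ef "$f" ]; then
                found=$link
                break
            fi
        done
        if [ -n "$found" ]; then
            echo "OK ${f##*/} ${found##*/}"
        else
            echo "MISSING ${f##*/} $hash.0"
            missing=1
        fi
    done
    return "$missing"
}

# Usage: sh audit_tls_dir.sh "$II_SYSTEM/ingres/files/tls"
if [ "$#" -gt 0 ]; then
    audit_cert_dir "$1"
fi
```

A MISSING line for a CA certificate means the issuer lookup for certificates it signed will fail with "unable to get local issuer certificate", as in the first run above; running openssl rehash on the directory creates the named link.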