Actian X 11.1 | Configure AES Encryption (Ingres Net and GCA Remote Access)

Security Guide > Security Guide > Using Secure Communications Encryption with AES > Configure AES Encryption (Ingres Net and GCA Remote Access)

Was this helpful?

Configure AES Encryption (Ingres Net and GCA Remote Access)

The mechanism and encryption must be configured properly for the server and client. By default, AES encryption is enabled in the config.dat file for Actian X 11.1 and later so that clients can connect successfully both to servers requiring encryption and to those that do not, without any client configuration changes.

To enable AES encryption

1. Add the AES mechanism to the installation mechanism list. In CBF, set this parameter (if not already set):

Security, System, mechanisms = aes

Name Server, mechanisms = default

Net Server, mechanisms = default

Data Access Server, mechanisms = default (only required if DAS connects with encryption to remote, rather than local, DBMS)

2. Turn on encryption on the client for either all or individual connections:

For all connections: Set the outbound encryption mode (for both the installation and Communications Server) to at least OPTIONAL or to PREFERRED or ON. In CBF, set these parameters:

On the client: Security, System, ob_encrypt_mode

On the client: Net Server, ob_encrypt_mode

For individual connections: Use the encryption_mode attribute in the vnode or connection string.

These settings allow the Communications Server to consider the use of all enabled mechanisms that support encryption, including AES and INGRES.

Additional settings can ensure that only the AES mechanism be used.

To ensure that ONLY the AES mechanism is used

1. (Optional) Add AES mechanism to Net Server mechanism list; otherwise leave as DEFAULT. In CBF, set this parameter:

Net Server, mechanisms = aes

2. (Optional) Add AES mechanism to Data Access Server mechanism list, but only in the non-typical case where a DAS is running in a client installation and will be connecting to a remote DBMS; otherwise leave as none. In CBF, set this parameter:

Data Access Server, mechanisms = aes

3. (Recommended) Set inbound and outbound encryption mechanisms as AES; otherwise leave as *. In CBF, set these parameters:

• On the client: Security, System, ob_encrypt_mech = aes

• On the client: Net Server, ob_encrypt_mech = aes

• On the server: Net Server, ib_encrypt_mech = *

4. Set inbound and outbound encryption mode. Default values are recommended. In CBF, set these parameters:

• On the client: Security, System, ob_encrypt_mode = optional

• On the client: Net Server, ob_encrypt_mode = optional

• On the server: Net Server, ib_encrypt_mode = optional (set to ON if AES encryption required)

Note: If the outbound encryption mode is set to ON, then the encryption_mode connection attribute can be used to turn off encryption if not needed.

To override outbound encryption mode configuration for an individual connection

Connection string:

@host,port;encryption_mode=on[user,password]::dbname

VNODE attribute:

encryption_mode = on

To override outbound encryption mechanism configuration for an individual connection

Overriding inbound and outbound encryption mechanism configuration is optional and typically not needed.

Connection string:

@host,port;encryption_mechanism=aes[user,password]::dbname

VNODE attribute:

encryption_mechanism = aes

INGRES Mechanism Configuration for Encryption

The INGRES security mechanism also supports encryption but is not cryptographically secure. The INGRES mechanism is always available and may end up providing encryption if the AES mechanism is not properly configured in either the client or server installations.

To ensure the INGRES mechanism will not provide encryption

Set the following parameter in CBF:

Security, System, Mechanisms, ingres, encryption_enabled = false

This setting indicates if the INGRES mechanism encryption capability is enabled (true) or disabled (false). The default is false.

AES Security Mechanism Configuration

Advanced settings for AES Encryption include the following in CBF. Typically, no changes are required. For more information on these parameters, see online help.

Security, System, Mechanisms, aes, enabled = true

Security, System, Mechanisms, aes, module = gcsaes

Security, System, Mechanisms, aes, entry = gcs_aes

Security, System, Mechanisms, aes, aes_key_size = 128

Security, System, Mechanisms, aes, rsa_key_size = 1024

Security, System, Mechanisms, aes, rsa_key_scope = process

Performance Impact of RSA Key Settings

RSA key generation for an AES encrypted connection can significantly impact the time required to make a new connection. Consider these settings:

• Using the rsa_key_scope=process option can reduce the amount of time for establishing subsequent connections when a process makes more than one connection.

• Increasing rsa_key_size may increase the security level but will likely cause longer connect times because larger RSA keys take longer to generate.

Note: RSA key settings do not affect performance after the connection is made.

Last modified date: 11/09/2022