Configure AES Encryption (Ingres Net and GCA Remote Access)
The mechanism and encryption must be configured properly for the server and client. By default, AES encryption is enabled in the config.dat file for Actian X 11.1 and later so that clients can connect successfully both to servers requiring encryption and to those that do not, without any client configuration changes.
To enable AES encryption
1. Add the AES mechanism to the installation mechanism list. In CBF, set this parameter (if not already set):
Security, System, mechanisms = aes
Name Server, mechanisms = default
Net Server, mechanisms = default
Data Access Server, mechanisms = default (only required if DAS connects with encryption to remote, rather than local, DBMS)
2. Turn on encryption on the client for either all or individual connections:
For all connections: Set the outbound encryption mode (for both the installation and Communications Server) to at least OPTIONAL or to PREFERRED or ON. In CBF, set these parameters:
On the client: Security, System, ob_encrypt_mode
On the client: Net Server, ob_encrypt_mode
or
For individual connections: Use the encryption_mode attribute in the vnode or connection string.
These settings allow the Communications Server to consider the use of all enabled mechanisms that support encryption, including AES and INGRES.
Additional settings can ensure that only the AES mechanism be used.
To ensure that ONLY the AES mechanism is used
1. (Optional) Add AES mechanism to Net Server mechanism list; otherwise leave as DEFAULT. In CBF, set this parameter:
Net Server, mechanisms = aes
2. (Optional) Add AES mechanism to Data Access Server mechanism list, but only in the non-typical case where a DAS is running in a client installation and will be connecting to a remote DBMS; otherwise leave as none. In CBF, set this parameter:
Data Access Server, mechanisms = aes
3. (Recommended) Set inbound and outbound encryption mechanisms as AES; otherwise leave as *. In CBF, set these parameters:
• On the client: Security, System, ob_encrypt_mech = aes
• On the client: Net Server, ob_encrypt_mech = aes
• On the server: Net Server, ib_encrypt_mech = *
4. Set inbound and outbound encryption mode. Default values are recommended. In CBF, set these parameters:
• On the client: Security, System, ob_encrypt_mode = optional
• On the client: Net Server, ob_encrypt_mode = optional
• On the server: Net Server, ib_encrypt_mode = optional (set to ON if AES encryption required)
Note: If the outbound encryption mode is set to ON, then the encryption_mode connection attribute can be used to turn off encryption if not needed.
To override outbound encryption mode configuration for an individual connection
Connection string:
@host,port;encryption_mode=on[user,password]::dbname
VNODE attribute:
encryption_mode = on
To override outbound encryption mechanism configuration for an individual connection
Overriding inbound and outbound encryption mechanism configuration is optional and typically not needed.
Connection string:
@host,port;encryption_mechanism=aes[user,password]::dbname
VNODE attribute:
encryption_mechanism = aes
INGRES Mechanism Configuration for Encryption
The INGRES security mechanism also supports encryption but is not cryptographically secure. The INGRES mechanism is always available and may end up providing encryption if the AES mechanism is not properly configured in either the client or server installations.
To ensure the INGRES mechanism will not provide encryption
Set the following parameter in CBF:
Security, System, Mechanisms, ingres, encryption_enabled = false
This setting indicates if the INGRES mechanism encryption capability is enabled (true) or disabled (false). The default is false.
AES Security Mechanism Configuration
Advanced settings for AES Encryption include the following in CBF. Typically, no changes are required. For more information on these parameters, see online help.
Security, System, Mechanisms, aes, enabled = true
Security, System, Mechanisms, aes, module = gcsaes
Security, System, Mechanisms, aes, entry = gcs_aes
Security, System, Mechanisms, aes, aes_key_size = 128
Security, System, Mechanisms, aes, rsa_key_size = 1024
Security, System, Mechanisms, aes, rsa_key_scope = process
Performance Impact of RSA Key Settings
RSA key generation for an AES encrypted connection can significantly impact the time required to make a new connection. Consider these settings:
• Using the rsa_key_scope=process option can reduce the amount of time for establishing subsequent connections when a process makes more than one connection.
• Increasing rsa_key_size may increase the security level but will likely cause longer connect times because larger RSA keys take longer to generate.
Note: RSA key settings do not affect performance after the connection is made.