Configure AES Encryption
By default, AES encryption is not enabled. The AES mechanism must be added to the mechanism list and encryption must be turned on, on both the server and the client, before any connection uses it.
To enable AES encryption
1. Add the AES mechanism to the installation mechanism list. In CBF, set this parameter:
Security, System, mechanisms = aes
2. Turn on encryption on the client for either all or individual connections:
For all connections: Set the outbound encryption mode (for both the installation and the Communications Server) to at least OPTIONAL, or to PREFERRED or ON. In CBF, set these parameters:
On the client: Security, System, ob_encrypt_mode
On the client: Net Server, ob_encrypt_mode
or
For individual connections: Use the encryption_mode attribute in the vnode or connection string.
These settings allow the Communications Server to consider the use of all enabled mechanisms that support encryption, including AES and INGRES.
Additional settings can ensure that only the AES mechanism is used.
To ensure that ONLY the AES mechanism is used
1. (Optional) Add the AES mechanism to the Net Server mechanism list; otherwise leave it as DEFAULT. In CBF, set this parameter:
Net Server, mechanisms = aes
2. (Recommended) Set the inbound and outbound encryption mechanisms to AES; otherwise leave them as *. In CBF, set these parameters:
• On the client: Security, System, ob_encrypt_mech = aes
• On the client: Net Server, ob_encrypt_mech = aes
• On the server: Net Server, ib_encrypt_mech = *
With the server left at *, it accepts whichever enabled mechanism the client selects, so the AES-only restriction is applied by the client-side ob_encrypt_mech settings.
3. Set the inbound and outbound encryption modes. The default values are recommended. In CBF, set these parameters:
• On the client: Security, System, ob_encrypt_mode = off
• On the client: Net Server, ob_encrypt_mode = off
• On the server: Net Server, ib_encrypt_mode = optional
Note: If the outbound encryption mode is set to ON, the encryption_mode connection attribute can be used to turn off encryption for an individual connection that does not need it.
To override outbound encryption mode configuration for an individual connection
Connection string:
@host,port;encryption_mode=on[user,password]::dbname
VNODE attribute:
encryption_mode = on
To override outbound encryption mechanism configuration for an individual connection
Overriding the inbound or outbound encryption mechanism for an individual connection is optional and typically not needed.
Connection string:
@host,port;encryption_mechanism=aes[user,password]::dbname
VNODE attribute:
encryption_mechanism = aes
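The three procedures above (enabling AES, restricting to AES only, and overriding per connection) reduce, for any one connection, to the question of which mode and mechanism it actually gets. The following Python script is added here as an example; it is not part of the Actian product or its documentation. It parses connection strings in the syntax shown above and applies the per-connection encryption_mode and encryption_mechanism attributes on top of the installation-wide ob_encrypt_mode and ob_encrypt_mech values. The connection-string grammar, the precedence of the connection attribute over the installation default, and the audit rule that only mode ON with mechanism aes counts as guaranteed AES are this example's assumptions, and the sample connection strings are constructed.

```python
"""Audit Ingres-style connection strings for the encryption they will get.

Added example, not Actian's code.  It assumes the connection-string syntax
shown on this page,

    @host,port;attr=value;attr=value[user,password]::dbname

and that a per-connection encryption_mode / encryption_mechanism attribute
overrides the installation-wide ob_encrypt_mode / ob_encrypt_mech values.
The policy applied here is the auditor's assumption: only mode "on" with
mechanism "aes" guarantees an AES-encrypted session; "optional" and
"preferred" leave the result to negotiation, and "off" sends plaintext.
"""
import re
from dataclasses import dataclass

VALID_MODES = ("off", "optional", "preferred", "on")

# Grammar taken from the page: @host,port;attr=val;...[user,password]::dbname
CONN_RE = re.compile(
    r"^@(?P<host>[^,;\[]+),(?P<port>[^;\[]+)"
    r"(?P<attrs>(?:;[^\[]*)?)"
    r"\[(?P<creds>[^\]]*)\]::(?P<dbname>.+)$"
)


@dataclass
class OutboundDefaults:
    """Installation-wide client settings (Security, System / Net Server in CBF).

    The field defaults mirror the recommended values on this page."""
    ob_encrypt_mode: str = "off"
    ob_encrypt_mech: str = "*"


def parse_connection_string(conn):
    """Split a connection string into host, port, attributes and dbname."""
    m = CONN_RE.match(conn.strip())
    if m is None:
        raise ValueError(f"unrecognised connection string: {conn!r}")
    attrs = {}
    for item in m.group("attrs").split(";"):
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"attribute without value: {item!r}")
        attrs[key.strip().lower()] = value.strip().lower()
    return {
        "host": m.group("host"),
        "port": m.group("port"),
        "attrs": attrs,
        "dbname": m.group("dbname"),
    }


def effective_encryption(conn, defaults):
    """Return (mode, mechanism) after applying the per-connection overrides.

    Assumption: a connection attribute wins over the installation default."""
    attrs = parse_connection_string(conn)["attrs"]
    mode = attrs.get("encryption_mode", defaults.ob_encrypt_mode).lower()
    mech = attrs.get("encryption_mechanism", defaults.ob_encrypt_mech).lower()
    if mode not in VALID_MODES:
        raise ValueError(f"invalid encryption_mode {mode!r}")
    return mode, mech


def aes_guaranteed(conn, defaults):
    """True only when encryption is forced ON and the mechanism is pinned to aes."""
    mode, mech = effective_encryption(conn, defaults)
    return mode == "on" and mech == "aes"


def audit(conns, defaults):
    """Map each connection string to whether AES is guaranteed for it."""
    return {c: aes_guaranteed(c, defaults) for c in conns}


if __name__ == "__main__":
    # Constructed sample connection strings, as an application might embed them.
    sample = [
        "@dbhost,21064[app,secret]::inventory",
        "@dbhost,21064;encryption_mode=on[app,secret]::inventory",
        "@dbhost,21064;encryption_mode=on;encryption_mechanism=aes[app,secret]::inventory",
    ]
    for conn, ok in audit(sample, OutboundDefaults()).items():
        print(("AES      " if ok else "NOT AES  ") + conn)
```

Run against the page's recommended client defaults (ob_encrypt_mode = off, ob_encrypt_mech = *), only the third sample passes: the first inherits OFF, and the second turns encryption on but leaves the mechanism unpinned, so the session could still negotiate INGRES rather than AES. Pinning ob_encrypt_mech = aes in CBF, as step 2 of the AES-only procedure recommends, makes the second sample pass as well.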