
SSL addcert failed


Daniel Montero

Jan 27, 2009, 8:48:33 PM
Hi.
I am trying to enable SSL for my new ASE 15.0.2. I've followed the
steps stated in the admin guide chapter 19, or at least I think so,
and I am getting an error when trying to do the sp_ssladmin addcert:


Command 'addcert' failed to add certificate path c:\sybase\ASE-15_0\certificates\myserver.crt, system error: SSLDataNotFound.

I've googled but found nothing that enlightens me, nor could I
find that message in the docs.

What I have done so far:


REM CA & server certificate
certreq -F ca_info.txt -R ca_req.txt -K ca_pkey.txt -P donttell
certreq -F server_info.txt -R server_req.txt -K server_pkey.txt -P donttell

REM Self sign ca_req & sign server_req
certauth -r -C ca_req.txt -Q ca_req.txt -K ca_pkey.txt -P donttell -T 365 -O trusted.txt
certauth -C trusted.txt -Q server_req.txt -K ca_pkey.txt -P donttell -T 365 -O server.crt
rename server.crt myserver.crt

Any help will be appreciated.

Mark A. Parsons

Jan 28, 2009, 4:20:28 AM
Have you configured the dataserver to support SSL (sp_configure 'enable ssl',1)?

If you're running the Developer edition you should not need any additional licenses.

If you're not running the Developer edition then you'll also need to download and install a license from the SPDC. The
license option is called "ASE Security and Directory Services Package" (aka ASE_ASM).

If you still have problems could you bounce the dataserver and post the startup info from the dataserver's errorlog?
There are several SSL messages dumped into the errorlog so it may be possible to troubleshoot the issue with these
messages. I would suggest posting the entire errorlog from bootup until you start to see user databases being brought
online.

Mark A. Parsons

Jan 28, 2009, 4:24:34 AM
You may also want to post back here with the edition of the dataserver (ie, output from running 'sp_lmconfig'). The
last edition matrix I have shows SSL is only available in the Developer and Enterprise editions.

Mark A. Parsons

Jan 28, 2009, 6:59:13 AM
While I don't recall the error message, I do know you'll have a problem installing and/or using a certificate if it has
the wrong CN.

Sybase requires that the dataserver certificate (server_req.txt in this case) is set up with CN=<dataserver_name>, where
<dataserver_name> is a) the same as the stanza header in sql.ini and b) the same as @@servername. ("Duh, Mark!" ?)

Daniel Montero

Jan 28, 2009, 2:15:34 PM
On 28 Jan, 03:24, "Mark A. Parsons"

It is a Developer Edition. I have already enabled ssl for this server
using sp_configure.

sp_lmconfig:

Parameter Name     Config Value
-----------------  ---------------
edition            DE
license type       DT
smtp host          smtp
email recipients   us...@2wire.net
email severity     NONE
smtp port          25
email sender       us...@2wire.net

License Name          Version    Quantity  Status    Expiry Date
--------------------  ---------  --------  --------  -----------
ASE_HA                null       0         not used  null
ASE_JAVA              null       0         not used  null
ASE_ASM               2009.1231  1         OK        Permanent
ASE_EFTS              null       0         not used  null
ASE_DIRS              null       0         not used  null
ASE_XRAY              null       0         not used  null
ASE_ENCRYPTION        null       0         not used  null
ASE_CORE              2009.1231  1         OK        Permanent
ASE_PARTITIONS        null       0         not used  null
ASE_RLAC              null       0         not used  null
ASE_MESSAGING_TIBJMS  null       0         not used  null
ASE_MESSAGING_IBMMQ   null       0         not used  null
ASE_MESSAGING_EASJMS  null       0         not used  null

Property Name  Property Value
-------------  --------------
PE             DE
LT             DT
ME             1
MC             25
MS             null
MM             null
CP             1
AS             A

(1 row affected)

Daniel Montero

Jan 28, 2009, 2:18:27 PM
On 28 Jan, 05:59, "Mark A. Parsons"

Yes, I double checked, and the req_commonname parameter in the
server_info.txt file used for the certreq -F parameter is the same as the
@@servername.

Neal Stack [Sybase]

Jan 28, 2009, 4:27:31 PM
to Daniel Montero
Hello,

It looks like you are trying to self-sign a certificate. Try these steps:

c:\temp > certreq
Choose certificate request type:
S - Server certificate request.
C - Client certificate request.
Q - Quit.
Please enter your request [Q] : S
Choose key type:
R - RSA key pair.
D - DSA with ephemeral Diffie-Hellman key exchange.
Q - Quit.
Please enter your request [Q] : R
Enter key length (512,768,1024 for DSA; 512-2048 for RSA) : 1024
Country: USA
State: CO
Locality: Aurora
Organization: Sybase
Organizational Unit: PSE
Common Name: stack1_125
Generating key pair (please wait)...
Enter password for private key (max 64 chars):
Enter file path to save request: stack1_125.req
Enter file path to save private key: stack1_125.pkey

c:\temp > certauth -r -C stack1_125.req -Q stack1_125.req -K stack1_125.pkey -O stack1_125.crt
-- Sybase Test Certificate Authority certauth/12.5.2/EBF 11790/P/Sun_svr4/OS 5.8/ase1252/1831/32-bit/OPT/Fri Apr 9 04:29:15 2004 --
Enter password for CA's private key (max 64 chars):
Certificate Validity:
startDate = Mon Sep 11 08:09:31 2006
endDate = Tue Sep 11 08:09:31 2007
CA sign certificate SUCCEED (0).

c:\temp > pwd
/remote/cases/11267000s/11267066/pseinfo-11/Repro/ASE-12_5/certificates/SELF

c:\temp > ls
stack1_125.crt stack1_125.pkey stack1_125.req

c:\temp > cat stack1_125.pkey >> stack1_125.crt

c:\temp > cp stack1_125.crt ..

c:\temp > cd ..

c:\temp > cp stack1_125.crt stack1_125.txt

**** ftp stack1_125.txt to client as trusted.txt

Regards,
Neal

Daniel Montero

Jan 29, 2009, 1:24:01 PM

Thanks. This did the trick:

c:\temp > cat stack1_125.pkey >> stack1_125.crt

I did read only the admin guide, chap 19, I think I missed it.

I also had to copy the trusted.txt as servername.txt, as instructed by
an error message in the server's log.
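
The fix confirmed above, as an added example that is not part of any post in this thread: a Python check that the server certificate file has the private key appended and that the trusted roots file exists, run before sp_ssladmin addcert. It assumes the certreq/certauth output is PEM-armoured text and that the files are named <servername>.crt and <servername>.txt in the certificates directory; the function names and the sample file contents are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: certreq/certauth write PEM-armoured text blocks.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n.*?\n-----END \1-----", re.S)

def pem_labels(path):
    """Return the PEM block labels found in a file, in order (never the key bytes)."""
    text = Path(path).read_text(errors="replace")
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def check_ase_ssl_files(cert_dir, server_name):
    """Return a list of problems; an empty list means both files look usable."""
    problems = []
    crt = Path(cert_dir) / f"{server_name}.crt"
    roots = Path(cert_dir) / f"{server_name}.txt"
    if not crt.is_file():
        problems.append(f"{crt.name}: missing")
    else:
        labels = pem_labels(crt)
        if "CERTIFICATE" not in labels:
            problems.append(f"{crt.name}: no certificate block")
        if not any(lab.endswith("PRIVATE KEY") for lab in labels):
            problems.append(f"{crt.name}: private key not appended")
    if not roots.is_file():
        problems.append(f"{roots.name}: missing trusted roots file")
    elif "CERTIFICATE" not in pem_labels(roots):
        problems.append(f"{roots.name}: no CA certificate block")
    return problems

def pem(label):
    """Build a constructed PEM block; the body is a placeholder, not real key material."""
    return f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n"

def demo():
    """Replay the thread: certificate only, then key appended and trusted roots copied."""
    with tempfile.TemporaryDirectory() as d:
        crt = Path(d) / "myserver.crt"
        crt.write_text(pem("CERTIFICATE"))
        before = check_ase_ssl_files(d, "myserver")
        crt.write_text(pem("CERTIFICATE") + pem("ENCRYPTED PRIVATE KEY"))
        (Path(d) / "myserver.txt").write_text(pem("CERTIFICATE"))
        after = check_ase_ssl_files(d, "myserver")
    return before, after

if __name__ == "__main__":
    print(demo())
```

The check reads only the PEM armour lines, so it reports the file layout without printing or copying the private key.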

Yang Li

Aug 24, 2012, 4:22:54 PM
to Daniel Montero
Hi Neal;

I followed your steps and successfully created a certificate file servername.crt and copied it to servername.txt. I put both of them in the C:\Sybase\ASE-15_0\certificates\ folder. Then the sp_ssladmin 'addcert' ran without error, then I enabled ssl with sp_configure without error. Restarted the database service without error. Modified sql.ini to add ssl at the end of the master and query lines. Enabled console log in.

On the same server I still can't connect to it with isql.

Also I need to set up a jdbc over ssl connection for my application on another server. Is there any detailed example I can follow? Where should my jks key store path be put when connecting to the database?

Thanks for help.

Yang