OpenSSL is supported with the solidDB ODBC Driver and the solidDB data management tools, except for the solidDB SA API based solidDB Speed Loader (solload). When using OpenSSL, use the solidDB ODBC API based (solloado).
If OpenSSL is available, the solidDB server listens for SSL connections (that use the protocol name 'tls') on the TCP port or ports that are defined in the [Com] section of the solid.ini file:
[Com] Listen = tls 1315, tls 2315
Using an untrusted certificate
If the solidDB server is started without specifying a server certificate and private key, a one-time self-signed certificate and corresponding private key is generated by the server for each incoming SSL client connection. The generated key is a 2048 bit RSA key and the generated certificate acts as a container for the public key.
This method does not protect against a ‘man-in-the-middle’ attack and should not be used for sensitive, public communications as the client might establish a connection with an untrustworthy solidDB server.
Using a signed (trusted) certificate
You can protect against a man-in-the-middle attack by creating your own self-signed certificate or using a certificate that is signed by a certificate authority (CA). In this case, the client certificate validation routine can refuse the connection if no valid server certificate is returned.
In this setup, files that contain the server certificate and private key must exist. By default, these files are expected to be named server.crt and server.key, respectively, in the server working directory. You can specify other file names and locations and, if the private key is password protected, a file that contains the password, by using the following server-side solid.ini settings:
A copy of the self-signed certificate or CA public certificate must be stored on each ODBC client. By default, this file is expected to be named client-ca.crt, in the client working directory. You can specify a different file name by using the following client-side solid.ini setting:
To use the certificate complete the following steps:
▪ Copy both the self-signed certificate and the private key to the locations that are specified in the server-side solid.ini parameters Com.ServerCertificate and Com.ServerPrivateKey respectively, or rename the files to server.crt and server.key and save them to the solidDB working directory.
▪ If the private key is password-protected, add the password to a file and then specify the file by using the Com.ServerPrivateKeyPwdFile parameter.
▪ Copy the self-signed certificate to the location that is specified in the client-side solid.ini parameter Com.ClientCAStorePath, or rename the file to client-ca.crt and save it in the client working directory.
Create a private key and public certificate request
For example, the following command creates a private key (myprivate.key) and certificate request (mycertificaterequest.csr) that are valid for one year:
In this example, the private key is protected with the password mypassword, but a password is not compulsory.
Send the certificate request (not the private key) to your certificate authority for signing and you will get the signed public certificate and the CA public certificate in return.
To use the certificates complete the following steps:
▪ Copy the CA-signed certificate and the private key to the locations that are specified in the server-side solid.ini parameters Com.ServerCertificate and Com.ServerPrivateKey respectively, or rename the files to server.crt and server.key and save them to the solidDB working directory.
▪ If the private key is password-protected, add the password to a file and then specify the file by using the Com.ServerPrivateKeyPwdFile parameter.
▪ Copy the CA public certificate to the location that is specified in the client-side solid.ini parameter Com.ClientCAStorePath, or rename the file to client-ca.crt and save it in the client working directory.