|
|
|
File Camouflage has been restricted in V13.1.0. Calling ctSETENCRYPT() with options enabling File Camouflage now fails with error CAMO_NSUP_ERR(1210). Existing application files migrated from an earlier version may continue using Camouflage using the keyword ENABLE_CAMO YES. If file encryption is desired, it is suggested to enable the ADVANCED_ENCRYPTION YES configuration option and convert these files to AES encryption, which can be done using a faircom utility (ctcmpcif or ctcv67).
Several files used by Faircom may have Camouflage enabled, depending on the server configuration when the file was first created: FAIRCOM.FCS, SYSLOG*.FCS, SQL database dictionaries (e.g., ctreeSQL.fdd), and possibly Transaction logs (L*.FCS), Log Templates (L*.FCT), or Log Archives (L*.FCA). Transaction logs using Camouflage are no longer supported and must be removed before updating to V14. The other files will be checked at startup and converted to remove the Camouflage (FAIRCOM.FCS and SQL dictionaries require the ctscmp utility to be present in the process working directory for conversion to occur). Password hashes stored in FAIRCOM.FCS remain in a secure form.
The behavior of several related server configuration keywords has changed:
SYSLOG ENCRYPT
ADMIN_ENCRYPT
LOG_ENCRYPT
These keywords no longer produce Camouflaged files.
LOG_ENCRYPT and SYSLOG ENCRYPT are only allowed when ADVANCED_ENCRYPTION YES is enabled.
ADMIN_ENCRYPT is ignored unless ADVANCED_ENCRYPTION YES is enabled.
SQL database dictionaries are only encrypted if ADVANCED_ENCRYPTION YES is enabled.
If AES encryption is desired for these files, they must be recreated or converted using the ctscmp or ctcmpcif utilities, which have encryption-specific options. Transaction logs, Log templates, or Log Archives don't have an option to change the encryption of existing logs; these files must be removed.
The format of the tamper-resistant configuration file (ctsrvr.set) has changed. Existing ctsrvr.set files must be recreated using a current version of ctcfgset. Additionally, the following keywords are not allowed in ctsrvr.set: LOCAL_DIRECTORY, FIPS_ENCRYPTION, and MULTILINE_STATUS_LOG_MESSAGE
To remove camouflage from a superfile:
Use the superfile compact utility ctscmp with -cleartext option: ctscmp <myfile> -cleartext
To remove camouflage from a regular file:
Use the file compact utility ctcmpcif with -encrypt=none option: ctcmpcif <myfile> -encrypt=none
If using the server for conversions, you must first enable the following options:
ENABLE_CAMO YES
CHANGE_ENCRYPTION_ON_COMPACTYES
These can be removed following conversion.
