Product Documentation

Database Administrator's Guide

Shared Memory Performance Enhancement for all Unix Platforms

A shared memory performance enhancement has been enabled for all Unix platforms, starting with the base c-treeACE V11.6 line. The following changes have now been well proven in production use since late fall of 2017.

The Unix/Linux shared memory communication protocol has been changed to improve performance: the internal spin operation is now more efficient, which particularly benefits relatively short database operations.

Compatibility Note: Because of this shared memory change, client applications must be recompiled against the updated client library. A server that uses the modified shared memory protocol only accepts shared memory connections from clients that also use the new protocol. If an older client (pre-V11.6) attempts to connect over shared memory, the connection fails with error SHMC_ERR (841) and the server logs a message such as the following to CTSTATUS.FCS:

    Fri May 26 12:13:07 2017
    - User# 00016 FSHAREMM: The client's shared memory version (3) is not compatible with the server's shared memory version (4)

Note that this is a fail-closed check: an old client is rejected rather than silently falling back to a different protocol, so TCP/IP connectivity should be verified separately if it is intended as the fallback.

SUBSYSTEM COMM_PROTOCOL Keywords

Add a SUBSYSTEM COMM_PROTOCOL SSL section to ctsrvr.cfg containing your chosen TLS configuration options. Supported options include:

  • SERVER_CERTIFICATE_FILE (required) - The name of a PEM-encoded certificate file containing the FairCom DB server certificate. The file may also contain the private key. The server certificate can be self-signed.
  • SERVER_PRIVATE_KEY_FILE (optional) - If the private key is in a different file than the certificate, use this option to indicate the name of the file containing the private key. If this option is not specified, the private key is expected to be found in the file whose name is specified by the SERVER_CERTIFICATE_FILE option.
  • SERVER_ENCRYPTED_STORE_FILE (optional) - If the private key is encrypted, use the ctcpvf utility to create an encrypted store file containing the passphrase used to decrypt the private key and specify the name of the encrypted store file with this option.
  • SSL_CONNECTIONS_ONLY (optional) - Default: NO. If this option is specified with a value of YES, only TCP/IP connections that use SSL are permitted to connect to the FairCom DB Server. Otherwise, both unencrypted and SSL-enabled TCP/IP connections are allowed.
  • SSL_CIPHERS (optional) - Default: AES256-SHA256:AES256-GCM-SHA384:DHE-RSA-AES256-SHA256
    If this option is specified, it sets the cipher suites that are allowed for encrypting the SSL connection. The default permits only AES with 256-bit keys. Ciphers are separated by a colon (":"). An exclamation point ("!") explicitly disables a cipher. @STRENGTH sorts the list in order of encr
  • VERIFY_CLIENT_CERTIFICATE { YES | NO } - Default: NO. The server requires the client to supply an X.509 certificate. Unless x509_AUTHENTICATION is enabled, the client must still supply a username and password: on its own, the certificate proves only that the client holds a key signed by a trusted CA, it does not identify the database user.
  • x509_AUTHENTICATION { YES | NO } - Default: NO. If the client provides an X.509 certificate at login, it is used for authentication and database authorization in place of a username/password. By default, the only trusted CA is the root CA of the SERVER_CERTIFICATE_FILE, so the client certificate must chain to the same root CA as the server certificate. Combine this option with VERIFY_CLIENT_CERTIFICATE YES to make the certificate mandatory; without it, a client that presents no certificate can still log in with a username and password.

    If x509_AUTHENTICATION is enabled, the following keywords control how a username is extracted from the subject field of a successfully authenticated client X.509 certificate.

    • x509_PATH: Mandatory. Specifies which relative distinguished name (RDN) component of the full distinguished name (DN) to parse. This should be specified using the short form name, such as CN.
    • x509_PREFIX: Optional. If specified, the value found in x509_PATH must contain this prefix, which is removed when forming the username.
    • x509_DELIMITER: Optional. If specified, the value found in x509_PATH must contain this suffix, which is removed when forming the username.
    • x509_REQUIREMENT_PATH: Optional. If specified, the DN must contain this RDN.
    • x509_REQUIREMENT: Optional. If specified, the RDN specified by x509_REQUIREMENT_PATH must match this value.

NOTE: All name matching is case insensitive, as is the resulting user name used for login.

Example:

If the server has the following configuration:

    x509_AUTHENTICATION YES
    x509_PATH CN
    x509_REQUIREMENT_PATH O
    x509_REQUIREMENT faircom inc

a certificate with the following subject would resolve to the user name "John Doe":

    Subject: C=US, ST=Missouri, O=FairCom Inc, OU=R&D, CN=John Doe/emailAddress=john.doe@faircom.com

A certificate with the following subject would NOT resolve to the user name "admin", because "Acme Inc" does not match the x509_REQUIREMENT value "faircom inc" (the comparison is case insensitive), and an error would be returned:

    Subject: C=US, ST=Missouri, O=Acme Inc, OU=R&D, CN=admin/emailAddress=john.doe@gmail.com

Use the SUBSYSTEM COMM_PROTOCOL SSL keyword DEBUG_LOG = <log file> to aid in debugging certificate name matching.
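The following Python script is an added illustration, not FairCom's own code or part of the original documentation. It applies the x509_PATH, x509_PREFIX, x509_DELIMITER, x509_REQUIREMENT_PATH and x509_REQUIREMENT rules to the two sample subjects above and shows why one resolves to "John Doe" while the other is rejected. It goes beyond the page's example by also exercising x509_PREFIX and x509_DELIMITER on a constructed subject. The constructed ctsrvr.cfg fragment, its brace-delimited section layout, the ";" comment character, the file name ctsrvr.pem, the "key=value" subject syntax (including OpenSSL's "/key=value" oneline style seen in the sample CN) and the reading of x509_PREFIX as a leading and x509_DELIMITER as a trailing string are all assumptions of this example.

```python
"""Added example (not FairCom's code): resolve a login name from a client
X.509 subject by applying the x509_* keywords described on this page.
Assumed: brace-delimited SUBSYSTEM COMM_PROTOCOL SSL block, ';' comments,
', '-separated "key=value" subject components (plus OpenSSL "/key=value"),
x509_PREFIX leading and x509_DELIMITER trailing. Escaped commas and
multi-valued RDNs are not handled."""
import re

# Constructed ctsrvr.cfg fragment for the example on this page (ctsrvr.pem is assumed).
SAMPLE_CFG = """\
SUBSYSTEM COMM_PROTOCOL SSL {
   SERVER_CERTIFICATE_FILE   ctsrvr.pem
   SSL_CONNECTIONS_ONLY      YES
   VERIFY_CLIENT_CERTIFICATE YES
   x509_AUTHENTICATION       YES   ; use the client certificate as identity
   x509_PATH                 CN
   x509_REQUIREMENT_PATH     O
   x509_REQUIREMENT          faircom inc
}
"""
# The two subjects from the page's example.
GOOD_SUBJECT = "Subject: C=US, ST=Missouri, O=FairCom Inc, OU=R&D, CN=John Doe/emailAddress=john.doe@faircom.com"
BAD_SUBJECT = "Subject: C=US, ST=Missouri, O=Acme Inc, OU=R&D, CN=admin/emailAddress=john.doe@gmail.com"


class X509LoginError(Exception):
    """The subject does not satisfy the configured x509_* rules."""


def parse_ssl_section(cfg_text):
    """Return {KEYWORD: value} from the SUBSYSTEM COMM_PROTOCOL SSL block.
    Keywords are upper-cased (case-insensitive lookup); values keep their case
    and may contain spaces (e.g. x509_REQUIREMENT faircom inc)."""
    settings, in_block = {}, False
    for raw in cfg_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments (assumed syntax)
        if not line:
            continue
        if not in_block:
            in_block = line.upper().startswith("SUBSYSTEM COMM_PROTOCOL SSL")
            continue
        if line == "}":
            break
        if line == "{":
            continue
        keyword, _, value = line.partition(" ")
        settings[keyword.upper()] = value.strip()
    return settings


def parse_subject(subject):
    """Split a subject line into {RDN short name (upper-cased): value}.
    Splits on ', ' and on a '/' that introduces another key=value pair."""
    subject = subject.strip()
    if subject.lower().startswith("subject:"):
        subject = subject[len("subject:"):].strip()
    rdns = {}
    for part in re.split(r",\s*|/(?=[A-Za-z]+=)", subject):
        if "=" in part:
            key, value = part.split("=", 1)
            rdns[key.strip().upper()] = value.strip()
    return rdns


def resolve_username(subject, cfg):
    """Apply the x509_* rules; all comparisons are case insensitive.
    Returns the extracted name as written in the certificate (the server
    treats the login name itself case-insensitively)."""
    if cfg.get("X509_AUTHENTICATION", "NO").upper() != "YES":
        raise X509LoginError("x509_AUTHENTICATION is not enabled")
    rdns = parse_subject(subject)
    path = cfg["X509_PATH"].upper()  # mandatory keyword
    if path not in rdns:
        raise X509LoginError(f"subject has no {path} component")
    value = rdns[path]
    req_path = cfg.get("X509_REQUIREMENT_PATH")
    if req_path:  # another RDN must be present and (optionally) match a value
        req_path = req_path.upper()
        if req_path not in rdns:
            raise X509LoginError(f"subject lacks required {req_path} component")
        required = cfg.get("X509_REQUIREMENT")
        if required is not None and rdns[req_path].lower() != required.lower():
            raise X509LoginError(f"{req_path}={rdns[req_path]!r} does not match {required!r}")
    prefix = cfg.get("X509_PREFIX")
    if prefix:
        if not value.lower().startswith(prefix.lower()):
            raise X509LoginError(f"{path}={value!r} lacks prefix {prefix!r}")
        value = value[len(prefix):]
    suffix = cfg.get("X509_DELIMITER")
    if suffix:
        if not value.lower().endswith(suffix.lower()):
            raise X509LoginError(f"{path}={value!r} lacks suffix {suffix!r}")
        value = value[:-len(suffix)]
    return value


def try_login(subject, cfg):
    """Return (True, username) on success or (False, reason) on rejection."""
    try:
        return True, resolve_username(subject, cfg)
    except X509LoginError as exc:
        return False, str(exc)


if __name__ == "__main__":
    cfg = parse_ssl_section(SAMPLE_CFG)
    for subj in (GOOD_SUBJECT, BAD_SUBJECT):
        print(try_login(subj, cfg))
    # Constructed service certificate, CN=db-alice.svc -> "alice"
    svc_cfg = {"X509_AUTHENTICATION": "YES", "X509_PATH": "CN",
               "X509_PREFIX": "db-", "X509_DELIMITER": ".svc"}
    print(try_login("CN=db-alice.svc, O=Example", svc_cfg))
```

The rejection messages are the kind of detail a DEBUG_LOG would need to carry; note that the check is on the organization RDN (O), so a certificate from a different organization signed by the same trusted root is still refused a login even though the TLS handshake itself succeeds.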
