Product Documentation

c-treeRTG V3 Update Guide


c-treeRTG Security

c-treeRTG supports robust security options. This chapter explains those options and lists the latest security updates.

For information about security options for utilities, see Security in the c-treeRTG Utilities chapter.

In This Chapter

Secure SSL Communication

c-treeRTG Now Supports c-tree File Ownership Attributes

cmdset Support Added to c-treeRTG

OpenSSL Now Provides Default Faster AES Encryption

Master Key Storage Integration with Amazon AWS Secrets Manager

Encrypted Data Master Key Library

Automatically Enforce Password Strength

SYSLOG Recording of SQL User Logon and Logoff Events

Read-Only Server - Perfect for Reporting and Several HA (High Availability) and DR (Disaster Recovery) Scenarios

Advanced SSL Certificate Options

Perform LDAP_GROUP_CHECK in Context of LDAP Application ID if Specified

LDAP Authentication Diagnostic Logging

V12 Changes


Secure SSL Communication

c-treeRTG Supports TLS/SSL Protecting Data in Transit for Network Communication

c-treeRTG applications can secure data in transit between c-tree network clients and FairCom DB Servers. Transport Layer Security (TLS, still commonly referred to by the name of its predecessor, SSL, Secure Sockets Layer) is a cryptographic protocol for secure network communication: public key cryptography authenticates the communicating party, and symmetric cryptography encrypts the data sent over the wire. FairCom DB TLS relies on the OpenSSL toolkit (version 1.0.2g) and implements TLS version 1.2 exclusively, because earlier TLS versions and the SSL protocols that preceded them contain known and exploited weaknesses. FairCom DB supports TLS over the TCP/IP communication protocols (IPv4 and IPv6). (For more about TLS, see SSL/TLS in Wikipedia.)

Two modes of TLS connection are available: basic and peer authenticated. A basic TLS connection is encrypted using only a server-side certificate; the client needs no certificate of its own, which makes secured connections easy to deploy and manage. A peer-authenticated connection additionally has the client validate the server's certificate, as described under Peer Authentication below.

TLS Certificates

It is the server administrator's responsibility to ensure a correct and valid certificate and private key pair, as well as proper configuration of which TLS connections are allowed.

Creation and management of TLS certificates, as well as use of a Certification Authority (CA), is beyond the scope of this document. Consult OpenSSL and other TLS documentation and be sure you firmly grasp all details regarding the use of TLS for network security before deploying.

Server certificates may be created and provided as two separate files, a certificate and a key, or combined into a single file. There is no required file naming convention. Certificate files are usually created and/or provided as Base64-encoded X.509 certificates with a .pem extension (Privacy Enhanced Mail). They can be identified by this pair of markers surrounding the Base64 body:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

The private key is likewise identified:

-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----

The private key is often included in the same file as the certificate, or supplied as a separate .key file.

A private key can optionally be passphrase protected. The passphrase must then be supplied at server startup; FairCom DB encrypted key store files, created with the ctcpvf utility and referenced by the SERVER_ENCRYPTED_STORE_FILE option described below, provide this without placing the passphrase in clear text in ctsrvr.cfg.

Always protect key files. Store them only in permission-protected areas of the server and never distribute them.

Peer Authentication - TLS Connection with Server Certificate Validation

For server certificate validation, the c-tree client needs a PEM file containing the server's public certificate, and ONLY the public certificate, never the server's private key.

Important: The server private key should be securely maintained only at the FairCom Server location at all times.

By default, c-tree client libraries look for the file ctsrvr.pem in the client process's working directory when connecting.

When the client connects without the server certificate, the connection is still encrypted, but the client has no way to confirm that it is talking to the intended server rather than to an attacker relaying traffic in between (a "man in the middle"). Such an attacker can present a certificate of its own, terminate the TLS session, and read or alter the data before forwarding it. Use server certificate validation wherever the network path between client and server is not fully trusted.
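The two points above (key files stay on the server with restricted permissions; clients receive a PEM file holding only the certificate) are easy to get wrong when a combined certificate-plus-key file is handed around. The following POSIX shell helpers are an added example, not FairCom tooling: they list the PEM blocks in a file, split a combined file into a server-side key file and a certificate-only ctsrvr.pem for clients, and check that the key is not group- or world-readable. The file name ctsrvr.key is an assumption (the server accepts any name via SERVER_PRIVATE_KEY_FILE), and the PEM bodies in make_sample are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example for preparing c-treeRTG TLS files; not part of the product.

# Print the block types found in a PEM file, one per line
# (e.g. "CERTIFICATE", "PRIVATE KEY", "RSA PRIVATE KEY").
pem_block_types() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Succeed only if the file may be handed to clients: it carries at least one
# CERTIFICATE block and no private key block of any kind.
is_client_safe() {
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"; then
        return 1
    fi
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Copy only the CERTIFICATE block(s) of $1 into $2 (the client-side ctsrvr.pem).
extract_certificate() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1" > "$2"
}

# Copy only the private key block(s) of $1 into $2, created owner-readable only.
# The subshell keeps the umask change from leaking into the caller.
extract_private_key() {
    ( umask 077
      sed -n '/^-----BEGIN .*PRIVATE KEY-----$/,/^-----END .*PRIVATE KEY-----$/p' "$1" > "$2" )
}

# Succeed only if the file is readable by neither group nor others.
# find prints the path when either read bit is set, so an empty result is good.
key_perms_ok() {
    [ -z "$(find "$1" -prune \( -perm -g+r -o -perm -o+r \) 2>/dev/null)" ]
}

# Constructed sample: a combined certificate+key file with placeholder bodies.
make_sample() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBszCCAV2gAwIBAgIJAPLACEHOLDERCERTIFICATEBODY
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCPLACEHOLDERKEYBODY
-----END PRIVATE KEY-----
EOF
}

# Demonstration run on the constructed sample.
tmp=$(mktemp -d)
make_sample "$tmp/combined.pem"
echo "blocks in combined.pem:"; pem_block_types "$tmp/combined.pem"
extract_certificate "$tmp/combined.pem" "$tmp/ctsrvr.pem"
extract_private_key "$tmp/combined.pem" "$tmp/ctsrvr.key"
is_client_safe "$tmp/ctsrvr.pem"  && echo "ctsrvr.pem: certificate only, safe to distribute"
is_client_safe "$tmp/combined.pem" || echo "combined.pem: contains a private key, keep on the server"
key_perms_ok "$tmp/ctsrvr.key"    && echo "ctsrvr.key: not readable by group or others"
rm -rf "$tmp"
```

Run is_client_safe against every PEM file before copying it into a client's working directory; a file that fails the check contains key material and must stay on the server.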

Server-Side Configuration

To enable TLS (SSL), add a SUBSYSTEM COMM_PROTOCOL SSL section to ctsrvr.cfg containing your specified TLS configuration options. Supported options include:

  • SERVER_CERTIFICATE_FILE (required) - The name of a PEM-encoded certificate file containing the FairCom DB Server's certificate. It can optionally include the private key as well. The server certificate can be self-signed.
  • SERVER_PRIVATE_KEY_FILE (optional) - If the private key is in a different file than the certificate, use this option to name the file containing the private key. If this option is not specified, the private key is expected to be found in the file named by SERVER_CERTIFICATE_FILE.
  • SERVER_ENCRYPTED_STORE_FILE (optional) - If the private key is passphrase protected, use the ctcpvf utility to create an encrypted store file containing the passphrase used to decrypt the private key, and name that store file with this option.
  • SSL_CONNECTIONS_ONLY (optional) - Default: NO. If this option is set to YES, only TCP/IP connections that use SSL are permitted to connect to the FairCom DB Server. Otherwise both unencrypted and SSL-enabled TCP/IP connections are allowed. Set it to YES in any deployment that does not explicitly need the cleartext fallback; otherwise a client whose ssl attribute is left at its default of "no" silently connects unencrypted.
  • SSL_CIPHERS (optional) - Default: AES256-SHA256:AES256-GCM-SHA384:DHE-RSA-AES256-SHA256
    If this option is specified, it sets the cipher suites allowed for the SSL connection, using OpenSSL cipher-list syntax. The default restricts the connection to AES 256-bit encryption. Ciphers are separated by a colon (":"). An exclamation point ("!") explicitly disables a cipher. @STRENGTH sorts the list in order of encryption key length. Note that only DHE-RSA-AES256-SHA256 in the default list uses an ephemeral Diffie-Hellman key exchange; the two AES256-* suites use static RSA key exchange, so recorded sessions could be decrypted later if the server's private key were ever compromised. Prefer the DHE suites (or ECDHE suites, if your server build enables them) where forward secrecy matters. For more information, see https://www.openssl.org/.

Standard c-tree TCP/IP ports are used for connections regardless of TLS configuration. That is, a single ISAM port will handle both TLS encrypted and non-encrypted connections, and likewise for the SQL port. There is no need for separate port configurations.
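The following ctsrvr.cfg fragments are an added example, not taken from the product documentation, showing the minimal section beside a hardened one (use one or the other, not both). The brace layout of the SUBSYSTEM block and the ";" comment syntax are assumptions about the ctsrvr.cfg format; the file names ctsrvr.key and ctsrvr.pvf are placeholders, the options themselves are the ones listed above, and the cipher names are standard OpenSSL 1.0.2 suite names.

```text
; Minimal: TLS is offered, but SSL_CONNECTIONS_ONLY defaults to NO, so any client
; left at ssl="no" still connects in cleartext, and the default cipher list
; includes two static-RSA suites without forward secrecy.
SUBSYSTEM COMM_PROTOCOL SSL {
   SERVER_CERTIFICATE_FILE ctsrvr.pem
}

; Hardened: TLS required, private key kept in its own file, passphrase supplied
; from an encrypted store built with ctcpvf, and only ephemeral-DH suites allowed.
SUBSYSTEM COMM_PROTOCOL SSL {
   SERVER_CERTIFICATE_FILE     ctsrvr.pem
   SERVER_PRIVATE_KEY_FILE     ctsrvr.key
   SERVER_ENCRYPTED_STORE_FILE ctsrvr.pvf
   SSL_CONNECTIONS_ONLY        YES
   SSL_CIPHERS                 DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:!aNULL:!eNULL:@STRENGTH
}
```

With the hardened section, ctsrvr.pem on the server holds only the certificate, ctsrvr.key is readable by the server account alone, and the copy of ctsrvr.pem placed in each client's working directory is the same certificate-only file.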

Client-Side Configuration

TLS (SSL) communication support is enabled in c-treeRTG through two new attributes of the <instance> configuration element.

  • <instance ssl=""> specifies whether a secure connection should be used to connect to the c-treeRTG server. It accepts "yes" or "no" and defaults to "no".
  • <instance sslcert=""> specifies the PEM file containing the server's public certificate; it is used when server certificate validation is enabled. If the attribute is omitted, the client looks for ctsrvr.pem in its working directory, as described above.

Example

<config>
  <instance ssl="yes" sslcert="ctsrvr.pem" server="FAIRCOMS@localhost" user="ADMIN" password="ADMIN" connect="no" versioncheck="no">
  ...
  </instance>
</config>

The ADMIN/ADMIN credentials shown are the well-known defaults; replace them with a deployment-specific account before use. Note that sslcert names the server's public certificate only; the client never needs, and should never be given, the server's private key.

The server binary is built against OpenSSL and, on Linux, requires two shared libraries at run time:

  • libcrypto.so.1.0.0
  • libssl.so.1.0.0

Current TLS support is based on OpenSSL 1.0.2. That OpenSSL branch reached end of life at the end of 2019, so confirm which OpenSSL build ships with your server release before deploying.

Support for TLS/SSL (1.2) is available for Windows, Linux, and Mac OS X. Other operating systems are considered upon request.
