
Use TLS with FairCom's ISAM, CTDB, and SQL client drivers

FairCom client driver settings to connect securely to FairCom's ISAM, CTDB, and SQL APIs

FairCom's ISAM, SQL ODBC, and SQL JDBC client libraries require a server certificate file in the client process's working directory. This file must be a PEM file containing the CA certificate (or the server's self-signed certificate). By default, the file must be named ctsrvr.pem.

Client software can use the following code to register a certificate file other than ctsrvr.pem; FairCom's driver uses this file to validate the server's self-signed or CA certificate:

ctSetCommProtocolOption(ctCOMMOPT_FSSLTCP_SERVER_CERTIFICATE, "my server cert.pem");

If you want to establish TLS communications with a FairCom server but do not want to verify the server's identity, use the following code to register an empty server certificate file name with FairCom's client software. This approach is vulnerable to a man-in-the-middle attack, because the client accepts whatever certificate the server presents.

ctSetCommProtocolOption(ctCOMMOPT_FSSLTCP_SERVER_CERTIFICATE, "");

If an error occurs when connecting using TLS, the connection attempt returns error 1104 (SSLCONN_ERR).

For troubleshooting, client software can use the following code to write TLS debug logging to the specified file:

ctSetCommProtocolOption(ctCOMMOPT_FSSLTCP_DEBUG_LOG, "ssldebug.log");

Alternatively, set the environment variable CTSSL_DEBUG_LOG to the name of the SSL debug log file.

You can use TLS security keywords to modify TLS behavior on a FairCom server.

  1. Navigate to and open the ctsrvr.cfg file in the <faircom>/config/ folder.

  2. Edit or add the SUBSYSTEM COMM_PROTOCOL SSL setting.

    Note

    The SUBSYSTEM COMM_PROTOCOL SSL setting normally exists in ctsrvr.cfg but is commented out with a semicolon at the beginning of the section. Uncomment it by removing the semicolon.

  3. If this setting does not exist, add it using the "Default minimally secure configuration for COMM_PROTOCOL SSL" example below.

  4. Modify the "Default minimally secure configuration for COMM_PROTOCOL SSL" example to match your desired TLS configuration options.

    Note

    The default setting is insecure because it is designed for maximum connectivity and compatibility while evaluating the server.

  5. Verify that the files you specified above actually exist at the specified locations on this server computer.

  6. Create and use a secure configuration for all your environments.

  7. If your FairCom server is already running, restart it so the changes you have made to the ctsrvr.cfg file take effect. This file is processed only at server startup.

Examples

Default minimally secure configuration for COMM_PROTOCOL SSL example

SUBSYSTEM COMM_PROTOCOL SSL {
  SERVER_CERTIFICATE_FILE serverCert.pem
  SSL_CONNECTIONS_ONLY NO
  SSL_CIPHERS ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH
}

Maximally secure configuration for COMM_PROTOCOL SSL example

SUBSYSTEM COMM_PROTOCOL SSL {
  SERVER_CERTIFICATE_FILE my_server_certificate.pem
  SERVER_PRIVATE_KEY_FILE my_server_key.key
  SSL_CONNECTIONS_ONLY YES
  SSL_CIPHERS AES256-SHA256:AES256-GCM-SHA384:DHE-RSA-AES256-SHA256
}
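As an added example (not FairCom's own code), the following Python checker parses the SUBSYSTEM COMM_PROTOCOL SSL block of a ctsrvr.cfg and reports what the procedure above asks you to verify: that the block is uncommented, that SSL_CONNECTIONS_ONLY is YES, that the evaluation-default cipher string has been replaced, and that the certificate and key files exist (step 5). The embedded configurations are constructed from the two examples above, and the file-existence check is injectable so the sample runs offline.

```python
import os
import re

# Constructed samples built from the page's two examples: the shipped block
# commented out with ';', the evaluation default, and the hardened block.
COMMENTED_CFG = ";SUBSYSTEM COMM_PROTOCOL SSL {\n;  SSL_CONNECTIONS_ONLY NO\n;}\n"
DEFAULT_CFG = """SUBSYSTEM COMM_PROTOCOL SSL {
  SERVER_CERTIFICATE_FILE serverCert.pem
  SSL_CONNECTIONS_ONLY NO
  SSL_CIPHERS ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH
}"""
HARDENED_CFG = """SUBSYSTEM COMM_PROTOCOL SSL {
  SERVER_CERTIFICATE_FILE my_server_certificate.pem
  SERVER_PRIVATE_KEY_FILE my_server_key.key
  SSL_CONNECTIONS_ONLY YES
  SSL_CIPHERS AES256-SHA256:AES256-GCM-SHA384:DHE-RSA-AES256-SHA256
}"""
EVAL_DEFAULT_CIPHERS = "ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH"

def parse_ssl_block(cfg_text):
    """Settings of the active SSL block, or None if absent/commented out."""
    settings, in_block = {}, False
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # ';' comments a line out
            continue
        if not in_block:  # look for the block header; skip everything else
            in_block = bool(re.match(r"SUBSYSTEM\s+COMM_PROTOCOL\s+SSL\s*\{", line))
            continue
        if line == "}":
            return settings
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return None  # header never seen, or block never closed

def check_ssl_config(cfg_text, file_exists=os.path.exists):
    """Return findings for the block; an empty list means it passes."""
    block = parse_ssl_block(cfg_text)
    if block is None:
        return ["no active SUBSYSTEM COMM_PROTOCOL SSL block (missing or commented out)"]
    findings = []
    if block.get("SSL_CONNECTIONS_ONLY", "NO").upper() != "YES":
        findings.append("SSL_CONNECTIONS_ONLY is not YES: plaintext connections are accepted")
    if block.get("SSL_CIPHERS") == EVAL_DEFAULT_CIPHERS:
        findings.append("SSL_CIPHERS is the evaluation default; restrict it for production")
    for key in ("SERVER_CERTIFICATE_FILE", "SERVER_PRIVATE_KEY_FILE"):
        path = block.get(key)
        if path and not file_exists(path):  # step 5: referenced files must exist
            findings.append(f"{key} refers to a missing file: {path}")
    return findings
```

Run it against the real ctsrvr.cfg by passing the file's contents and the default file_exists, from the <faircom>/config/ directory so relative certificate paths resolve as the server sees them.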
