Information
Sybase ASE supports SSL encryption as a means of ensuring confidentiality between clients and servers. SSL is a widely accepted standard for securing the transmission of sensitive information, such as credit card numbers, stock trades, and banking transactions over the Internet. It relies on public-key cryptography and allows the client and server to negotiate a mutually acceptable cipher.
Sybase ASE 15.0.2 also supports the NIST-approved AES algorithm and new options for setting cipher suite preference via the sp_ssladmin stored procedure.
SSL encryption of connections is disabled by default. When it is enabled, a client can potentially negotiate a cryptographically weak cipher suite. It is recommended that SSL support is enabled and that the cipher suite preference is set to strong (or FIPS if your organization mandates FIPS-compliance).
Rationale:
SSL encryption prevents passive sniffing attacking from capturing sensitive data that may be transmitted between client applications and the server such as credit cards and SSNs. A strong cipher suite is required to prevent cryptographic attacks on clients that force the server to use weak algorithms.
Solution
There are several steps involved to enable SSL. The information below is provided as an outline only; it is recommended that the System Security Officer consult the Sybase ASE 15.0 Administration Guide, Volume 1, Chapter 19 for detailed advice.
1. Generate a certificate for the server.
2. Create a trusted roots file.
3. Connect to the ASE server as a user with the sso_role and execute the following SQL statement to enable SSL:
exec sp_configure 'enable ssl' 1
4. Add the SSL filter to the interfaces file.
5. Use sp_ssladmin stored procedure to add a certificate to the certificates file. See Administering certificates.
6. Execute the following SQL statement to enforce strong cipher suites (note strong should be substituted for FIPS if your organization mandates the use of FIPS-compliant algorithms):
exec sp_ssladmin setcipher, 'strong'