The forum will be down for scheduled maintenance on Saturday, March 4 beginning at 10am EST. Actual downtime is unknown but may be several hours.

We've received a wild-card certificate for our domain, say .aaa.bbb.cc from our service provider.
(This file is in a
.pfx format).

When I try to start my database using HTTPS:

-x TCPIP -xs https(identity="C:\xxxx\yyyy.pfx";identity_password="zzzz";port=443), Sybase fails to start with the message 'Unable to open certificate file "C:\xxxx\yyyy.pfx"'

Any advice? Am I supposed to do something with the original certificate before it can be used in this context?

asked 20 Jun '14, 09:14

Liam's gravatar image

Liam
36191118
accept rate: 0%


You need to convert your certificate from PFX format to PEM format.

To do this you can use the openssl tools. E.g. see here for a description.

HTH

permanent link

answered 20 Jun '14, 09:39

Mark%20Culp's gravatar image

Mark Culp
22.5k9129264
accept rate: 40%

Hi Mark

Thank you. I followed your link and converted the certificate from .pfx to .pem

Starting my database with -x TCPIP -xs https(identity="C:\Certs____.pem";identity_password="xxxx";port=443) still results in a "Unable to open certificate file 'C:\Certs____.pem' "

(23 Jun '14, 04:54) Liam
Replies hidden

Just another point: I've run the converted ____.pem through a validation routine at http://www.sslshopper.com/certificate-decoder.html and everything came back fine. Which means it eliminates the points in the help documents here: http://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.help.sqlanywhere.12.0.0/saerrors/mlcommerr33.html

(23 Jun '14, 06:06) Liam

How are you starting your server? If running as a service then make sure that the service (user) has permission to the certificate file.

(23 Jun '14, 07:44) Mark Culp

Mark, calling it from the command-line with admin priviledges: C:\OpenSSL-Win32\bin>dbsrv12 "PW12.db" -x TCPIP -xs https(identity="C:\Certs___.pem";identity_password="___")

(24 Jun '14, 03:32) Liam
Replies hidden

I repro'ed your issue using the command line that you have given ... and your problem is that you need to remove the quotes (the server is including the quote characters as part of the name to the file and as part of the password) - the quotes are not needed since the fields are semicolon delimited. Example, try using:

dbsrv12 "PW12.db" -x TCPIP -xs https(identity=C:\Certs___.pem;identity_password=___)
(24 Jun '14, 09:29) Mark Culp

Mark, I really appreciate your help. My password starts with an '@' character. Without quotes in the identity_password parameter, it won't accept the line and comes up with the help screen for dbsrv12 usage :-(

Seems like I've painted myself into a corner.

(26 Jun '14, 07:04) Liam
Replies hidden

Try putting the whole -xs switch value in quotes: -xs "https(identity=C:\Certs___.pem;identity_password=___)"

(26 Jun '14, 07:27) Graeme Perrow
2

Correct, I have confirmed that if you quote the entire -xs options string then v12 will start up. Example:

dbsrv12 -n foo -xs "https(identity=myid.pem;identity_password=@secret)"
(26 Jun '14, 08:46) Mark Culp

Thanks guys. I'm convinced the problem lies in my password. It contains & and @ as characters. Say the password is @aaa&123

When I try to test the certificate with Sybase's viewcert utility:

  1. viewcert -ip @aaa&123 accsys.pem, the response is '123' is not recognized as an internal or external command,operable program or batch file. - Which means the '&' is messing things up.

  2. viewcert -ip "@aaa&123" accsys.pem, the response is Can't open file aaa&123 - Which means it's throwing away the '@' in the beginning.

(26 Jun '14, 10:10) Liam
Replies hidden
2

'&' is a special character for many Windows and Unix shells so I would highly recommended that you never use it in passwords nor user names or file names, etc. (also included in this list of non-recommended characters - and this is just my opinion, not an 'official' SQLA recommendation - would be semicolons ';', commas ',', dollar signs '$', percent '%', and leading '@' characters. Using these characters just leads you into troubles like the one that you are having).

'@' at the beginning of a field is a special character for SQL Anywhere - it tells SQLA that the following string (e.g. @abc) is a name of a file that contains command line options. See http://dcx.sybase.com/index.html#sa160/en/dbadmin/dbutilities-s-5613446.html for more info.

A solution for you is to put your command line options (for viewcert or dbsrv12 or any other SQLA command) into a file (e.g. 'viewcert_opts.txt') and then run your command using

viewcert @viewcert_opts.txt accsys.pem

. The contents of this file, in your case, would be:

-p @aaa&123

(26 Jun '14, 10:27) Mark Culp
showing 5 of 10 show all flat view
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×28
×20
×10

question asked: 20 Jun '14, 09:14

question was seen: 939 times

last updated: 26 Jun '14, 10:52