We've received a wild-card certificate for our domain, say .aaa.bbb.cc from our service provider. (This file is in a .pfx format).

When I try to start my database using HTTPS:

-x TCPIP -xs https(identity="C:\xxxx\yyyy.pfx";identity_password="zzzz";port=443), Sybase fails to start with the message 'Unable to open certificate file "C:\xxxx\yyyy.pfx"'

Any advice? Am I supposed to do something with the original certificate before it can be used in this context?

asked 20 Jun '14, 09:14

Liam


You need to convert your certificate from PFX format to PEM format.

To do this you can use the openssl tools. E.g. see here for a description.

HTH

answered 20 Jun '14, 09:39

Mark Culp
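The PFX-to-PEM conversion suggested in this answer, as an added example that is not part of the original post: it builds a throwaway .pfx, converts it with `openssl pkcs12`, and checks that the resulting file holds one certificate plus an encrypted private key that matches it. All file names and passwords are constructed, and it is an assumption here that a single PEM file with certificate and encrypted key is what the server's `identity=` option expects, with `PEM_PASS` being the value later given as `identity_password`.

```shell
#!/bin/sh
# Added example; every file name and password below is constructed.
# Passwords travel through the environment (env:NAME), so characters such as
# '@' and '&' are never parsed as part of an openssl command line.
export PFX_PASS='@aaa&123'   # password protecting the .pfx
export PEM_PASS='@aaa&123'   # password that will protect the key in the .pem

# Build a self-signed certificate and wrap it in a .pfx, so the conversion
# below has an input to work on offline.
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=test.aaa.bbb.cc" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -out "$1/sample.pfx" -passout env:PFX_PASS
}

# PFX -> PEM. -passout keeps the private key encrypted in the output file.
pfx_to_pem() {
    openssl pkcs12 -in "$1" -out "$2" \
        -passin env:PFX_PASS -passout env:PEM_PASS 2>/dev/null
}

# Count PEM blocks of one type ($2 is the label, taken as a grep pattern).
count_blocks() {
    grep -c -- "-----BEGIN $2-----" "$1"
}

# True only if the key decrypts with PEM_PASS and belongs to the certificate.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -passin env:PEM_PASS -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

work=$(mktemp -d)
make_sample_pfx "$work" &&
pfx_to_pem "$work/sample.pfx" "$work/identity.pem" &&
key_matches_cert "$work/identity.pem" &&
echo "identity.pem: $(count_blocks "$work/identity.pem" CERTIFICATE) certificate(s), key decrypts and matches"
```
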

Hi Mark

Thank you. I followed your link and converted the certificate from .pfx to .pem

Starting my database with -x TCPIP -xs https(identity="C:\Certs____.pem";identity_password="xxxx";port=443) still results in an "Unable to open certificate file 'C:\Certs____.pem' "

(23 Jun '14, 04:54) Liam

Just another point: I've run the converted ____.pem through a validation routine at http://www.sslshopper.com/certificate-decoder.html and everything came back fine. Which means it eliminates the points in the help documents here: http://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.help.sqlanywhere.12.0.0/saerrors/mlcommerr33.html

(23 Jun '14, 06:06) Liam

How are you starting your server? If running as a service then make sure that the service (user) has permission to the certificate file.

(23 Jun '14, 07:44) Mark Culp

Mark, calling it from the command-line with admin privileges: C:\OpenSSL-Win32\bin>dbsrv12 "PW12.db" -x TCPIP -xs https(identity="C:\Certs___.pem";identity_password="___")

(24 Jun '14, 03:32) Liam

I repro'ed your issue using the command line that you have given ... and your problem is that you need to remove the quotes (the server is including the quote characters as part of the name to the file and as part of the password) - the quotes are not needed since the fields are semicolon delimited. Example, try using:

dbsrv12 "PW12.db" -x TCPIP -xs https(identity=C:\Certs___.pem;identity_password=___)
(24 Jun '14, 09:29) Mark Culp

Mark, I really appreciate your help. My password starts with an '@' character. Without quotes in the identity_password parameter, it won't accept the line and comes up with the help screen for dbsrv12 usage :-(

Seems like I've painted myself into a corner.

(26 Jun '14, 07:04) Liam

Try putting the whole -xs switch value in quotes: -xs "https(identity=C:\Certs___.pem;identity_password=___)"

(26 Jun '14, 07:27) Graeme Perrow
2

Correct, I have confirmed that if you quote the entire -xs options string then v12 will start up. Example:

dbsrv12 -n foo -xs "https(identity=myid.pem;identity_password=@secret)"
(26 Jun '14, 08:46) Mark Culp

Thanks guys. I'm convinced the problem lies in my password. It contains & and @ as characters. Say the password is @aaa&123

When I try to test the certificate with Sybase's viewcert utility:

  1. viewcert -ip @aaa&123 accsys.pem, the response is '123' is not recognized as an internal or external command,operable program or batch file. - Which means the '&' is messing things up.

  2. viewcert -ip "@aaa&123" accsys.pem, the response is Can't open file aaa&123 - Which means it's throwing away the '@' in the beginning.

(26 Jun '14, 10:10) Liam
2

'&' is a special character for many Windows and Unix shells so I would highly recommend that you never use it in passwords nor user names or file names, etc. (also included in this list of non-recommended characters - and this is just my opinion, not an 'official' SQLA recommendation - would be semicolons ';', commas ',', dollar signs '$', percent '%', and leading '@' characters. Using these characters just leads you into troubles like the one that you are having).

'@' at the beginning of a field is a special character for SQL Anywhere - it tells SQLA that the following string (e.g. @abc) is a name of a file that contains command line options. See http://dcx.sybase.com/index.html#sa160/en/dbadmin/dbutilities-s-5613446.html for more info.

A solution for you is to put your command line options (for viewcert or dbsrv12 or any other SQLA command) into a file (e.g. 'viewcert_opts.txt') and then run your command using:

viewcert @viewcert_opts.txt accsys.pem

The contents of this file, in your case, would be:

-p @aaa&123

(26 Jun '14, 10:27) Mark Culp
question asked: 20 Jun '14, 09:14

question was seen: 3,392 times

last updated: 26 Jun '14, 10:52