Abstract
- Requirements
- Architecture
- Configuring the client
Requirements
Set up
This document was created using the following:
- ECC certificate for M-Business Anywhere 7.x
- 4 GB of RAM
- CPU 3.2 Dual (Intel), hyper-threaded
- The client machine used the M-Business Anywhere win32 client running on a Dell E6500 laptop.
- The operating system used was Windows 2003 Server Enterprise Edition with SP1
Architecture
Introduction
M-Business Server is shipped with SSL libraries that are compliant with FIPS 140-2. These libraries automatically secure synchronization between an M-Business client and M-Business Server. This document focuses on how to configure SSL using ECC to secure the synchronization process.
Important note:
- Upgrading the server – If you have already enabled SSL in an earlier version of M-Business server, then you must upgrade your certificate if you are going to use M-Business 7.x.
M-Business Anywhere supports two SSL security types:
- ECC – Elliptic Curve Cryptography uses elliptic curves to create keys for encrypting data. ECC is faster than RSA because it creates shorter keys than RSA, which also makes it more efficient.
- RSA – A public key encryption technology more widely supported than ECC. RSA is an Internet encryption and authentication system that uses an algorithm developed in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman.
Configuring M-Business Anywhere For ECC
Configuration
The following steps are needed to configure ECC.
Requesting an ECC certificate
In order to request an ECC certificate from Sybase, you need to do the following:
- Open the command prompt
- Navigate to the conf folder, C:\M-BusinessAnywhereServer\conf
- Type the following command: reqtool.exe
- You will see something like this below:
C:\M-BusinessAnywhereServer\conf>reqtool.exe
-- M-Business Anywhere Certificate Request Tool 2.0 --
Generating key pair(please wait)...
Enter your two-letter country code (e.g. US).
Country:
- Here is a sample of what the screen should look like:
C:\M-BusinessAnywhereServer\conf>reqtool
-- M-Business Anywhere Certificate Request Tool 2.0 --
Generating key pair(please wait)...
Enter your two-letter country code (e.g. US).
Country: CA
Enter your state or province (e.g. California).
State: Ontario
Enter your locality name (e.g. San Mateo).
Locality: Waterloo
Enter Company or Organization name (e.g. AvantGo).
Organization: iAnywhere Solutions
Enter your organizational unit name (e.g. Internet Security Division).
Organizational unit: Technical Support Department
Enter the common name of your certificate (eg. avantgo.com).
Common name: sybase.com
Enter a password to protect your private key. This password must
consist of fewer than 64 strictly alphanumeric characters (i.e., only
A-Z, a-z, and 0-9 will be accepted).
Password: 123456789
Please enter your MBA Server license key. This step is not required,
but it will help to expedite your certificate request.
ServerLicense:
Enter a filename for the request: ianywhere.req
Enter a filename for the private key: ianywhere.priv
C:\M-BusinessAnywhereServer\conf>
- To verify that the file was generated, look for the file called ianywhere.req in the directory where the tool was launched.
You should see this:
C:\M-BusinessAnywhereServer\conf>dir *.req
Volume in drive C has no label.
Volume Serial Number is 521C-B792
Directory of C:\M-BusinessAnywhereServer\conf
9/09/2009 06:02 PM 476 ianywhere.req
1 File(s) 476 bytes
0 Dir(s) 33,730,686,976 bytes free
- The next step is to email this request to Sybase using the following email address: cert_request@ianywhere.com
- Ensure the subject line reads Certificate Request
Installation
To install a new certificate received from Sybase, follow these steps:
- Append the private key that was generated to the certificate that was sent back to you.
- Using the provided example, open ianywhere.priv (or whatever the name of your file is) using your favorite text editor. Note: It is important to use a text editor so that no extra formatting is applied.
- Copy the content of the file and paste it to the end of the certificate received from Sybase.
Figure 1 Certificate received from Sybase without private key
- Save the text file
- Place the file in the default configuration directory for m-Business Anywhere. For example: c:\m-BusinessAnywhereServer\conf
Figure 2 With private key being appended to the end of the certificate
Enabling ECC Security setting
The following steps will enable SSL using ECC security:
- Using a text editor, open the sync.conf.default file located in the default installation of M-Business Anywhere Server. For the provided example, it can be found in C:\m-BusinessAnywhereServer\conf
- To enable ECC, you must follow each step carefully. If one step is missed, SSL security encryption will not work properly.
- Search for the following:
#SSL:LoadFile "@@ServerRoot@@/bin/sslcommon.dll"
Remove the #SSL: and it should now look like this:
LoadFile "@@ServerRoot@@/bin/sslcommon.dll"
- Search for the following:
#SSL:LoadModule sagd_module "@@ServerRoot@@/bin/agsagd.dll"
Remove the #SSL: and it should now look like this:
LoadModule sagd_module "@@ServerRoot@@/bin/agsagd.dll"
- Search for the following:
#SSL:SyncPref AllowSecureClientConnect TRUE
Remove the #SSL: and it should now look like this:
SyncPref AllowSecureClientConnect TRUE
- Search for the following:
#SSL:SyncPref ConnectSecureOnly FALSE
Remove the #SSL: and it should now look like this:
SyncPref ConnectSecureOnly FALSE
- Search for the following:
#SSL:#ECC:Sagd_CertFileName "@@ServerRoot@@/conf/sslecdsa.crt"
Remove the #SSL:#ECC: and it should now look like this:
Sagd_CertFileName "@@ServerRoot@@/conf/sslecdsa.crt"
- Change sslecdsa.crt to the certificate that you received from iAnywhere and appended the private key to. Make sure the file name and path are correct. It should now look like this:
Sagd_CertFileName "@@ServerRoot@@/conf/iany12809.crt"
- Search for the following:
#SSL:#ECC:CertFileName "@@ServerRoot@@/conf/sslecdsa.crt"
Remove the #SSL:#ECC: and it should now look like this:
CertFileName "@@ServerRoot@@/conf/sslecdsa.crt"
- Change sslecdsa.crt to the certificate that you received from iAnywhere and appended the private key to. Make sure the file name and path are correct. It should now look like this:
CertFileName "@@ServerRoot@@/conf/iany12809.crt"
Note: There is no double quotation around
@@ServerRoot@@/conf/iany12809.crt
- Search for the following:
#SSL:#ECC:Sagd_KeyPassword password
Remove the #SSL:#ECC: and it should now look like this:
Sagd_KeyPassword password
- Replace the existing password with the password you created when you generated the ECC request. In our case it was 123456789.
It should now look like this:
Sagd_KeyPassword 123456789
- Search for the following:
#SSL:Sagd_RandomPoolFilename "@@ServerRoot@@/conf/random.bin"
Remove the #SSL: and it should now look like this:
Sagd_RandomPoolFilename "@@ServerRoot@@/conf/random.bin"
- Search for the following:
#SSL:SyncPref AllowHTTPSAlways FALSE
Remove the #SSL: and it should now look like this:
SyncPref AllowHTTPSAlways FALSE
- Search for the following:
#SSL:SyncPref ServerSecuritySharedLibrary "@@ServerRoot@@/bin/sslrover.dll"
Remove the #SSL: and it should now look like this:
SyncPref ServerSecuritySharedLibrary "@@ServerRoot@@/bin/sslrover.dll"
- Search for the following:
#SSL:SyncPref ServerCertFile "@@ServerRoot@@/conf/trusted.txt"
Remove the #SSL: and it should now look like this:
SyncPref ServerCertFile "@@ServerRoot@@/conf/trusted.txt"
- Search for the following:
#SSL:SyncPref ServerRandFile "@@ServerRoot@@/conf/random.bin"
Remove the #SSL: and it should now look like this:
SyncPref ServerRandFile "@@ServerRoot@@/conf/random.bin"
- Search for the following:
#SSL:SyncLoadFile "@@ServerRoot@@/bin/sslcommon.dll"
Remove the #SSL: and it should now look like this:
SyncLoadFile "@@ServerRoot@@/bin/sslcommon.dll"
- Finally, save your changes
Applying your configuration to your system
We need to apply our changes to the sync.conf and other configuration files in order for the server to pick up the new changes.
- Go to the default installation of M-Business Anywhere and navigate to the conf folder. e.g. c:\m-BusinessAnywhereServer\conf
- Double click on defaults_setup.bat
- This process will update your system configuration files
- Once complete, restart all m-Business Anywhere services:
- SQL Anywhere – AGDB
- M-Business Admin Server
- M-Business Soap Server
- M-Business Sync Server
- You are ready to test your system. If the sync service fails to start, please refer to the Troubleshooting section to determine how to fix the problem.
Testing the Certificate
Testing the Certificate using M-Business Client
After configuring the server, we need to test our secure server.
Using M-Business win32 client
- Click on Start -> All Programs
- Click on m-Business Client folder
- Click on m-Business Client
- Once the client is open, click on Tools and select Server Options
- If you already have a server profile defined, highlight it and click on the properties tab
- Click on the Test button. This is required in order to enable the secure connection checkbox.
- Click on “Connect to this server using secure protocol”
Figure 3 Checking secure connection
- Click on the Test button. If everything is configured correctly, you should see the following message
Figure 4 Success connection
- Click on OK. You are now ready to sync securely.
Troubleshooting
How to troubleshoot a secure M-Business Server
There are some common issues administrators face when trying to configure M-Business Anywhere Server to support SSL.
Sync Server won’t start
After editing the sync.conf.default, running the batch file defaults_setup.bat and restarting all the M-Business services, the sync server won’t start.
Figure 5 Sync server service won't start
In order to diagnose the problem, we need to run the sync server manually:
- Go to the DOS command prompt
- Navigate to the bin folder under the m-Business installation. Example: c:\m-BusinessAnywhereServer\bin. Execute the following command:
agd -d C:\M-BusinessAnywhereServer -f C:\M-BusinessAnywhereServer\conf\sync.conf -X
- You should see the following result:
SyncLoadFile is C:\M-BusinessAnywhereServer/bin/expat.dll
SyncLoadFile is C:\M-BusinessAnywhereServer/openssl/bin/libeay32.dll
SyncLoadFile is C:\M-BusinessAnywhereServer/ASA/win32/dblib10.dll
SyncLoadFile is C:\M-BusinessAnywhereServer/bin/agcommon.dll
SyncLoadFile is C:\M-BusinessAnywhereServer/bin/agnet.dll
SyncLoadFile is C:\M-BusinessAnywhereServer/bin/agprotocol.dll
SyncLoadFile is C:\M-BusinessAnywhereServer/bin/agservercommon.dll
SyncLoadFile is C:\M-BusinessAnywhereServer/bin/agserverlicense.dll
SyncLoadFile is C:\M-BusinessAnywhereServer/bin/agdatastore.dll
SyncLoadFile is C:\M-BusinessAnywhereServer/bin/asadatastore.dll
SyncLoadFile is C:\M-BusinessAnywhereServer/bin/entprovider.dll
SyncLoadFile is C:\M-BusinessAnywhereServer/bin/agserverconduit.dll
SyncLoadFile is C:\M-BusinessAnywhereServer/bin/rover.dll
SyncLoadFile is C:\M-BusinessAnywhereServer/bin/agsync.dll
SyncLoadFile is C:\M-BusinessAnywhereServer/bin/sslcommon.dll
Syntax error on line 881 of c:/m-businessanywhereserver/conf/sync.conf:
Invalid command 'Sagd_CertFileName', perhaps mis-spelled or defined by a module
not included in the server configuration
- What we are interested in is the error, which is “Syntax error on line 881…”. As you can see, it is complaining that the command Sagd_CertFileName is invalid. This means that we have failed to load the module Apache needs in order to understand the command “Sagd_CertFileName”.
- To resolve this error, open sync.conf.default and search for this line:
LoadModule sagd_module "@@ServerRoot@@/bin/agsagd.dll"
- This line should be uncommented. If it still has the comment marker in front of it, it will look like this:
#SSL:LoadModule sagd_module "@@ServerRoot@@/bin/agsagd.dll"
Remove the #SSL:
- After removing the comment, you should now have
LoadModule sagd_module "@@ServerRoot@@/bin/agsagd.dll"
- Save the file
- Execute defaults_setup.bat
- Restart all your services
- If this was the only error, then everything should start successfully
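The check below is an added example, not part of the original document or of M-Business Anywhere. It scans the text of sync.conf.default for the thirteen lines edited under "Enabling ECC Security setting" and reports any that are still commented, still carry the shipped placeholder values, or would reproduce the "Invalid command 'Sagd_CertFileName'" failure diagnosed above; the function names and the sample input are constructed for illustration.

```python
import re

# The 13 lines the procedure edits, in the commented form quoted on the page.
SHIPPED = """\
#SSL:LoadFile "@@ServerRoot@@/bin/sslcommon.dll"
#SSL:LoadModule sagd_module "@@ServerRoot@@/bin/agsagd.dll"
#SSL:SyncPref AllowSecureClientConnect TRUE
#SSL:SyncPref ConnectSecureOnly FALSE
#SSL:#ECC:Sagd_CertFileName "@@ServerRoot@@/conf/sslecdsa.crt"
#SSL:#ECC:CertFileName "@@ServerRoot@@/conf/sslecdsa.crt"
#SSL:#ECC:Sagd_KeyPassword password
#SSL:Sagd_RandomPoolFilename "@@ServerRoot@@/conf/random.bin"
#SSL:SyncPref AllowHTTPSAlways FALSE
#SSL:SyncPref ServerSecuritySharedLibrary "@@ServerRoot@@/bin/sslrover.dll"
#SSL:SyncPref ServerCertFile "@@ServerRoot@@/conf/trusted.txt"
#SSL:SyncPref ServerRandFile "@@ServerRoot@@/conf/random.bin"
#SSL:SyncLoadFile "@@ServerRoot@@/bin/sslcommon.dll"
"""
MARKER = re.compile(r"^\s*((?:#SSL:|#ECC:)*)\s*(.*?)\s*$")
TWO_TOKEN = ("LoadFile", "LoadModule", "SyncPref", "SyncLoadFile")

def split(line):  # -> (marker, key, value); the key is one or two leading tokens
    marker, body = MARKER.match(line).groups()
    tokens = body.split(None, 2)
    n = 2 if tokens and tokens[0] in TWO_TOKEN else 1
    return marker, " ".join(tokens[:n]), " ".join(tokens[n:])

REQUIRED = [split(line)[1] for line in SHIPPED.splitlines()]

def lint(text):
    """Return the problems found; an empty list means every step was applied."""
    found = {key: ("missing", "") for key in REQUIRED}
    for marker, key, value in map(split, text.splitlines()):
        if key in found and found[key][0] != "active":  # an active copy wins
            found[key] = ("commented" if marker else "active", value)
    problems = [f"{k}: {s}" for k, (s, _) in found.items() if s != "active"]
    for key in ("Sagd_CertFileName", "CertFileName"):
        if found[key][0] == "active" and "sslecdsa.crt" in found[key][1]:
            problems.append(f"{key}: still names the shipped sslecdsa.crt")
    if found["Sagd_KeyPassword"] == ("active", "password"):
        problems.append("Sagd_KeyPassword: placeholder password not replaced")
    sagd = any(s == "active" for k, (s, _) in found.items() if k.startswith("Sagd_"))
    if sagd and found["LoadModule sagd_module"][0] != "active":
        problems.append("Sagd_* active but sagd_module not loaded: 'Invalid command' at startup")
    return problems

# Constructed sample: a half-edited file with only some markers removed.
SAMPLE = SHIPPED.replace("#SSL:#ECC:", "").replace("#SSL:Sync", "Sync")
if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

To check a real file, pass the contents of sync.conf.default to lint() before running defaults_setup.bat.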
Client getting an SSL error when issuing a sync
Figure 6 SSL Error
If we look at figure 6, the client failed to connect to the M-Business sync server. This particular error has two possible solutions:
Solution A:
- You must have M-Business Anywhere 7.x with EBF 2 or higher.
- Contact Sybase Technical Support and request the EBF to be sent to you
Solution B:
- The certificate the server is loading is not for version 7.x.
- Send it back to the M-Business Anywhere support team and ask them to verify if the certificate is made for version 7.x.
- Create a new request and indicate in the email, that your server is version 7.
