Abstract

  1. Requirements
  2. Architecture
  3. Configuring the client

Requirements

Set up

This document was created using the following:

Architecture

Introduction

M-Business Server is shipped with SSL libraries that are compliant with FIPS 140-2. These libraries automatically secure synchronization between an M-Business client and M-Business Server. This document focuses on how to configure SSL using ECC to secure the synchronization process.

Important note:

M-Business Anywhere supports two types of SSL security:

Configuring M-Business Anywhere For ECC

Configuration

The following steps are needed to configure ECC.

Requesting an ECC certificate

In order to request an ECC certificate from Sybase, you need to do the following:

  1. Open the command prompt
  2. Navigate to the conf folder, C:\M-BusinessAnywhereServer\conf
  3. Type the following command: reqtool.exe
  4. You will see something like this:
    C:\M-BusinessAnywhereServer\conf>reqtool.exe
    -- M-Business Anywhere Certificate Request Tool 2.0 --
    Generating key pair(please wait)...
    Enter your two-letter country code (e.g. US).
    Country:
  5. Here is a sample of what the screen should look like:
    C:\M-BusinessAnywhereServer\conf>reqtool
    -- M-Business Anywhere Certificate Request Tool 2.0 --
    Generating key pair(please wait)...
    Enter your two-letter country code (e.g. US).
    Country: CA
    Enter your state or province (e.g. California).
    State: Ontario
    Enter your locality name (e.g. San Mateo).
    Locality: Waterloo
    Enter Company or Organization name (e.g. AvantGo).
    Organization: iAnywhere Solutions
    Enter your organizational unit name (e.g. Internet Security Division).
    Organizational unit: Technical Support Department
    Enter the common name of your certificate (eg. avantgo.com).
    Common name: sybase.com
    Enter a password to protect your private key. This password must
    consist of fewer than 64 strictly alphanumeric characters (i.e., only
    A-Z, a-z, and 0-9 will be accepted).
    Password: 123456789
    Please enter your MBA Server license key. This step is not required,
    but it will help to expedite your certificate request.
    ServerLicense:
    Enter a filename for the request: ianywhere.req
    Enter a filename for the private key: ianywhere.priv
    C:\M-BusinessAnywhereServer\conf>
  6. To verify the file was generated, look for the file called ianywhere.req in the current directory where the tools were launched.
    You should see this:
    C:\M-BusinessAnywhereServer\conf>dir *.req
     Volume in drive C has no label.
     Volume Serial Number is 521C-B792
    Directory of C:\M-BusinessAnywhereServer\conf

    9/09/2009  06:02 PM               476 ianywhere.req
                  1 File(s)            476 bytes
                  0 Dir(s)  33,730,686,976 bytes free

  7. Next, email this request to Sybase at the following address: cert_request@ianywhere.com
  8. Ensure the subject line reads Certificate Request

Installation

To install a new certificate received from Sybase, follow these steps:

  1. Append the private key that was generated to the certificate that was sent back to you.
  2. Using the provided example, open ianywhere.priv (or whatever the name of your file is), using your favorite text editor. Note: It is important to use a text editor so no extra formatting can be applied.
  3. Copy the content of the file and paste it to the end of the certificate received from Sybase.
    Figure 1 Certificate received from Sybase without private key

    Figure 2 With private key being appended to the end of the certificate

  4. Save the text file
  5. Place the file in the default configuration directory for M-Business Anywhere. For example: c:\m-BusinessAnywhereServer\conf

Enabling ECC Security setting

The following steps will enable SSL using ECC security:

  1. Using a text editor, open the sync.conf.default file located in the default installation of M-Business Anywhere Server. For the provided example, it can be found in C:\m-BusinessAnywhereServer\conf
  2. To enable ECC, you must follow each step carefully. If one step is missed, SSL security encryption will not work properly.

    1. Search for the following:
      #SSL:LoadFile "@@ServerRoot@@/bin/sslcommon.dll"

      Remove the #SSL: and it should now look like this: 
      LoadFile "@@ServerRoot@@/bin/sslcommon.dll"

    2. Search for the following:
      #SSL:SyncLoadFile "@@ServerRoot@@/bin/sslcommon.dll"

      Remove the #SSL: and it should now look like this:
      SyncLoadFile "@@ServerRoot@@/bin/sslcommon.dll"

    3. Search for the following:
      #SSL:LoadModule sagd_module "@@ServerRoot@@/bin/agsagd.dll"

      Remove the #SSL: and it should now look like this:
      LoadModule sagd_module "@@ServerRoot@@/bin/agsagd.dll"

    4. Search for the following:
      #SSL:SyncPref AllowSecureClientConnect TRUE

      Remove the #SSL: and it should now look like this:
      SyncPref AllowSecureClientConnect TRUE

    5. Search for the following:
      #SSL:SyncPref ConnectSecureOnly FALSE

      Remove the #SSL: and it should now look like this:
      SyncPref ConnectSecureOnly FALSE

    6. Search for the following:
      #SSL:#ECC:Sagd_CertFileName "@@ServerRoot@@/conf/sslecdsa.crt"

      Remove the #SSL:#ECC: and it should now look like this:
      Sagd_CertFileName "@@ServerRoot@@/conf/sslecdsa.crt"

    7. Change sslecdsa.crt to the certificate that you received from iAnywhere and to which you added the private key. Make sure the file name and path are correct. It should now look like this:
      Sagd_CertFileName "@@ServerRoot@@/conf/iany12809.crt"

    8. Search for the following:
      #SSL:#ECC:CertFileName "@@ServerRoot@@/conf/sslecdsa.crt"

      Remove the #SSL:#ECC: and it should now look like this:
      CertFileName "@@ServerRoot@@/conf/sslecdsa.crt"

    9. Change sslecdsa.crt to the certificate that you received from iAnywhere and to which you added the private key. Make sure the file name and path are correct. It should now look like this:
      CertFileName "@@ServerRoot@@/conf/iany12809.crt"

      Note: There is no double quotation around @@ServerRoot@@/conf/iany12809.crt

    10. Search for the following:
      #SSL:#ECC:Sagd_KeyPassword  password

      Remove the #SSL:#ECC: and it should now look like this:
      Sagd_KeyPassword  password

    11. Replace the existing password with the password you created when you generated the ECC request. In our case it was 123456789. It should now look like this:
      Sagd_KeyPassword  123456789

    12. Search for the following:
      #SSL:Sagd_RandomPoolFilename "@@ServerRoot@@/conf/random.bin"

      Remove the #SSL: and it should now look like this:
      Sagd_RandomPoolFilename "@@ServerRoot@@/conf/random.bin"

    13. Search for the following:
      #SSL:SyncPref AllowHTTPSAlways FALSE

      Remove the #SSL: and it should now look like this:
      SyncPref AllowHTTPSAlways FALSE

    14. Search for the following:
      #SSL:SyncPref ServerSecuritySharedLibrary "@@ServerRoot@@/bin/sslrover.dll"

      Remove the #SSL: and it should now look like this:
      SyncPref ServerSecuritySharedLibrary "@@ServerRoot@@/bin/sslrover.dll"

    15. Search for the following:
      #SSL:SyncPref ServerCertFile "@@ServerRoot@@/conf/trusted.txt"

      Remove the #SSL: and it should now look like this:
      SyncPref ServerCertFile "@@ServerRoot@@/conf/trusted.txt"

    16. Search for the following:
      #SSL:SyncPref ServerRandFile "@@ServerRoot@@/conf/random.bin"

      Remove the #SSL: and it should now look like this:
      SyncPref ServerRandFile "@@ServerRoot@@/conf/random.bin"

    17. Finally, save your changes.
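
Because one missed step leaves SSL broken, the edits can be checked before defaults_setup.bat is run. The following Python check is an added example, not part of the original document or of Sybase's tooling: it scans the text of sync.conf.default for the directives named in the steps above and reports any that are still commented, missing, or left at the shipped sslecdsa.crt or password values. The function name audit_sync_conf and the sample file content are constructed for illustration.

```python
import re

# (directive, text its argument must contain), taken from the steps above.
REQUIRED = [
    ("LoadFile", "sslcommon.dll"), ("SyncLoadFile", "sslcommon.dll"),
    ("LoadModule", "sagd_module"), ("SyncPref", "AllowSecureClientConnect"),
    ("SyncPref", "ConnectSecureOnly"), ("Sagd_CertFileName", ""),
    ("CertFileName", ""), ("Sagd_KeyPassword", ""),
    ("Sagd_RandomPoolFilename", ""), ("SyncPref", "AllowHTTPSAlways"),
    ("SyncPref", "ServerSecuritySharedLibrary"),
    ("SyncPref", "ServerCertFile"), ("SyncPref", "ServerRandFile"),
]
LINE = re.compile(r"^(#SSL:(?:#ECC:)?)?\s*(\S+)\s*(.*)$")

def audit_sync_conf(text):
    """List SSL/ECC directives that are not enabled, plus leftover defaults."""
    state, value = {}, {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        marker, name, arg = m.groups()
        for req in REQUIRED:
            # An enabled copy of a directive wins over a commented one.
            if req[0] == name and req[1] in arg and (not marker or req not in state):
                state[req] = "commented" if marker else "enabled"
                value[req] = arg.strip('"')
    findings = [f"{' '.join(filter(None, req))}: {state.get(req, 'missing')}"
                for req in REQUIRED if state.get(req) != "enabled"]
    certs = [value.get(("Sagd_CertFileName", "")), value.get(("CertFileName", ""))]
    if certs[0] != certs[1]:
        findings.append("Sagd_CertFileName and CertFileName name different files")
    if any(c and c.endswith("sslecdsa.crt") for c in certs):
        findings.append("certificate path still names sslecdsa.crt")
    if value.get(("Sagd_KeyPassword", "")) == "password":
        findings.append("Sagd_KeyPassword is still the placeholder 'password'")
    return findings

# Constructed sample: a partly edited file, not a real sync.conf.default.
SAMPLE = '''\
LoadFile "@@ServerRoot@@/bin/sslcommon.dll"
#SSL:SyncLoadFile "@@ServerRoot@@/bin/sslcommon.dll"
Sagd_CertFileName "@@ServerRoot@@/conf/iany12809.crt"
#SSL:#ECC:CertFileName "@@ServerRoot@@/conf/sslecdsa.crt"
Sagd_KeyPassword  password
'''

if __name__ == "__main__":
    print("\n".join(audit_sync_conf(SAMPLE)))
```

After these edits the configuration file holds the private key password in clear text and points at a file containing the private key itself, so read access to the conf folder should be limited to administrators and the account the M-Business services run under.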

Applying your configuration to your system

We need to apply our changes to the sync.conf and other configuration files in order for the server to pick up the new changes.

  1. Go to the default installation of M-Business Anywhere and navigate to the conf folder. e.g. c:\m-BusinessAnywhereServer\conf
  2. Double click on defaults_setup.bat
  3. This process will update your system configuration files
  4. Once complete, restart all m-Business Anywhere services:
    1. SQL Anywhere – AGDB
    2. M-Business Admin Server
    3. M-Business Soap Server
    4. M-Business Sync Server
  5. You are ready to test your system. If the sync service fails to start, please refer to the Troubleshooting section to determine how to fix your problem.

Testing the Certificate

Testing the Certificate using M-Business Client

After configuring the server, we need to test our secure server.

Using M-Business win32 client

Troubleshooting

How to troubleshoot a secure M-Business Server

There are some common issues administrators face when trying to configure M-Business Anywhere Server to support SSL.

Sync Server won’t start

After editing the sync.conf.default, running the batch file defaults_setup.bat and restarting all the M-Business services, the sync server won’t start.

Figure 5 Sync server service won't start

In order to diagnose, we need to run a manual job

Client getting an SSL error when issuing a sync

Figure 6 SSL Error

If we look at Figure 6, the client failed to connect to the M-Business sync server. This particular error has two possible solutions:

Solution A:

Solution B:



© Copyright 2010, Sybase Inc.