
Using HTTPS for web services

Former Member

We've received a wild-card certificate for our domain, say .aaa.bbb.cc from our service provider.
(This file is in a .pfx format).

When I try to start my database using HTTPS:

-x TCPIP -xs https(identity="C:\xxxx\yyyy.pfx";identity_password="zzzz";port=443), Sybase fails to start with the message 'Unable to open certificate file "C:\xxxx\yyyy.pfx"'

Any advice? Am I supposed to do something with the original certificate before it can be used in this context?

Answers (1)

MarkCulp
Participant

You need to convert your certificate from PFX format to PEM format.

To do this you can use the openssl tools. E.g. see here for a description.

HTH

Former Member
0 Kudos

Hi Mark

Thank you. I followed your link and converted the certificate from .pfx to .pem.

Starting my database with -x TCPIP -xs https(identity="C:\Certs____.pem";identity_password="xxxx";port=443) still results in an "Unable to open certificate file 'C:\Certs____.pem' "

Former Member
0 Kudos

Just another point: I've run the converted ____.pem through a validation routine at http://www.sslshopper.com/certificate-decoder.html and everything came back fine. Which means it eliminates the points in the help documents here: http://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.help.sqlanywhere.12.0.0/saerrors/mlcom...

MarkCulp
Participant
0 Kudos

How are you starting your server? If running as a service then make sure that the service (user) has permission to the certificate file.

Former Member
0 Kudos

Mark, calling it from the command-line with admin privileges: C:\OpenSSL-Win32\bin>dbsrv12 "PW12.db" -x TCPIP -xs https(identity="C:\Certs___.pem";identity_password="___")

MarkCulp
Participant
0 Kudos

I repro'ed your issue using the command line that you have given ... and your problem is that you need to remove the quotes (the server is including the quote characters as part of the name to the file and as part of the password) - the quotes are not needed since the fields are semicolon delimited. Example, try using:

dbsrv12 "PW12.db" -x TCPIP -xs https(identity=C:\Certs___.pem;identity_password=___)

Former Member
0 Kudos

Mark, I really appreciate your help. My password starts with an '@' character. Without quotes in the identity_password parameter, it won't accept the line and comes up with the help screen for dbsrv12 usage 😞

Seems like I've painted myself into a corner.

graeme_perrow
Advisor
0 Kudos

Try putting the whole -xs switch value in quotes: -xs "https(identity=C:\Certs___.pem;identity_password=___)"

MarkCulp
Participant

Correct, I have confirmed that if you quote the entire -xs options string then v12 will start up. Example:

dbsrv12 -n foo -xs "https(identity=myid.pem;identity_password=@secret)"

Former Member
0 Kudos

Thanks guys. I'm convinced the problem lies in my password. It contains & and @ as characters. Say the password is @aaa&123

When I try to test the certificate with Sybase's viewcert utility:

  1. viewcert -ip @aaa&123 accsys.pem, the response is '123' is not recognized as an internal or external command, operable program or batch file. - Which means the '&' is messing things up.

  2. viewcert -ip "@aaa&123" accsys.pem, the response is Can't open file aaa&123 - Which means it's throwing away the '@' in the beginning.

MarkCulp
Participant

'&' is a special character for many Windows and Unix shells so I would highly recommend that you never use it in passwords nor user names or file names, etc. (Also included in this list of non-recommended characters - and this is just my opinion, not an 'official' SQLA recommendation - would be semicolons ';', commas ',', dollar signs '$', percent '%', and leading '@' characters. Using these characters just leads you into troubles like the one that you are having.)

'@' at the beginning of a field is a special character for SQL Anywhere - it tells SQLA that the following string (e.g. @abc) is a name of a file that contains command line options. See http://dcx.sybase.com/index.html#sa160/en/dbadmin/dbutilities-s-5613446.html for more info.

A solution for you is to put your command line options (for viewcert or dbsrv12 or any other SQLA command) into a file (e.g. 'viewcert_opts.txt') and then run your command using

viewcert @viewcert_opts.txt accsys.pem

The contents of this file, in your case, would be:

-p @aaa&123
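
The options-file approach from the answer above, as an added Python example that is not part of the original thread: it flags the characters the answer advises against, writes the option line to an owner-only file, and builds an argument list that does not contain the password. The function names are hypothetical, the file contents follow the answer's own example, and the 0600 mode only takes effect on POSIX systems (on Windows, restrict the file with NTFS permissions instead).

```python
import os
import tempfile

# Characters the answer advises against in passwords and names.
# A leading '@' is handled separately: SQL Anywhere tools read it
# as "the rest of this argument is an options file".
SHELL_HAZARDS = set("&;,$%")


def cli_hazards(value):
    """Return the reasons `value` is risky to pass directly on a command line."""
    reasons = []
    if value.startswith("@"):
        reasons.append("leading '@' is read as an options-file reference")
    found = sorted(SHELL_HAZARDS & set(value))
    if found:
        reasons.append("special characters: " + " ".join(found))
    return reasons


def write_options_file(path, option, secret):
    """Write '<option> <secret>' to a new file created owner-only (0600 on POSIX)."""
    if "\n" in secret or "\r" in secret:
        raise ValueError("secret must be a single line")
    # O_EXCL refuses to reuse an existing file that might have looser permissions.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"{option} {secret}\n")


def build_argv(tool, options_path, *args):
    """Argument list for subprocess.run(argv) without a shell; no secret in it."""
    return [tool, "@" + options_path, *args]


def demo():
    secret = "@aaa&123"  # sample password used in the thread
    with tempfile.TemporaryDirectory() as tmp:
        opts = os.path.join(tmp, "viewcert_opts.txt")
        write_options_file(opts, "-p", secret)
        with open(opts) as fh:
            content = fh.read()
        argv = build_argv("viewcert", opts, "accsys.pem")
    return cli_hazards(secret), content, argv


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Delete the options file once the tool has run, or keep it in a directory that only the service account can read.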