
SQL/R A.04.00 Encrypted Communication

SQL/R A.04.00 supports encryption of the communication between the driver (running on the client system) and the ODBC backend (running on the server).

The ODBC server defines which connection uses encryption. This may be configured specific to the client IP address or per data source.

When using an encrypted connection, the server uses an RSA public/private key pair to distribute an AES key that is used to encrypt the actual communication. The encryption keys are replaced periodically.

Backwards compatibility

The SQL/R A.04.00 release is upwards compatible with previous SQL/R ODBC releases. Previous configuration files on the server are accepted and older A.02.XX driver versions can connect to the server.

If encryption is required for a connection, a previous A.02.XX driver will fail.

The A.04.XX ODBC driver is not compatible with a previous A.02.XX server version unless the driver protocol is switched to be A02 compatible.

Consequently, deployment of the new SQL/R ODBC version should start on the server side. This allows the driver versions to be updated gradually. Enabling encryption will then stop any access from older driver versions.

Configuration directives

The ODBC server defines which connection uses encryption. This may be configured for a client IP address (or range) or per data source.

The following config items may be specified:

[encryption] RsaExchangeKeySize
Specifies the size of the RSA key (in bits) that is used to encrypt the AES session key. Valid values must be a multiple of 512. The default is 1024.
The default should only be changed if generating the RSA key is found to be a performance issue.

[encryption] KeyRefreshInterval
Specifies the interval after which a new RSA key is generated. The default is 60 minutes.

[encryption] AesSessionKeySize
Specifies the length (in bits) of the AES key that is used to encrypt the driver communication. Valid values are 128, 192 and 256. The default is 128 bits.

The [encryption] section also allows specifying the IP addresses that use encrypted communication. In addition, a data source may be configured to require an encrypted connection.

The following syntax is supported:

{on|off} = {All | ip-address [/ [netmask | addrbits]]}

If the client IP address is not covered by a config rule, an unencrypted connection is used. The On = All directive may be used to make encrypted communication the default, with the exceptions specified separately. By default, clients do not use encryption.

In addition, the Encryption config item may be used in a data source to require an encrypted connection.
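
A configuration check for the directives above, added here as an example (not code from SQL/R or its vendor): it reads the [encryption] section, applies the documented defaults and valid values, and lists the address ranges that are left unencrypted. The key = value layout of the settings, the function names and the 2048-bit RSA floor are assumptions of this example, and the sample configuration is constructed.

```python
import ipaddress

# Defaults and valid values are the ones stated in the documentation above.
DEFAULTS = {"rsaexchangekeysize": 1024, "aessessionkeysize": 128}
MIN_RSA_BITS = 2048  # assumption: this example's own floor, not an SQL/R rule

def parse_encryption(text):
    """Return (settings, rules) read from the [encryption] section."""
    settings, rules, active = dict(DEFAULTS), [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            active = line.lower() == "[encryption]"
        elif active and "=" in line:
            key, value = (part.strip().lower() for part in line.split("=", 1))
            if key in ("on", "off"):
                rules.append((key, value.replace(" ", "")))
            elif key in settings:
                settings[key] = int(value)
    return settings, rules

def audit(text):
    """List findings for key sizes and for clients left unencrypted."""
    settings, rules = parse_encryption(text)
    rsa, aes = settings["rsaexchangekeysize"], settings["aessessionkeysize"]
    findings = []
    if rsa % 512:
        findings.append(f"RsaExchangeKeySize {rsa} is not a multiple of 512")
    elif rsa < MIN_RSA_BITS:
        findings.append(f"RsaExchangeKeySize {rsa} is below {MIN_RSA_BITS} bits")
    if aes not in (128, 192, 256):
        findings.append(f"AesSessionKeySize {aes} is not 128, 192 or 256")
    if ("on", "all") not in rules:
        findings.append("no 'On = All' rule: unmatched clients are unencrypted")
    for state, target in [r for r in rules if r[1] != "all"]:
        try:
            net = ipaddress.ip_network(target, strict=False)
        except ValueError:
            findings.append(f"{state} rule has an unparsable address: {target}")
            continue
        if state == "off":
            findings.append(f"{net} is exempt from encryption")
    return findings

# Constructed sample configuration (not taken from a real installation).
SAMPLE = ("[encryption]\nAesSessionKeySize = 256\nOn = 10.0.0.0/8\n"
          "Off = 192.168.10.0 / 255.255.255.0\nOff = 10.1.2.300\n")

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The check does not model how the server resolves overlapping On and Off rules, since the documentation above does not state a precedence; it only reports each rule on its own.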


Platform dependencies

HP-UX

The OpenSSL software is used on HP-UX for cryptographic functions. It must be installed to use encrypted communication.

To use encryption, the server process or the driver dynamically loads the libcrypto.sl (PA-RISC) or libcrypto.so (Itanium) library.

The SQL/R specific lib directory has precedence in locating the library. The SHLIB_PATH and LD_LIBRARY_PATH environment variables may be used to select a specific library to be loaded. Otherwise the system default is used.

The HP-UX HP OpenSSL software may be obtained from the HPE Software Center web site https://myenterpriselicense.hpe.com/cwp-ui/free-software/OPENSSL11I.

For HP-UX 11i v1 it is recommended to also install the KRNG kernel support for strong random numbers. It is available from the HPE Software Center web site https://myenterpriselicense.hpe.com/cwp-ui/free-software/KRNG11I.

Linux

The OpenSSL software is used on Linux for cryptographic functions. The OpenSSL package (0.9.7 or newer) must be installed to use encrypted communication.

To use encryption, the server process dynamically loads a libcrypto.so library. The SQL/R specific lib directory has precedence in locating the library. The LD_LIBRARY_PATH environment variable may be used to select a specific library to be loaded. Otherwise the system default is used.

Windows

The built-in cryptographic functionality is used. No additional software needs to be installed.