How to Set Up Secure MobiLink Communications A whitepaper from Sybase iAnywhere

TABLE OF CONTENTS
MobiLink Synchronization
The Scenarios
TCP/IP Synchronization
HTTP Synchronization
HTTPS Synchronization
HTTP Synchronization Through a Web Server
Authenticated HTTP Synchronization Through a Web Server
HTTPS Synchronization Through a Web Server
Conclusion
MOBILINK SYNCHRONIZATION
MobiLink is the data synchronization component of SQL Anywhere. It includes a highly scalable data
synchronization server and a set of synchronization clients, which can be UltraLite or SQL Anywhere databases. The
back-office system may be a relational database such as Oracle, Sybase SQL Anywhere, Microsoft SQL Server, Sybase
Adaptive Server Enterprise or IBM DB2; it may also be a web service or another interface to an ERP or application server.
Clients may run on anything from smartphones to server machines.
Security concerns introduce numerous complexities into synchronization setups:
• Encryption - Encrypting data over public networks requires the use of security certificates and HTTPS
synchronization (using either RSA or ECC encryption).
• Authentication - HTTP network access restrictions require HTTP authentication.
• Firewalls - Limiting the number of holes in organizational firewalls requires that communication go through intermediate software such as a web server or specialist security software.
To meet these needs you may use web servers, SSL hardware accelerators, and load balancers between the clients
and server. Each of these intermediate modules may have its own security settings and capabilities.
To cope with this variety of configurations, MobiLink provides a set of parameters that you can set to enable data
synchronization through whatever firewalls and intermediate modules you provide, in a secure manner.
This document is a walk-through of some of the most common scenarios, showing what parameters you need to
set in order to get synchronization to work.
THE SCENARIOS
The scenarios use the SQL Anywhere 10.0.0 software. The database in use is the SQL Anywhere 10 CustDB sample
included with the package.
Each scenario lists a command line to start the MobiLink server, followed by the set of synchronization parameters
for the MobiLink client. The client parameters are listed as a ulsync command line, but they transfer directly to
UltraLite applications, where the same parameters are supplied from within the application.
To create an UltraLite database that can act as a remote database in the synchronization, run the following
command:
ulinit -a "uid=dba;pwd=sql;dsn=SQL Anywhere 10 CustDB" -c dbf=custdb.udb -n custdb_tables
Each command line uses a lot of options, but for compactness I’ll list only the network connection parameters.
A typical MobiLink server command line needs to be entered with a connection string, verbosity settings, logging
settings, and so on:
start mlsrv10 -c "dsn=SQL Anywhere 10 CustDB" -dl -fr -ot mlserver.mls -zu+ -v+
-x tcpip(port=2439)
but in this paper it will be abbreviated to show just the network connection parameters, like this:
mlsrv10 … -x tcpip(port=2439)
A typical ulsync command line is like this:
ulsync -c "dbf=custdb.udb" -v -e Username=50 -e "Version=custdb 10.0" -k tcpip
-x port=2439
and will be abbreviated to this:
ulsync … -k tcpip -x port=2439
To carry out the examples, use the full command lines above, modifying the network portions to fit the specific
example.
TCP/IP Synchronization
TCP/IP is the default synchronization stream, and is simple to run. Start the MobiLink server, optionally specifying
TCP/IP and the port number. The following line explicitly sets the port to 2439, which is the default TCP/IP setting:
mlsrv10 … -x tcpip(port=2439)
Synchronize from the client, again specifying TCP/IP and the port:
ulsync … -k tcpip -x port=2439
HTTP Synchronization
Start the MobiLink server, specifying HTTP and the port number. The following line explicitly sets the port to 80,
which is the default HTTP setting:
mlsrv10 … -x http(port=80)
Synchronize from the client, again specifying HTTP and the port:
ulsync … -k http -x port=80
HTTPS Synchronization
In a production environment, you would probably get a security certificate from a signing authority, but this
example uses the gencert utility (createcert in 10.0.1 and later) as a convenient way to generate a security certificate
for testing purposes. The following session illustrates the entries needed. For more comprehensive security, the
certificate should be signed by an external signing authority, but that is beyond the scope of this document.
> gencert
Certificate Generation Tool
Choose certificate type ((R)SA or (E)CC): R
Enter key length (512-2048): 1024
Generating key pair...
Country Code: CA
State/Province: Ontario
Locality: Waterloo
Organization: Sybase
Organizational Unit: iAnywhere
Common Name: UltraLite
Serial Number: 1
Certificate valid for how many years: 2
Enter file path of signer's certificate:
Certificate will be a self-signed root
Enter password to protect private key: private_key_password
Enter file path to save certificate: rsa_public_cert.crt
Enter file path to save private key: rsa_private_key.crt
Enter file path to save server identity: rsa_server_identity.crt
If you have the SQL Anywhere security option, you can choose ECC (E) instead of RSA.
Start the MobiLink server, specifying HTTPS and the port number, and referencing the server identity together with
the password that protects the private key. The following line explicitly sets the port to 444 (the default HTTPS
port is 443). The command is broken across lines for easier reading, but should be entered on a single line:
mlsrv10 … -x https(port=444;tls_type=rsa;certificate=rsa_server_identity.crt;
certificate_password=private_key_password)
Synchronize from the client, again specifying HTTPS and the port number and referencing the public certificate,
which must be deployed with the client. The client port must match the server setting above, 444 in this example
(the default HTTPS port is 443):
ulsync … -k https -x port=444;tls_type=rsa;trusted_certificates=rsa_public_cert.crt
You can optionally store the certificate inside the UltraLite database, for example by using the -t option on ulcreate, in
which case you do not need to reference the certificate explicitly at synchronization time.
HTTP Synchronization Through a Web Server
In this scenario, you set up a web server that uses the redirector to route synchronization traffic to the MobiLink
server. It is common practice to use the redirector to minimize the impact on the organization's firewall: only the
web server's port needs to be opened. The scenario illustrates how to use IIS; settings for other web servers follow
the same principles, but are not described in this document.
In IIS, open the web site properties, go to Directory Security, and ensure that anonymous HTTP access is permitted.
You need to copy two files into the Scripts virtual directory of your web site. If you don't have a virtual directory
named Scripts in the web site you need to create one. The default file-system path for the virtual directory is
C:\Inetpub\Scripts.
Make a copy of the redirector.config file that is in the MobiLink\redirector subdirectory of your SQL Anywhere
installation and change your copy to point to the MobiLink server on your machine. Here is the only line that matters
for demonstration purposes:
ML="host=<machine-name>;port=8081;"
Copy both this redirector.config file and MobiLink\redirector\IIS5\iaredirect.dll to your web site’s Scripts folder.
With this setup, you can start MobiLink, making sure that the port number matches the setting in redirector.config:
mlsrv10 … -x http(port=8081)
To synchronize, you need to point the synchronization client to the IIS web server, but also provide a URL suffix so
that it can locate the redirector. Here is the command line:
ulsync … -k http -x port=80;url_suffix=Scripts/iaredirect.dll/ml/
Authenticated HTTP Synchronization Through a Web Server
If your security requirements call for HTTP authentication, you can build this into the synchronization client as
well. Sometimes HTTP authentication is required by mid-tier security software such as a web access manager.
You can also require it from your web server by unchecking the Anonymous Access checkbox in the Directory Security
dialog (see above). The simplest way to test this on your own machine is to leave the authentication type as Basic
and then to supply the same user ID and password you use to log on to your computer.
HTTP authentication is carried out between the client and the intermediate software, and so requires
no changes at the MobiLink server. Here is a client command line providing HTTP authentication. As the -x option is
now getting long, it is split over several lines for display purposes. Remember that it needs to be entered as a single
line.
ulsync … -k http -x port=80;
url_suffix=Scripts/iaredirect.dll/ml/;
http_userid=<HTTP_USERID>;
http_password=<HTTP_PASSWORD>
HTTPS Synchronization Through a Web Server
This final example uses encrypted HTTPS synchronization between the client and the web server, and then
unencrypted HTTP communication inside the firewall between the web server and the MobiLink server.
To create a security certificate, you need to make a request for a server certificate from within IIS. You can then use
the SQL Anywhere gencert utility (or createcert in 10.0.1 and later) to process the request. For more advanced security
you can send the request to an external certificate signing authority instead of using gencert.
To create the request, open the IIS Web Site Properties sheet and go to the Directory Security tab. In the bottom
panel (Secure communications) click Server Certificate and let the Server Certificate wizard guide you to create a
new certificate. You should choose to prepare the request now, but send it later. On the Name and Security Settings
dialog, you can leave both checkboxes unchecked. After that, the questions are the same as those listed in the
gencert session above.
Once you have created a certificate request file, you can use gencert to process the request. Here is a sample
session, using the private key from the previous gencert certificate to sign a certificate for IIS:
>gencert -q certreq.txt
Certificate Generation Tool
Serial Number: 12345678
Certificate valid for how many years: 1
Enter file path of signer's certificate: rsa_public_cert.crt
Enter file path of signer's private key: rsa_private_key.crt
Enter password for signer's private key: private_key_password
Effective expiry is Fri Mar 28 09:23:11 2008
Enter file path to save certificate: iis_certificate.cer
Save entire chain (y/n): y
You can then go back to the IIS Server Certificate wizard and install the certificate file (iis_certificate.cer in this
case).
Once the certificate is installed, you are ready to synchronize. The MobiLink server can be run as a plain HTTP
server, as above. At the client you need to supply the certificate information, the IIS URL suffix and, if you have
authentication required, the HTTP authentication user name and password. Here is a command line with the -x
option split over several lines for display purposes. The IIS server is assumed to be accepting HTTPS communications
on the default HTTPS port, which is 443.
ulsync … -k https -x port=443;
url_suffix=Scripts/iaredirect.dll/ml/;
http_userid=<HTTP_USERID>;
http_password=<HTTP_PASSWORD>;
tls_type=rsa;trusted_certificates=rsa_public_cert.crt
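As an added example (not code from the paper or from Sybase's tooling), the following Python script parses the -x option syntax used in all the scenarios above and checks that the mlsrv10 command, the ulsync command and, for the web-server scenarios, the ML= line of redirector.config agree on stream, port, url_suffix and certificate settings. The parameter names are those used in the scenarios; the consistency rules are the example's own reading of them.

```python
import re

# Parse the -x option syntax shown in this paper: the server form
# "https(port=444;tls_type=rsa;...)" and the client form "port=444;tls_type=rsa;...".
def parse_x(option):
    m = re.fullmatch(r"(\w+)\((.*)\)", option.strip())
    stream, body = (m.group(1), m.group(2)) if m else (None, option.strip())
    params = {}
    for part in body.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            params[key.strip()] = value.strip()
    return stream, params

def check_sync(server_x, client_stream, client_x, redirector_ml=None):
    """Return the mismatches between the mlsrv10 -x value, the ulsync -k/-x values and,
    for the web-server scenarios, the ML= line of redirector.config (empty list = consistent)."""
    server_stream, s = parse_x(server_x)
    _, c = parse_x(client_x)
    problems = []
    if redirector_ml is None:
        # Direct client-to-server scenarios: stream, port and TLS type must match exactly.
        if server_stream != client_stream:
            problems.append(f"stream mismatch: server {server_stream}, client {client_stream}")
        if s.get("port") != c.get("port"):
            problems.append(f"port mismatch: server {s.get('port')}, client {c.get('port')}")
        if client_stream == "https" and s.get("tls_type") != c.get("tls_type"):
            problems.append("tls_type differs between server and client")
    else:
        # Web-server scenarios: the client needs url_suffix to reach the redirector, the
        # redirector's port must match mlsrv10's, and mlsrv10 runs plain HTTP behind IIS.
        _, r = parse_x(redirector_ml.split("=", 1)[1].strip().strip('"'))
        if "url_suffix" not in c:
            problems.append("client lacks url_suffix, so IIS cannot route to the redirector")
        if r.get("port") != s.get("port"):
            problems.append(f"redirector port {r.get('port')} != mlsrv10 port {s.get('port')}")
        if server_stream != "http":
            problems.append("redirector forwards HTTP, but mlsrv10 is not started with -x http")
    if client_stream == "https":
        for key in ("tls_type", "trusted_certificates"):
            if key not in c:
                problems.append(f"https client is missing {key}")
    if server_stream == "https":
        for key in ("tls_type", "certificate", "certificate_password"):
            if key not in s:
                problems.append(f"https server is missing {key}")
    return problems
```

For the final scenario, `check_sync("http(port=8081)", "https", "port=443;url_suffix=Scripts/iaredirect.dll/ml/;tls_type=rsa;trusted_certificates=rsa_public_cert.crt", 'ML="host=<machine-name>;port=8081;"')` returns an empty list.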
CONCLUSION
The MobiLink synchronization server and clients provide the flexibility to operate in all common network
environments. The security requirements of authentication, encryption, and limited firewall ports make the setup
inevitably more complex, but this paper has shown that the necessary information can always be supplied by the
MobiLink server and the synchronization client.
Copyright © 2007 iAnywhere Solutions, Inc. All rights reserved. Sybase, Afaria,
SQL Anywhere, MobiLink, UltraLite, and M-Business Anywhere are trademarks of Sybase, Inc. All other trademarks are
property of their respective owners.