How to Set Up Secure MobiLink Communications A whitepaper from Sybase iAnywhere
How to Set Up Secure MobiLink Communications A whitepaper from Sybase iAnywhere TABLE OF CONTENTS 1 Mobilink Synchronization 1 The Scenarios 1 TCP/IP Synchronization 2 HTTP Synchronization 2 HTTPS Synchronization 2 HTTP Synchronization Through a Web Server 3 Authenticated HTTP Synchronization Through a Web Server 3 HTTPS Synchronization Through a Web Server 4 Conclusion i MOBILINK SYNCHRONIZATION MobiLink is the data synchronization component of SQL Anywhere. It includes a highly scalable data synchronization server and a set of synchronization clients, which can be UltraLite or SQL Anywhere databases. The back-office system may be a relational database such as Oracle, Sybase SQL Anywhere, Microsoft SQL Server, Sybase Adaptive Server Enterprise or IBM DB2; it may also be a web service or other interface to ERP or application server. Clients may run on anything from Smartphones to server machines. Security concerns introduce numerous complexities into synchronization setups: • Encryption - Encrypting data over public networks requires the use of security certificates and HTTPS synchronization (using either RSA or ECC encryption). • Authentication - HTTP network access restrictions require HTTP authentication. • Firewalls - Limiting the number of holes in organizational firewalls requires that communication go through intermediate software such as a web server or specialist security software. To meet these needs you may use web servers, SSL hardware accelerators, and load balancers between the clients and server. Each of these intermediate modules may have their own security settings and capabilities. To cope with this variety of configurations, MobiLink provides a set of parameters that you can set to enable data synchronization through whatever firewalls and intermediate modules you provide, in a secure manner. This document is a walk-through of some of the most common scenarios, showing what parameters you need to set in order to get synchronization to work. THE SCENARIOS The scenarios use the SQL Anywhere 10.0.0 software. The database in use is the SQL Anywhere 10 CustDB sample included with the package. Each scenario lists a command line to start the MobiLink server, and then also lists a MobiLink client set of synchronization parameters. These are listed as a ulsync command line, but should be easily transferable to UltraLite applications, where the parameters are provided in the application. To create an UltraLite database that can act as a remote database in the synchronization, run the following command: ulinit -a "uid=dba;pwd=sql;dsn=SQL Anywhere 10 CustDB" -c dbf=custdb.udb –n custdb_tables Each command line uses a lot of options, but for compactness I’ll list only the network connection parameters. A typical MobiLink server command line needs to be entered with a connection string, verbosity settings, logging settings, and so on: start mlsrv10 -c "dsn=SQL Anywhere 10 CustDB" -dl -fr -ot mlserver.mls -zu+ -v+ -x tcpip(port=2439) but in this paper it will be abbreviated to show just the network connection parameters, like this: mlsrv10 … -x tcpip(port=2439) A typical ulsync command line is like this: ulsync -c "dbf=custdb.udb" -v -e Username=50 -e "Version=custdb 10.0" -k tcpip -x port=2439 and will be abbreviated to this: ulsync … -k tcpip –x port=2439 To carry out the examples, use the full command lines above, modifying the network portions to fit the specific example. TCP/IP synchronization TCP/IP is the default synchronization stream, and is simple to run. Start the MobiLink server, optionally specifying TCP/IP and the port number. The following line explicitly sets the port to 2439, which is the default TCP/IP setting: mlsrv10 … -x tcpip(port=2439) Synchronize from the client, again specifying TCP/IP and the port: ulsync … -k tcpip -x port=2439 http synchronization Start the MobiLink server, specifying HTTP and the port number. The following line explicitly sets the port to 80, which is the default HTTP setting: mlsrv10 … -x http(port=80) Synchronize from the client, again specifying TCP/IP and the port: ulsync … -k http -x port=80 https synchronization In a production environment, you would probably get a security certificate from a signing authority, but this example uses the gencert utility (createcert in 10.0.1 and later) as a convenient way to generate a security certificate for testing purposes. The following session illustrates the entries needed. For more comprehensive security, the certificate should be signed by an external signing authority, but that is beyond the scope of this document. > gencert Certificate Generation Tool Choose certificate type ((R)SA or (E)CC): R Enter key length (512-2048): 1024 Generating key pair... Country Code: CA State/Province: Ontario Locality: Waterloo Organization: Sybase Organizational Unit: iAnywhere Common Name: UltraLite Serial Number: 1 Certificate valid for how many years: 2 Enter file path of signer's certificate: Certificate will be a self-signed root Enter password to protect private key: private_key_password Enter file path to save certificate: rsa_public_cert.crt Enter file path to save private key: rsa_private_key.crt Enter file path to save server identity: rsa_server_identity.crt If you have the SQL Anywhere security option, you can choose ECC (E) instead of RSA. Start the MobiLink server, specifying HTTPS and the port number, and referencing the server identity together with the password to protect the private key. The following line explicitly sets the port to 443, which is the default HTTPS setting. The command is broken across lines for easier reading, but should be entered on a single line: mlsrv10 … -x https(port=444;tls_type=rsa;certificate=rsa_server_identity.crt; certificate_password=private_key_password) Synchronize from the client, again specifying HTTPS and the port number and referencing the public certificate, which must be deployed with the client. The following line explicitly sets the port to 443, which is the default HTTPS setting. ulsync -k https -x port=444;tls_type=rsa;trusted_certificates=rsa_public_cert.crt You can optionally store certificate inside the UltraLite database, for example by using the –t option on ulcerate, in which case you do not need to reference the certificate explicitly at synchronization time. http synchronization through a web server In this scenario, you set up a web server that uses the redirector to route synchronization traffic to the MobiLink server. The scenario illustrates how to use IIS, but the principles are the same for other web servers. It is common practice to use the redirector to minimize the impact on the organization firewall. Settings for other web servers follow the same principles, but are not described in this document. In IIS, open the web site properties, go to Directory Security, and ensure that anonymous HTTP access is permitted. You need to copy two files into the Scripts virtual directory of your web site. If you don’t have a virtual directory named Scripts in the web site you need to create one. The default file-system path for the virtual directory is C:\ Inetpub\Scripts. Make a copy of the redirector.config file that is in the MobiLink\redirector subdirectory of your SQL Anywhere installation and change your copy to point to the MobiLink server on your machine. Here is only line that matters for demonstration purposes: ML="host=<machine-name>;port=8081; Copy both this redirector.config file and MobiLink\redirector\IIS5\iaredirect.dll to your web site’s Scripts folder. With this setup, you can start MobiLink, making sure that the port number matches the setting in redirector. config: mlsrv10 … -x http(port=8081) To synchronize, you need to point the synchronization client to the IIS web server, but also provide a URL suffix so that it can locate the redirector. Here is the command line: ulsync … -k http -x port=80;url_suffix=Scripts/iaredirect.dll/ml/ authenticated http synchronization through a web server If your security requirements require HTTP authentication, you can build this into the synchronization client as well. Sometimes HTTP authentication may be required by a mid-tier security software such as a web access manager. You can also require it from your web server by unchecking the Anonymous Access checkbox in the Directory Security dialog (see above). The simplest way to test this on your own machine is to leave the authentication type as Basic and then to supply the same user ID and password you use to log on to your computer. HTTP authentication is a process that is carried out between the client and intermediate software, and so requires no changes at the MobiLink server. Here is a client command line providing HTTP authentication. As the –x option is now getting long, it is split over several lines for display purposes. Remember that it needs to be entered as a single line. ulsync … -k http -x port=80; url_suffix=Scripts/iaredirect.dll/ml/; http_userid=<HTTP_USERID>; http_password=<HTTP_PASSWORD> https synchronization through a web server This final example uses encrypted HTTPS synchronization between the client and the web server, and then unencrypted HTTP communication inside the firewall between the web server and the MobiLink server. To create a security certificate, you need to make a request for a server certificate from within IIS. You can then use the SQL Anywhere gencert utility (or createcert in 10.0.1 and later) to process the request. For more advanced security you can send the request to an external certificate signing authority instead of using gencert. To create the request, open the IIS Web Site Properties sheet and go to the Directory Security tab. In the bottom panel (Secure communications) click Server Certificate and let the Server Certificate wizard guide you to create a new certificate. You should choose to prepare the request now, but send it later. On the Name and Security Settings dialog, you can leave both checkboxes unchecked. After that, the questions are the same as those listed in the gencert session above. Once you have created a certificate request file, you can use gencert to process the request. Here is a sample session, using the private key from the previous gencert certificate to sign a certificate for IIS: >gencert -q certreq.txt Certificate Generation Tool Serial Number: 12345678 Certificate valid for how many years: 1 Enter file path of signer's certificate: rsa_public_cert.crt Enter file path of signer's private key: rsa_private_key.crt Enter password for signer's private key: private_key_password Effective expiry is Fri Mar 28 09:23:11 2008 Enter file path to save certificate: iis_certificate.cer Save entire chain (y/n): y You can then go back to the IIS Server Certificate wizard and install the certificate file (iis_certificate.cer in this case). Once the certificate is installed, you are ready to synchronize. The MobiLink server can be run as a plain HTTP server, as above. At the client you need to supply the certificate information, the IIS url suffix and, if you have authentication required, the http authentication user name and password. Here is a command line with the –x option split over several lines for display purposes. The IIS server is assumed to be accepting HTTPS communications on the default HTTPS port, which is 443. ulsync … -k https -x port=443; url_suffix=Scripts/iaredirect.dll/ml/; http_userid=<HTTP_USERID >; http_password=<HTTP_PASSWORD> ; tls_type=rsa;trusted_certificates=rsa_public_cert.crt conclusion The MobiLink synchronization server and clients provide the flexibility to operate in all common network environments. The security requirements of authentication, encryption, and limited firewall ports make the setup inevitably more complex, but this paper has shown that the necessary information can always be supplied by the MobiLink server and the synchronization client. Copyright © 2007 iAnywhere Solutions, Inc. All rights reserved. Sybase, Afaria, SQL Anywhere, MobiLink, UltRaLite, and M-Business Anywhere are trademarks of Sybase, Inc. All other trademarks are property of their respective owners.
© Copyright 2024