TLS security for Sybase ASE

SAP offers a method to configure Sybase ASE instances utilizing TLS, enhancing security for connections to the Sybase ASE database.

Starting with release 23.0.0.0, Delphix Continuous Data Engine has introduced support for Sybase ASE instances configured with TLS. JDBC connections established by Delphix Continuous Data Engine to Sybase ASE instances can now be TLS enabled.

Implementing TLS support in the Delphix Continuous Data Engine

This feature enables TLS support, which provides encrypted JDBC connections between Delphix Continuous Data Engine and Sybase hosts.

Delphix Continuous Data Engine requires the following steps to be taken to support TLS for Sybase ASE instances:

  1. Disable all Sybase ASE dSources and VDBs running on the ASE instance to prevent connection failures during TLS setup.

  2. Configure the Sybase ASE instance with TLS, ensuring the use of TLSv1.2.

  3. If you use a self-signed certificate or a private PKI, you must add the signing certificate to the Delphix trust store. To do this, log in to Delphix Continuous Data Engine as the "sysadmin" user and add the ASE instance's certificate in the setup application, as instructed in the "Adding a certificate" section of the TrustStore settings page.

  4. Restart the Delphix Continuous Data Engine by selecting the Restart button available under the three dots (...) menu at the top of the page where the certificate was added.

  5. Access the CLI using the "admin" user and enable TLS support by setting the parameter enableTls to true for existing environments configured to use TLS following the above steps.

    ip-10-110-225-100> environment
    ip-10-110-225-100 environment> select Src 
    ip-10-110-225-100 environment 'Src'> update
    ip-10-110-225-100 environment 'Src' update *> edit aseHostEnvironmentParameters
    ip-10-110-225-100 environment 'Src' update aseHostEnvironmentParameters *> ls
    Properties
        type: ASEHostEnvironmentParameters
        credentials:
            type: PasswordCredential
            password: ********
        dbUser: sa
        enableTls: false
        skipServerCertificateValidation: false
    ip-10-110-225-100 environment 'Src' update aseHostEnvironmentParameters *> set enableTls=true
    ip-10-110-225-100 environment 'Src' update aseHostEnvironmentParameters *> commit
        Dispatched job JOB-39
        ENVIRONMENT_UPDATE job started for "Src".
        ENVIRONMENT_UPDATE job for "Src" completed successfully.

  6. Next, log in to the Delphix Continuous Data Engine UI using the "admin" user and initiate a refresh of the environment for which TLS support has been enabled. Upon successful completion of the environment refresh, navigate to the database tab on the environment page to locate the TLS port. If Delphix Continuous Data Engine encounters any issues discovering ASE instances (whether auto-discovered or manually added) running on the TLS port during the environment refresh operation, it will display an error or fall back to the TCP port if available, raising a corresponding fault.

  7. Re-enable the dSources and VDBs that were disabled in the initial step.

  8. If you want to create a new environment with TLS encryption enabled, you can do so by setting the parameter enableTls to true in ASEHostEnvironmentParameters.

    ip-10-110-225-100 environment create *> ls
    Properties
        type: HostEnvironmentCreateParameters
        hostEnvironment:
            type: UnixHostEnvironment
            name: Src (*)
            aseHostEnvironmentParameters:
                type: ASEHostEnvironmentParameters (*)
                credentials:
                    type: PasswordCredential (*)
                    password: ******** (*)
                dbUser: sa (*)
                enableTls: true (*)
                skipServerCertificateValidation: (unset)
            description: (unset)
            logCollectionEnabled: false
        hostParameters:
            type: UnixHostCreateParameters
            host:
                type: UnixHost
                address: kanojis-centos-79-sybase-160-src.dlpxdc.co (*)
                dspKeystoreAlias: (unset)
                dspKeystorePassword: (unset)
                dspKeystorePath: (unset)
                dspTruststorePassword: (unset)
                dspTruststorePath: (unset)
                javaHome: (unset)
                nfsAddressList: (unset)
                oracleHostParameters: (unset)
                privilegeElevationProfile: (unset)
                sshPort: 22
                sshVerificationStrategy: (unset)
                toolkitPath: /work (*)
        logCollectionEnabled: false
        primaryUser:
            type: EnvironmentUser
            name: sybase (*)
            credential:
                type: PasswordCredential
                password: ******** (*)
            environment: (unset)
            groupId: (unset)
            userId: (unset)
    ip-10-110-225-100 environment create *> commit
        UNIX_HOST_ENVIRONMENT-15
        Dispatched job JOB-159
        ENVIRONMENT_CREATE_AND_DISCOVER job started for "Src".
        ENVIRONMENT_CREATE_AND_DISCOVER job for "Src" completed successfully.

  9. Do not set the parameter skipServerCertificateValidation to true unless you have decided not to add the certificate to Delphix Continuous Data Engine. Setting it to true skips Sybase ASE server certificate validation during the TLS handshake. Delphix strongly advises against this setting, as it compromises the integrity and security of encrypted communication by exposing it to the risk of interception and impersonation. If you still choose to compromise TLS security by not adding the certificate to Delphix Continuous Data Engine and setting skipServerCertificateValidation to true, you can skip adding the certificate and restarting the Delphix Continuous Data Engine (steps 3 and 4 above).
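
A check for the settings in steps 5, 8 and 9, as an added example (not Delphix code): it parses pasted `ls` output in the format shown above and flags ASE environment parameters where enableTls is not true or skipServerCertificateValidation is true. The function names, finding labels and trimmed sample listings are constructed for illustration.

```python
import re

# Constructed samples: the two `ls` listings shown on this page, trimmed.
UPDATE_LS = """Properties
    type: ASEHostEnvironmentParameters
    credentials:
        type: PasswordCredential
    enableTls: false
    skipServerCertificateValidation: false
"""
CREATE_LS = """Properties
    hostEnvironment:
        aseHostEnvironmentParameters:
            type: ASEHostEnvironmentParameters (*)
            enableTls: true (*)
            skipServerCertificateValidation: (unset)
"""

def parse_ls(text):
    """Parse indented `key: value` CLI output into nested dicts."""
    root = {}
    stack = [(-1, root)]  # (indent, dict) for each open section
    for line in text.splitlines():
        m = re.match(r"^(\s*)([\w.]+):\s*(.*?)(?:\s*\(\*\))?\s*$", line)
        if not m:
            continue  # "Properties" header, prompts, job messages
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        while stack[-1][0] >= indent:  # leave sections at this depth or deeper
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # section header such as "credentials:"
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = None if value == "(unset)" else value
    return root

def audit(text):
    """Return (path, finding) pairs for each ASEHostEnvironmentParameters block."""
    findings, todo = [], [("", parse_ls(text))]
    while todo:
        path, node = todo.pop()
        if node.get("type") == "ASEHostEnvironmentParameters":
            if node.get("enableTls") != "true":
                findings.append((path or "/", "TLS_DISABLED"))
            if node.get("skipServerCertificateValidation") == "true":
                findings.append((path or "/", "CERT_VALIDATION_SKIPPED"))
        todo += [(f"{path}/{k}", v) for k, v in node.items() if isinstance(v, dict)]
    return findings
```

Run `audit()` on the listing captured before `commit`; an empty result means TLS is enabled and certificate validation is left on.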
