Securing your SSL Configuration Files using Secuconf
When you set up SSL for UniVerse and UniData servers, or for ODBC or OLEDB clients, you need to let the UniData and UniVerse server or client know where to find the SSL properties that will be used during SSL session establishment. For servers, the configuration is determined by the .unisecurity file under the unishared directory. For clients, the configuration is determined by the uci.config file under C:\U2\UniDK\Config directory. For both cases, you need to specify an SSL property container (SCR or SPL) name and its password.
By default, these configuration files are clear-text files (files that have not been encrypted and are not meant to be encrypted). As system security and compliance requirements become more stringent, you may find it desirable to make the configuration files more secure so that passwords are not exposed in clear text. UniVerse and UniData provide a utility, secuconf, for just such a purpose.
The secuconf utility gives you the capability to encrypt, decrypt or edit the two configuration files. Secuconf uses strong, standard cryptographic algorithms to perform the encryption. To encrypt a clear-text configuration file, you must log in as root (or Administrator on Windows), then run a command like the following:
$UVBIN/secuconf -encrypt /disk1/unishared/.unisecurity
C:\U2\UV\bin\secuconf -encrypt C:\U2\UniDk\Config\uci.config
Once a configuration file is encrypted, UniVerse or UniData servers or clients decrypt it transparently when it is accessed during SSL processing. UniVerse and UniData can automatically handle the configuration files in either clear-text or encrypted format. You encrypt the file once and can then forget about it until you need to make a change to it. You can modify an encrypted configuration file either through the secuconf utility or the XAdmin tool. You can also encrypt or decrypt the configuration file through XAdmin. To do this, start XAdmin, connect to the server where you want to make a change, then click “SSL Configuration” on the Admin Tasks pane. A new window will pop up. Click on the Server Configuration tab. The Encrypt/Decrypt option buttons will be enabled according to the current configuration file format.
For testing purposes, you may want to try the command on a copy first, producing a test file that you can work on to familiarize yourself with its many features:
secuconf -encrypt -out mycfg /disk1/unishared/.unisecurity
An encrypted version of the .unisecurity file will be saved to the mycfg file. If you examine it you will find its content is base64 encoded cipher text. To decrypt it:
secuconf -decrypt -out mycfg.clear mycfg
For additional security, you can add a password when you encrypt the file. Once you do this, the file can only be decrypted if you provide the correct password. Note that, when UniVerse or UniData accesses the file during SSL processing, the password is not needed. The password is needed only when you run secuconf or XAdmin to manage the encrypted configuration file. The following are examples of adding or using a password:
To add a password:
secuconf -encrypt -newpass mycfg
To edit the file using the password:
secuconf -edit -pass mycfg
The secuconf utility will prompt you for the password. Note that you can put the password on the command line if you like. If you want to change the password of an encrypted file, you must first decrypt it then re-encrypt it with the new password.
To prevent a configuration file from being moved to and misused on another machine, you can add a machine tag to the file. You achieve this by running secuconf with the tag option:
secuconf -encrypt -tag mycfg
Now if the file is moved to another machine, UniVerse or UniData cannot use it there. There is a retag option for secuconf that you can use to make the copied file usable again.
You can also check whether a file is already encrypted with the secuconf utility:
secuconf -isencrypted mycfg
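The steps above (test-encrypt to a scratch file, inspect, decrypt, then encrypt in place, optionally with a machine tag) fit naturally into one guarded script. The following POSIX shell script is an added example, not Rocket's own code or part of the original page. It assumes secuconf is on PATH or named by the SECUCONF variable, and it assumes that `secuconf -isencrypted FILE` exits 0 when FILE is encrypted and non-zero otherwise; the page documents the option but not its exit status, so that part is an assumption. Passwords are deliberately left to secuconf's own prompt (`-newpass`) rather than placed on the command line, where they would land in shell history and process listings.

```shell
#!/bin/sh
# Added example (not Rocket's code): a guarded secuconf encryption workflow.
# Assumptions: secuconf is on PATH (or SECUCONF names it), and
# "secuconf -isencrypted FILE" exits 0 iff FILE is encrypted (assumed, not
# documented on the page). Scratch files are created with mode 0600 and removed.

SECUCONF="${SECUCONF:-secuconf}"

# is_encrypted FILE: exit 0 if secuconf reports FILE as already encrypted.
is_encrypted() {
    "$SECUCONF" -isencrypted "$1" >/dev/null 2>&1
}

# roundtrip_check FILE: encrypt FILE to a scratch file, confirm the result is
# recognised as encrypted, decrypt it again, and compare with the original
# byte for byte. FILE itself is never modified. Exit 0 on success, 2 if FILE
# is already encrypted, 1 on any other failure.
roundtrip_check() {
    src="$1"
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    if is_encrypted "$src"; then
        echo "$src is already encrypted; nothing to do" >&2
        return 2
    fi
    # Private scratch directory (umask applies only inside the subshell).
    work="$(umask 077 && mktemp -d)" || return 1
    rc=1
    if "$SECUCONF" -encrypt -out "$work/enc" "$src" >/dev/null \
       && is_encrypted "$work/enc" \
       && "$SECUCONF" -decrypt -out "$work/clear" "$work/enc" >/dev/null \
       && cmp -s "$src" "$work/clear"; then
        rc=0
    else
        echo "encrypt/decrypt round trip failed for $src" >&2
    fi
    rm -rf "$work"     # never leave a clear-text copy behind
    return $rc
}

# encrypt_in_place FILE [secuconf options...]: run the round trip first, then
# encrypt FILE in place (for example with -tag so a copied file is unusable
# on another machine). Must run as root, as the page requires.
encrypt_in_place() {
    src="$1"; shift
    [ "$(id -u)" -eq 0 ] || { echo "run as root (Administrator on Windows)" >&2; return 1; }
    roundtrip_check "$src" || return $?
    "$SECUCONF" -encrypt "$@" "$src" && is_encrypted "$src"
}

# Usage (as root): sh secure_cfg.sh /disk1/unishared/.unisecurity
if [ $# -gt 0 ]; then
    encrypt_in_place "$1" -tag
fi
```

The round trip is the important part: encrypting in place without first proving that secuconf can decrypt the result back to the original leaves you with a server that cannot load its SSL configuration and no clear-text copy to fall back on.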
In summary, the secuconf utility can help you protect your assets and satisfy your business compliance requirements. Currently, only the two configuration files mentioned above can be protected in such a way that UniVerse and UniData can automatically access them in both formats.