TLS security for Sybase ASE
SAP offers a method to configure Sybase ASE instances utilizing TLS, enhancing security for connections to the Sybase ASE database.
Starting with release 23.0.0.0, Delphix Continuous Data Engine has introduced support for Sybase ASE instances configured with TLS. JDBC connections established by Delphix Continuous Data Engine to Sybase ASE instances can now be TLS enabled.
Implementing TLS support in the Delphix Continuous Data Engine
This feature adds TLS support, which provides encrypted JDBC connections between Delphix Continuous Data Engine and Sybase hosts.
Delphix Continuous Data Engine requires the following steps to be taken to support TLS for Sybase ASE instances.
TLS Configuration Steps
The following steps are required for both existing environment updates and new environment creation:
Step 1: Configure Sybase ASE Instance
- Configure the Sybase ASE instance with TLS, ensuring the use of TLSv1.2.
- Verify the ASE instance's certificates are available in the certificates directory (example):
$ ls -la $SYBASE/$SYBASE_ASE/certificates
-rw-------. 1 sybase sybase 6410 Dec 3 2024 NEALRH83.crt
-rw-rw-r--. 1 sybase sybase 1497 Dec 3 2024 NEALRH83.txt
Step 2: Add Certificate to Delphix Trust Store (if utilizing a self-signed certificate or a private PKI)
If utilizing a self-signed certificate or a private PKI, you must add the signing certificate to the Delphix trust store.
The ASE instance's certificates (e.g., NEALRH83.crt and NEALRH83.txt) need to be added to the Delphix engine.
Certificate names may vary depending on your ASE instance configuration.
Log in to Delphix Continuous Data Engine using the sysadmin user.
Add the ASE instance's certificate in the setup application as instructed in the "Adding a certificate" section of the TrustStore settings page.
Step 3: Restart Delphix Continuous Data Engine
- Restart the Delphix Continuous Data Engine by selecting the Restart button available under the three dots (...) menu at the top of the page where the certificate was added.
Enable TLS for Existing ASE Environment
Follow these steps to enable TLS support for an existing Sybase ASE environment:
- Disable ASE dSources and VDBs
  - Disable all Sybase ASE dSources and VDBs running on the ASE instance to prevent connection failures during TLS setup.
- Complete TLS Configuration Steps
  - Follow Steps 1-3 from the "TLS Configuration Steps" section above.
- Enable TLS Support via CLI
  - Access the CLI using the "admin" user.
  - Enable TLS support by setting the parameter enableTls to true for existing environments configured to use TLS following the above steps.
ip-10-110-225-100> environment
ip-10-110-225-100 environment> select Src
ip-10-110-225-100 environment 'Src'> update
ip-10-110-225-100 environment 'Src' update *> edit aseHostEnvironmentParameters
ip-10-110-225-100 environment 'Src' update aseHostEnvironmentParameters *> ls
Properties
    type: ASEHostEnvironmentParameters
    credentials:
        type: PasswordCredential
        password: ********
    dbUser: sa
    enableTls: false
    skipServerCertificateValidation: false
ip-10-110-225-100 environment 'Src' update aseHostEnvironmentParameters *> set enableTls=true
ip-10-110-225-100 environment 'Src' update aseHostEnvironmentParameters *> commit
Dispatched job JOB-39
ENVIRONMENT_UPDATE job started for "Src".
ENVIRONMENT_UPDATE job for "Src" completed successfully.
- Refresh Environment
  - Log in to the Delphix Continuous Data Engine UI using the "admin" user.
  - Initiate a refresh of the environment for which TLS support has been enabled.
  - Upon successful completion of the environment refresh, navigate to the database tab on the environment page to locate the TLS port.
  - If Delphix Continuous Data Engine encounters any issues discovering ASE instances (whether auto-discovered or manually added) running on the TLS port during the environment refresh operation, it will display an error or fall back to the TCP port if available, raising a corresponding fault.
- Re-enable dSources and VDBs
  - Re-enable the dSources and VDBs that were disabled in the initial step.
Create ASE Environment with TLS Support
If you want to create a new environment with TLS encryption enabled, you can do so by setting the parameter ‘enableTls’ to ‘true’ in ‘ASEHostEnvironmentParameters’.
Configuration Steps
- Complete TLS Configuration Steps
  - Follow Steps 1-3 from the "TLS Configuration Steps" section above.
- Create Environment with TLS Enabled
  - Access the CLI and configure the environment with TLS support:
ip-10-110-225-100 environment create *> ls
Properties
    type: HostEnvironmentCreateParameters
    hostEnvironment:
        type: UnixHostEnvironment
        name: Src (*)
        aseHostEnvironmentParameters:
            type: ASEHostEnvironmentParameters (*)
            credentials:
                type: PasswordCredential (*)
                password: ******** (*)
            dbUser: sa (*)
            enableTls: true (*)
            skipServerCertificateValidation: (unset)
        description: (unset)
        logCollectionEnabled: false
    hostParameters:
        type: UnixHostCreateParameters
        host:
            type: UnixHost
            address: kanojis-centos-79-sybase-160-src.dlpxdc.co (*)
            dspKeystoreAlias: (unset)
            dspKeystorePassword: (unset)
            dspKeystorePath: (unset)
            dspTruststorePassword: (unset)
            dspTruststorePath: (unset)
            javaHome: (unset)
            nfsAddressList: (unset)
            oracleHostParameters: (unset)
            privilegeElevationProfile: (unset)
            sshPort: 22
            sshVerificationStrategy: (unset)
            toolkitPath: /work (*)
    logCollectionEnabled: false
    primaryUser:
        type: EnvironmentUser
        name: sybase (*)
        credential:
            type: PasswordCredential
            password: ******** (*)
        environment: (unset)
        groupId: (unset)
        userId: (unset)
ip-10-110-225-100 environment create *> commit
UNIX_HOST_ENVIRONMENT-15
Dispatched job JOB-159
ENVIRONMENT_CREATE_AND_DISCOVER job started for "Src".
ENVIRONMENT_CREATE_AND_DISCOVER job for "Src" completed successfully.
Important Security Considerations
Do not set the parameter “skipServerCertificateValidation” to “true” unless you do not want to add the certificate to Delphix Continuous Data Engine. Setting it to “true” will skip the Sybase ASE server certificate validation during the TLS handshake. Delphix strongly advises against this setting, as it will compromise the integrity and security of encrypted communication by exposing it to the risk of interception and impersonation.
If you still choose to compromise TLS security by not adding the certificate into Delphix Continuous Data Engine and setting the parameter skipServerCertificateValidation to true, then you can skip adding the certificate & restart the Delphix Continuous Data Engine as outlined above.
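An added example, not part of the Delphix documentation or product: a Python check that reads a captured CLI session like the ones above and reports the effective state of enableTls and skipServerCertificateValidation, counting `set` edits only once they are committed. The function names, the constructed sample sessions and the treatment of a missing or (unset) value as false are assumptions of this example.

```python
import re

PROP = re.compile(r"^\s*(\w+):\s*(.*?)\s*(?:\(\*\))?\s*$")  # "key: value (*)"
SET = re.compile(r"\*>\s*set\s+(\w+)=(\S+)\s*$")            # "... *> set key=value"
PROMPT = "ip-10-110-225-100 environment 'Src' update aseHostEnvironmentParameters *>"

# Constructed sample, abbreviated from the update session shown on this page.
PAGE_SESSION = f"""{PROMPT} ls
Properties
    type: ASEHostEnvironmentParameters
    dbUser: sa
    enableTls: false
    skipServerCertificateValidation: false
{PROMPT} set enableTls=true
{PROMPT} commit
"""

# Constructed sample: TLS on, but certificate validation switched off.
RISKY_SESSION = PAGE_SESSION.replace(
    "set enableTls=true",
    f"set enableTls=true\n{PROMPT} set skipServerCertificateValidation=true")

def effective_properties(session):
    """Scalar properties from `ls` listings, overlaid with committed `set` edits."""
    props, pending = {}, {}
    for line in session.splitlines():
        staged = SET.search(line)
        if staged:
            pending[staged.group(1)] = staged.group(2)
        elif line.rstrip().endswith("*> commit"):
            props.update(pending)   # staged edits take effect only on commit
            pending.clear()
        else:
            listed = PROP.match(line)
            if listed and listed.group(2):   # skip keys that only open a nested object
                props[listed.group(1)] = listed.group(2)
    return props

def audit_tls(session):
    """Return findings for the two TLS properties discussed on this page."""
    props = effective_properties(session)
    # Assumption of this example: a missing or "(unset)" value behaves as false.
    if props.get("enableTls") != "true":
        return ["enableTls is not true: JDBC connections to ASE are not TLS enabled"]
    if props.get("skipServerCertificateValidation") == "true":
        return ["skipServerCertificateValidation is true: traffic is encrypted "
                "but the ASE server certificate is not validated"]
    return []
```
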