Specifying network encryption options in concsm.cfg

You can modify encryption communication support module (CSM) options by specifying libraries and encryption tags.

Informix® provides the following shared libraries for use as CSMs. The paths and fixed file names are:
  • $INFORMIXDIR/lib/client/csm/iencs11a.so (UNIX™ and Linux™)
  • %INFORMIXDIR%\bin\client\iencs11a.dll (Windows™)
The shared libraries also have version-specific names that can be used in place of the fixed names. If you use the version-specific name, and the server is updated, you must update the concsm.cfg file.
Note: Specifying encryption options directly in the concsm.cfg file is usually more difficult than specifying libraries and tags in an encryption parameters file because of syntax specifications. A sample file concsm.example is available in $INFORMIXDIR/etc (UNIX and Linux).

To configure the CSM for network encryption, use the following syntax to add a line to $INFORMIXDIR/etc/concsm.cfg (UNIX and Linux) or %INFORMIXDIR%\etc\concsm.cfg (Windows).

Figure 1: concsm.cfg entry syntax

Cipher options:

    cipher[ all | allbut:<cipher,...> | cipher:mode,... ]

    all is the default.

MAC options:

    mac[ levels:<level,...>(1), files:<builtin | file_name,...[,builtin]> ]

    level is one of high, medium, low, or off; medium is the default level, and builtin is the default file.

Switch options:

    switch[ cipher:negotiation_interval(1), key:negotiation_interval(1) ]

    Both switch sub-options are optional.

Notes:
  • (1) Use each path no more than once.
Option descriptions:

  all
      Include all available ciphers and all available modes, except ECB mode.
  allbut
      Include all ciphers except the ones listed.
  builtin
      The default MAC key file provided by Informix. The builtin file provides limited message verification that received messages have come from the HCL Informix client or server.
  cipher
      Include the specified cipher.
  client_library
      The path and name of the shared library that is the CSM on the client computer.
  csm_library
      The path and name of the shared library that is the CSM if the CSM is shared by both the database server and the client computers.
  files
      The comma-separated list of the full path names of MAC key files.
  key
      Message authentication code (MAC) keys used for message encryption.
  key_file
      The path and file name of the MAC key files.
  levels
      Specifies a comma-separated list of MAC generation levels that the connection supports:
        high    Use SHA1 MAC generation on all messages.
        medium  Use SHA1 MAC generation for all messages greater than 20 bytes long and XOR folding on smaller messages.
        low     Use XOR folding on all messages.
        off     Do not use MAC generation.
  mode
      Use the specified cipher mode:
        ecb     Electronic Code Book
        cbc     Cipher Block Chaining
        cfb     Cipher Feedback
        ofb     Output Feedback
  name
      The name that you assign to the CSM.
  negotiation_interval
      The minutes between renegotiations.
  parameter_file
      The path and file name of the file in which the encryption parameters are defined.
      Important: If the file does not exist at the specified path, then default parameter values are used. No error is returned.
  server_library
      The full path and name of the shared library that is the CSM on the database server.

Examples of using encryption tags

The following configuration string states to use all available ciphers except for any of the Blowfish ciphers, and to not use any cipher in ECB mode:

ENCCSM($INFORMIXDIR/lib/csm/iencs11a.so,
 cipher[allbut:<ecb,bf>])
The following configuration string states:
  • Use the DES/CBC-mode, EDE/OFB-mode, and DESX/CBC-mode ciphers for this connection.
  • Use either SHA1 MAC generation or XOR folding on all messages.
  • Use mac1.dat, mac2.dat, or the builtin MAC key file for encrypting messages.
  • Switch the cipher being used every 120 minutes and renegotiate the secret key every 15 minutes.
ENCCSM($INFORMIXDIR/lib/csm/iencs11a.so,
   cipher[des:cbc,ede:ofb,desx:cbc],
   mac[levels:<high,low>,files:</usr/local/bin/mac1.dat,
   /usr/local/bin/mac2.dat,builtin>],
   switch[cipher:120,key:15])
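A small parser and review check for entries in the format shown above, added here as an example; it is not part of the Informix documentation or product. The function names (parse_csm_entry, audit_csm_entry) and the review rules it applies (ECB mode still reachable, a low or off MAC level permitted, a MAC key file path listed more than once) are the editor's assumptions, not checks Informix performs.

```python
import re

def _split_top_level(text):
    # Split on commas that are not nested inside [...] or <...>.
    parts, cur, depth = [], [], 0
    for ch in text:
        depth += (ch in "[<") - (ch in "]>")
        if ch == "," and depth == 0:
            parts, cur = parts + ["".join(cur)], []
        else:
            cur.append(ch)
    return parts + ["".join(cur)]

def parse_csm_entry(entry):
    # Parse 'name(library, cipher[...], mac[...], switch[...])' into a dict;
    # line breaks inside an entry are ignored, as in the page's examples.
    m = re.fullmatch(r"([A-Za-z_]\w*)\((.*)\)", "".join(entry.split()))
    if not m:
        raise ValueError("expected name(library, options...)")
    fields = _split_top_level(m.group(2))
    out = {"name": m.group(1), "library": fields[0]}
    for opt in fields[1:]:
        om = re.fullmatch(r"(cipher|mac|switch)\[(.*)\]", opt)
        if not om or om.group(1) in out:
            raise ValueError(f"bad or repeated option: {opt!r}")
        key, inner = om.groups()
        if key != "cipher":   # mac and switch hold k:<list> or k:minutes sub-options
            items = [s.partition(":") for s in _split_top_level(inner)]
            out[key] = {k: v[1:-1].split(",") if v[:1] == "<" else int(v) for k, _, v in items}
        elif inner == "all":  # every cipher and mode except ECB, per the page
            out[key] = {"exclude": [], "list": []}
        elif inner.startswith("allbut:"):
            out[key] = {"exclude": inner[8:-1].split(","), "list": []}
        else:                 # explicit cipher:mode pairs
            out[key] = {"exclude": None, "list": [tuple(p.split(":")) for p in inner.split(",")]}
    return out

def audit_csm_entry(parsed):
    # Editor's review rules (assumptions, not Informix checks): ECB mode reachable,
    # weak MAC levels permitted, and a MAC key file path listed more than once.
    found, c, mac = [], parsed.get("cipher"), parsed.get("mac", {})
    if c and c["exclude"] and "ecb" not in c["exclude"]:
        found.append("allbut list does not exclude ECB mode")
    found += [f"{n} uses ECB mode" for n, mode in (c["list"] if c else []) if mode == "ecb"]
    found += [f"weak MAC level {lv!r} is permitted" for lv in mac.get("levels", []) if lv in ("low", "off")]
    files = mac.get("files", [])
    if len(files) != len(set(files)):
        found.append("a MAC key file path is listed more than once")
    return found
```

Running audit_csm_entry over the second example above reports only that the low MAC level is permitted; the first example produces no findings.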