cancel
Showing results for 
Search instead for 
Did you mean: 

Cannot connect to Sybase Server using the client

Former Member
0 Kudos

Hi,

I am using RedHat Linux, i configured Sybase Server for SSL, but client connection ISQL cannot connect to the server.

I followed the instruction from the below link:

SSL with Adaptive Server Enterprise (ASE) - Wiki Stage - SCN Wiki

Common Name for CA root Certificate is my ServerName(Eg: REDHATSERVER)

Common Name for Server Certificate is my ServerName(Eg: REDHATSERVER)

While starting server it seems started correctly:

ssl_getcertpath: Entered.

ssl_getcertdirpath: Entered.

ssl_gettrusedpath: Entered.

ssl_getcertdirpath: Entered.

sslcontextinit(0x4546f40) begin:

dh_configcontext(0x4546f40) begin:

dh_configcontext(0x4546f40), returning DH error 0

syb_3des_decrypt() entry.

getdes_decrypt() entry

getdes_decrypt() returns 0.

syb_3des_decrypt() error 0, returns 64.

ssl_verifyidentityfile() entry.

ssl_verifyidentityfile() returns 0.

00:00000:00001:2014/09/29 16:16:30.83 kernel  Certificate load from file `/home/sybase/sybase/ASE-15_0/certificates/REDHATSERVER.crt`: succeeded.

00:00000:00001:2014/09/29 16:16:30.83 kernel  Trusted root certificates loaded from file '//home/sybase/sybase/ASE-15_0/certificates/REDHATSERVER.txt': succeeded.

sslcontextinit(0x4546f40) return SUCCESS!

ssl_setciphersincontext(0x4546f40, 1): entered.

ssl_makecipherarray(0x487dd00, 0x487dd04) entry.

ssl_makecipherarray() returns (0).

ssl_setciphersincontext(0x4546f40, 1): exiting with return value 0

ssl_initmasterctxt(): returns success.

00:00000:00008:2014/09/29 16:16:30.84 kernel  network name REDHATSERVER, interface IPv4, address 172.20.136.43, type tcp, port 5000, filter NONE

ssl_ninit(0) entry

00:00000:00008:2014/09/29 16:16:30.84 kernel  network name REDHATSERVER, interface IPv4, address 172.20.136.43, type ssltcp, port 6006, filter ssl

ssl_listen(0) returns success 2, snflags 0x6

Below command to concat the certicate:

cat REDHATSERVER.txt >> $SYBASE/config/trusted.txt

Below Command to connect through ISQL:

isql -Usa -SREDHATSERVER:6006

Password:

CT-LIBRARY error:

ct_connect(): network packet layer: internal net library error: Net-Library operation terminated due to disconnect

Detailed Logs on connecting through ISQL:

ssl_nopen(2) entry

ssl_nopen(2) returns 14 soflags 0x0

ssl_nopen(2) entry

ssl_handshake(14) entry

ssl_readcb(0x4550688, 3, 0x4a078dc, 0x5b926c0) entry

ssl_readcb() returns sslerr 0, processed 3

ssl_readcb(0x455081d, 512, 0x4a078ec, 0x5b926c0) entry

ssl_readcb() returns sslerr 0, processed 512

ssl_writecb(0x45518dc, 7, 0x4a0794c, 0x5b926c0) entry

ssl_writecb() returns sslerr 0, processed 7

ssl_handshake(14) return err -2, sslerr -6996

ssl_nclose(0x5b926c0) entry

00:00000:00023:2014/09/29 16:16:47.33 kernel  ssl_close(14): SSLClose(0x451e3b0) failed (-6989).

ssl_nclose(0x5b926c0) return 0

I can't guess where i am wrong. I spent a day for this to work. Anyone help me on this.

Thanks,

Ganesan G

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
0 Kudos

To determine if current connection is using SSL or not, I would run this query:

select @@ssl_ciphersuite

Now when it comes to debugging SSL connectivity, there is useful debugging facility in OCS libraries. Specifically, you can do this:

set SYBOCS_DEBUG_FLAGS=CS_DBG_SSL

set SYBOCS_DEBUG_LOGFILE=libsybfssl.log

isql –S my_ssl_server –U ... -x trusted_txt_path

and then examine the libsybfssl.log file for debugging information. Note that the interfaces file on isql machine must have an entry configured for my_ssl_server like below:

[my_ssl_server]

query=NLWNSCK,my_ssl_server,6006,ssl

ryan_hansen
Contributor
0 Kudos

This is correct:
select @@ssl_ciphersuite
will let you know what type of ssl connection you are running.

Also, put your ssl port number first this will be the first entry tried.

If this entry fails then it will go to the non ssl port ie next entry.

Former Member
0 Kudos

Hi,

On specifying ssl entry alone in interfaces file resolved the issue.

REDHATSERVER

        master tcp ether redhatserver 6006 ssl

        query tcp ether redhatserver 6006 ssl


Now i can connect using iSQL.

I faced another problem, i can't connect Sybase ASE server with SSL using jTDS driver.

Connection String :

jdbc:jtds:sybase://<hostName>:<port>/<database_name>;ssl=require


Stack Trace :

Caused by: java.sql.SQLException: I/O Error: Connection reset

  at net.sourceforge.jtds.jdbc.TdsCore.nextToken(TdsCore.java:2387)

  at net.sourceforge.jtds.jdbc.TdsCore.login(TdsCore.java:614)

  at net.sourceforge.jtds.jdbc.ConnectionJDBC2.<init>(ConnectionJDBC2.java:356)

  at net.sourceforge.jtds.jdbc.ConnectionJDBC3.<init>(ConnectionJDBC3.java:50)

  at net.sourceforge.jtds.jdbc.Driver.connect(Driver.java:185)

  at java.sql.DriverManager.getConnection(DriverManager.java:582)

  at java.sql.DriverManager.getConnection(DriverManager.java:185)

  ... 46 more

Caused by: java.net.SocketException: Connection reset

  at java.net.SocketInputStream.read(SocketInputStream.java:168)

  at java.io.DataInputStream.readFully(DataInputStream.java:178)

  at java.io.DataInputStream.readFully(DataInputStream.java:152)

  at net.sourceforge.jtds.jdbc.SharedSocket.readPacket(SharedSocket.java:851)

  at net.sourceforge.jtds.jdbc.SharedSocket.getNetPacket(SharedSocket.java:732)

  at net.sourceforge.jtds.jdbc.ResponseStream.getPacket(ResponseStream.java:477)

  at net.sourceforge.jtds.jdbc.ResponseStream.read(ResponseStream.java:114)

  at net.sourceforge.jtds.jdbc.TdsCore.nextToken(TdsCore.java:2281)

  ... 56 more

Note: I need encryption alone without certification validation.

jTDS Driver Version : 1.2.8

JRE : 1.6.0_14


Thanks,

Ganesan G.

ryan_hansen
Contributor
0 Kudos

Java uses a different method to setup ssl.

I don't have much experience with jdbc.

Sybase Central (java tool) used a keystore to save ssl certificates.

Hopefully someone else can reply or you can create a new thread with a header on this new question.

Regards,

Ryan

Former Member
0 Kudos

From the jTDS\README.SSL file:

At this point it should be noted that the solution has been tested against SQL

Server 2000 (SQL2K), and nothing else. Everything in this section applies to SQL

Server 2000. Having said that, the changes made to support SSL will not affect

the behavior of jTDS with other products when using plain sockets.


So SSL is not supported for SAP ASE in jTDS.

Answers (1)

Answers (1)

ryan_hansen
Contributor
0 Kudos

Hi Ganesan G,

Is your ASE name REDHATSERVER?

Do you have an entry in your interfaces file?

REDHATSERVER
master tcp ether host port ssl

query tcp ether host port ssl

SSL will not work if you do not use the specific name of your ASE,
which should also be your CN or common name in the ssl certificate.

Try:
isql -Usa -SREDHATSERVER

If you add the port number in -S it will not work.

Regards,
Ryan

Former Member
0 Kudos

Hi Ryan,

Yes, my ASE name is REDHATSERVER.

In my interfaces file, i have entry as below:

REDHATSERVER

        master tcp ether redhatserver 5000

        query tcp ether redhatserver 5000

        master tcp ether redhatserver 6006 ssl

        query tcp ether redhatserver 6006 ssl

ISQL is connecting to server if the port number is not specfified. But how can i find, is it connected with encryption(6006 port) or plain text connection(5000 port).


isql is also connecting with port 5000 as below:

isql -Usa -SREDHATSERVER:5000

Common Name for CA root Certificate is REDHATSERVER

Common Name for Server Certificate is REDHATSERVER

Still the error persisit.

Regards,

Ganesan G.