 

14 Configuring the SequeLink® Proxy Server


This chapter describes how to configure the SequeLink Proxy Server.

Using the SequeLink® Proxy Server

Untrusted applets cannot open a connection to a machine other than the originating host. Therefore, if any JDBC Client will be used by an untrusted applet, your SequeLink Server software must be installed on the same machine as your Web server software. This is a Java restriction. To circumvent this restriction, SequeLink provides a component written in Java that you can install on your Web server host called the SequeLink Proxy Server.

Installing the SequeLink Proxy Server on the Web server from which your JDBC applets are downloaded allows untrusted applets to connect to SequeLink Servers on hosts other than the Web server, as shown in Figure 14-1.

Figure 14-1. SequeLink Proxy Server Installed on a Web Server

Figure illustrating how a SequeLink Proxy Server is installed on a Web server

The SequeLink Proxy Server maps incoming TCP/IP connection requests from the JDBC Client to outgoing TCP connections to other hosts. When the SequeLink Proxy Server receives a connection request on a particular TCP/IP port, the SequeLink Proxy Server establishes a TCP/IP connection to a remote host and transfers data packets between the SequeLink Java Client and the remote host.

In addition, you can use Secure Socket Layer (SSL) encryption with the proxy server to encrypt data between the SequeLink Proxy Server and the JDBC Client. You can also use SSL with a Java application running on your Intranet to secure data over your entire network by installing the SequeLink Proxy Server on the same machine as the SequeLink Server. For example, you may want to use SSL to encrypt the data sent between an application server and the data store serviced by a SequeLink Server on another machine. See "Using SSL Encryption" for more information about SSL.

Configuring the SequeLink® Proxy Server

Each SequeLink service serviced by the SequeLink Proxy Server must be described in a configuration file, service_name.cfg, where service_name is the name of the service. We recommend that the service name be the same as the SequeLink service it is servicing. Configuration files are stored in the proxy server directory and use the following keyword=value pairs:

Port
The incoming TCP/IP port. The JDBC applet or application must specify this TCP/IP port (and the IP address of the Proxy Server host) in the JDBC connection string.
ServerPort
The TCP/IP port of the service to which the final connection is made. This port must be the same port defined in the service configuration on the remote host. A default SequeLink service installation uses the port 19996.
Host
The IP address of the remote host or a symbolic host name.
AdminPort
The TCP/IP port on which the SequeLink Proxy Server listens for administration requests (for example, requests to stop the SequeLink Proxy Server).
NOTE: If you do not want the SequeLink Proxy Server to listen for administration requests, omit this keyword from the configuration file. For example, if the SequeLink Proxy Server is installed on a Web server that is accessible by the Internet, your firewall may be configured to block requests from the Internet to the proxy server administration port.

You can find a configuration file template (proxyserver.cfg) in the proxy server directory. The configuration file must be located in the directory from which you start or stop the SequeLink Proxy Server.

Configuration File Example:

Port=4000 
ServerPort=4003 
Host=189.23.5.132 
AdminPort=5000 

NOTES:

Starting and Stopping the SequeLink® Proxy Server

This section provides instructions for starting and stopping the SequeLink Proxy Server.

Starting the SequeLink® Proxy Server

On Windows:

Open a command-line window and change the working directory to the proxy server directory. Start the SequeLink Proxy Server by running the command appropriate for the JDK you are using:

JDK 1.3
proxyserver -s [-v jview] configfile
JDK 1.4 or higher
proxyserver14 -s [-v jview] configfile

where configfile is the name of the proxy server configuration file without the .CFG extension. By default, this batch file uses the JDK JVM. If you want to use the Microsoft Java Virtual Machine (JVM), specify the optional parameter -v jview as shown in the preceding example.

On UNIX:

Start the SequeLink Proxy Server by running the shell script appropriate for the JDK you are using:

JDK 1.3
proxyserver.sh -s [-v jview] configfile
JDK 1.4 or higher
proxyserver14.sh -s [-v jview] configfile

where configfile is the name of the proxy server configuration file without the .CFG extension. The configuration file must be located in the directory from which you start or stop the SequeLink Proxy Server.

Stopping the SequeLink® Proxy Server

On Windows 200x/Windows XP:

Open a command-line window and change the working directory to the proxy server directory. Stop the SequeLink Proxy Server by running the command appropriate for the JDK you are using:

JDK 1.3
proxyserver -q [-v jview] configfile
JDK 1.4 or higher
proxyserver14 -q [-v jview] configfile

where configfile is the name of the proxy server configuration file without the .CFG extension. By default, this BAT file uses the JDK JVM. If you want to use the Microsoft JVM, specify the optional parameter -v jview as shown in the preceding example.

On UNIX:

Stop the SequeLink Proxy Server by running the shell script appropriate for the JDK you are using:

JDK 1.3
proxyserver.sh -q [-v jview] configfile
JDK 1.4 or higher
proxyserver14.sh -q [-v jview] configfile

where configfile is the name of the proxy server configuration file without the .CFG extension. The configuration file must be located in the directory from which you start or stop the SequeLink Proxy Server.

SequeLink® Proxy Server Logging

All messages generated by the SequeLink Proxy Server are written to a log file in the installdir/proxy/log/ directory, where installdir is your installation directory. The log file name has the format:

proxy_server_name.log

where proxy_server_name is the name of the SequeLink Proxy Server. Severe errors and information, such as server started or server stopped messages, are also displayed on the screen.

Using the SequeLink® Proxy Server as a Windows Service

Before you install the SequeLink Proxy Server as a Windows service, check the following requirements:

Installing the SequeLink Proxy Server as a Windows Service

  1. Create a proxy server configuration file.
  2. Open a Windows command window and change the working directory to the proxy subdirectory of the SequeLink Client for JDBC directory.
  3. Issue the following command:

    cmdsrvc -s service_name -c -r [-v jview]

    where service_name is the name of the proxy server configuration file. This command creates a Windows service for the SequeLink Proxy Server. Use the Windows Event Viewer to verify that the service was created successfully (in the Application log for the source cmdsrvc). By default, the JDK JVM is used. If you want to use the Microsoft JVM, specify the optional parameter -v jview as shown in the preceding example.

    The Windows service you created should have the following attributes:

    • Automatic startup
    • Log on as System Account
    • Allow service to interact with the desktop

    In addition, a Windows Event Viewer source is defined with the name of the SequeLink Proxy Server. The SequeLink Proxy Server logs start and stop messages to this source.

  4. Start the Windows service using the Windows Services control panel. Because the service is configured for automatic startup, it will also start when the Windows machine is initialized.

NOTE: Make sure that the following files located in the proxy/lib directory are added to the CLASSPATH definition of your JVM:

| For a SequeLink Proxy Server running in... | Add this file to the CLASSPATH of your JVM... |
| --- | --- |
| Java 2 Platform JVM without SSL | slproxy.jar |
| Java 2 Platform JVM with SSL or data scrambling enabled (JDK 1.3) | slproxy.jar and slssl.jar |
| Java 2 Platform JVM with SSL or data scrambling enabled (JDK 1.4 or higher) | slproxy.jar, slssl14.jar, and iaik_jce_full.jar |

Un-Installing the SequeLink® Proxy Server as a Windows Service

Before you un-install the SequeLink Proxy Server as a Windows service, make sure that you have administrator rights.

To un-install the SequeLink Proxy Server:

  1. Stop the SequeLink Proxy Server Windows service using the Windows Services control panel.
  2. Open a Windows command-line window.
  3. Change the working directory to the proxy server subdirectory in the SequeLink for JDBC Client directory.
  4. Issue the following command:

    cmdsrvc -s service_name -d

Using SSL Encryption

If your SequeLink environment requires greater data privacy than that provided by fixed-key DES, fixed-key 3DES, or byteswap, you can use the Secure Socket Layer (SSL) to encrypt data exchanged between the SequeLink Client for JDBC and the SequeLink Proxy Server. This assumes that the communication between the SequeLink Proxy Server machine (for applets, the Web server from which the applets are downloaded) and the SequeLink Server machine is secure, meaning that:

NOTE: SequeLink data scrambling (fixed-key DES, fixed-key 3DES, and byteswap) can work with SSL, resulting in a completely secure combination between the SequeLink Client for JDBC and the SequeLink Proxy Server and between the SequeLink Proxy Server and the SequeLink Server.

Using SSL with a Java application running on your Intranet, you can secure data over your entire network by installing the SequeLink Proxy Server on the same machine as the SequeLink Server (as shown in Figure 14-2) and specifying localhost as the host name of the SequeLink Server in the proxy server configuration file. The cleartext messages that are sent between the SequeLink Proxy Server and the SequeLink Server do not leave the machine.

Figure 14-2. Using SSL with the SequeLink Proxy Server Installed on the SequeLink Server

A figure illustrating how to use SSL with the SequeLink Proxy Server installed on the SequeLink Server

NOTE: SequeLink uses the IETF TLS (Transport Layer Security) 1.0 standard, the successor to the SSL 3.0 protocol.

SSL Cipher Suites

SSL cipher suite definitions have the format:

SSL_KeyExchangeMethod_WITH_DataTransferCipher_DigestFunction

Table 14-1 lists the cryptographically strong SSL cipher suites supported by SequeLink.

Table 14-1. Strong SSL Cipher Suites Supported by SequeLink
Cipher Suite
SSL_DH_anon_WITH_RC4_128_MD5
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_RC4_128_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA

Cryptographic Characteristics of Key Exchange Algorithms

Table 14-2 lists the cryptographic characteristics of SSL key exchange algorithms, including a description, the key-size limit, and the type of situation for which specific algorithms are most appropriate.

Table 14-2. Cryptographic Characteristics of Key Exchange Algorithms 
| Key Exchange Algorithm | Description | When to Use |
| --- | --- | --- |
| DH_anon | The Diffie-Hellman parameters are generated during session establishment. | When there is no risk of man-in-the-middle attacks. |
| DHE_DSS | The Diffie-Hellman parameters are generated during session establishment. They are signed by the DSS certificate. | When the DSS certificate of the server is used for signing only and not used for key exchange. |
| DHE_RSA | The Diffie-Hellman parameters are generated during session establishment. They are signed by the RSA certificate. | When the RSA certificate of the server is used for signing only and not used for key exchange. |
| RSA | The public key from the RSA certificate is used for key exchange. | When the server uses an RSA certificate. |

Cryptographic Characteristics of Data Transfer Ciphers

Table 14-3 lists the cryptographic characteristics of data transfer ciphers, including the algorithm used and the effective key size.

Table 14-3. Cryptographic Characteristics of Data Transfer Ciphers
| Data Transfer Cipher | Algorithm | Effective Key Size |
| --- | --- | --- |
| DES_CBC | DES in cipher block chaining mode | 56 |
| 3DES_EDE_CBC | Triple DES in cipher block chaining mode | 168 |
| RC4 | RC4 from RSA | 128 |

Configuring SSL Encryption for the SequeLink® Proxy Server

You configure SSL encryption in the proxy server configuration file by adding the keyword=value pairs:

Network=ssl 
CipherSuites=value 

NOTES:

  1. The Network and CipherSuites keywords in the proxy server configuration file are case-sensitive.
  2. If you do not want to use SSL, specify Network=socket in the proxy server configuration file or omit the Network keyword from the configuration file.
  3. The value of the CipherSuites keyword is a list of cipher suites to use, in order of preference. The listed cipher suites are separated by commas with no blank spaces allowed. You must specify cipher suites that use the same type of certificate. For example, you cannot specify a combination of RSA cipher suites and DSS cipher suites. See "SSL Cipher Suites" for a list of supported cipher suites.
  4. For cipher suites that require a DSS or RSA certificate, you must specify the X.509 certificate (with the public key) and the corresponding private key in the proxy server configuration file. See Table 14-4 for a list of the keyword=value pairs you can specify in the proxy server configuration file for each key exchange algorithm.
  5. When the SequeLink Client for JDBC and the SequeLink Proxy Server agree on a cipher suite that requires a certificate, the SequeLink Client for JDBC must specify the certificate checker class that will be used to verify the certificate chain the SequeLink Proxy Server sends to the SequeLink Client for JDBC. See "Verifying the SequeLink® Proxy Server Certificate" for more information on certificate checker classes.

Table 14-4 lists the key exchange algorithms you can use and the keyword=value pairs you can specify in the proxy server configuration file when using a particular key exchange algorithm.

Table 14-4. Key Exchange Algorithms and Keyword/Value Pairs for the SequeLink Proxy Server

| Key Exchange Algorithm | Keyword | Value |
| --- | --- | --- |
| DHE_DSS | DSSCertificate | Name of the file with the DSS certificate in DER format or a PKCS #7 certificate chain. |
| | DSSPrivateKey | Name of the file with the DSS private key in PKCS #8 encrypted format. |
| | PassPhrase | Pass phrase with which the private key file is encrypted. If this keyword is unspecified, the Proxy Server will prompt for the pass phrase. |
| | UsePassPhraseDialog | To be prompted for the pass phrase using the standard input/output instead of a dialog box, set this keyword to No. Remember that the pass phrase will be shown on the screen as you type. |
| DHE_RSA | RSACertificate | Name of the file with the RSA certificate in DER format or a PKCS #7 certificate chain. |
| | RSAPrivateKey | Name of the file with the RSA private key in PKCS #8 encrypted format. |
| | PassPhrase | Pass phrase with which the private key file is encrypted. If this keyword is unspecified, the Proxy Server will prompt for the pass phrase. |
| | UsePassPhraseDialog | To be prompted for the pass phrase using the standard input/output instead of a dialog box, set this keyword to No. Remember that the pass phrase will be shown on the screen as you type. |
| RSA | RSACertificate | Name of the file with the RSA certificate in DER format or a PKCS #7 certificate chain. |
| | RSAPrivateKey | Name of the file with the RSA private key in PKCS #8 encrypted format. |
| | PassPhrase | Pass phrase with which the private key file is encrypted. If this keyword is unspecified, the Proxy Server will prompt for the pass phrase. |
| | UsePassPhraseDialog | To be prompted for the pass phrase using the standard input/output instead of a dialog box, set this keyword to No. Remember that the pass phrase will be shown on the screen as you type. |
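
The cipher suite name format, the CipherSuites rules in the notes above, and the keyword requirements of Table 14-4 can be checked mechanically before a configuration file is deployed. The following Python sketch is an added example, not part of SequeLink; the finding codes, the 128-bit threshold, and the sample configuration are assumptions of the example.

```python
import re

SUPPORTED = {  # the twelve cipher suites of Table 14-1
    "SSL_DH_anon_WITH_RC4_128_MD5", "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
    "SSL_DH_anon_WITH_DES_CBC_SHA", "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_DSS_WITH_DES_CBC_SHA", "SSL_DHE_DSS_WITH_RC4_128_SHA",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA",
}
KEY_BITS = {"DES_CBC": 56, "3DES_EDE_CBC": 168, "RC4_128": 128}  # Table 14-3
# Certificate type per key exchange (Tables 14-2, 14-4); None = anonymous.
CERT_TYPE = {"DH_anon": None, "DHE_DSS": "DSS", "DHE_RSA": "RSA", "RSA": "RSA"}
MIN_KEY_BITS = 128  # assumption of this example, not a value from the page
SUITE_RE = re.compile(r"^SSL_(.+?)_WITH_(.+)_(MD5|SHA)$")


def parse_config(text):
    """Return the keyword=value pairs of a proxy server configuration file."""
    pairs = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            pairs[key.strip()] = value.strip()
    return pairs


def parse_suite(name):
    """Split a Table 14-1 suite into (key exchange, cipher, digest), else None."""
    match = SUITE_RE.match(name) if name in SUPPORTED else None
    return match.groups() if match else None


def audit(text):
    """Return a sorted list of (code, detail) findings for one configuration."""
    cfg, out = parse_config(text), set()
    for key in cfg:
        for good in ("Network", "CipherSuites"):  # case-sensitive keywords
            if key != good and key.lower() == good.lower():
                out.add(("KEYWORD_CASE", f"{key} should be written {good}"))
    if "AdminPort" in cfg:
        out.add(("ADMIN_PORT", f"administration port {cfg['AdminPort']} is listening"))
    if cfg.get("Network", "socket") != "ssl":
        out.add(("NO_SSL", "Network is not ssl; the client link is not SSL-encrypted"))
        return sorted(out)
    raw = cfg.get("CipherSuites", "")
    if re.search(r"\s", raw):
        out.add(("SUITE_SPACES", "CipherSuites must not contain blank spaces"))
    cert_types = set()
    for name in filter(None, (s.strip() for s in raw.split(","))):
        parsed = parse_suite(name)
        if parsed is None:
            out.add(("SUITE_UNKNOWN", name))
            continue
        kx, cipher, _digest = parsed
        if CERT_TYPE[kx] is None:
            out.add(("ANON_SUITE", f"{name}: no server authentication"))
        else:
            cert_types.add(CERT_TYPE[kx])
        if KEY_BITS[cipher] < MIN_KEY_BITS:
            out.add(("WEAK_CIPHER", f"{name}: {KEY_BITS[cipher]}-bit effective key"))
    if len(cert_types) > 1:
        out.add(("MIXED_CERT_TYPES", "RSA and DSS suites cannot be combined"))
    for ctype in cert_types:
        for kw in (f"{ctype}Certificate", f"{ctype}PrivateKey"):
            if kw not in cfg:
                out.add(("MISSING_KEYWORD", kw))
            elif "demo-" in cfg[kw]:
                out.add(("DEMO_CERT", f"{kw}={cfg[kw]} is a test-only demo file"))
    if "PassPhrase" in cfg:
        out.add(("PASSPHRASE_IN_FILE", "pass phrase stored in cleartext in the .cfg"))
    return sorted(out)


# Constructed sample: mixes RSA, DSS and anonymous suites, has a blank space
# and an unknown suite, and supplies only the RSA certificate keywords.
SAMPLE = """Port=4000
Host=localhost
ServerPort=19996
Network=ssl
CipherSuites=SSL_RSA_WITH_RC4_128_SHA, SSL_DHE_DSS_WITH_RC4_128_SHA,SSL_DH_anon_WITH_DES_CBC_SHA,TLS_FOO
RSACertificate=cert/server.p7b
RSAPrivateKey=cert/server.pk8
"""

if __name__ == "__main__":
    for code, detail in audit(SAMPLE):
        print(f"{code:18} {detail}")
```
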

Using Private Keys with the SequeLink® Proxy Server

The SSL cipher suites that use server authentication require a valid server certificate and associated private key. The SequeLink Proxy Server must access the private key from a private key file. Because it is not safe to store the private key as cleartext in a file, the SequeLink Proxy Server expects the private key to be stored in PKCS #8 format, which is a standard method of storing encrypted private keys when the encryption key is derived from a pass phrase.

Providing the Pass Phrase for the SequeLink® Proxy Server

The SequeLink Proxy Server requires the pass phrase to start. The private key can be retrieved in either of the following ways:

Storing the Private Key in PKCS #8 Format

If your private key is in cleartext format, you can use the encrypt.bat utility (on Windows) or the encrypt.sh shell script (on UNIX) to store the key in a file in PKCS #8 format.

The private keys are encrypted with triple DES with a 168-bit key derived from the pass phrase using a one-way hash function (SHA).

To provide sufficient randomness in the generated keys, you must provide sufficient randomness in the pass phrase. The English language has approximately 1.3 bits of randomness for each character; therefore, to provide 168 random bits for the two keys, you must have 130 characters (conservatively) of English text. Using punctuation characters and a mix of upper and lowercase letters, you can construct pass phrases that have more randomness with fewer characters.

Using the Encryption Tool

On Windows 200x/Windows XP:

encrypt [-v virtual_machine] infile outfile 

where:

virtual_machine
is the executable name of the JVM that is installed on the machine where you encrypt the key. By default, this BAT file uses the JDK JVM. If you want to use the Microsoft JVM, specify the optional parameter -v jview.
infile
is the name of the cleartext file.
outfile
is the name of the encrypted file.

On UNIX:

encrypt.sh infile outfile 

where:

infile
is the name of the cleartext file.
outfile
is the name of the encrypted file.

You may want to run the encryption tool on a machine other than the one running the SequeLink Proxy Server and transfer the encrypted file to the SequeLink Proxy Server host to avoid writing a copy of the private key in cleartext on the SequeLink Proxy Server host. Make sure that you transfer the complete proxy/lib directory to the machine on which you want to run the encryption tool.

The proxy server installation directory also contains a decryption tool that can be used to decrypt a file that has been encrypted with the encryption tool. The encryption and decryption tools prompt for the pass phrase and show it on the screen as you type, so make sure that you close the terminal session window after you have encrypted or decrypted the file to prevent unauthorized people from viewing it.

Using the Decryption Tool

On Windows 200x/Windows XP:

decrypt [-v virtual_machine] infile outfile 

where:

virtual_machine
is the executable name of the JVM that is installed on the machine where you encrypt the key. By default, this BAT file uses the JDK JVM. If you want to use the Microsoft JVM, specify the optional parameter -v jview.
infile
is the name of the encrypted file.
outfile
is the name of the cleartext file.

On UNIX:

decrypt.sh infile outfile 

where:

infile
is the name of the encrypted file.
outfile
is the name of the cleartext file.

Verifying the SequeLink® Proxy Server Certificate

When you use a cipher suite that specifies server authentication, the SSL handshake protocol ensures that the server knows the private key that corresponds to the public key in the certificate. Subsequently, the client application must verify that the server is indeed the server with which it wants to communicate by verifying that the received certificate is the certificate that it expects from the server.

The JDBC application or applet provides the SequeLink Client for JDBC with a class that implements the com.ddtek.sequelink.cert.CertificateCheckerInterface interface. If you do not supply a class that implements this interface, the connection will be refused.

This interface is defined as:

package com.ddtek.sequelink.cert; 
public interface CertificateCheckerInterface 
   {  
   public void CheckCertificate(byte [][] certChain) 
      throws SecurityException; 
   } 

The JDBC driver calls this method and passes it the X.509 certificate chain that it received during the SSL handshake. All certificates are DER encoded, and the server certificate is the first certificate in the array. The checkCertificate method must verify that the received certificate is trusted and is, for example, signed by a trusted authority. If the certificate is not trusted, the method must throw a SecurityException. You specify the name of the class that implements this interface in the certificateChecker keyword in the JDBC connection URL or the data source.

The driver/examples subdirectory contains the Java source files listed in Table 14-5 as examples of classes that implement CertificateCheckerInterface.

Table 14-5. Java Source Files Implementing CertificateCheckerInterface
| Java Source File | Description |
| --- | --- |
| CheckAgainstCertificateFromJar.java | Adapt and use for downloaded applets. |
| CheckAgainstCertificateFromFile.java | Adapt and use for Java applications on a client machine. |
| KeyStoreCertificateChecker.java | Adapt and use for Java applications that use a Java 2 keystore to verify that the provided certificate chain is trusted. |

These classes retrieve the server certificate from a JAR file, or local file, and compare it with the certificate that is passed as the first element of the certChain parameter to the checkCertificate method. You can change these files as appropriate for your environment.

Coding the certificate you want to compare other certificates against in the downloaded applet is safe only if no one tampers with the applet while it is being downloaded from your Web server. You must use signed applets and you must configure your Web browser to explicitly check the signer of downloaded applets. Alternatively, you can use a secure and authenticated SSL connection to the web server when downloading the applet.

Using the Demo Certificates, Certificate Checker, and Private-Key Format Conversion Tool

SequeLink provides some demo applications in the installdir/proxy/demos directory, where installdir is your installation directory, that allow you to create or convert certificates.

Demo Certificates

The demo certificates that SequeLink provides are intended for testing purposes only and cannot be used to provide secure connections. Table 14-6 lists the private key files and describes the corresponding certificates.

Table 14-6. Demo Certificates  
| File | Description |
| --- | --- |
| demo-DSA-CA.cer | Demo Certificate Authority with a DSS X.509 certificate. This certificate is self signed. |
| demo-DSA-CA.pk8 | Corresponding (PKCS #8 encrypted) private key of the public key provided by the certificate demo-DSA-CA.cer. |
| demo-DSA-server.p7b | Demo DSS server X.509 certificate signed with the public key provided by the certificate demo-DSA-CA.cer. |
| demo-DSA-server.pk8 | Corresponding (PKCS #8 encrypted) private key of the public key provided by the certificate demo-DSA-server.cer. |
| demo-RSA-CA.cer | Demo Certificate Authority with an RSA X.509 certificate. This certificate is self signed. |
| demo-RSA-CA.pk8 | Corresponding (PKCS #8 encrypted) private key of the public key provided by the certificate demo-RSA-CA.cer. |
| demo-RSA-server.p7b | Demo RSA server X.509 certificate signed with the public key provided by the demo-RSA-CA.cer. |
| demo-RSA-server.pk8 | Corresponding (PKCS #8 encrypted) private key of the public key provided by the certificate demo-RSA-server.cer. |

NOTES:

The following examples show how to use the demo certificates:

Example A: Using SSL with an RSA Server Certificate

  1. Start the SequeLink Proxy Server with the following configuration:

    Port=9500
    AdminPort=9600
    Host=SequeLinkhost
    ServerPort=SequeLinkport
    Network=ssl
    CipherSuites=SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA
    RSACertificate=cert/demo-RSA-server.p7b
    RSAPrivateKey=cert/demo-RSA-server.pk8
    PassPhrase=Demo Pass Phrase

    where SequeLinkhost is the TCP/IP host name or address of the SequeLink Server and SequeLinkport is the port on which the SequeLink Server is listening for connection requests.

  2. Make a connection to the SequeLink Server, for example, using JDBC Test:

    jdbc:sequelink:ssl://proxyserverhost:9500;cipherSuites=SSL_RSA_WITH_RC4_128_MD5;certificateChecker=com.ddtek.sequelink.cert.AcceptAllCertificateChecker

    where proxyserverhost is the IP address or symbolic host name of your proxy server host.

    If successful, the following message appears:

    Certificate accepted by AcceptAllCertificateChecker.
    *** ONLY FOR TESTING PURPOSES ***
    Certificate chain:
    1: O=SequeLink Demo Certificates, OU=Demo RSA Server Certificate, CN=demo.ddtek.sequelink.com
    2: O=SequeLink Demo Certificates, CN=Demo RSA CA Certificate

Example B: Using SSL with a DSS Server Certificate

  1. Start the proxy server with the following configuration:

    Port=9500
    AdminPort=9600
    Host=SequeLinkhost
    ServerPort=SequeLinkport
    Network=ssl
    CipherSuites=SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_DES_CBC_SHA,SSL_DHE_DSS_WITH_RC4_128_SHA
    DSSCertificate=cert/demo-DSA-server.p7b
    DSSPrivateKey=cert/demo-DSA-server.pk8
    PassPhrase=Demo Pass Phrase

    where SequeLinkhost is the TCP/IP host name or address of the SequeLink Server and SequeLinkport is the port on which the SequeLink Server is listening for connection requests.

  2. Make a connection to the SequeLink Server, for example, using JDBC Test:

    jdbc:sequelink:ssl://proxyserverhost:9500;cipherSuites=SSL_DHE_DSS_WITH_DES_CBC_SHA;certificateChecker=com.ddtek.sequelink.cert.AcceptAllCertificateChecker

    where proxyserverhost is the IP address or symbolic host name of your proxy server host.

    If successful, the following message appears:

    Certificate accepted by AcceptAllCertificateChecker.
    *** ONLY FOR TESTING PURPOSES ***
    Certificate chain:
    1: O=SequeLink Demo Certificates, OU=Demo DSA Server Certificate, CN=demo.sequelink.ddtek.com
    2: O=SequeLink Demo Certificates, CN=Demo DSA CA Certificate

Example C: Using SSL with Anonymous Cipher Suites (No Server Authentication)

  1. Start the proxy server with the following configuration:

    Port=9500
    AdminPort=9600
    Host=sequeLinkhost
    ServerPort=sequelinkport
    Network=ssl
    CipherSuites=SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,SSL_DH_anon_WITH_DES_CBC_SHA,SSL_DH_anon_WITH_RC4_128_MD5

    where sequeLinkhost is the TCP/IP host name or address of the SequeLink Server and sequelinkport is the port on which the SequeLink Server is listening for connection requests.

  2. Make a connection to the SequeLink Server, for example, using JDBC Test:

    jdbc:sequelink:ssl://proxyserverhost:9500;cipherSuites=SSL_DH_anon_WITH_DES_CBC_SHA

    where proxyserverhost is the IP address or symbolic host name of your proxy server host.

Demo Certificate Checker

SequeLink provides a demo certificate checker that accepts all server certificates. It displays on the screen a warning and a description of the certificate the client received from the server through the SSL handshake. This certificate checker is implemented by the com.ddtek.sequelink.cert.AcceptAllCertificateChecker class.

Demo Private-Key Format Conversion Tool

SequeLink provides a private-key format conversion tool that can perform the following tasks:

The private-key format conversion tool is a command-line tool that uses the following syntax:

java com.ddtek.sequelink.demo.KeyTool 
[-keystore keystore] 
[-alias alias] 
-certfile certfile 
-keyfile keyfile 
[-storetype storetype] 
[-storepass storepass] 
[-keypass keypass] 

where:


Parameter
Java 2 Platform Keystore Export
PKCS #12 File Export

Description
keystore
X
X
 
The file name of the Java 2 Platform keystore or the PKCS #12 file.
alias
X
 
The alias in the Java 2 Platform keystore. If supplied, it is assumed that the keystore parameter is a Java 2 Platform keystore.
certfile
X
X
 
The DER-encoded X.509 certificate file.
keyfile
X
X
The PKCS #8 encoded private key. The private key ends with the same password as the Java 2 Platform keystore or the PKCS #12 file.
storetype
X
X
The type of Java 2 Platform keystore. The default is jks. This parameter is optional.
storepass
X
The password used to protect the Java 2 Platform keystore or the PKCS #12 file. If omitted, you will be prompted for this password.
keypass
X
 
The password that protects the Java 2 Platform key entry. This parameter is required when the password for the key entry is different from the keystore password.

To use the demo private-key format conversion tool, you must add slssl.jar (if you are using JDK 1.3) or slssl14.jar and iaik_jce_full.jar (if you are using JDK 1.4 or higher) to your CLASSPATH variable.

