1. Suhas Shravagi
  2. PowerBuilder
  3. Tuesday, 2 June 2020 10:50 AM UTC

Hi, I have a desktop application developed in PowerBuilder 2017 R3 with Sybase as a backend. Recently a vulnerability issue has been reported in the application where "the application does not implement encryption during transmission of data. This exposes the application to Man in the middle attacks and facilitates unauthorized exposure and modification of data transmitted between the client and the server. The database is transferring PII unencrypted." This has been reported when the Retrieve() function of any DataWindow is triggered.

The question is how to enforce the security on data transmission between database and client? Do we need to set any parameter for SQLCA.dbParm while connecting to database so that the communication will be in encrypted format? SQLCA.DBParm="Encrypt=1" is the property that works with SQL Server, but not sure whether it will work for Sybase database.

 

Please help.

 

--Thanks,

Suhas.

 

Accepted Answer
David Peace (Powersoft)
  1. Friday, 5 June 2020 13:45 PM UTC
  2. PowerBuilder

Hi

I don't know enough about ASE, perhaps this link will help: http://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.infocenter.dc00075.1500/html/oledb/CIHDCGHC.htm

My guess is that you configure SSL at both the client & server SQL connect layer and PB just connects in the usual way. Certainly it's managed at the TCP/IP layer so perhaps not a PB config.

Sorry I cannot be more help.

Regards

David

 

Comment
  1. David Peace (Powersoft)
  2. Friday, 5 June 2020 13:48 PM UTC
OR this:

http://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.infocenter.dc00170.1510/html/iqapgv1/Encryption.htm



This talks about connection parameters, you could try adding these to the DBParm
Suhas Shravagi
  1. Thursday, 17 September 2020 14:05 PM UTC
  2. PowerBuilder
  3. # 1

Thanks David,

 

Implementing the SSL certificate at both client and server level worked. No PowerBuilder changes are required for this. We only need to install the certificate at server level first, which is done by the DBA team, so I am not aware of how they configured it. On the client side, we need to make the two changes below:

1) Add the certificate key in trusted.txt file of the Sybase Client installation directory

2) Modify the sql.ini file to append the ssl keyword at the end of master and query parameters for the database connection.

 

Thanks!
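A way to verify step 2 across a client's sql.ini, as an added example that is not part of the original posts: a small Python audit that flags `master` and `query` lines lacking the trailing `ssl` keyword. The `[SERVER]` section and `key=value` layout is assumed, and every server name, host and port in the sample is constructed.

```python
# Added example: audit a Sybase Open Client sql.ini for entries missing "ssl".
# Assumption: entries are "[SERVER]" sections with "master=" / "query=" lines.
# Server names, hosts and ports in the sample are constructed values.

SAMPLE_SQL_INI = """\
[PRODASE]
master=TCP,ase-prod.example.internal,5000,ssl
query=TCP,ase-prod.example.internal,5000,ssl

[REPORTASE]
master=TCP,ase-report.example.internal,5000,ssl
query=TCP,ase-report.example.internal,5000

[LEGACYASE]
master=TCP,ase-legacy.example.internal,5000
query=TCP,ase-legacy.example.internal,5000
"""

CHECKED_KEYS = ("master", "query")


def find_plaintext_entries(ini_text):
    """Return (server, key, value) for master/query lines not ending in 'ssl'."""
    findings = []
    server = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # skip blanks and anything that looks like a comment
        if line.startswith("[") and line.endswith("]"):
            server = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if not sep or server is None or key not in CHECKED_KEYS:
            continue
        # The thread says the ssl keyword goes at the END of the parameter list.
        fields = [f.strip().lower() for f in value.split(",")]
        if fields[-1] != "ssl":
            findings.append((server, key, value.strip()))
    return findings


if __name__ == "__main__":
    for server, key, value in find_plaintext_entries(SAMPLE_SQL_INI):
        print(f"{server}: '{key}={value}' has no ssl keyword")
```

An entry with `ssl` on `master` but not on `query` (REPORTASE in the sample) is still reported, since both parameters need the keyword.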

Suhas Shravagi
  1. Tuesday, 9 June 2020 14:55 PM UTC
  2. PowerBuilder
  3. # 2

As per the online documentation for Appeon PowerBuilder, SQLCA.DBParm="Sec_Confidential=1" can be used to make the data transmission between client and server encrypted. However, when I use the complete syntax to set DBParm SQLCA.dbParm="EncryptPassword='True';Release='15.7',Sec_Confidential=1", the application throws an error "Attempt to set CS_SEC_CONFIDENTIALITY connection property failed." Can someone help here? Do I need to install any plugins either on server or on client to get rid of this error? Or is there any syntax error?

 

Link for online documentation:

https://docs.appeon.com/appeon_online_help/pb2019/connection_reference/ch01s01.html#Sec_Confidential

 

Comment
  1. John Fauss
  2. Tuesday, 9 June 2020 18:24 PM UTC
It sounds from your description that OpenClient is unable to understand how the PB ASE driver is trying to establish the connection to the database.



What version of Sybase OpenClient is being used? Can you define and successfully use an encrypted connection between OpenClient and the Sybase ASE 15.7 RDBMS (temporarily take PB out of the picture, in other words)?
Chris Pollach @Appeon
  1. Tuesday, 2 June 2020 12:38 PM UTC
  2. PowerBuilder
  3. # 3

Hi Suhas;

Sybase ASE works basically the same as SS and provides both a client and DB encryption feature. The last time I used this feature was about 5 years ago. At that time, the encryption feature was not integrated within the base DBMS. Instead, it was an extra purchased option. You're best to check with SAP on the current status & requirements of this feature set.

Regards ... Chris

Comment
  1. Suhas Shravagi
  2. Friday, 5 June 2020 05:27 AM UTC
Hello Chris, could you please provide more information on this?
  1. Chris Pollach @Appeon
  2. Friday, 5 June 2020 14:51 PM UTC
Hi Suhas ... You're best to check with SAP on this ASE feature and its requirements.
Roland Smith
  1. Tuesday, 2 June 2020 12:06 PM UTC
  2. PowerBuilder
  3. # 4

Sybase makes several databases, which one are you using?

Comment
  1. Suhas Shravagi
  2. Friday, 5 June 2020 05:38 AM UTC
This is Sybase ASE 15.7 database that the application is using.