Manage the OpenEdge Database

Starting database brokers for TLS connections

Save PDF

Starting database brokers for TLS connections

Save PDF

Last Updated: March 30, 2020
2 minute read

OpenEdge
Version 12.2
Documentation

OpenEdge supports Transport Layer Security (TLS) connections to the database server. TLS connections provide authentication and data privacy between the database server and clients according to Public Key Infrastructure (PKI) standards.

For a database server to start up with TLS, it must have access to:

The private key that corresponds to the digital certificate the server uses to assert its identity to an TLS client
A valid digital certificate that asserts the server's identity and contains the Public Key corresponding to the private key

Note: TLS incurs heavy performance penalties, depending on the client, server, and network resources and load. For more information on TLS and the security features of OpenEdge, see OpenEdge Getting Started: Core Business Services - Security and Auditing.

Use the following command to start a broker that spawns TLS servers and accepts connections from TLS clients:


`proserve db-name -S service-name[-H host-name] -ssl [-keyalias key-alias-name] [-keyaliaspasswd password] [-nosessioncache][-sessiontimeout n]`

db-name: Specifies the database you want to start. If the database is not in the current directory, you must specify the full pathname of the database.
-S service-name: Specifies the broker process service name.
-H host-name: Specifies the machine where the database server runs.
-ssl: Specifies that all database and SQL client connections will use TLS.
-keyalias key-alias-name: Specifies the alias name of the TLS private key/digital certificate key-store entry to use. The default is default_server.
-keyaliaspasswd password: Specifies the TLS key alias password to use to access the server's private key/digital certificate key-store entry. The default is the encrypted value of password. If you use a value other than the default, it must be encrypted. You can use the genpassword utility, located in your installation's bin directory, to encrypt the password.
-nosessioncache: Specifies that TLS session caching is disabled. Session caching allows a client to reuse a previously established session if it reconnects before the session cache time-out expires. Session caching is enabled by default.
-sessiontimeout n: Specifies in seconds the length of time an TLS session will be held in the session cache. The default is 180 seconds.