We strongly recommend enabling SSL to encrypt communications between a Windows computer running the DBC server driver and client computers running an ODBC or JDBC client driver in production environments. See how to install without SSL in test environments.
SSL is disabled by default in the latest versions of the Luminesce DBC server and ODBC client driver MSI installers. You should follow the instructions in this article to explicitly enable SSL from these versions:
Driver | SSL disabled from... |
DBC server | Finbourne.Luminesce.ODBCWin64.1.1.641.msi |
ODBC client | Finbourne.Luminesce.ODBCClientWin64.1.1.77.msi |
Generating a certificate set using OpenSSL
The following instructions are valid for Windows 10+.
- Ensure OpenSSL is installed. These instructions use the version of OpenSSL bundled with Git for Windows, in which case OpenSSL is available at C:/Program Files/Git/user/bin/openssl.exe.
- Download or generate an openssl.cnf file and amend the default options if desired. Given Git for Windows, this is available at C:/Program Files/Git/user/ssl/openssl.cnf.
- In Git Bash, run the following command to create a private key for the client certificate. For PowerShell, adjust / to \ and ensure openssl.exe is in your PATH:
openssl genrsa -des3 -out dbc_ca_key.pem 2048
- Run the following command to create the client certificate:
openssl req -new -key dbc_ca_key.pem -x509 -days 1000 -out dbc_ca_cert.pem
- Run the following command to create a private key for the server certificate:
openssl genrsa -out dbc_server_key.pem 2048
- Run the following command to create a signing request for the server certificate, passing in the path to an openssl.cnf file:
openssl req -new -key dbc_server_key.pem -out signingReq.csr -config ./openssl.cnf
- Run the following command to create a server certificate matching the client certificate:
openssl x509 -req -days 365 -in signingReq.csr -CA dbc_ca_cert.pem -CAkey dbc_ca_key.pem -CAcreateserial -out dbc_server_cert.pem
The following files are created:
File | Destination |
dbc_server_key.pem | DBC server computer |
dbc_server_cert.pem | DBC server computer |
dbc_ca_cert.pem | Client computers |
dbc_ca_key.pem | N/A. Do not distribute. |
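Before copying the files to their destinations, it is worth confirming that the set is internally consistent. The following script is an added example, not part of the original article or the vendor's tooling; it assumes the file names used above and openssl on the PATH, and check_dbc_cert_set is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not vendor code: sanity-check the certificate set before
# copying it to the DBC server and client computers.
# Assumes the file names used in this article and openssl on the PATH.
# check_dbc_cert_set is a hypothetical helper name.
# Returns 0 if the set is consistent, 1 on a failed check, 2 if a file is missing.

check_dbc_cert_set() (
    dir=${1:-.}
    ca="$dir/dbc_ca_cert.pem"
    cert="$dir/dbc_server_cert.pem"
    key="$dir/dbc_server_key.pem"
    rc=0

    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "MISSING $f"; exit 2; }
    done

    # 1. The server certificate must chain to the certificate that clients trust.
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "OK    dbc_server_cert.pem verifies against dbc_ca_cert.pem"
    else
        echo "FAIL  dbc_server_cert.pem was not signed by dbc_ca_cert.pem"
        rc=1
    fi

    # 2. The server key must be the private half of the certificate's public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "OK    dbc_server_key.pem matches dbc_server_cert.pem"
    else
        echo "FAIL  dbc_server_key.pem does not match dbc_server_cert.pem"
        rc=1
    fi

    # 3. The server certificate is issued with -days 365; warn 30 days before expiry.
    if openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "OK    dbc_server_cert.pem is valid for at least 30 more days"
    else
        echo "WARN  dbc_server_cert.pem expires within 30 days (or is unreadable)"
    fi

    exit "$rc"
)

# Run against the directory given as the first argument, if any.
if [ "$#" -ge 1 ]; then check_dbc_cert_set "$1"; fi
```

Run it in Git Bash with the directory holding the generated files as the argument; rerunning it periodically against the installed server certificate gives early notice of the 365-day expiry.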
Installing the Luminesce DBC server driver with SSL
Follow these instructions, appending the SERVERUSESSL=REQUIRED argument to the installation command for the DBC server driver MSI, for example:
msiexec /i Finbourne.Luminesce.ODBCWin64.<version>.msi SERVER=5 DOMAIN=acmecorp SERVERUSESSL=REQUIRED
For an installation in the default location, copy the server certificate and key pair as follows:
C:\Program Files\Finbourne\Luminesce ODBC\Certificates\SimbaSSL\dbc_server_cert.pem
C:\Program Files\Finbourne\Luminesce ODBC\Certificates\SimbaSSL\dbc_server_key.pem
Installing the Luminesce ODBC client driver with SSL
Follow these instructions, appending the USESSL=REQUIRED argument to the installation command for the ODBC client driver MSI, for example:
msiexec /i Finbourne.Luminesce.ODBCClientWin64.<version>.msi USESSL=REQUIRED
For an installation to the default location, copy the client certificate as follows:
C:\Program Files\Finbourne\Luminesce ODBC Client\Certificates\SimbaSSL\dbc_ca_cert.pem
If you are using the default Luminesce Remote DSN, the driver is automatically configured for the above location of the client certificate. If you need to adjust the certificate location, or you are using a different DSN, follow these instructions to configure the Luminesce Client ODBC Driver Configuration dialog appropriately:
Setting up Luminesce JDBC client driver connections with SSL
Follow these instructions to copy the Luminesce JDBC client driver JAR file to a suitable location.
Then, copy the client certificate to a suitable location, for example:
- Windows:
C:\Program Files\Finbourne\Luminesce JDBC Client\Certificates\SimbaSSL\dbc_ca_cert.pem
- Mac:
/Users/youruser/dbc_ca_cert.pem
SSL is configured on a per-connection basis using the following JDBC connection properties:
- Either UseSsl=Required or UseSsl=Enabled.
- SSLCACertfile set to the path of the client certificate.
- SSLAllowHostMismatch=Yes to allow for a client certificate generated without a specific host computer in mind.
For example, to connect from DBeaver you might specify the following in the JDBC URL field of the Connection Settings dialog:
jdbc:simba://[::1]:14264;UseSsl=Required;SSLCACertfile=C:\Program Files\Finbourne\Luminesce JDBC Client\Certificates\SimbaSSL\dbc_ca_cert.pem;SSLAllowHostMismatch=Yes