
In production environments, we strongly recommend enabling SSL to encrypt communications between a Windows computer running the DBC server driver and client computers running an ODBC or JDBC client driver. See how to install without SSL in test environments.

SSL is disabled by default in the latest versions of the Luminesce DBC server and ODBC client driver MSI installers. You should follow the instructions in this article to explicitly enable SSL from these versions:

| Driver | SSL disabled from... |
|---|---|
| DBC server | Finbourne.Luminesce.ODBCWin64.1.1.641.msi |
| ODBC client | Finbourne.Luminesce.ODBCClientWin64.1.1.77.msi |

Generating a certificate set using OpenSSL

The following instructions are valid for Windows 10+.

  1. Ensure OpenSSL is installed. These instructions use the version of OpenSSL bundled with Git for Windows, in which case OpenSSL is available at C:/Program Files/Git/usr/bin/openssl.exe.
  2. Download or generate an openssl.cnf file and amend the default options if desired. Given Git for Windows, this is available at C:/Program Files/Git/usr/ssl/openssl.cnf.
  3. In Git Bash, run the following command to create a private key for the client certificate. For PowerShell, adjust / to \ and ensure openssl.exe is in your PATH:
    openssl genrsa -des3 -out dbc_ca_key.pem 2048
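  4. Run the following command to create the client certificate, a self-signed certificate that step 7 uses as the certificate authority (CA) to sign the server certificate: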
    openssl req -new -key dbc_ca_key.pem -x509 -days 1000 -out dbc_ca_cert.pem
  5. Run the following command to create a private key for the server certificate:
    openssl genrsa -out dbc_server_key.pem 2048
  6. Run the following command to create a signing request for the server certificate, passing in the path to an openssl.cnf file:
    openssl req -new -key dbc_server_key.pem -out signingReq.csr -config ./openssl.cnf
  7. Run the following command to create a server certificate that is signed with the client certificate's key, so that it validates against the client certificate:
    openssl x509 -req -days 365 -in signingReq.csr -CA dbc_ca_cert.pem -CAkey dbc_ca_key.pem -CAcreateserial -out dbc_server_cert.pem

The following files are created:

| File | Destination |
|---|---|
| dbc_server_key.pem | DBC server computer |
| dbc_server_cert.pem | DBC server computer |
| dbc_ca_cert.pem | Client computers |
| dbc_ca_key.pem | N/A. Do not distribute. |
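
Before copying the files, it is worth confirming that the set is internally consistent. The following Bash functions are an added example, not part of the original article or Finbourne's tooling: they check that the server certificate validates against dbc_ca_cert.pem, that the server key belongs to the server certificate, and that neither certificate is close to expiry. The function names, the 30-day default and the sample subject names are assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Added example (not Finbourne's code): check the certificate set before
# copying it to the DBC server and client computers.

# Returns 0 only if the set in directory $1 passes every check.
# $2 (assumed default: 30) is the minimum remaining validity in days.
verify_dbc_cert_set() {
  local dir="$1" min_days="${2:-30}" rc=0 key_pub cert_pub f
  # 1. The server certificate must validate against the certificate that is
  #    distributed to client computers.
  openssl verify -CAfile "$dir/dbc_ca_cert.pem" "$dir/dbc_server_cert.pem" \
    >/dev/null 2>&1 || { echo "FAIL: server cert not signed by dbc_ca_cert.pem"; rc=1; }
  # 2. The server key must be the one the server certificate was issued for.
  key_pub=$(openssl pkey -in "$dir/dbc_server_key.pem" -pubout 2>/dev/null || true)
  cert_pub=$(openssl x509 -in "$dir/dbc_server_cert.pem" -noout -pubkey 2>/dev/null || true)
  if [ -z "$key_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
    echo "FAIL: dbc_server_key.pem does not match dbc_server_cert.pem"; rc=1
  fi
  # 3. Neither certificate may expire within the next min_days days.
  for f in dbc_ca_cert.pem dbc_server_cert.pem; do
    openssl x509 -in "$dir/$f" -noout -checkend $((min_days * 86400)) \
      >/dev/null 2>&1 || { echo "FAIL: $f expires within $min_days days"; rc=1; }
  done
  return "$rc"
}

# Constructed sample input: a throwaway set built without prompts. -subj stands
# in for the interactive questions and openssl.cnf, and the CA key has no
# passphrase, so this set is for testing the checks only.
make_sample_set() {
  local dir="$1"
  export MSYS_NO_PATHCONV=1  # keeps Git Bash from rewriting "/CN=..." as a path
  openssl genrsa -out "$dir/dbc_ca_key.pem" 2048 2>/dev/null &&
  openssl req -new -key "$dir/dbc_ca_key.pem" -x509 -days 1000 \
    -subj "/CN=sample-dbc-ca" -out "$dir/dbc_ca_cert.pem" &&
  openssl genrsa -out "$dir/dbc_server_key.pem" 2048 2>/dev/null &&
  openssl req -new -key "$dir/dbc_server_key.pem" \
    -subj "/CN=sample-dbc-server" -out "$dir/signingReq.csr" &&
  openssl x509 -req -days 365 -in "$dir/signingReq.csr" \
    -CA "$dir/dbc_ca_cert.pem" -CAkey "$dir/dbc_ca_key.pem" \
    -CAcreateserial -out "$dir/dbc_server_cert.pem" 2>/dev/null
}

# Usage: pass the directory holding the .pem files, e.g. "." after step 7.
if [ "$#" -gt 0 ]; then verify_dbc_cert_set "$@"; fi
```

Run it in the directory where the commands above were executed; any FAIL line means the set should be regenerated rather than installed.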

Installing the Luminesce DBC server driver with SSL

Follow these instructions, appending the SERVERUSESSL=REQUIRED argument to the installation command for the DBC server driver MSI, for example:

msiexec /i Finbourne.Luminesce.ODBCWin64.<version>.msi SERVER=5 DOMAIN=acmecorp SERVERUSESSL=REQUIRED

For an installation in the default location, copy the server certificate and key pair as follows:

  • C:\Program Files\Finbourne\Luminesce ODBC\Certificates\SimbaSSL\dbc_server_cert.pem
  • C:\Program Files\Finbourne\Luminesce ODBC\Certificates\SimbaSSL\dbc_server_key.pem

Installing the Luminesce ODBC client driver with SSL

Follow these instructions, appending the USESSL=REQUIRED argument to the installation command for the ODBC client driver MSI, for example:

msiexec /i Finbourne.Luminesce.ODBCClientWin64.<version>.msi USESSL=REQUIRED

For an installation to the default location, copy the client certificate as follows:

  • C:\Program Files\Finbourne\Luminesce ODBC Client\Certificates\SimbaSSL\dbc_ca_cert.pem

If you are using the default Luminesce Remote DSN, the driver is automatically configured for the above location of the client certificate. If you need to adjust the certificate location, or you are using a different DSN, follow these instructions to configure the Luminesce Client ODBC Driver Configuration dialog appropriately:

Setting up Luminesce JDBC client driver connections with SSL

Follow these instructions to copy the Luminesce JDBC client driver JAR file to a suitable location.

Then, copy the client certificate to a suitable location, for example:

  • Windows: C:\Program Files\Finbourne\Luminesce JDBC Client\Certificates\SimbaSSL\dbc_ca_cert.pem
  • Mac: /Users/youruser/dbc_ca_cert.pem

SSL is configured on a per-connection basis using the following JDBC connection properties:

  • Either UseSsl=Required or UseSsl=Enabled.
  • SSLCACertfile set to the path of the client certificate.
  • SSLAllowHostMismatch=Yes to allow for a client certificate generated without a specific host computer in mind.

For example, to connect from DBeaver you might specify the following in the JDBC URL field of the Connection Settings dialog:

jdbc:simba://[::1]:14264;UseSsl=Required;SSLCACertfile=C:\Program Files\Finbourne\Luminesce JDBC Client\Certificates\SimbaSSL\dbc_ca_cert.pem;SSLAllowHostMismatch=Yes