Sybase Business Intelligence Solutions - Database Management, Data Warehousing Software, Mobile Enterprise Applications and Messaging

Certificate Authentication in ASE

July 1, 2009 in Authentication, Database, Security | Comments (3)


With 15.0.1, ASE added confidentiality of data with its SSL implementation and server certificate validation in ctLib and JConnect clients. This covers the majority of use cases when a business feels the need to protect its data in movement. The real question I have for the user base out there is:

Does ASE need to have User Certificate Authentication?

With the advancement of our LDAP authentication mechanism in 15.0.3 to include SSL and failover connection management, there seems to be an evolution in our security strategy, but within Sybase, there are still no concrete plans to add this type of functionality.

What I talked about just last week with a customer was that they wanted the authentication to be on SSL, then the rest of the session on an open stream, due to the 40% bandwidth impact that SSL has on data packets. This also translates into needing more than 40K more per client connection on the server, even if they only use SSL for authentication. These two issues usually make SSL a limited-use technology in client-server applications, which should be on protected switched networks anyway, so even sniffing data transmissions is difficult.

So, the point of this post is just to get some comments from those reading here about their needs, and uses, for SSL in ASE.

Thanks, and Have a SAFE and Happy 4th weekend (in the States).

3 responses so far ↓

  • 1 Matt // Jul 2, 2009 at 4:51 am

    I think this is a reasonable request and one I’d like to see implemented. I wouldn’t put it on my top priority list but I wouldn’t file it and forget either :-)

  • 2 SteveH // Jul 2, 2009 at 2:33 pm

    While SSL authentication may be of limited value, not having it puts Sybase at a disadvantage vs Oracle for security-minded customers. Whether or not it truly adds value is often a moot point – it simply becomes a box that Oracle can check off and Sybase cannot. Those implementing (or more often mandating) the use of such features are very often not concerned with the impact to the system. It’s a “security” feature and systems not implementing it are viewed as being less secure.

  • 3 JeffP // Jul 6, 2009 at 6:32 am

    Steve, too true, and it drives me nuts thinking how a policy person will tell a DBA to make an app secure, but then the performance degrades to an unacceptable point, forcing that same person to order the removal of the security… quite funny.
    I hear you on the check box for competition though, which is why this is something that is a target for effort.