Informix client network encryption

Abstract

Following on from our recent article on InformixHQ network encryption, an update-to-date quick start guide for secure connections to Informix Dynamic Server (IDS) would also be useful, preventing network traffic from being exposed in plain text. This is generally known as SSL (Secure Sockets Layer), though strictly speaking it has been replaced by TLS (Transport Layer Security). A script is provided to run all the commands required to create server and client certificate keystores, and the remaining few steps are documented.

Content

Examples in this article were produced in a Rocky 9 container installed from Docker Hub using the following commands in Windows PowerShell with Docker Desktop already running:

Copy to Clipboard

Full option names are given for readability and documented here.

The port ranges above are for:

SSH
Informix HQ
TCP listeners
Mongo
REST
MQTT

Essential commands were then performed in the Docker console:

Copy to Clipboard

IDS Developer Edition 14.10.FC12W12 from IBM Fix Central was then installed.

Assuming your IDS instance is already running with a standard unencrypted TCP listener, the minimum simplest steps to enable SSL connections will now be described.

The main relevant IBM documentation pages for this are:

Configuring a server instance for secure sockets layer connections
Configuring a client for SSL connections

If you copied $INFORMIXDIR from another host instead of running the IDS installer, you must do this first as “root” to set up the correct IBM Global Security Kit:

Copy to Clipboard

Remaining commands in this guide should be run as user “informix”.

You then need to create server and client SSL keystores each containing one certificate. The following script does all of that, which you must run with a single argument containing a password which will be used for both keystores:

ssl_setup.sh

Copy to Clipboard

# Create Informix server+client SSL certificate keystores
# Doug Lawry, Oninit Consulting, October 2025

# User preferences:
LABEL=$INFORMIXSERVER

# Do not change:
SERVERDB=$INFORMIXSERVER.p12        # Server keystore
SERVERST=$INFORMIXSERVER.sth        # Server stash
CLIENTDB=$INFORMIXSERVER.client.p12 # Client keystore
CLIENTST=$INFORMIXSERVER.client.sth # Client stash
TEMPCERT=$INFORMIXSERVER.cert.pem   # Temporary file

if [ $# != 1 ]
then
    echo "Usage: $0 password" 2>&1
    exit 1
else
    PASSWORD=$1
fi

# Abort on error
set -e

# Create server keystore
gsk8capicmd_64 -keydb -create -db $SERVERDB \
    -pw $PASSWORD -type pkcs12 -pqc false -stash

# Create server self-signed certificate
gsk8capicmd_64 -cert -create -db $SERVERDB \
    -stashed -label $LABEL \
    -dn "CN=Informix Server $INFORMIXSERVER" \
    -size 4096 -ca true -sigalg SHA256WithRSA \
    -expire 7300 # 20 years, default is 1

if true

# Using IBM GSKit for client steps (recommended)
then

# Extract server certificate
    gsk8capicmd_64 -cert -extract -db $SERVERDB \
        -pw $PASSWORD -label $LABEL \
        -target $TEMPCERT -format ascii

# Create client keystore
    gsk8capicmd_64 -keydb -create -db $CLIENTDB \
        -pw $PASSWORD -type pkcs12 -pqc false -stash

# Add server certificate
    gsk8capicmd_64 -cert -add -db $CLIENTDB \
        -stashed -label $LABEL \
        -file $TEMPCERT -format ascii

# Using OpenSSL for client steps (not recommended)
else

# Extract server certificate
    openssl pkcs12 -in $SERVERDB \
        -passin pass:$PASSWORD \
        -out $TEMPCERT -nokeys

# Create client keystore
    openssl pkcs12 -export -out $CLIENTDB \
        -passout pass:$PASSWORD \
        -in $TEMPCERT -nokeys -caname $LABEL

# Create client stash file
    onkstash $CLIENTDB $PASSWORD

# Remove intermediate file
rm -f $TEMPCERT

# Set permissions and install
D1=$INFORMIXDIR/ssl
D2=$INFORMIXDIR/ssl_client
chmod 644 $INFORMIXSERVER.client.*
umask 022
[ -d $D1 ] || mkdir $D1
[ -d $D2 ] || mkdir $D2
mv $SERVERDB $SERVERST $D1
mv $CLIENTDB $CLIENTST $D2

# Create the client SSL configuration file
cd $INFORMIXDIR/etc
cat > conssl.cfg <<EOF
# Generated by $0 on $(date +%F)
SSL_KEYSTORE_FILE $D2/$CLIENTDB
SSL_KEYSTORE_STH  $D2/$CLIENTST
# Second line required prior to IDS 14.10.xC4W1
EOF

Certificates are labelled with the instance name $INFORMIXSERVER by default.
You can change that by editing the first declaration in the script.
PKCS 12 without PQC are the cryptography standards expected by IDS.
The certificate will expire in around 20 years (20 x 365 days).

At least in current versions, you do not need to set Informix configuration parameter SSL_KEYSTORE_LABEL as we have only one certificate in a server keystore (multiple instances require separate keystores):

Copy to Clipboard

Add an entry for your SSL instance alias in $INFORMIXDIR/etc/sqlhosts or the path name in environment variable $INFORMIXSQLHOSTS if set, for example:

sqlhosts
informix_ssl	onsocssl	*localhost	sqlexec-ssl

The first column is your preferred listener name conforming to Informix unquoted identifier
The second is “onsocssl” for native IDS connections or “drsocssl” for DRDA.
The third specifies the network interface, with an asterisk prefix denoting all.
The fourth is the port number or name from /etc/services, the standard entries being:

services
sqlexec	9088/tcp	# IBM Informix SQL Interface
sqlexec-ssl	9089/tcp	# IBM Informix SQL Interface - Encrypted

Append your new alias to DBSERVERALIASES in $INFORMIXDIR/etc/$ONCONFIG. Separate with a comma from any existing contents. In our example, this is as follows:

onconfig (mandatory)
DBSERVERALIASES	informix_ssl

To avoid restarting the instance, you can start the new listener thread with:

Copy to Clipboard

If not configured otherwise, Informix will start one SSL poll thread and one encryption VP automatically once SSL is in use. If you need to increase that on larger systems, you will probably want the same number of poll threads as you currently have for normal connections (assume 2 for this example), and a matching number of encryption VPs:

onconfig (optional)
NETTYPE	socssl,2,200,NET
VPCLASS	encrypt,num=2

To increased the number of VPs without restarting the instance:

Copy to Clipboard

You should now be able to connect via SSL:

Copy to Clipboard

The real purpose is when clients are on a separate host. If the applications connect via Informix Client SDK, simply copy the following recursively into $INFORMIXDIR on that machine:

Copy to Clipboard

Edit the path in the first file above if $INFORMIXDIR is not the same as on the database server.

For other APIs, refer to specific documentation, for example JDBC.

Some clients like AGS Server Studio require no set up at all: it detects whether SSL applies on the specified port, and downloads the required certificate automatically. However, if an Informix instance’s certificate changes, you will need to delete the following file on Windows for the new certificate to be downloaded:

Copy to Clipboard

Conclusion

Configuring Informix for network encryption is tricky, but this article should make it easier.

Caveats

Beware that there is a CPU overhead for encryption VPs with SSL connections: this should be tolerable on most systems, but we know of SSL implementations on large busy systems that had to be rolled back.

There have regularly been significant changes in this area over the years. While everything in this article should work on current versions, it might need adjustment for older or newer systems.

The “ssl_setup.sh” script and some other commands will not work without modification for IDS running on Windows, but WSL might help.

Disclaimer

Suggestions above are provided “as is” without warranty of any kind, either express or implied, including without limitation any implied warranties of condition, uninterrupted use, merchantability, fitness for a particular purpose, or non-infringement.