Wednesday, December 22, 2010

Connection Options for Strong Encryption

Strong encryption is a new option available as an add-on that you can purchase for Advantage 10.1 and newer. This post will discuss the new connection options that are available for connecting to data that is encrypted with the strong encryption option.

The new connection options are listed below. These options are only available when using the new AdsConnect101 connection API. Currently only the Advantage Delphi Client and the ACE API implement this functionality; additional clients will be updated to include it soon.

  • FIPS
  • EncryptionType
  • DDPassword
  • TLSCertificate
  • TLSCiphers
  • TLSCommonName

When FIPS mode is specified the client will only open dictionaries and tables that are encrypted using an approved FIPS 140-2 encryption mechanism (AES). TLS communication is also enforced when FIPS mode is specified. An error is returned if either of these conditions is not met. FIPS mode must also be specified on the server using the FIPS configuration setting.

The EncryptionType option is used to specify the type of encryption to use when encrypting tables. This option is ignored for any table that is already associated with a data dictionary. The TLS* options are used when using TLS communications and will be discussed in a separate post.

The DDPassword option specifies the AES encryption password when connecting to a dictionary encrypted with strong encryption. This password is required in addition to the dictionary user password. Note that this encryption password does not by itself grant access to the dictionary; it is only used to generate the keys for working with the data dictionary. Access permissions are still controlled by the dictionary username and password.

Dictionary encryption passwords can also be stored on the server using the SE_PASSWORDS configuration option of the remote server. Using this option allows the Advantage server to generate and store the keys necessary for opening AES encrypted data dictionaries at startup. A password must be specified for each dictionary, for example: c:\data\sampledb\sample.add=strongpassword. This option is more efficient, since the keys for accessing the encrypted data only have to be generated once and are kept until the server is restarted. If the DDPassword option is used instead, the keys are generated each time the application connects, which adds some overhead to every connection. This is most noticeable in an application that connects and disconnects frequently.

The TLS* options are used to configure secure communication. The TLSCertificate option specifies the full path and file name of the server's public certificate. The TLSCiphers option specifies the allowed TLS cipher suites. The TLSCommonName option specifies the "common name" of the server you are connecting to.

In my next post I will be walking through creating a TLS connection to a dictionary using strong encryption.

Monday, December 20, 2010

Using Strong Encryption with Data Dictionaries

Strong encryption is a new option available as an add-on that you can purchase for Advantage 10.1 and newer. This post will walk through the steps of creating a new data dictionary using strong encryption and then converting an existing data dictionary to use strong encryption. I would recommend that you read my previous post Advantage Strong Encryption Overview or review the various encryption topics in the help file prior to reading through this post.

Creating a Strongly Encrypted Data Dictionary

[Image: StrongEncrypt_Error]

When creating a data dictionary with strong encryption you must specify an additional password to encrypt the database. This password is in addition to any user passwords or a table encryption password. This password is also required when connecting to the dictionary. You also must specify the encryption type to be used. These two new options have been added to the CREATE DATABASE statement and the new AdsDDCreate101 ACE function. These options are also available when using Advantage Data Architect (ARC).

Encryption options for the dictionary and tables are located on the Security tab of the Create Database dialog in ARC. The default encryption type is the RC4 encryption which is included with Advantage. You can now also select AES128 or AES256; in order to use these encryption types you must have the OpenSSL libraries (purchased separately) in your search path or application directory. The OpenSSL libraries are required by both the client and the server when using strong encryption. A 7160 error will occur if the OpenSSL libraries cannot be found on the server. If the OpenSSL libraries are not found on the client a 6323 error will be returned. ARC provides a custom error message (shown above) if the libraries cannot be located. Instructions for distributing the OpenSSL libraries are included with the strong encryption download. After selecting the encryption option you will need to enter an encryption password as shown below.

[Image: StrongEncrypt_DD1]

The encryption password can be supplied as the value for the DDPassword connection option. However, we do not recommend sending this password with every connection when using the remote server. Once the server has generated the keys for accessing the encrypted database they are cached and do not need to be regenerated unless the encryption type is changed. Passwords for strongly encrypted dictionaries should instead be stored on the server using the SE_PASSWORDS configuration parameter. The keys for accessing the encrypted dictionary are then generated when the server starts up, and the client does not need to provide the DDPassword.
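The tradeoff described here and in the connection options post above (keys derived once at startup from SE_PASSWORDS versus on every connection from DDPassword), as an added illustrative model that is not Advantage code: the key derivation function, the cache layout, the multi-entry path=password parsing, and the sample paths, salt and password are assumptions constructed for this example.

```python
"""Model of the two dictionary-password handling modes the post describes:
SE_PASSWORDS on the server (keys derived once at startup, kept until restart)
versus DDPassword on each connection (keys derived per connection).
Example code written for this page; derivation, cache and parsing are assumptions."""
import hashlib
import os


def parse_se_passwords(entries):
    """Parse 'path=password' entries (the post shows one) into a dict keyed by
    normalised path. Only the first '=' splits, so passwords may contain '='."""
    result = {}
    for entry in entries:
        path, sep, password = entry.partition("=")
        if not sep or not path.strip():
            raise ValueError(f"malformed SE_PASSWORDS entry: {entry!r}")
        result[os.path.normcase(path.strip())] = password
    return result


def derive_dd_key(password, salt, bits=256):
    """Derive an AES-size key from the dictionary password. PBKDF2-HMAC-SHA256
    stands in for whatever Advantage uses (assumption); the point is that the
    password only feeds key derivation and is not an access credential."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, bits // 8)


class KeyCache:
    """Server-side key store: startup keys come from SE_PASSWORDS entries."""

    def __init__(self, se_passwords, salts):
        self.derivations = 0  # expensive derivations performed, for comparison
        self.keys = {p: self._derive(pw, salts[p]) for p, pw in se_passwords.items()}

    def _derive(self, password, salt):
        self.derivations += 1
        return derive_dd_key(password, salt)

    def key_for_connection(self, dd_path, salt, dd_password=None):
        """Cached key if the dictionary is listed in SE_PASSWORDS, otherwise a
        fresh derivation from the connection's DDPassword (paid on every connect)."""
        path = os.path.normcase(dd_path)
        if path in self.keys:
            return self.keys[path]
        if dd_password is None:
            raise PermissionError("dictionary not configured on server and no DDPassword")
        return self._derive(dd_password, salt)


def demo(connections=5):
    """Constructed scenario: sample.add is configured via SE_PASSWORDS, other.add is
    opened with DDPassword. Returns (startup derivations, per-connection derivations,
    whether the same password and salt yield the same key either way)."""
    salt = b"constructed-16-byte-salt"
    sample = r"c:\data\sampledb\sample.add"
    cache = KeyCache(parse_se_passwords([sample + "=strongpassword"]),
                     {os.path.normcase(sample): salt})
    for _ in range(connections):
        cached = cache.key_for_connection(sample, salt)          # no DDPassword needed
    startup = cache.derivations                                   # derived once
    for _ in range(connections):
        per_conn = cache.key_for_connection(r"c:\data\other\other.add", salt, "strongpassword")
    return startup, cache.derivations - startup, cached == per_conn
```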

Changing Encryption Type of an Existing Data Dictionary

In previous versions of Advantage (10.0 and below) you could only encrypt a data dictionary when it was created. There was no mechanism for encrypting the data dictionary files (ADD, ADM, AI) after they were created. With version 10.1 and later you can change the encryption type of the data dictionary files using the sp_SetDDEncryptionType system procedure. This procedure can also decrypt the dictionary files.

Setting the encryption type encrypts the data dictionary files and sets the encryption type for all of the tables associated with the data dictionary. Therefore, all of the tables associated with the dictionary must be decrypted before using the sp_SetDDEncryptionType procedure. After running the procedure, tables can be encrypted using ARC or the sp_EncryptTable system procedure. It is very important to note that all user passwords will be lost when you change an existing dictionary's encryption type. Data dictionaries do not store user passwords; they store only password verifiers, so the passwords cannot be recovered.

The procedure takes five parameters: the path to the dictionary, the AdsSys password, the DDPassword used to encrypt the files, the encryption type (RC4, AES128 or AES256) and whether or not to encrypt the dictionary. This procedure requires exclusive access to the data dictionary, so you cannot have any active connections to the data. It is probably easiest to make a connection to the directory containing the dictionary and then run the procedure. An example of this procedure is shown below.

// Encrypt the data dictionary files with 256-bit AES encryption
EXECUTE PROCEDURE sp_SetDDEncryptionType('Sample.add', 'password', 
                                         'StrongPassword', 'AES256', TRUE)

// Remove encryption from the data dictionary
EXECUTE PROCEDURE sp_SetDDEncryptionType('Sample.add', 'password', 
                                         'StrongPassword', 'RC4', FALSE)

You can verify the type of encryption that the dictionary is using with the sp_GetSecurityInfo system procedure. This procedure returns information about the various security options configured for the current connection. A screenshot of the security configuration for the example dictionary is shown below.

[Image: SP_GetSecurityInfo1]

In my next post I will discuss the new connection options related to strong encryption.

Friday, December 10, 2010

Lazarus Support

Lazarus is the open source IDE for the FreePascal compiler, which can use many Delphi components. Below is the official description from the Free Pascal Lazarus Project:

Lazarus is the class libraries for Free Pascal that emulate Delphi. Free Pascal is a GPL'ed compiler that runs on Linux, Win32, OS/2, 68K and more. Free Pascal is designed to be able to understand and compile Delphi syntax, which is of course OOP. Lazarus is the part of the missing puzzle that will allow you to develop Delphi-like programs in all of the above platforms. Unlike Java which strives to be a write once run anywhere, Lazarus and Free Pascal strive for write once compile anywhere. Since the exact same compiler is available on all of the above platforms it means you don't need to do any recoding to produce identical products for different platforms.

With the release of Advantage 10.1, support for Lazarus has been added to the Advantage Delphi Components. You will need Lazarus version 0.9.28.2 or later to use the components. The Lazarus components are not installed by default, so you must choose a Custom Install and make sure you select the Lazarus Free Pascal option.

[Image: DelphiComponents_10_1]

The TDataSet installer will not automatically add the Advantage components to Lazarus; you must follow these steps to use the Advantage components.

  1. Open the Lazarus IDE.
  2. Click on "Package", then "Open Package File (.lpk) ..." and browse to the adsl.lpk file in the TDataSet installation directory.
  3. In the package window (shown below), click the "Compile" button.
  4. When compilation is complete, click the "Install" button. When asked if you wish to rebuild Lazarus, select "Yes".
  5. Lazarus should build a new version of the Lazarus executable and automatically start the new version of the executable.
  6. The component palette should now contain the Advantage tab.
  7. The Advantage components can now be used in Lazarus to access Advantage data from your application.

[Image: Lazarus_Install]

Once the components have been installed they can be used in an application. The components work just like they do in Delphi and are very easy to configure. Lazarus includes many of the same components as Delphi. Below is a screenshot of a simple application which displays the contents of the Customer.adt table from the example data supplied with the Advantage Delphi Components.

[Image: Lazarus_One]

For additional information about using Advantage with Lazarus refer to the Advantage Help File or the Lazarus and Advantage Database Server entry in the Lazarus Wiki.

Wednesday, December 8, 2010

Advantage Strong Encryption Overview

With the release of 10.1 a new FIPS 140-2 encryption option has been added to Advantage. You must purchase the strong encryption libraries separately; for more information contact your sales representative or visit our encryption page. You can also view the strong encryption datasheet.

The default encryption mechanism is 160-bit RC4. This includes encryption of all files (tables, memos and indexes) as well as encryption of communications. The strong encryption add-on provides a FIPS 140-2 compatible encryption mechanism. This implements both 128-bit and 256-bit AES encryption for files and Transport Layer Security (TLS) for communication.

Here is a quick summary of the new features and benefits of strong encryption.

  • TLS v1.0 operating over TCP/IP using RSA for key exchange with either 128-bit or 256-bit AES encryption with SHA-1 for message authentication
  • Tables can be encrypted using 128-bit or 256-bit AES
  • Improved key strength by salting and hashing keys
  • Ability to encrypt a data dictionary with an external password. This also allows you to change the type of encryption of an existing dictionary.
  • Added a FIPS mode for Advantage clients and server. This ensures that all encryption meets the FIPS 140-2 standard.

Several new stored procedures have been added to make working with encryption easier. These include procedures for encrypting and decrypting tables, setting encryption types and retrieving information about the type of encryption being used. The new system procedures are listed below.

  • sp_EncryptTable encrypts a table. When AES encryption is specified on dictionary bound tables this procedure converts the table to strong encryption.
  • sp_DecryptTable decrypts tables.
  • sp_SetDDEncryptionType converts the type of encryption used by a data dictionary.
  • sp_GetSecurityInfo returns information about the type of encryption being used on the connection.

Next week I'll be walking through using the new strong encryption with Advantage.

Monday, December 6, 2010

Advantage 10.1 Now Available

Advantage version 10.1 is now available for download on the DevZone. Here are the highlights:

  • Support for Delphi XE
  • Support for Lazarus
  • Unicode Full Text Search Support
  • Support for Copy/Paste of rows in ARC
  • Strong Encryption and FIPS 140-2 compliance

For a complete list of supported platforms and IDEs refer to the Advantage Supported Platforms document. Details on the new encryption options are available here. For additional details on the new features refer to the What's New in Advantage 10 and 10.1 document.

I'll have a couple of articles on the new encryption support later this week.

Friday, December 3, 2010

Geek Christmas List - 2010

It's the most wonderful time of the year and many sites are publishing gift guides. Of course many of these sites are doing it for purely capitalistic reasons, which I fully support. I just like to take this opportunity to talk about some of the cool gifts that I have been keeping my eye on this year.

I have been a fan of Apple products for several years; I have always liked the quality and usability they provide. So this year I have looked into getting the latest generation AppleTV. It allows access to your iTunes library, rentals and Netflix. It has HDMI output and both wired and wireless network adapters. We gave away a couple of these at the Southwest Fox show a couple of months ago. I am also very excited about this device due to the new AirPlay support which allows users to send content from other iOS devices directly to the AppleTV via a wireless network.

Another great Apple product is the new MacBook Air, no offense to the iPad which I also think is awesome. The new MacBook Air brings all of the great things about the iPad to a full computer. It is equipped with a Solid State Drive (SSD) which provides nearly instant on just like the iOS device. It has exceptional battery life and a full keyboard. Unlike other iOS devices it includes support for Flash, providing for a full web browsing experience.

If you're looking for something for your current PC I would recommend an SSD. Prices have come down significantly over the last year with drives starting at under $100. Many of the reviews I have read recommend the Crucial RealSSD C300 series of drives. They have good durability and very fast data transfer rates (reads up to 355MB/s). The 128GB model costs about $300 and is a good size for a laptop, especially if you take your current HDD and put it into an expansion bay that fits where the DVD drive resides.

I use a laptop with a docking station at work which allows me to run two external monitors. However, there are a few times when I would like to have just a bit more space. Since you cannot add an additional video card to a laptop I have been researching a USB Display Adapter. After seeing a few in action and reading several reviews I have settled on the UV Plus from EVGA. It is available online for about $50 and supports resolutions up to 1600 x 1200 at 60 Hz.

There are many other less practical gifts out there. For example I have wanted to get a USB Rocket Launcher for years; we have also discussed marshmallow guns. A friend of mine bought a pair of the eight bit dynamic life t-shirts for him and his wife. These shirts have hearts on them that light up as the shirts get closer together. Maybe I'll just get my wife the I <heart> my geek shirt this year.

If you're looking for some more gift guides I would recommend the gift guides available on Gizmodo.

Wednesday, December 1, 2010

FAQs – November 2010

Advantage ADO.NET Designers Don't Work with Delphi Prism

The Advantage .NET Data Provider includes several wizards which enable functionality such as creating a connection using the Server Explorer, drag and drop onto a DataSet object and generating typed DataSets. Add-ins like these for Visual Studio require the full version of Visual Studio. They will not work in the Express versions or Shell versions of Visual Studio. Since Delphi Prism uses the Visual Studio shell, these designers are not available to Prism users.

Delphi XE Support

The latest version of Delphi, Delphi XE, is not yet supported by the Advantage Components for Delphi. Support for Delphi XE is planned for Advantage 10.1, which is scheduled for release in December. Delphi XE support will also be included in a maintenance release of the Advantage Components for Delphi version 9.1 shortly.

For the latest information on all supported platforms and IDEs refer to the Advantage Supported Platforms document.

7075 Error with Local Server

The Advantage Local Server (ALS) is limited to 5 concurrent users and will return a 7075 error when a sixth user attempts to connect. Another user cannot connect until one of the current users disconnects. Each machine that is connected to ALS counts as one user.

If a client is terminated abnormally (e.g. via CTRL-ALT-DEL), the table(s) may not be closed correctly. In this case a new user may receive the 7075 error even if fewer than five users are currently connected. You can resolve this problem by opening and closing the table from the workstation where the application abnormally terminated. This will "free" up the connection for a new user.

ARC Slow to Open a Table with Many Fields

[Image: ARC_UI_Settings]

When opening a table with many fields ARC may freeze or hang for several seconds. By default ARC uses the size of each field to provide an optimal display in the grid when the table is displayed. The more fields in the table the longer this process can take.

You can avoid this problem by changing the default settings in ARC. Choose Tools –> ARC Settings and go to the User Interface tab. From here you can limit the size of the columns using the "Limit amount of data displayed…" and "Minimum Column Width" settings. More information is available in this knowledge base article.