I have a SQL Server (which is a Google cloud SQL Server). The connection with it needs to be ssl encrypted and authenticated with a username and password.
I can get the .pem file for the ssl certificate :
I also have the username, password, and ip of the server. In the SqlClient connection string syntax I was able to find the flags defining the username (uid), password (pwd) and ip (Data Source). But I can't find how to place the .pem file.
Does the .pem file not belong in the connection string? If so, how do I use it ?
Thanks,
nimrod
Edit: I tried opening the connection with trustServerCertificate=true, but still got error: 40 - Could not open a connection to SQL Server.
Solution:
The SSL wasn't the issue. Adding the TrustServerCertificate and Encrypt flags should have allowed SSL. With these flags the client just accepts any certificate from the sever, and proceeds with the SSL handshake.
My issue was that I didn't add the client network to the trusted networks list for the cloud SQL. This is apparently a requirement even though the cloud SQL is set to us a public IP. I added the 0.0.0.0/0 network as trusted, and the connection worked.
Does the .pem file not belong in the connection string?
No.
The client demands protocol encryption using the Encrypt connection string option. If the server's certificate is not trusted by the client, you either need to install the certificate on the client or opt to TrustServerCertificate in the connection string.
Related
I want to add a database (Microsoft SQL) to the website I'm working on, using Cold Fusion Administrator (latest version).
After entering all needed data, I got the issue:
Connection verification failed for data source: dbKantine
java.sql.SQLException: The sqlserver package is not installed. You can install the package through the CLI package manager (C:/Users/MYNAME/.CommandBox/server/C1EA019F5A81794693D0EA837C1622B4-PROJECTNAME/adobe-2021.0.2.328618/WEB-INF/cfusion/bin/cfpm.bat) by running the command : install sqlserver.
I tried to execute the *.bat file mentioned, but nothing happened.
I also tried install sqlserver in the CommandBox, but it says:
Error getting ForgeBox entry [sqlserver]
The entry slug sent is invalid or does not exist
EDIT:
I got it installed using cfpm.sh and wrote there "install sqlserver".
But now it tells me this inside of Cold Fusion Administrator:
Connection verification failed for data source: MYDB
java.sql.SQLNonTransientConnectionException: [Macromedia][SQLServer JDBC Driver]An SSL socket connection could not be established because JRE 1.4 or above is required.
EDIT 2:
I setup everything again with ColdFusion 2018 (as I'm learning CF 2018 currently).
Now I get the issue:
Connection verification failed for data source: MYDB
java.sql.SQLNonTransientConnectionException: [Macromedia][SQLServer
JDBC Driver]The SQL Server login requires an SSL connection. The root
cause was that: java.sql.SQLNonTransientConnectionException:
[Macromedia][SQLServer JDBC Driver]The SQL Server login requires an
SSL connection.
What I tried:
I created a *.keystore file and a *.cer file.
I followed this (https://usermanual.wiki/adobe/CF11Configen.762142204/html#pf2f) instruction and tried to add the keystore file to the CF Administrator:
According to Data Source Management for ColdFusion > Enabling SSL Connection what you need is a truststore. The JVM used by ColdFusion already has a default truststore configured, typically jre\lib\security\cacerts, so no need to create one. Though depending on the server certificate, it may need to be imported into the truststore. The "Enable RMI Over SSL For Data Management" setting isn't relevant. It's for Flex Integration, not datasources.
Do the following to enable SSL connection:
In the ColdFusion Administrator, go to Data & Services > Data Sources.
Select the data source to enable SSL Connection.
In the data source page, click Show Advanced Settings.
In the Connection String text box, specify the connection properties as per the SSL requirements.
The relevant SQL Server SSL connection settings are:
EncryptionMethod - Values are noEncryption and SSL
TrustStore - The (full path) of the truststore file
TrustStorePassword - The password to access the truststore file
ValidateServerCertificate - Determines whether the driver validates the certificate sent by the database, true or false.
server
HostNameInCertificate - Host name for certificate validation. (Either a literal string "host_name" or #SERVERNAME#)
Sample connection string to enable SSL and validate the server certificate:
EncryptionMethod=SSL;ValidateServerCertificate=true;HostNameInCertificate=YourServerName;TrustStore=C:\commandbox\openjdk11\jre\lib\security\cacerts;TrustStorePassword=ThePassword
Sample connection string to enable SSL without validating the server certificate:
EncryptionMethod=SSL;ValidateServerCertificate=false;TrustStore=C:\commandbox\openjdk11\jre\lib\security\cacerts;TrustStorePassword=ThePassword
Is it possible to cause SQL Server (2014 or later) to encrypt connections, if that server isn't on DNS (i.e. accessed via IP address)? I understand that an SSL certificate can only be tied to a domain name, but that doesn't always prevent its use without the server being at that domain name, such as via an SslStream.
Thanks
I configured successfully SSL on Microsoft SQL Server 2012 Express Edition for the purpose of encrypting external network connections to the database that are made through Internet. For performance reasons for internal clients on the network I do not want to force the use of SSL and leave to the clients the option of use it or not. I set Force Encryption to No with the following steps:
Sql Server Configuration Manager
Sql Server Network Configuration
Protocols for (MYSQLSERVERNAME)
Right click: Properties
Flags tab.
When I try to establish an encrypted connection with Microsoft Sql Server Management Studio checking Encrypt connection option on Options > Connection Properties I get the following error.
A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The target principal name is incorrect.) (Microsoft SQL Server, Error: -2146893022)
What is striking is that if I select Force Encryption as Yes on Sql Server Configuration Manager and I not select Encrypt connection on Microsoft Sql Server Management Studio I can connect to the database. If I execute the query:
select * from sys.dm_exec_connections
In fact the column encrypt_option is TRUE.
The certificate was generated with Openssl and this is the information:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Validity
Not Before: Jun 9 15:53:18 2016 GMT
Not After : Jun 9 15:53:18 2018 GMT
Subject: C=US, ST=State, L=Location, O=Testing, OU=Development, CN=JOSEPH-ASUS
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
DB:7F:58:DC:F7:D9:90:2A:DF:0E:31:84:5C:49:68:E7:61:97:D8:41
X509v3 Authority Key Identifier:
keyid:C9:5C:79:34:E0:83:B2:C7:26:21:90:17:6A:86:88:84:95:19:88:EA
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Alternative Name:
DNS:alternatename1, DNS:alternatename2, IP Address:192.168.1.100, IP Address:192.191.1.101, IP Address:192.168.1.103
Signature Algorithm: sha256WithRSAEncryption
...
The current OS is Windows 10 Home.
What I'm missing?
I had the same issue and got resolved by adding TrustServerCertificate=True; to the connection string.
I received this error when I was doing something similar. I also created a certificate from OpenSSL and imported it into SQL Server. I also used SQL Server Management Studio to attempt to verify that the client side copy of the certificate was required. When I did this I got the error described above.
The solution was simply that in the window to connect I was not using the CN that is on the certificate:
Instead of 127.0.0.1 (or whatever you have there) put the CN on the certificate and this connection should work.
The certificate generated with OpenSSL work properly. In my case the problem was rights of the account under which runs MSSQL over the certificate, I solved this issue with the follow steps:
Open SQL Server Configuration Manager.
Locate the account which is used to run MSSQL instance (Log On tab on MSSQL instance Properties).
Open MMC Console and add Certificates (Local Machine) snap-in.
Search the certificate store, right click on certificate and select All Tasks -> Manage Private Keys....
Set the Permissions to the same account under which MSSSQL runs.
I got this error when trying to connect via sqlcmd to a server which required windows integrated authentication (option -E) but accidentally used Azure Active Directory Authentication (option -G). Selecting the correct flags fixed it for me. Note that this is the equivalent of including Trusted_Connection=True in the connection string.
It's possible that your Server Certificate is using a *.domain name.
Make sure your SQL server has a certificate with a fully qualified name (sqlserver.yourcompany.com, not just *.yourcompany.com)
I used to get this same error when I had a *.mycompany.com certificate installed, but when I tried with a self-signed certificate specifically made for that SQL server, Then everything worked.
The steps are as follows:
Assuming you have already generated a certificate and it's in your machine
In certificate manager find your certificate, right click, all tasks, manage public keys, Allow the SQL server user (usually NT service\MSSQLSERVER) access to the private keys.
From certificate manager, export the cert without private keys and import them into a client machine
Open SQL server configuration manager > network > protocols > right click > certificate, select the new certificate. apply
Restart the SQL server instance
Using information from some consultants about 2 years ago we set up a SQL Server 2012 box to always have an encrypted connection (at least we thought so). A week ago the SSL certificate expired and everything continues to work fine which is puzzling.
We forced encryption by doing the following:
Obtain an SSL certificate and install it on the SQL Server via MMC. Explicit instructions for this step are here.
Open SQL Server Configuration Manger and expand the SQL Server Network Configuration node in the left pane.
Right click Protocols for MSSQLServer and choose properties.
Go to Certificate tab and choose the installed SSL cert from the drop down.
Go to the Flags tab and set force encryption to Yes.
Now, since the SSL cert expired, there is no longer any cert selected in the drop down when I visit step 3 above. However, I put WireShark on the DB server and use SSMS to request some data. The TDS (Tabular Data Stream) packets are still encrypted? When I put WireShark on a different DB Server I set ForceEncryption to NO, those TDS packets are not encrypted as expected.
So my questions are:
How are the TDS packets still encrypted if the cert is expired?
Even when the cert was valid, why didn't I have to select Options > Encrypt Connection to connect to my encrypted DB server? I thought setting ForceEncryption=Yes required ALL client connections to specify Encrypt in their connection string (or the SSMS checkbox)?
If Web APIs are the only method of accessing my DB, and they do so over SSL, is it even necessary to encrypt the SQL Protocol?
1)How are the TDS packets still encrypted if the cert is expired?
you don't need a valid certificate in order to encrypt, you can still encrypt using an expired certificate.
2)Even when the cert was valid, why didn't I have to select Options > Encrypt Connection to connect to my encrypted DB server? I thought setting ForceEncryption=Yes required ALL client connections to specify Encrypt in their connection string (or the SSMS checkbox)?
Do not enable the Force Protocol Encryption option on both the client and the server,
if you enabled force encryption on SQL server you don't need to do it on any client-side
3)If Web APIs are the only method of accessing my DB, and they do so over SSL, is it even necessary to encrypt the SQL Protocol?
To enable SSL you need the certificate to be installed on SQL server so in order to access the DBusing SSL you are doing the same job.
Thank you
I'm using plain-C WebSocket library called libwebsockets to make a connection between client and server. When starting server I specify the server's cert and private key to be able to use SSL connection. It works OK.
When making a client's connection to the server I specify an SSL option to be able to create an SSL connection (using self-signed cert). All those things work as expected.
Now, I need somehow to get server's certificate on the client side during the connection establishment (or during handshake). Is there a way to do this? I can't find anything in the official documentation.
Thanks in advance.