SQL Server 2008 and SSL Secure Connection



Ivan Mackintosh
9 January 2013 - v1.0

This document describes the steps involved in converting an existing SQL connection to a secure SSL connection suitable for a client connecting to a remote database over the Internet. DATRAN Web Trending accesses a remote database over the Internet, so implementing SSL will increase the level of data security.

For ease of fault finding and diagnosis it is recommended to start from an existing working database connection before adding the SSL security. This way any issues with SQL TCP connectivity, TCP port configuration and firewall port forwarding have already been resolved.

SSL Certificate

The SQL Server needs an SSL certificate to be created, which is then used by both the client and server to verify the connection pre-SQL logon. There are two options:

- Purchasing a certificate from a trusted certificate authority such as Verisign or Comodo. Note that for this option you must ensure you purchase a certificate that is for Server Authentication.
- Creating a self-signed certificate.

The purchasing option will come with an annual renewal fee as the certificate will normally only be valid for a year. The renewed certificate will also need to be reapplied to the SQL Server in order for the connection to remain operational. This option is normally taken if many clients connect to the server, as the client software/web browser will already "trust" the authenticity of a Verisign or Comodo certificate.

Creating a self-signed certificate is free and the certificate validation period can be specified at the time of creation. For instance, a 10 year certificate could be created and then no ongoing annual server maintenance will be required. However, the client software/web browser will not automatically "trust" a self-signed certificate, but this can easily be resolved by adding the new self-signed certificate to the Trusted Authority's certificate store on the client machine. Because of the additional effort of this last step, this method is best suited to situations where there are minimal clients and they are controlled in-house. This method is the best option for QTech's Web Trending as the QTech server is the only client to the customer's SQL database.

Creating a Self-Signed Certificate

The easiest way to do this is to download and run a command line utility called SelfSSL. This Microsoft utility can be downloaded from Microsoft as part of the IIS Resource Kit or direct from the members section of the QTech website www.qtech.co.nz. If downloaded from QTech, copy the file selfssl.exe to a folder on the SQL Server, open a command prompt and navigate to that folder.

Before running this program and creating the certificate you will need to know the fully qualified domain name (FQDN) of the SQL Server computer. This can be obtained from My Computer -> Properties -> Computer Name.

Now create the self-signed certificate using the following command line:

    C:\Program Files\SelfSSL>selfssl.exe /N:CN=qtech40.qtech.local /K:2048 /V:3650 /T
    Microsoft (R) SelfSSL Version 1.0
    Copyright (C) 2003 Microsoft Corporation. All rights reserved.

    Do you want to replace the SSL settings for site 1 (Y/N)?y
    The self signed certificate was successfully assigned to site 1.

    C:\Program Files\SelfSSL>

The parameters are as follows:

- /N:CN= specifies the fully qualified domain name. This parameter must be correct as it is the one that is checked as part of the SSL connection negotiations.
- /K:2048 specifies the encryption key length (2048 is the current standard).
- /V:3650 specifies the duration in days for the certificate's validity (3650 = 10 years).
- /T instructs the program to automatically install the certificate for you. You will be prompted to "replace settings for site 1". Answer Y to this question, otherwise the certificate is not installed.

Note that on some machines an error is displayed: "Error opening metabase". This can safely be ignored.

Add Certificate to SQL Server

Run SQL Server Configuration Manager.

Right mouse click on your instance of SQL Server and select Properties from the context menu.

Select the Certificate tab and in the drop down menu you should see the self-signed certificate that you created earlier. Select this and then click the Apply button. Note that changes will not take effect until the SQL Server is restarted.

If there are no entries in the Certificate drop down menu then there is a problem with the certificate installation from the previous step. See the Troubleshooting section later in this document.

Under the Flags tab there is an option for Force Encryption. Leave this setting set to No. This means that if a client connects to the SQL Server requiring an encrypted connection, it will be encrypted and validated using the previously specified SSL certificate. However, if a client connects to the SQL Server not requiring encryption (e.g. existing clients such as DATRAN Trending), it will be accepted also. So we have not forced encryption on all of the SQL Server clients.

Exporting the Certificate Authority from the Server

To view the certificate repository start Microsoft Management Console: from the Start menu select Run and type mmc.

1. From the File menu select Add/Remove Snap-in.
2. A dialog box will be displayed showing all currently installed snap-ins. If Certificates is not there then click the Add button and select Certificates.
3. The Certificates snap-in wizard will be displayed.
4. For the question "The snap-in will always manage certificates for" select Computer Account.
5. On the next screen, "Select the computer you want to manage", leave as Local Computer and press Finish.
6. Press Close on the snap-in selection screen.
7. Press OK on the Add/Remove snap-in screen.

The main screen now shows Certificates in the left hand pane. Navigate to the Trusted Root Certification Authorities\Certificate folder and in the right hand pane find the one that matches the fully qualified domain name, our self-signed certificate created earlier. Right mouse click on this certificate and from the pop-up context menu select All Tasks->Export. Use all of the default options for the Export Wizard.

For the configuration of Web Trending the exported certificate needs to be sent to QTech to be added in to the Web Trending client's Trusted Root Certification Authority.

Importing the Certificate Authority to the Client

On the client computer, follow the same steps as for the export above, but right mouse click on the Trusted Root Certification Authorities folder and select All Tasks->Import, specifying the file provided by the export.

Ensuring the Client Connects Securely

To force the client to connect securely, such that the connection details including user name and password are not sent over the Internet in plain text format, the following needs to be added to the SQL connection string:

    Encrypt=true

The client connection should now be secure. However, there are now two possible connection failure scenarios:

- The certificate isn't installed correctly on the server, so the client cannot make an encrypted connection.
- The Certification Authority isn't installed correctly on the client, so whilst the connection was established the certificate credentials could not be validated.

For further error descriptions see the Troubleshooting section.

Troubleshooting

This section describes possible error conditions and remedies.

1. "A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)"

The self-signed certificate has not successfully been added to the client Trusted Certification Authority certificate store. Using MMC, open the store and search for the certificate. If it is not there then import it.

Or

Occurs when the client requires a secure connection but the server isn't configured to handle one. The self-signed certificate has not successfully been configured in SQL Server Configuration Manager on the server computer.

2. From within the SQL Server Configuration Manager there are no certificates in the drop down box.

The certificate either:

- doesn't exist in the Personal and Trusted certificate repository
- is the incorrect type of certificate - it needs to be a Server Authentication certificate
- the certificate's CN (Common Name) property doesn't match the fully qualified name of the SQL Server.

Run MMC on the SQL Server and search for the certificate in both the Personal and Trusted certificate repositories. Follow the section on creating a self-signed certificate using SelfSSL.
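The three causes listed under Troubleshooting item 2 can be checked in one pass on the SQL Server machine. This is an added example, not part of the original document; it assumes Windows PowerShell 3.0 or later and that the FQDN resolved by the script is the name given to selfssl.exe in /N:CN=.

```powershell
# Added example (not from the original document). Run on the SQL Server machine.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # OID of the Server Authentication EKU
# Assumption: this resolves to the FQDN used in selfssl.exe /N:CN=...
$fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

# Walk the Local Computer "Personal" store and record why each certificate
# would or would not be usable by SQL Server.
$report = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $cn   = $cert.GetNameInfo($nameType, $false)    # subject Common Name
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $now  = Get-Date

    $problems = @()
    if ($cn -ne $fqdn) {
        $problems += "CN '$cn' does not match FQDN '$fqdn'"
    }
    if ($ekus -notcontains $serverAuthOid) {
        $problems += 'not a Server Authentication certificate'
    }
    if (-not $cert.HasPrivateKey) {
        $problems += 'no private key in this store'
    }
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += 'outside validity period'
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        Expires       = $cert.NotAfter
        # Same certificate also present under Trusted Root Certification Authorities?
        InTrustedRoot = Test-Path -Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
        Problems      = if ($problems) { $problems -join '; ' } else { 'none' }
    }
}

if (-not $report) { Write-Warning 'No certificates in the Local Computer Personal store.' }
$report | Format-List
```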
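Because Force Encryption is left at No, whether a session is encrypted depends on each client's connection string, so it is worth confirming from the server's own view. The following added example (not part of the original document) connects with Encrypt=True and certificate validation left on, then lists every TCP session with its encryption state; the server name is a placeholder, Windows authentication is used for brevity, and the login is assumed to have VIEW SERVER STATE.

```powershell
# Added example (not from the original document).
# Placeholder: use the server FQDN, which must equal the certificate CN.
$server = 'sqlserver.example.local'

# Encrypt=True requests an encrypted connection. TrustServerCertificate=False
# keeps certificate validation on, so an untrusted or mismatched certificate
# fails the pre-login handshake instead of being silently accepted.
$connString = "Server=$server;Database=master;Integrated Security=True;" +
              "Encrypt=True;TrustServerCertificate=False"

# encrypt_option is 'TRUE' or 'FALSE' per connection; this_session marks our own.
$query = @'
SELECT c.session_id,
       CASE WHEN c.session_id = @@SPID THEN 1 ELSE 0 END AS this_session,
       c.encrypt_option, c.client_net_address, s.login_name, s.program_name
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.net_transport = 'TCP'
ORDER BY c.encrypt_option, c.session_id;
'@

$conn = New-Object System.Data.SqlClient.SqlConnection $connString
try {
    $conn.Open()
    $adapter = New-Object System.Data.SqlClient.SqlDataAdapter($query, $conn)
    $table   = New-Object System.Data.DataTable
    [void]$adapter.Fill($table)

    $table.Rows | Format-Table session_id, this_session, encrypt_option,
        client_net_address, login_name, program_name -AutoSize

    # Sessions the server accepted without encryption.
    $plain = @($table.Rows | Where-Object { $_.encrypt_option -eq 'FALSE' })
    if ($plain.Count -gt 0) {
        Write-Warning "$($plain.Count) TCP session(s) are not encrypted."
    }
}
catch {
    # A trust or name-mismatch failure surfaces here as the pre-login handshake error.
    Write-Error "Connection failed: $($_.Exception.Message)"
}
finally {
    $conn.Dispose()
}
```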