Ivan Mackintosh
9 January 2013 - v1.0

SQL Server 2008 and SSL Secure Connection

This document describes the steps involved in converting an existing SQL connection to a secure SSL connection suitable for a client connecting to a remote database over the Internet. DATRAN Web Trending accesses a remote database over the Internet, so implementing SSL will increase the level of data security.

For ease of fault finding and diagnosis it is recommended to start from an existing working database connection before adding the SSL security. This way any issues with SQL TCP connectivity, TCP port configuration and firewall port forwarding have already been resolved.

SSL Certificate

The SQL Server needs an SSL certificate to be created, which is then used by both the client and server to verify the connection pre-SQL logon. There are two options:

- Purchasing a certificate from a trusted certificate authority such as Verisign or Comodo. Note that for this option you must ensure you purchase a certificate that is for Server Authentication.
- Creating a self-signed certificate.

The purchasing option will come with an annual renewal fee as the certificate will normally only be valid for a year. The renewed certificate will also need to be reapplied to the SQL Server in order for the connection to remain operational. This option is normally taken if many clients connect to the server, as the client software/web browser will already "trust" the authenticity of a Verisign or Comodo certificate.

Creating a self-signed certificate is free and the certificate validity period can be specified at the time of creation. For instance a 10 year certificate could be created and then no ongoing annual server maintenance will be required. However, the client software/web browser will not automatically "trust" a self-signed certificate, but this can easily be resolved by adding the new self-signed certificate to the Trusted Root Certification Authorities certificate store on the client machine.
Because of the additional effort of this last step this method is best suited to situations where there are minimal clients and they are controlled in-house. This method is the best option for QTech's Web Trending as the QTech server is the only client to the customer's SQL database.

Creating a Self-Signed Certificate

The easiest way to do this is to download and run a command line utility called SelfSSL. This Microsoft utility can be downloaded from Microsoft as part of the IIS Resource Kit or direct from the members section of the QTech website www.qtech.co.nz. If downloaded from QTech, copy the file selfssl.exe to a folder on the SQL Server, open a command prompt and navigate to that folder.

Before running this program and creating the certificate you will need to know the fully qualified domain name (FQDN) of the SQL Server computer. This can be obtained from My Computer -> Properties -> Computer Name as shown below.

Now create the self-signed certificate using the following command line:

    C:\Program Files\SelfSSL>selfssl.exe /N:CN=qtech40.qtech.local /K:2048 /V:3650 /T
    Microsoft (R) SelfSSL Version 1.0
    Copyright (C) 2003 Microsoft Corporation. All rights reserved.

    Do you want to replace the SSL settings for site 1 (Y/N)?y
    The self signed certificate was successfully assigned to site 1.

    C:\Program Files\SelfSSL>

The parameters are as follows:

- /N:CN= specifies the fully qualified domain name. This parameter must be correct as it is the one that is checked as part of the SSL connection negotiations.
- /K:2048 specifies the encryption key length (2048 is the current standard).
- /V:3650 specifies the duration in days of the certificate's validity (3650 = 10 years).
- /T instructs the program to automatically install the certificate for you.

You will be prompted to "replace settings for site 1". Answer Y to this question, otherwise the certificate is not installed.

Note that on some machines an error is displayed: "Error opening metabase". This can safely be ignored.

Add Certificate to SQL Server

Run SQL Server Configuration Manager. Right mouse click on your instance of SQL Server and select Properties from the context menu.
Select the Certificate tab and in the drop down menu you should see the self-signed certificate that you created earlier. Select this and then click the Apply button. Note that changes will not take effect until the SQL Server is restarted.

If there are no entries in the Certificate drop down menu then there is a problem with the certificate installation from the previous step. See the Troubleshooting section later in this document.

Under the Flags tab there is an option for Force Encryption. Leave this setting set to No. This means that if a client connects to the SQL Server requiring an encrypted connection, it will be encrypted and validated using the previously specified SSL certificate. However, if a client connects to the SQL Server not requiring encryption (e.g. existing clients such as DATRAN Trending), it will be accepted also. So we have not forced encryption on all of the SQL Server clients.

Exporting the Certificate Authority from the Server

To view the certificate repository start Microsoft Management Console: from the Start menu select Run and type mmc.

1. From the File menu select Add/Remove Snap-in.
2. A dialog box will be displayed showing all currently installed snap-ins. If Certificates is not there then click the Add button and select Certificates.
3. The Certificates snap-in wizard will be displayed.
4. For the question "The snap-in will always manage certificates for" select Computer Account.
5. On the next screen, "Select the computer you want to manage", leave as Local Computer and press Finish.
6. Press Close on the snap-in selection screen.
7. Press OK on the Add/Remove snap-in screen.

The main screen now shows Certificates in the left hand pane. Navigate to the Trusted Root Certification Authorities\Certificate folder and in the right hand pane find the one that matches the fully qualified domain name, our self-signed certificate created earlier.

Right mouse click on this certificate and from the pop-up context menu select All Tasks->Export. Use all of the default options for the Export Wizard.

For the configuration of Web Trending the exported certificate needs to be sent to QTech to be added to the Web Trending client's Trusted Root Certification Authority.

Importing the Certificate Authority to the Client

On the client computer, follow the same steps as for the export above, but right mouse click on the Trusted Root Certification Authorities folder and select All Tasks->Import, specifying the file provided by the export.

Ensuring the Client Connects securely

To force the client to connect securely, such that the connection details including user name and password are not sent over the Internet in plain text format, the following needs to be added to the SQL connection string:

    Encrypt=true

The client connection should now be secure. However, there are now two possible connection failure scenarios:

- The certificate isn't installed correctly on the server, so the client cannot make an encrypted connection.
- The Certification Authority isn't installed correctly on the client, so whilst the connection was established the certificate credentials could not be validated.

For further error descriptions see the Troubleshooting section.

Troubleshooting

This section describes possible error conditions and remedies.

1. "A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)"
The self-signed certificate has not successfully been added to the client Trusted Certification Authority certificate store. Using MMC, open the store and search for the certificate. If it is not there then import it.

Or

Occurs when the client requires a secure connection but the server isn't configured to handle one. The self-signed certificate has not successfully been configured in SQL Server Configuration Manager on the server computer.

2. From within the SQL Server Configuration Manager there are no certificates in the drop down box.

The certificate either:

- doesn't exist in the Personal and Trusted certificate repository
- is the incorrect type of certificate - it needs to be a Server Authentication certificate
- has a CN (Common Name) property that doesn't match the fully qualified name of the SQL Server.

Run MMC on the SQL Server and search for the certificate in both the Personal and Trusted certificate repositories. Follow the section on creating a self-signed certificate using SelfSSL.
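
The three causes listed under Troubleshooting item 2 can be checked from a script instead of by eye in MMC. The following is an added example, not part of the original document; it assumes PowerShell 3.0 or later run as Administrator on the SQL Server, and uses the FQDN from the SelfSSL command as a sample value.

```powershell
# Added example (not from the original document).
# Reports, for every certificate in the Local Computer "Personal" store, the
# properties that Troubleshooting item 2 says must hold before SQL Server
# Configuration Manager will list the certificate.
$fqdn          = 'qtech40.qtech.local'   # sample FQDN from the SelfSSL step; use your own
$serverAuthOid = '1.3.6.1.5.5.7.3.1'     # OID of the Server Authentication usage
$now           = Get-Date
$nameType      = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$ekuType       = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

$report = @(Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    # Collect the Enhanced Key Usage OIDs. A certificate with no EKU
    # extension is treated as valid for all purposes.
    $ekuOids = @($cert.Extensions |
        Where-Object { $_ -is $ekuType } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    [pscustomobject]@{
        Subject        = $cert.Subject
        CnMatchesFqdn  = ($cert.GetNameInfo($nameType, $false) -eq $fqdn)
        ServerAuth     = ($ekuOids.Count -eq 0) -or ($ekuOids -contains $serverAuthOid)
        WithinValidity = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
        # The same certificate must also sit in Trusted Root (the /T switch does this).
        InTrustedRoot  = Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
    }
})

$report | Format-Table -AutoSize

$usable = @($report | Where-Object {
    $_.CnMatchesFqdn -and $_.ServerAuth -and $_.WithinValidity -and $_.InTrustedRoot
})
if ($usable.Count -eq 0) {
    Write-Warning "No certificate for $fqdn passes all checks; re-run the SelfSSL step."
}
```

Any column showing False points at the matching cause in the list above.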
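
Because Force Encryption is left at No, only the client's connection string decides whether a session is encrypted, so it is worth confirming from the client that Encrypt=true took effect. The following is an added example, not part of the original document; the server name, login and password are placeholders, and TrustServerCertificate=false (a SqlClient keyword not mentioned on this page, shown here at its default) is written out because setting it to true would skip the certificate validation this document sets up.

```powershell
# Added example (not from the original document).
# Opens an encrypted connection the way the client would and asks the server
# whether this session is actually encrypted.
$server = 'qtech40.qtech.local'   # placeholder: must equal the certificate CN
$connString = "Server=$server;Database=master;" +
              "User ID=<login>;Password=<password>;" +      # placeholders
              "Encrypt=true;TrustServerCertificate=false"

$conn = New-Object System.Data.SqlClient.SqlConnection $connString
try {
    $conn.Open()

    # encrypt_option is 'TRUE' when the current session uses SSL.
    # Reading this view requires the VIEW SERVER STATE permission.
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT encrypt_option FROM sys.dm_exec_connections ' +
                       'WHERE session_id = @@SPID'
    $encrypted = $cmd.ExecuteScalar()

    if ($encrypted -eq 'TRUE') {
        Write-Output "Connected to $server; session is encrypted."
    } else {
        Write-Warning "Connected to $server, but the session is NOT encrypted."
    }
}
catch {
    $msg = $_.Exception.GetBaseException().Message
    if ($msg -match 'not trusted') {
        # Troubleshooting item 1: the exported certificate is missing from the
        # client's Trusted Root Certification Authorities store, or the server
        # has no certificate selected in SQL Server Configuration Manager.
        Write-Warning "Certificate chain not trusted: $msg"
    } else {
        Write-Warning "Connection failed: $msg"
    }
}
finally {
    $conn.Dispose()
}
```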