Configuring encryption for database connections
Available in version 8.2 and later
Encryption enables transmitting encrypted data across the network between an instance of SQL Server and the Verba applications. SSL/TLS is a protocol for establishing a secure communication channel to prevent the interception of critical or sensitive information across the network and other Internet communications. SSL/TLS allows the client and the server to authenticate the identity of each other. After the participants are authenticated, SSL/TLS provides encrypted connections between them for secure message transmission.
Enabling encryption increases the security of data transmitted across networks between instances of SQL Server and applications. However, enabling encryption results in slower performance.
Encryption needs to be configured in both SQL Server and Verba, although you can turn on encryption support on the SQL Server side without configuring the Verba servers. In this case, the connection will be encrypted, but the Verba servers will not validate the SQL Server certificate, so the identity of the server is not verified. You can also use this approach with earlier Verba releases, where encryption-related settings are not available for the Verba applications.
Enabling encryption for the SQL Server
Microsoft provides detailed guidance on configuring encryption for an SQL Server: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine
Make sure you follow the guideline properly. We strongly recommend consulting your database administrator before proceeding with the configuration.
Enabling encryption for Verba services
Follow the steps below to enable SSL encryption for the SQL Server connections in Verba:
Export the certificate
For Verba to request the encryption, Verba servers must trust the SQL Server certificate and the certificate must already exist on the SQL Server. For more information, see http://support.microsoft.com/kb/316898
To export the SQL Server certificate, follow these steps:
Step 1 - Click Start and then Run, and type MMC. (MMC is an acronym for the Microsoft Management Console)
Step 2 - In MMC, open the Certificates snap-in.
Step 3 - Expand Personal and then Certificates.
Step 4 - Right-click the server certificate, and then select All Tasks\Export.
Step 5 - Click Next to move past the welcome dialog box of the Certificate Export Wizard.
Step 6 - Confirm that "No, do not export the private key" is selected, and then click Next.
Step 7 - Make sure that either DER encoded binary X.509 (.CER) or Base-64 encoded X.509 (.CER) is selected, and then click Next.
Step 8 - Enter an export file name.
Step 9 - Click Next, and then click Finish to export the certificate.
Import the certificate on the Verba servers
Follow these steps to import the SQL Server certificate on all Verba servers:
Step 10 - Navigate to the Verba server by using the MMC snap-in, and then browse to the Trusted Root Certification Authorities folder.
Step 11 - Right-click the Trusted Root Certification Authorities folder, point to All Tasks, and then click Import.
Step 12 - Browse, and then select the certificate (.cer file) that you exported in Step 1 through Step 9. Select the defaults to complete the remaining part of the wizard.
Step 13 - Repeat Step 10 through Step 12 on all Verba servers.
Import the certificate into a Java Trust Store on the Verba servers
Follow these steps to import the SQL Server certificate to a Java trust store on all Verba servers:
Step 14 - Use the Java "keytool" utility that is installed with the JRE (Java Runtime Environment). The following command demonstrates how to use the "keytool" utility to import the certificate from a file:
keytool -import -v -trustcacerts -alias myServer -file caCert.cer -keystore truststore.ks
Here, myServer is the FQDN of the SQL Server, caCert.cer is the exported SQL Server certificate file, and truststore.ks is the name of the Java trust store you will use in the Verba configuration.
Make a note of the password entered when executing the command.
Step 15 - Repeat Step 14 on all Verba servers. Make sure you use the same parameters (trust store name and path, password) on all servers to enable simple configuration using configuration profiles.
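A check that fits the export and import steps above, as an added example that is not part of the original documentation: it computes the fingerprint of a .cer file in either encoding from Step 7, so the file imported on each Verba server can be compared with the one exported from the SQL Server. The function names are hypothetical and the sample bytes are constructed stand-ins, not a real certificate.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def cert_to_der(data: bytes) -> bytes:
    """Return DER bytes for a .cer file in either encoding offered in Step 7."""
    match = PEM_BLOCK.search(data)
    if match:  # Base-64 encoded X.509 (.CER)
        return base64.b64decode(b"".join(match.group(1).split()), validate=True)
    if data[:1] != b"\x30":  # a DER certificate starts with an ASN.1 SEQUENCE
        raise ValueError("neither DER nor Base-64 encoded X.509")
    return data


def fingerprints(data: bytes) -> dict:
    """SHA-1 and SHA-256 over the DER bytes, as colon-separated upper-case hex."""
    der = cert_to_der(data)
    result = {}
    for name in ("sha1", "sha256"):
        digest = hashlib.new(name, der).hexdigest().upper()
        result[name] = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return result


def same_certificate(exported: bytes, candidate: bytes) -> bool:
    """True when both files hold the same certificate, whatever their encoding."""
    return fingerprints(exported)["sha256"] == fingerprints(candidate)["sha256"]


# Constructed stand-in bytes (not a real certificate); a fingerprint is only a
# hash over the DER bytes, so this is enough to exercise both encodings.
SAMPLE_DER = b"\x30\x82\x00\x10" + bytes(range(16))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\r\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\r\n")

if __name__ == "__main__":
    print(fingerprints(SAMPLE_DER)["sha256"])
    print(same_certificate(SAMPLE_DER, SAMPLE_PEM))
```

Read each file with open(path, "rb").read() before passing it in. The SHA-1 value is the same digest that Windows shows as the certificate Thumbprint, displayed there without colons.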
Configure Verba database connection parameters
Follow these steps to configure encryption for the Verba services:
Step 16 - In the Verba web interface, click Administration > Verba Servers and select your server, or select the appropriate Configuration Profile at Administration > Configuration Profiles.
Step 17 - Click on the Change Configuration Settings tab.
Step 18 - Expand Database Connection and SSL Encryption for Connections.
Step 19 - Enable the SSL Encryption option.
Step 20 - Enter the full path of the Java trust store, created on the server at Step 14 above, into Java Trust Store Path.
Step 21 - Enter the password, used at Step 14 above, into Java Trust Store Password.
Step 22 - Click the Save icon to save your settings.
Step 23 - The system will notify you that the changes need to be applied to the server by restarting the involved services. Execute the required tasks.
Step 24 - Repeat Step 16 through 23 for each Verba server.
Checking encryption
The best way to check whether encryption is enabled is to use Wireshark or another network capture tool and validate that the SQL connections are encrypted and cannot be read.
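One way to read the negotiation out of such a capture, as an added example that is not part of the original documentation: the server's answer to the unencrypted TDS PRELOGIN packet at the start of a connection states whether the rest of the session will be encrypted. The byte layout and option values come from Microsoft's TDS specification (MS-TDS), not from this page; the function names are hypothetical and the sample packets are constructed.

```python
import struct

# ENCRYPTION option values defined by the TDS specification (MS-TDS).
ENCRYPT_NAMES = {0x00: "ENCRYPT_OFF", 0x01: "ENCRYPT_ON",
                 0x02: "ENCRYPT_NOT_SUP", 0x03: "ENCRYPT_REQ"}
ENCRYPTION_TOKEN, TERMINATOR = 0x01, 0xFF


def prelogin_encryption(packet: bytes) -> str:
    """Return the ENCRYPTION option name carried in one TDS PRELOGIN packet."""
    if len(packet) < 8:
        raise ValueError("shorter than the 8-byte TDS packet header")
    ptype, _status, length = struct.unpack(">BBH", packet[:4])
    if ptype not in (0x12, 0x04):  # 0x12 client PRELOGIN, 0x04 server reply
        raise ValueError("not a PRELOGIN packet or its response")
    payload = packet[8:length]
    pos = 0
    # Option list: token (1 byte), offset (2), length (2), ended by 0xFF.
    while pos < len(payload) and payload[pos] != TERMINATOR:
        if pos + 5 > len(payload):
            raise ValueError("truncated option list")
        token, offset, size = struct.unpack(">BHH", payload[pos:pos + 5])
        if token == ENCRYPTION_TOKEN:
            if size != 1 or offset >= len(payload):
                raise ValueError("malformed ENCRYPTION option")
            if payload[offset] not in ENCRYPT_NAMES:
                raise ValueError("unknown ENCRYPTION value")
            return ENCRYPT_NAMES[payload[offset]]
        pos += 5
    raise ValueError("no ENCRYPTION option in packet")


def session_fully_encrypted(server_reply: bytes) -> bool:
    """True only if the server's reply means all traffic after login is encrypted.

    ENCRYPT_OFF encrypts the login packet only; ENCRYPT_NOT_SUP encrypts nothing.
    """
    return prelogin_encryption(server_reply) in ("ENCRYPT_ON", "ENCRYPT_REQ")


def build_sample(ptype: int, enc: int) -> bytes:
    """Constructed PRELOGIN packet (VERSION + ENCRYPTION options) for the demo."""
    options = struct.pack(">BHH", 0x00, 11, 6) + struct.pack(">BHH", 0x01, 17, 1)
    payload = options + b"\xff" + bytes([15, 0, 16, 0, 0, 0]) + bytes([enc])
    return struct.pack(">BBHHBB", ptype, 0x01, 8 + len(payload), 0, 1, 0) + payload


if __name__ == "__main__":
    for value in ENCRYPT_NAMES:
        reply = build_sample(0x04, value)
        print(prelogin_encryption(reply), session_fully_encrypted(reply))
```

To use it on real traffic, copy the TDS bytes of the server's first response from the capture as a hex stream and pass bytes.fromhex(...) of that string to session_fully_encrypted.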