Encrypting the connection to Yellowfin database used by Live Reporting
This topic describes steps for encrypting your connection to Yellowfin to secure information displayed by the Live Reporting dashboard. Depending on which database server Yellowfin runs on, perform either of the following procedures:
SQL Server database connection
Depending on your company policy, you can choose any third-party certificate authority (CA) to issue certificates for Server Authentication. Note that you cannot use self-signed certificates to encrypt a connection with an SQL Server database.
BMC Server Automation does not support using an encrypted Microsoft SQL Server database connection at the time of installation or upgrade. However, after the product is installed or upgraded successfully, BMC Server Automation can use an encrypted connection to communicate with the Microsoft SQL Server database.
1. Ensure that you copy the third-party CA file (typically the pubkey.cer) to any temporary location on the Yellowfin SQL database server.
2. Download the Microsoft JDBC driver from this site.
3. Ensure that you select the correct architecture for the jar files based on your Yellowfin SQL Server database architecture.
4. Unzip the file to a temporary location and copy the mssql-jdbc-6.2.1.jre8.jar file to the lib folders of the Yellowfin installation directory and the system JRE installation directory:
   Yellowfin path: <Yellowfin_Installation_Path>\appserver\lib
   JRE path: \Program Files\Java\jre1.8.0_141\lib
5. To allow Windows to authenticate to the SQL Server database, copy the sqljdbc_auth.dll file to the bin folders of the Yellowfin installation directory and the JRE installation directory:
   Yellowfin path: <Yellowfin_Installation_Path>\appserver\bin
   JRE path: \Program Files\Java\jre1.8.0_141\bin
   For example, copy "C:\Microsoft JDBC Driver 6.2 for SQL Server\sqljdbc_6.2\enu\auth\x64\sqljdbc_auth.dll" to "C:\Yellowfin 7.1\appserver\bin" and "C:\Program Files\Java\jre1.8.0_141\bin".
6. Import the third-party CA certificate (issued to the DB server) into Yellowfin:
a) Go to the system_java/jre/bin directory and use the keytool command to import the third-party certificate into cacerts.
The following command is a sample:
keytool -import -v -trustcacerts -alias <alias used to create certificate for DB Server> -file "C:\Users\Administrator\Documents\Third-Party.pubkey.cer" -keystore "C:\Program Files\Java\jre1.8.0_141\lib\security\cacerts"
b) When prompted for a password, enter 'changeit' (the default Java password for importing any certificate into its cacerts).
c) At the prompt "Trust this certificate? [no]:", enter yes.
d) Restart the Yellowfin Tomcat service.
7. Log on to the Live Reporting dashboard with your REPORT_ADMIN credentials.
8. Go to Administration - Admin Console - Data Sources - <your data source>
9. In the connection section, select 'Generic JDBC Data Source' for the 'Database' field
10. Change the JDBC driver to 'com.microsoft.sqlserver.jdbc.SQLServerDriver'
11. Change the Connection String to 'jdbc:sqlserver://<BSA_DB_SERVER_NAME>:<Port>;databaseName=<BSA_DB_NAME>;encrypt=true;trustServerCertificate=true;integratedSecurity=true'
12. Test the connection by clicking on the link 'Click here to test the connection.'
13. The connection should be successful and should return the BSA_DB tables
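The connection string in step 11 sets both encrypt=true and trustServerCertificate=true; with the Microsoft JDBC driver, trustServerCertificate=true means the server certificate is not validated, so the CA certificate imported in step 6 is only checked when that property is false. The following Python check is an added example, not part of the BMC or Yellowfin documentation, that flags these settings in a connection string. The host, port and database values are constructed placeholders, and the parser assumes property values do not use the driver's brace escaping.

```python
# Added example: audit a Microsoft JDBC connection string for TLS settings.
# Assumption: property values do not use the driver's {brace} escaping.

def parse_sqlserver_url(url):
    """Split jdbc:sqlserver://host:port;key=value;... into (server, properties)."""
    prefix = "jdbc:sqlserver://"
    if not url.lower().startswith(prefix):
        raise ValueError("not a jdbc:sqlserver:// connection string")
    server, _, rest = url[len(prefix):].partition(";")
    props = {}
    for item in rest.split(";"):
        if not item.strip():
            continue
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed property: {item!r}")
        # The driver treats property names as case-insensitive.
        props[key.strip().lower()] = value.strip()
    return server, props


def audit_tls(url):
    """Return a list of findings; an empty list means no issue was found."""
    _, props = parse_sqlserver_url(url)
    findings = []
    if props.get("encrypt", "").lower() != "true":
        findings.append("encrypt is not explicitly true: "
                        "traffic may be sent unencrypted")
    if props.get("trustservercertificate", "").lower() == "true":
        findings.append("trustServerCertificate=true: the driver skips server "
                        "certificate validation, so the CA imported into "
                        "cacerts is not checked")
    return findings


# Constructed sample strings; host, port and database name are placeholders.
AS_DOCUMENTED = ("jdbc:sqlserver://db.example.internal:1433;databaseName=bsa_db;"
                 "encrypt=true;trustServerCertificate=true;integratedSecurity=true")
VALIDATING = ("jdbc:sqlserver://db.example.internal:1433;databaseName=bsa_db;"
              "encrypt=true;trustServerCertificate=false;integratedSecurity=true")

if __name__ == "__main__":
    for label, url in (("as documented", AS_DOCUMENTED), ("validating", VALIDATING)):
        print(label, "->", audit_tls(url) or "no findings")
```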
Enabling or disabling encryption in an Oracle database connection
You do not need to perform any configuration on the BMC Server Automation application server to enable or disable encryption in your Oracle database connection using Oracle Advanced Security. For detailed steps on enabling encryption using Oracle Advanced Security, refer to the Oracle documentation.
See the following example for encrypting the connection to your Oracle 11g R2 database using the AES256 encryption algorithm.
1. For Oracle, no specific change is required on the Yellowfin server.
2. Once the DB Server has been encrypted by following the steps mentioned here <link to enable Oracle encryption>, Yellowfin needs to be restarted.
Steps to Encrypt DB Server <The earlier link to BSA DB Server encryption>
Note: If the DB Server has been modified to support encryption, Yellowfin’s Tomcat needs to be restarted to establish a fresh secure connection.