Encrypting your database connection
This topic describes the steps for encrypting your database connection to TrueSight Server Automation.
- Enabling or disabling encryption in a SQL Server database connection
- Enabling or disabling encryption in an Oracle database connection
- Related topics
Enabling or disabling encryption in a SQL Server database connection
TrueSight Server Automation does not support using an encrypted Microsoft SQL Server database connection at the time of installation or upgrade. However, after the product is installed or upgraded successfully, TrueSight Server Automation can use an encrypted connection to communicate with the Microsoft SQL Server database.
Enabling encryption in a SQL Server database connection using third-party CA certificates
Depending on your company policy, you can choose any third-party certificate authority (CA) to issue certificates for Server Authentication.
Step 1: Install certificate on SQL Server
You must first install the third-party CA certificate on the SQL database server.
- In the Microsoft Management Console (MMC), select the File menu and click Add/Remove Snap-in.
- In the Add/Remove Snap-in dialog box, click Add.
- In the Available snap-ins box on the left, click Certificates, and then click Add.
- Select the Computer account option and click Next. In the Certificates snap-in dialog box, click Computer account, and then click Finish.
- Click Close.
- In the Add/Remove Snap-in dialog box, click OK.
- In the Certificates snap-in, expand Certificates, right-click Personal, point to All Tasks, and then click Import.
- Use the Certificate Import Wizard to import the public key certificate.
- Complete the Certificate Import Wizard to add the certificate to the computer.
- Right-click the imported certificate under Personal, point to All Tasks, and then click Manage Private Keys. In the Security dialog box, add read permission for the user account used by the SQL Server service account.
Step 2: Configure the SQL Server to accept encrypted connections
To configure the SQL Server to accept encrypted connections, you must be running SQL Server Configuration Manager with an account that has local administrator privileges.
- In SQL Server Configuration Manager, expand SQL Server Network Configuration, right-click Protocols for the server instance you are using, and select Properties.
- On the Certificate tab, select the desired certificate from the drop down for the Certificate box.
- On the Flags tab, in the ForceEncryption box, select Yes, and then click OK to close the dialog box.
- Start the Microsoft Management Console (MMC).
- Expand Personal and then right-click Certificates, point to All Tasks, click Manage Private Keys, select Add User account and provide "NT Service\MSSQLSERVER" user and select Check option and then click OK.
- Restart the SQL Server service.
Step 3: Configure the TrueSight Server Automation application server
Perform the following steps on all your TrueSight Server Automation application servers:
- Copy the third-party CA certificate to the TrueSight Server Automation application server in a temporary location.
- From the command prompt, navigate to <BMC_Installation_Path>\NSH\JRE\bin
Enter the following command to import the public key certificate file:
keytool -import -v -trustcacerts -alias <dbserver_hostname> -file <path_to_public_key> -keystore <app_server_cacerts>
For example:
keytool -import -v -trustcacerts -alias bmc-pun-123456 -file <path_to_public_key> -keystore "C:\Program Files\BMC Software\BladeLogic\NSH\jre\lib\security\cacerts"
Note
The path to the keytool application is typically: c:\program files\bmc software\bladelogic\NSH\jre\bin\keytool
- When prompted for a password, enter the password that is set for JRE cacerts keystore in TrueSight Server Automation. The default password set for cacerts is typically changeit.
- Connect to the application server and change the global.properties file with the following URL:
url=jdbc\:sqlserver\://;serverName\=<FQDN_db_server>;port\=<port_number>;DatabaseName\=<database_name>;SelectMethod\=cursor;encrypt\=true;trustServerCertificate\=false
Variable: Description
<FQDN_db_server>: Fully qualified domain name of the SQL database server
<database_name>: Database name
For example:
url=jdbc\:sqlserver\://;serverName\=bmc-pun-123456.bmc.com;port\=1433;DatabaseName\=db_encrpted;SelectMethod\=cursor;encrypt\=true;trustServerCertificate\=false
- Restart the application server.
Step 4: Configure the TrueSight Server Automation PXE server
Perform the following steps on all your TrueSight Server Automation PXE servers.
- From the command prompt, navigate to <BMC_Installation_Path>\NSH\JRE\bin and enter the following command to import the public key certificate file in cacerts.
keytool -import -v -trustcacerts -alias <dbserver_hostname> -file <path_to_public_key> -keystore <pxe_server_cacerts>
For example:
keytool -import -v -trustcacerts -alias bmc-pun-123456 -file "C:\SSL\security_certificate.pubkey.cer" -keystore "C:\Program Files\BMC Software\BladeLogic\pxe\jre\lib\security\cacerts"
- When prompted for a password, enter the password that is set for JRE cacerts keystore in TrueSight Server Automation. The default password set for cacerts is typically changeit.
- Connect to the Application server and change the global.properties file for PXE server with the following URL:
url=jdbc\:sqlserver\://;serverName\=<FQDN_db_server>;port\=<port_number>;DatabaseName\=<database_name>;SelectMethod\=cursor;encrypt\=true;trustServerCertificate\=false
<FQDN_db_server>: Fully qualified domain name of the SQL database server
<database_name>: Database name
For example:
url=jdbc\:sqlserver\://;serverName\=bmc-pun-123456.bmc.com;port\=1433;DatabaseName\=db_encrpted;SelectMethod\=cursor;encrypt\=true;trustServerCertificate\=false
- Restart the PXE server.
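A check of the url= entries written in Steps 3 and 4, as an added example that is not part of the BMC documentation: it undoes the .properties escaping and confirms that each URL sets encrypt=true, keeps trustServerCertificate=false (so the certificate imported into cacerts is actually validated) and names the database server by FQDN. The sample lines, the function names and the assumption that serverName is given as a property, as on this page, belong to the example.

```python
import ipaddress
import re

# Constructed sample global.properties lines, in the escaped form the page uses.
SAMPLE = r"""
url=jdbc\:sqlserver\://;serverName\=bmc-pun-123456.bmc.com;port\=1433;DatabaseName\=db_encrpted;SelectMethod\=cursor;encrypt\=true;trustServerCertificate\=false
url=jdbc\:sqlserver\://;serverName\=bmc-pun-123456;port\=1433;DatabaseName\=db_encrpted;SelectMethod\=cursor;encrypt\=true;trustServerCertificate\=true
url=jdbc\:sqlserver\://;serverName\=10.0.0.5;port\=1433;DatabaseName\=db_encrpted;SelectMethod\=cursor
"""

PREFIX = "jdbc:sqlserver://"

def parse_jdbc_url(line):
    """Return the ;key=value properties of one 'url=' line, keys lower-cased."""
    value = re.sub(r"\\([:=])", r"\1", line.split("=", 1)[1])  # undo .properties escaping
    if not value.startswith(PREFIX):
        raise ValueError("not a SQL Server JDBC URL")
    props = {}
    for part in value[len(PREFIX):].split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            props[key.strip().lower()] = val.strip()
    return props

def is_ip(host):
    """True when host is an IP literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit(props):
    """Return findings for one URL; an empty list means it matches the page's settings."""
    findings = []
    if props.get("encrypt", "").lower() != "true":
        findings.append("encrypt is not set to true")
    if props.get("trustservercertificate", "false").lower() != "false":
        findings.append("trustServerCertificate is not false: certificate is not validated")
    host = props.get("servername", "")
    if "." not in host or is_ip(host):
        findings.append("serverName is not an FQDN")
    return findings

def audit_text(text):
    """Audit every url= line in the text of a global.properties file."""
    return [audit(parse_jdbc_url(l)) for l in text.splitlines() if l.startswith("url=")]

if __name__ == "__main__":
    for n, findings in enumerate(audit_text(SAMPLE), 1):
        print(n, findings or "OK")
```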
Disabling encryption in a SQL Server database connection
To disable encryption in your SQL Server database connection, perform the following steps on your SQL Server database:
- In SQL Server Configuration Manager, expand SQL Server Network Configuration, right-click Protocols for the server instance you are using, and select Properties.
- On the Certificate tab, select the certificate which is currently in use from the drop down in the Certificate box, and then click Clear.
- On the Flags tab, in the ForceEncryption box, select No, and then click OK to close the dialog box.
- Restart the SQL Server service.
Enabling or disabling encryption in an Oracle database connection
No additional steps need to be performed in TrueSight Server Automation, once your Oracle database server is enabled for encryption using Oracle Advanced Security. For detailed steps on enabling encryption on your Oracle database server, using Oracle Advanced Security, refer to the Oracle documentation.
Enabling encryption in an Oracle database connection
See the following example procedure for encrypting the connection to your Oracle database.
Example: Steps to encrypt the connection to an Oracle database
- Log on to your Oracle database server.
- Navigate to <ORACLE_HOME>/NETWORK/ADMIN, where <ORACLE_HOME> is the path to the Oracle Home directory.
- Edit the sqlnet.ora file and add or replace values of the parameters given below. Note that you might need to uncomment the lines containing the parameters in the sqlnet.ora file.
SSL_CIPHER_SUITES = <SSL_Cipher_Suite>
SSL_VERSION = 1.2
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER= (AES256)
SQLNET.CRYPTO_SEED = <10-70_Random_Characters>
Modify the SSL_CIPHER_SUITES and SQLNET.CRYPTO_SEED parameters by replacing the variables mentioned in the table below as described in the second column:
Variable: Description
<SSL_Cipher_Suite>: During an SSL handshake, two nodes negotiate to determine which cipher suite will be used to communicate with each other. Use this parameter to specify which SSL cipher suite you want to use.
<10-70_Random_Characters>: A string of 10-70 random alphanumeric characters that is used to seed a random number generator to generate a cryptographic key.
- Save the sqlnet.ora file.
- Restart the TrueSight Server Automation application server.
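A check of the edited sqlnet.ora, as an added example that is not part of the BMC or Oracle documentation: it reads only the active (uncommented) parameters and flags values that leave the connection weaker than the procedure above intends. The sample text, the function names and the pass rules (AES-only encryption types, no anonymous or legacy cipher suites) are assumptions of this example.

```python
import re

# Constructed sample sqlnet.ora: parameter names are the page's; the cipher
# suite is the one in the page's "disable" listing, the seed is left unfilled.
SAMPLE = """\
SSL_CIPHER_SUITES = (SSL_DH_anon_WITH_3DES_EDE_CBC_SHA)
SSL_VERSION = 1.2
# SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER= (AES256, 3DES168)
SQLNET.CRYPTO_SEED = <10-70_Random_Characters>
"""

def parse_sqlnet(text):
    """Return active (uncommented) NAME = value pairs, names upper-cased."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip().upper()] = value.strip()
    return params

def as_list(value):
    """Turn '(A, B)' or 'A' into ['A', 'B'] (upper-cased)."""
    return [v.strip().upper() for v in value.strip("()").split(",") if v.strip()]

def audit(params):
    """Return a list of findings; empty means every check below passes."""
    findings = []
    if params.get("SQLNET.ENCRYPTION_SERVER", "").upper() != "REQUIRED":
        findings.append("SQLNET.ENCRYPTION_SERVER is not REQUIRED")
    types = as_list(params.get("SQLNET.ENCRYPTION_TYPES_SERVER", ""))
    if not types or any(not t.startswith("AES") for t in types):
        findings.append("SQLNET.ENCRYPTION_TYPES_SERVER is unset or allows non-AES")
    for suite in as_list(params.get("SSL_CIPHER_SUITES", "")):
        if "_ANON_" in suite:
            findings.append(suite + ": anonymous key exchange, server not authenticated")
        if re.search(r"3DES|RC4|_DES_|NULL", suite):
            findings.append(suite + ": legacy cipher")
    if not re.fullmatch(r"[A-Za-z0-9]{10,70}", params.get("SQLNET.CRYPTO_SEED", "")):
        findings.append("SQLNET.CRYPTO_SEED is not 10-70 alphanumeric characters")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_sqlnet(SAMPLE)):
        print(finding)
```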
Disabling encryption in an Oracle database connection
See the following example procedure for disabling encryption in the connection to your Oracle database.
Example: Steps to disable encryption in the connection to an Oracle database
- Log on to your Oracle database server.
- Navigate to <ORACLE_HOME>/NETWORK/ADMIN, where <ORACLE_HOME> is the path to the Oracle Home directory.
- Edit the sqlnet.ora file and comment out or remove the lines containing the following parameters in the sqlnet.ora file:
# SSL_CIPHER_SUITES = SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
# SSL_VERSION = 1.2
# SQLNET.ENCRYPTION_SERVER = REQUIRED
# SQLNET.ENCRYPTION_TYPES_SERVER= (AES256)
# SQLNET.CRYPTO_SEED = dfglnkldn12323412
- Save the sqlnet.ora file.
- Restart the TrueSight Server Automation application server.
Related topics
Implementing private certificates in TrueSight Server Automation