Encrypting your database connection


This topic describes the steps for encrypting your database connection to TrueSight Server Automation. 

Enabling or disabling encryption in a SQL Server database connection

TrueSight Server Automation does not support using an encrypted Microsoft SQL Server database connection at the time of installation or upgrade. However, after the product is installed or upgraded successfully, TrueSight Server Automation can use an encrypted connection to communicate with the Microsoft SQL Server database.


Important

You cannot use self-signed certificates to encrypt a connection with an SQL Server database.

Enabling encryption in a SQL Server database connection using third-party CA certificates

Depending on your company policy, you can choose any third-party certificate authority (CA) to issue certificates for Server Authentication.

Step 1: Install the certificate on SQL Server

You must first install the third-party CA certificate on the SQL database server. 

Important

The following steps are provided for your reference. For detailed steps on enabling encrypted connections to the Microsoft SQL Server Database Engine, refer to the Microsoft documentation.

  1. In the Microsoft Management Console (MMC), select the File menu and click Add/Remove Snap-in.
  2. In the Add/Remove Snap-in dialog box, click Add.
  3. In the Available snap-ins box on the left, click Certificates, and then click Add.
  4. Select the Computer account option and click Next. In the Certificates snap-in dialog box, click Computer account, and then click Finish.
  5. Click Close.
  6. In the Add/Remove Snap-in dialog box, click OK.
  7. In the Certificates snap-in, expand Certificates, right-click Personal, point to All Tasks, and then click Import.
  8. Use the Certificate Import Wizard to import the public key certificate.
  9. Complete the Certificate Import Wizard to add the certificate to the computer.
  10. Right-click the imported certificate under Personal, point to All Tasks, and then click Manage Private Keys. In the Security dialog box, add Read permission for the SQL Server service account.

Step 2: Configure the SQL Server to accept encrypted connections

To configure the SQL Server to accept encrypted connections, you must be running SQL Server Configuration Manager with an account that has local administrator privileges.

Important

The following steps are provided for your reference. For detailed steps on enabling encrypted connections to the Microsoft SQL Server Database Engine, refer to the Microsoft documentation.

  1. In SQL Server Configuration Manager, expand SQL Server Network Configuration, right-click Protocols for the server instance you are using, and select Properties.
  2. On the Certificate tab, select the desired certificate from the drop down for the Certificate box.
  3. On the Flags tab, in the ForceEncryption box, select Yes, and then click OK to close the dialog box.
  4. Start the Microsoft Management Console (MMC).
  5. Expand Personal, right-click Certificates, point to All Tasks, and click Manage Private Keys. Click Add, enter the "NT Service\MSSQLSERVER" user account, select the Check option, and then click OK.
  6. Restart the SQL Server service.

Step 3: Configure the TrueSight Server Automation application server

Perform the following steps on all your TrueSight Server Automation application servers:

  1. Obtain the third-party CA certificate of the database server and copy it to a temporary location on the TrueSight Server Automation application server.
  2. From the command prompt, navigate to <BMC_Installation_Path>\NSH\JRE\bin.
  3. Enter the following command to import the public key certificate file:
    keytool -import -v -trustcacerts -alias <dbserver_hostname> -file <path_to_public_key> -keystore <app_server_cacerts>

    Example

    keytool -import -v -trustcacerts -alias tcpstsa -file "C:\SSL\security_certificate.pubkey.cer" -keystore "C:\Program Files\BMC Software\BladeLogic\NSH\jre\lib\security\cacerts"

    Important

    • The path to keytool application is typically: c:\program files\bmc software\bladelogic\NSH\jre\bin\keytool
    • In upgrade scenarios, you might not need to import the certificate again; instead, use the same name that was specified as the alias when the certificate was imported into the cacerts file.
  4. When prompted for a password, enter the password that is set for JRE cacerts keystore in TrueSight Server Automation. The default password set for cacerts is typically changeit.
  5. Connect to the application server and set the url property in the global.properties file as follows:
    url=jdbc\:sqlserver\://;serverName\=<FQDN_db_server>;port\=<port_number>;DatabaseName\=<database_name>;SelectMethod\=cursor;encrypt\=true;trustServerCertificate\=false

    <FQDN_db_server>: Fully qualified domain name of the SQL database server
    <database_name>: Database name

    Example

    url=jdbc\:sqlserver\://;serverName\=bmc-pun-123456.bmc.com;port\=1433;DatabaseName\=db_encrpted;SelectMethod\=cursor;encrypt\=true;trustServerCertificate\=false

  6. Restart the application server.


Step 4: Configure the TrueSight Server Automation PXE server

Perform the following steps on all your TrueSight Server Automation PXE servers:

  1. From the command prompt, navigate to <BMC_Installation_Path>\NSH\JRE\bin and enter the following command to import the public key certificate file into cacerts:
    keytool -import -v -trustcacerts -alias <dbserver_hostname> -file <path_to_public_key> -keystore <pxe_server_cacerts>

    Example

    keytool -import -v -trustcacerts -alias bmc-pun-123456 -file "C:\SSL\security_certificate.pubkey.cer" -keystore "C:\Program Files\BMC Software\BladeLogic\pxe\jre\lib\security\cacerts"
  2. When prompted for a password, enter the password that is set for the JRE cacerts keystore in TrueSight Server Automation. The default password set for cacerts is typically changeit.
  3. Connect to the application server and set the url property in the global.properties file for the PXE server as follows:
    url=jdbc\:sqlserver\://;serverName\=<FQDN_db_server>;port\=<port_number>;DatabaseName\=<database_name>;SelectMethod\=cursor;encrypt\=true;trustServerCertificate\=false

    <FQDN_db_server>: Fully qualified domain name of the SQL database server
    <database_name>: Database name

    Example

    url=jdbc\:sqlserver\://;serverName\=bmc-pun-123456.bmc.com;port\=1433;DatabaseName\=db_encrpted;SelectMethod\=cursor;encrypt\=true;trustServerCertificate\=false

  4. Restart the PXE server.

Disabling encryption in a SQL Server database connection

To disable encryption in your SQL Server database connection, perform the following steps on your SQL Server database:

Important

The following steps are provided for your reference. For detailed steps on disabling encrypted connections to the Microsoft SQL Server Database Engine, refer to the Microsoft documentation.

  1. In SQL Server Configuration Manager, expand SQL Server Network Configuration, right-click Protocols for the server instance you are using, and select Properties.
  2. On the Certificate tab, select the certificate that is currently in use from the drop-down in the Certificate box, and then click Clear.
  3. On the Flags tab, in the ForceEncryption box, select No, and then click OK to close the dialog box.
  4. Restart the SQL Server service.


Enabling TCPS encryption in an Oracle database connection

Step 1: Configure Oracle database to accept encrypted connection

For detailed steps to enable TCPS encryption on your Oracle database server using Oracle Advanced Security, refer to the Oracle documentation.

The following example procedure shows how to encrypt the connection to your Oracle database.

Example: Steps to encrypt the connection to an Oracle database

  1. Log on to your Oracle database server.
  2. Navigate to <ORACLE_HOME>/NETWORK/ADMIN, where <ORACLE_HOME> is the path to the Oracle Home directory. 
  3. Edit the sqlnet.ora file and add or replace values of the parameters given below. Note that you might need to uncomment the lines containing the parameters in the sqlnet.ora file.
    SSL_CIPHER_SUITES = <SSL_Cipher_Suite>
    SSL_VERSION = 1.2
    SQLNET.ENCRYPTION_SERVER = REQUIRED
    SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
    SQLNET.CRYPTO_SEED = <10-70_Random_Characters>

    Replace the variables in the SSL_CIPHER_SUITES and SQLNET.CRYPTO_SEED parameters as follows:

    <SSL_Cipher_Suite>: During an SSL handshake, the two nodes negotiate which cipher suite to use for communicating with each other. Use this parameter to specify the SSL cipher suite you want to use.
    <10-70_Random_Characters>: A string of 10 to 70 random alphanumeric characters that seeds the random number generator used to generate a cryptographic key.

  4. Save the sqlnet.ora file.

Step 2: Configure the TrueSight Server Automation application server

Perform the following steps on all your TrueSight Server Automation application servers so that they can communicate with the TCPS-encrypted database:

  1. Obtain the database server certificate and copy it to a temporary location, such as /tmp, on the TrueSight Server Automation application server.
  2. From the command prompt, navigate to <BMC_Installation_Path>\NSH\br\java\bin and enter the following command to import the public key certificate file:
    keytool -import -v -trustcacerts -alias <alias_name> -file <path_where_oracle_wallet_cert_is_copied> -keystore <app_server_cacerts>

    Example

    keytool -import -v -trustcacerts -alias tcpstsa -file "/tmp/ExportedCertificateFromServer.cer" -keystore "/opt/bmc/bladelogic/NSH/br/java/lib/security/cacerts"

    Important

    In upgrade scenarios, you might not need to import the certificate again; instead, use the same name that was specified as the alias when the certificate was imported into the cacerts file.

  3. When prompted for a password, enter the password that is set for JRE cacerts keystore in TrueSight Server Automation. The default password set for cacerts is typically changeit.
  4. Connect to the application server and set the url property in the global.properties file as follows:
    url=jdbc\:oracle\:thin\:@(DESCRIPTION\=(ADDRESS\=(PROTOCOL\=TCPS)(PORT\=<tcps_port>)(HOST\=<db_server>))(CONNECT_DATA\=(SERVICE_NAME\=<ServiceName>)))

    Example

    url=jdbc\:oracle\:thin\:@(DESCRIPTION\=(ADDRESS\=(PROTOCOL\=TCPS)(PORT\=1522)(HOST\=p0appserver3))(CONNECT_DATA\=(SERVICE_NAME\=ORA19C.bmc.com)))

  5. Restart the application server and PXE server.
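The following is an added example, not part of the product or of this page: a small Python audit of the url line in a global.properties file, covering the SQL Server URL from Steps 3 and 4 above (encrypt must be true and trustServerCertificate must be false; trustServerCertificate=true is the weak setting that skips validation against cacerts) and the Oracle URL from Step 2 (the ADDRESS must use PROTOCOL=TCPS). It undoes the backslash escaping that Java .properties files apply to ':' and '='; the host, database and service names in the sample fragments are constructed.

```python
import re

# Constructed global.properties fragments (not from any product install). Java .properties
# files require the ':' and '=' inside the value to be backslash-escaped, as in the page.
HARDENED_SQLSERVER = (
    "url=jdbc\\:sqlserver\\://;serverName\\=db.example.test;port\\=1433;DatabaseName\\=bladelogic;"
    "SelectMethod\\=cursor;encrypt\\=true;trustServerCertificate\\=false\n"
)
WEAK_SQLSERVER = HARDENED_SQLSERVER.replace("trustServerCertificate\\=false", "trustServerCertificate\\=true")
HARDENED_ORACLE = (
    "url=jdbc\\:oracle\\:thin\\:@(DESCRIPTION\\=(ADDRESS\\=(PROTOCOL\\=TCPS)(PORT\\=1522)"
    "(HOST\\=db.example.test))(CONNECT_DATA\\=(SERVICE_NAME\\=ORA19C.example.test)))\n"
)

def read_url(properties_text):
    """Return the unescaped value of the 'url' key, or None when the file has no such key."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "url":
            # Drop the backslash in front of each escaped character (the '\:' and '\=' escapes).
            return re.sub(r"\\(.)", r"\1", value.strip())
    return None

def audit_url(url):
    """Return the list of weaknesses in a JDBC url; an empty list means encryption is enforced."""
    findings = []
    if url.startswith("jdbc:sqlserver://"):
        # SQL Server driver properties follow '//' as ';'-separated key=value pairs; keys are case-insensitive.
        props = {}
        for part in url[len("jdbc:sqlserver://"):].split(";"):
            key, sep, value = part.partition("=")
            if sep:
                props[key.strip().lower()] = value.strip().lower()
        if props.get("encrypt") != "true":
            findings.append("encrypt is not true: the driver is not forced to encrypt the connection")
        if props.get("trustservercertificate") != "false":
            findings.append("trustServerCertificate is not false: the server certificate is not validated against cacerts")
    elif url.startswith("jdbc:oracle:thin:@"):
        # Oracle thin URLs carry the transport in the ADDRESS descriptor; only TCPS is TLS-protected.
        protocols = re.findall(r"\(PROTOCOL=([A-Za-z]+)\)", url)
        if not protocols or any(p.upper() != "TCPS" for p in protocols):
            findings.append("ADDRESS does not use PROTOCOL=TCPS: the Oracle connection is not TLS-protected")
    else:
        findings.append("unrecognised JDBC url prefix")
    return findings
```

Run `audit_url(read_url(open("global.properties").read()))` against a real file; an empty list means the url matches the settings this topic prescribes.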


Related topics

Implementing-private-certificates-in-TrueSight-Server-Automation
