Encryption of communications between Manager and the database server (ForcedEncryption)

Article ID: 164913

Products

Data Center Security Server, Data Center Security Server Advanced

Issue/Introduction

You would like more details on setting up communication over SSL between the Symantec Data Center Server manager (SDCSS) and the SQL database.

Environment

Microsoft SQL Server can use Secure Sockets Layer (SSL) to encrypt data that is transmitted across a network between an instance of SQL Server and a client application.

Info about ForcedEncryption in SQL: 

https://technet.microsoft.com/en-us/library/ms189067(v=sql.105).aspx

 

Resolution

When you enable ForcedEncryption in the database, you must modify server.xml to allow the SSL connection. The steps below are required on the DCS Management server for SSL-encrypted communication:

1. Stop the management server service. It should be listed as Symantec Data Center Management Service in services.

2. Navigate to the install directory which is normally located in "C:\Program Files (x86)\Symantec\Data Center Security Server\Server\tomcat\conf"  

           a. Create a backup copy of the server.xml in the above directory

3. Open the original server.xml with Notepad to edit the following strings.

4. Find the following strings (Note: Older DCS versions will only have 2 or 3):

     url="jdbc:jtds:sqlserver://192.0.2.xxx/SCSPDB;instance=scsp;integratedSecurity=false"

     url="jdbc:jtds:sqlserver://192.0.2.xxx/SCSPDB;instance=scsp;integratedSecurity=false"

     url="jdbc:jtds:sqlserver://192.0.2.xxx/dcsc_umc;instance=scsp;integratedSecurity=false"

     url="jdbc:jtds:sqlserver://192.0.2.xxx/SCSPDB;instance=scsp;integratedSecurity=false"


5. Update all of the strings from step 4 to enable SSL as follows (Note: Older DCS versions will only have 2 or 3):

     url="jdbc:jtds:sqlserver://192.0.2.xxx/SCSPDB;instance=scsp;ssl=required"

     url="jdbc:jtds:sqlserver://192.0.2.xxx/SCSPDB;instance=scsp;ssl=required"

     url="jdbc:jtds:sqlserver://192.0.2.xxx/dcsc_umc;instance=scsp;ssl=required"

     url="jdbc:jtds:sqlserver://192.0.2.xxx/SCSPDB;instance=scsp;ssl=required"

6. Save the server.xml in the same directory

7. For DCS 6.5.x and 6.6.x DCS Management servers, registry keys also need to be updated. This is not required for newer DCS versions.

     a. For 6.5.x servers, open registry editor and go to below registry key:

           1. Edit the "JVM Option Count" registry value and set it to 1 higher than its current value (in a default installation it is set to 8, so set it to 9)

           2. Add a new Registry String Value "JVM Option Number N" where N is equal to 1 less than the "JVM Option Count" that was updated in step 1 (a default installation requires: "JVM Option Number 8")

           3. Set the value to: -Djsse.enableCBCProtection=false

     b. For 6.6.x server and newer, open registry editor and go to the registry key below:

           HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\SISManager\Parameters\Java

           1. Edit the “Options” registry value

           2. Add the value below to the end of the value data:

                 -Djsse.enableCBCProtection=false

8. Start the DCS management server service.

9. Test the connection to the database by logging in to the Console.
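
The server.xml edit in steps 2a to 6 can also be scripted and checked afterwards. The PowerShell below is an added example, not code from the article or the vendor; the function name Set-JtdsSslRequired and the sample file are hypothetical, and it assumes the management service is already stopped (step 1).

```powershell
# Added example (not vendor code): scripts steps 2a-6 and reports the result.
# Set-JtdsSslRequired and the sample file name are hypothetical.
function Set-JtdsSslRequired {
    param([Parameter(Mandatory)][string]$Path)

    # .NET file APIs need a full path, so resolve it first.
    $Path = (Resolve-Path -LiteralPath $Path).ProviderPath
    $text = [System.IO.File]::ReadAllText($Path)

    # Step 2a: keep a timestamped backup next to the original.
    Copy-Item -LiteralPath $Path -Destination "$Path.$(Get-Date -Format yyyyMMddHHmmss).bak"

    # Steps 4-5: in every jTDS URL, drop integratedSecurity=false and add ssl=required.
    $urlPattern = 'url="(jdbc:jtds:sqlserver://[^"]*)"'
    $rewrite = [System.Text.RegularExpressions.MatchEvaluator]{
        param($match)
        $url = ($match.Groups[1].Value -replace ';integratedSecurity=false', '').TrimEnd(';')
        if ($url -notmatch ';ssl=required(;|$)') { $url += ';ssl=required' }
        'url="' + $url + '"'
    }
    $updated = [regex]::Replace($text, $urlPattern, $rewrite)

    # Step 6: save in place as UTF-8 without a BOM; text outside the URLs is untouched.
    $utf8NoBom = New-Object System.Text.UTF8Encoding($false)
    [System.IO.File]::WriteAllText($Path, $updated, $utf8NoBom)

    # Check: one row per jTDS URL, with Ssl = $true when ssl=required is present.
    foreach ($m in [regex]::Matches($updated, $urlPattern)) {
        $u = $m.Groups[1].Value
        [pscustomobject]@{ Url = $u; Ssl = [bool]($u -match ';ssl=required(;|$)') }
    }
}

# Constructed sample input (not a real DCS server.xml); on a server, pass the
# path to server.xml from step 2 instead.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'server-sample.xml'
@'
<Server>
  <Resource name="a" url="jdbc:jtds:sqlserver://192.0.2.10/SCSPDB;instance=scsp;integratedSecurity=false"/>
  <Resource name="b" url="jdbc:jtds:sqlserver://192.0.2.10/dcsc_umc;instance=scsp;integratedSecurity=false"/>
  <Resource name="c" url="jdbc:jtds:sqlserver://192.0.2.10/SCSPDB;instance=scsp;ssl=required"/>
</Server>
'@ | Set-Content -LiteralPath $sample -Encoding ASCII

$result = Set-JtdsSslRequired -Path $sample
$result | Format-Table -AutoSize
if ($result.Ssl -contains $false) { throw 'A jTDS URL is still missing ssl=required' }
```

Running it a second time leaves the URLs unchanged, because a URL that already ends in ssl=required is not modified again.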

Additional Information

ForcedEncryption is enabled on SQL database.