Page History
...
- If encryption is not enforced then users can fallback to use unencrypted connections. This comes at the price of using unsecure connections.
- This is available from the following query parameter in the JDBC URL:
encrypt=false
- See the previous chapter for locations how to apply this query parameter.
- This is available from the following query parameter in the JDBC URL:
- If encryption is enforced then users have to deploy the respective Root CA certificate and optionally Intermediate CA certificate(s) to a Java truststore.
- Keep in mind that deploying the certificates to the Windows certificate store will not resolve the problem as this certificate store is not used by Java.
- Users can add the certificate(s) to the JOC Cockpit's truststore, see JS7 - JOC Cockpit HTTPS Connections.
- Users can add the certificate(s) to the global Java
cacerts
truststore.- The
cacerts
truststore is located in the Java installation directory. The precise location depends on use of a JRE/JDK and on the Java version in use. Frequently thelib/security
sub-directory of the Java JRE/JDK holds thecacerts
truststore file. - Import of certificate(s) can be performed with the Java
keytool
command that is available with the JRE/JDK:Example how to import certificates to the Java truststore:
Code Block keytool -import -trustcacerts -alias <sql-server-alias> -file <certificate.cer> -keystore <cacerts> -storepass "<password>"
Explanation:
<sql-server-alias>
specifies the certificate's alias name, frequently the fully qualified domain name (FQDN) of the SQL Server host or database name is used.<certificate.cer>
specifies the path to the certificate file. If a certificate chain is used, for example consisting of a Root CA certificate and Intermediate CA certificate, then thekeytool
command can be executed individually for each certificate.<cacerts>
specifies the location of thecacerts
Java truststore file.<password>
specifies the password required when writing to thecacerts
truststore. The default password frequently ischangeit
.- Argument values can be quoted.
- The
- Consider that for successful SSL handshake the hostname specified with the certificate - available from the common name (CN) in the certificate's subject property - and the SQL Server's hostname have to match. This suggests to use a fully qualified domain name (FQDN).
- Users have the option not to verify the hostname specified with the certificate. This undermines security, however, it might be applicably applicable when testing connections. The following query parameter can be used in the JDBC URL to suppress verification:
trustServerCertificate=true
. - See the previous chapter for locations how to apply this query parameter.
- Users have the option not to verify the hostname specified with the certificate. This undermines security, however, it might be applicably applicable when testing connections. The following query parameter can be used in the JDBC URL to suppress verification:
...
Overview
Content Tools