Unable to connect to database during Critical System Protection install or upgrade
search cancel

Unable to connect to database during Critical System Protection install or upgrade

book

Article ID: 233617

calendar_today

Updated On:

Products

Critical System Protection Data Center Security Server Data Center Security Server Advanced

Issue/Introduction

Error while upgrading the DCS or CSP manager "Unable to connect to the Database with the specified username and password. Please verify Database settings"

Environment

Critical System Protection 8.x

Data Center Security 6.x

 

Cause

TLS 1.0 & 1.1 need to be enabled on the CSP manager & database server during the upgrade, or database connection can't be made

Resolution

Enable TLS 1.0 & 1.1 on the manager server & the SQL server:

NOTE: Making changes to the registry can cause unrecoverable system errors, and as such, it is recommended to take a backup of the registry before making any changes

Follow the below steps to enable TLS:

1. Stop the CSP manager services (on primary and tomcat manager)

2. On the CSP manager open the run regedit

3. Navigate to HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

4. Right click and select export to save a copy of the current registry settings

5. Find the below registry keys, and change the value for the "enabled" key to "0x00000000(1)" to enable tls communication for both

HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client

HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client

6. Reboot the DCS manager server to save the settings

7. Follow the step 2-5 on the Database server and restart the database server to save changes

8. Start the CSP manager services up and run the server.exe as administrator to complete the upgrade

TLS 1.0 & 1.1 are not required for use with the CSP agents, and as such, this setting can be changed back to disabled after the CSP manager upgrade is successful

If you wish to keep this setting in place after you have completed the upgrade, you may need to modify the server.xml to add the default TLS settings back for agent communication as noted below: 

To modify the server.xml and add TLS 1.0 & TLS 1.1 back: 

1. Stop the CSP manager service

2. On the CSP manager, navigate to "CSPInstallDirectory" \Symantec\Critical System Protection\server\tomcat\conf

3. Copy the server.xml and save it to a location outside of the server's install directory 

4. Open the server.xml with a plain text editor and review the settings for TLS: 

Default settings in the server.xml show as the below, if you have removed the Tlsv1 or TLS v1.1 setting from the server.xml, add them back for all of your DCS managers. Examples of All versions, and TLS 1.2 only below

All
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

Only TLS 1.2
sslEnabledProtocols="TLSv1.2" 

5. Save the server.xml after making changes

6. Start the DCS manager services