How do we enable TLS 1.2 encryption in Risk Auth components and Database communication without configuring any certificates?

Article ID: 277968


Products

CA Risk Authentication
CA Advanced Authentication
CA Advanced Authentication - Strong Authentication (AuthMinder / WebFort)
CA Advanced Authentication - Risk Authentication (RiskMinder / RiskFort)

Issue/Introduction

The Microsoft SQL Server version used in the Risk Authentication environment has been upgraded to 2019 and TLS versions 1.0/1.1 have been disabled on the DB server side. When the setting is enabled to allow only TLS 1.2 traffic, Admin/UDS and Risk Auth server instances cannot connect to the database.

How do we enable TLS 1.2 encryption in Risk Auth components and Database communication without configuring any certificates?

Environment

Symantec Risk Authentication 9.1 SP1

Microsoft SQL Server 2019

JDK 1.8

Resolution

To achieve TLS 1.2 encrypted communication with the database without configuring any certificates on the Risk Auth components, the following changes are recommended in the Risk Authentication (RA) environment:

1. JDBC Driver Upgrade

Download and use the latest Microsoft JDBC Driver for SQL Server 2019 according to the SQL Server version compatibility matrix. In this scenario, JDBC driver 12.4 (mssql-jdbc-12.4.2.jre8.jar, the build for JDK 1.8) was downloaded and placed in the Tomcat lib folder.

2. ODBC Driver configuration

[<ARCOT_HOME>/odbc64/odbc.ini]

Earlier:
[SQL Server Wire Protocol]
CryptoProtocolVersion=TLSV1,TLSV1.1,TLSV1.2
EncryptionMethod=1
ValidateServerCertificate=1

Changes to:
[SQL Server Wire Protocol]
CryptoProtocolVersion=TLSV1.2
EncryptionMethod=1
ValidateServerCertificate=0

Note:
EncryptionMethod specifies how the driver encrypts data sent between the driver and the database server.
ValidateServerCertificate determines whether the driver validates the certificate sent by the database server when SSL encryption is enabled (EncryptionMethod=1|6|7). If set to 0 (Disabled), the driver does not validate the certificate sent by the database server, so the connection is encrypted but the server's identity is not verified.

For more information, refer to the 'Validate Server Certificate' section in the Progress DataDirect for ODBC for Microsoft SQL Server Wire Protocol Driver User's Guide.

3. JDBC Driver configuration

[<ARCOT_HOME>/conf/arcotcommon.ini]

Earlier:
[arcot/db/primarydb]
URL.1=jdbc:sqlserver://<db_host>:<db_port>;database=<db_name>;selectMethod=cursor

[ssl/config]
sslContextAlgorithm=TLS

Changes to:
[arcot/db/primarydb]
URL.1=jdbc:sqlserver://<db_host>:<db_port>;database=<db_name>;selectMethod=cursor;EncryptionMethod=SSL;trustServerCertificate=true;CryptoProtocolVersion=TLSv1.2

[ssl/config]
sslContextAlgorithm=TLS
RiskAuthSupportedProtocols=tlsv1.2
RiskAuthCipherSuites=ECDHE-ECDSA-AES256-SHA384

Note:
EncryptionMethod=SSL indicates whether data is encrypted when transmitted over the network. This parameter must be set to SSL.
trustServerCertificate=true: if the server requires the client to support TLS encryption, or if the server supports encryption, the driver initiates the TLS certificate exchange. If the trustServerCertificate property is set to "true", the driver does not validate the TLS certificate, so the traffic is encrypted but the server's identity is not verified.

For more information, refer to the section 'Understanding encryption support' in the SQL Server documentation.
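As an added example (not part of this article or of the Risk Authentication product), the following Python script parses the two files edited in steps 2 and 3 and reports, for each driver, whether it is pinned to TLS 1.2, whether encryption is on, and whether the server certificate is validated. The embedded file contents are constructed samples of the "Changes to" settings; the host, port and database name are placeholders.

```python
import configparser
# Constructed samples of the step 2/3 "Changes to" files; host, port and db name are placeholders.
ODBC_INI = """\
[SQL Server Wire Protocol]
CryptoProtocolVersion=TLSV1.2
EncryptionMethod=1
ValidateServerCertificate=0
"""
ARCOTCOMMON_INI = """\
[arcot/db/primarydb]
URL.1=jdbc:sqlserver://db.example.test:1433;database=arcotdb;selectMethod=cursor;EncryptionMethod=SSL;trustServerCertificate=true;CryptoProtocolVersion=TLSv1.2
[ssl/config]
sslContextAlgorithm=TLS
RiskAuthSupportedProtocols=tlsv1.2
RiskAuthCipherSuites=ECDHE-ECDSA-AES256-SHA384
"""

def parse_ini(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    return cp

def jdbc_props(url):
    """Split the ';key=value' properties off a jdbc:sqlserver:// URL."""
    return dict(p.split("=", 1) for p in url.split(";")[1:] if "=" in p)

def audit_odbc(cp):
    """TLS posture of the DataDirect ODBC [SQL Server Wire Protocol] section."""
    s = cp["SQL Server Wire Protocol"]
    protos = {p.strip().upper() for p in s.get("CryptoProtocolVersion", "").split(",")}
    return {
        "tls12_only": protos == {"TLSV1.2"},
        "encrypted": s.get("EncryptionMethod") in ("1", "6", "7"),
        # ValidateServerCertificate=0: traffic is encrypted but the server is not authenticated
        "server_cert_validated": s.get("ValidateServerCertificate") == "1",
    }

def audit_jdbc(cp):
    """TLS posture of the arcotcommon.ini JDBC URL plus the [ssl/config] section."""
    props = jdbc_props(cp["arcot/db/primarydb"]["URL.1"])
    ssl = cp["ssl/config"]
    return {
        "tls12_only": props.get("CryptoProtocolVersion", "").upper() == "TLSV1.2"
        and ssl.get("RiskAuthSupportedProtocols", "").lower() == "tlsv1.2",
        "encrypted": props.get("EncryptionMethod", "").upper() == "SSL",
        # trustServerCertificate=true: certificate validation is skipped entirely
        "server_cert_validated": props.get("trustServerCertificate", "false").lower() != "true",
    }
```

Both samples report server_cert_validated as False, which is the trade-off this procedure makes: the link is encrypted but the client never checks the SQL Server's identity.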