search cancel

SSL Errors with Data Stores in MSSQL Server


Article ID: 4940


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On


Either a Policy Store, Key Store, Session Store, Audit Store, or User Store has been configured on a MS SQL Server.  

ODBCAD32.exe:  Error When 'Test Connection' is run: 

[DataDirect][ODBC SQL Server Wite Protocol driver] SSL required, but was not requested. 


SMConsole: Error When 'Test Connection' is run: 

Failure. Siteminder can not access the following data sources: <DSN Name> : SM-DBU-00620. Error code -1063 

NOTE: SMConsole error only applies to the Stores defined in the SMCONSOLE (Policy Store, Key Store, Session Store or Audit Store).





Policy Server: AnyPolicy Server OS: AnyPolicy Store: MSSQL Server


The MSSQL Server instance is configured with 'Force Encryption' and requires an SSL connection with its clients.  


Windows Policy Server

1) Logon to the Policy Server

2) Open ODBCad32.exe 

3) Select the System DSN tab 

4) Select the DSN Name, then select CONFIGURE 

5) Within the DSN Properties, select the Security Tab 

6) Set the Encryption Method to (1-SSL) 

7) (OPTIONAL) Configure the Validate Server Certificate settings (e.g Trust Store) 

NOTE: If 'ValidateServerCertificate' is enabled, then the 'TrustStore', TrustStorePassword', & 'HostNameInCertificate' will also need to be defined and have values populated in the DSN.

7b) If there is no Trust Store, then remove the "Validate Server Certificate Flag" 



UNIX Policy Server

1) Open the ODBC.ini file  [<siteminder_home>/db/system_odbc.ini]

2) Locate the DSN for the Store 

3) Set the Encryption Method to "SSL"


The EncryptionMethod parameter is populated with a bitmap value:

0 = Disabled

1 = SSL

6 = Request SSL

7 = LoginSSL


The CryptoProtocolVersion is a CSV delimited, multi-valued parameter which allows any combination of the following three values:


ValidateServerCertificate=1 (Optional)

The ValidateServerCertificate parameter is an Optional parameter.  It has a binary value and is either enabled or disabled

1 = Enabled

0 = Disabled



HostNameInCertificate=<FQDN in Certificate>

NOTE: If 'ValidateServerCertificate' is enabled, then the 'TrustStore', TrustStorePassword', & 'HostNameInCertificate' will also need to be defined and have values populated in the DSN.

4) Save the Changes to the DSN