SSL Errors with Data Stores in MSSQL Server
search cancel

SSL Errors with Data Stores in MSSQL Server

book

Article ID: 4940

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

Either a Policy Store, Key Store, Session Store, Audit Store, or User Store has been configured on a MS SQL Server.  

ODBCAD32.exe:  Error When 'Test Connection' is run: 

[DataDirect][ODBC SQL Server Wite Protocol driver] SSL required, but was not requested. 

 

SMConsole: Error When 'Test Connection' is run: 

Failure. Siteminder can not access the following data sources: <DSN Name> : SM-DBU-00620. Error code -1063 

NOTE: SMConsole error only applies to the Stores defined in the SMCONSOLE (Policy Store, Key Store, Session Store or Audit Store).

 

 

 

Environment

Policy Server: AnyPolicy Server OS: AnyPolicy Store: MSSQL Server

Cause

The MSSQL Server instance is configured with 'Force Encryption' and requires an SSL connection with its clients.  

Resolution

Windows Policy Server

1) Logon to the Policy Server

2) Open ODBCad32.exe 

3) Select the System DSN tab 

4) Select the DSN Name, then select CONFIGURE 

5) Within the DSN Properties, select the Security Tab 

6) Set the Encryption Method to (1-SSL) 

7) (OPTIONAL) Configure the Validate Server Certificate settings (e.g Trust Store) 

NOTE: If 'ValidateServerCertificate' is enabled, then the 'TrustStore', TrustStorePassword', & 'HostNameInCertificate' will also need to be defined and have values populated in the DSN.

7b) If there is no Trust Store, then remove the "Validate Server Certificate Flag" 

 

 

UNIX Policy Server

1) Open the ODBC.ini file  [<siteminder_home>/db/system_odbc.ini]

2) Locate the DSN for the Store 

3) Set the Encryption Method to "SSL"

EncryptionMethod=1

The EncryptionMethod parameter is populated with a bitmap value:

0 = Disabled

1 = SSL

6 = Request SSL

7 = LoginSSL

CryptoProtocolVersion=SSLV2,SSLV3,TLSV1  

The CryptoProtocolVersion is a CSV delimited, multi-valued parameter which allows any combination of the following three values:

SSLV2; SSLV3; TLSV1 

ValidateServerCertificate=1 (Optional)

The ValidateServerCertificate parameter is an Optional parameter.  It has a binary value and is either enabled or disabled

1 = Enabled

0 = Disabled

TrustStore=<TrustStoreName>

TrustStorePassword=<TrustStorePassword>

HostNameInCertificate=<FQDN in Certificate>

NOTE: If 'ValidateServerCertificate' is enabled, then the 'TrustStore', TrustStorePassword', & 'HostNameInCertificate' will also need to be defined and have values populated in the DSN.

4) Save the Changes to the DSN

 

Powered by Wolken Software