Encryption of communications between SDCS:SA Manager and the database server (ForcedEncryption)

Article ID: 164913

Products

Data Center Security Server, Data Center Security Server Advanced

Issue/Introduction

Customer has enabled ForcedEncryption on the SQL Server database, and communication between the Symantec Data Center Security Server manager and the database has stopped.
Environment

Microsoft SQL Server can use Secure Sockets Layer (SSL) to encrypt data transmitted across the network between an instance of SQL Server and a client application.

Information about ForcedEncryption in SQL Server:

https://technet.microsoft.com/en-us/library/ms189067(v=sql.105).aspx

Resolution

When ForcedEncryption is enabled on the database, server.xml on the DCS Management Server must be modified to allow SSL connections. The steps below are required on the DCS Management Server for SSL-encrypted communication with the database.

1. Stop the management server service. It is listed as "Symantec Data Center Management Service" in Services.

2. Navigate to the install directory, normally "C:\Program Files (x86)\Symantec\Data Center Security Server\Server\tomcat\conf".

           a. Create a backup copy of server.xml in the above directory.

3. Open the original server.xml in Notepad to edit the following strings.

4. Find the following strings:

            url="jdbc:jtds:sqlserver://10.167.29.xxx/SCSPDB;instance=scsp;integratedSecurity=false"

            url="jdbc:jtds:sqlserver://10.167.29.xxx/SCSPDB;instance=scsp;integratedSecurity=false"

            url="jdbc:jtds:sqlserver://10.167.29.xxx/dcsc_umc;instance=scsp;integratedSecurity=false"

5. Update the three strings from step 4 to enable SSL as follows:

            url="jdbc:jtds:sqlserver://10.167.29.xxx/SCSPDB;instance=scsp;ssl=require"

            url="jdbc:jtds:sqlserver://10.167.29.xxx/SCSPDB;instance=scsp;ssl=require"

            url="jdbc:jtds:sqlserver://10.167.29.xxx/dcsc_umc;instance=scsp;ssl=require"

6. Save server.xml in the same directory.

7. For 6.5.x and 6.6.x DCS Management Servers, registry keys also need to be updated. The option -Djsse.enableCBCProtection=false disables the JSSE client-side CBC (BEAST) record-splitting mitigation present in Java 7 and later.

     a.  For 6.5.x servers, open Registry Editor and go to the below registry key:
           1. Edit the "JVM Option Count" registry value and set it to 1 higher than its current value (a default installation has it set to 8, so set it to 9).

           2. Add a new registry String Value "JVM Option Number N", where N is 1 less than the updated "JVM Option Count" (a default installation requires "JVM Option Number 8").

           3.  Set the value to: -Djsse.enableCBCProtection=false

     b.  For 6.6.x servers, open Registry Editor and go to the below registry key:

                HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\SISManager\Parameters\Java

             1.  Edit the "Options" registry value.

             2.  Add the below value to the end of the value data:

                   -Djsse.enableCBCProtection=false

8. Start the DCS Management Server service.

9. Test the connection to the database by logging into the Console.
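The server.xml part of this procedure (steps 2 through 6) can be scripted instead of edited by hand. The following is an added example, not code from the article or from the product; it assumes the URL form shown above (host/database followed by ";"-separated key=value properties), and the Resource names and sample XML are constructed for illustration.

```python
"""Switch the jTDS JDBC URLs in a DCS server.xml to ssl=require.

Added example, not part of the original article or the product. It scripts steps
2 through 6 above: back up server.xml, then rewrite each url="jdbc:jtds:..."
attribute. SAMPLE_XML is a constructed stand-in for the real file.
"""
import re
import shutil
from pathlib import Path

# Match only the jTDS url attributes and edit the text in place rather than
# re-serialising the XML, so comments and formatting in server.xml survive.
JTDS_URL = re.compile(r'url="(jdbc:jtds:sqlserver://[^"]*)"')


def require_ssl(url: str) -> str:
    """Return url with ssl=require set; integratedSecurity=false is dropped, as in the article."""
    base, _, props = url.partition(";")
    kept = [p for p in props.split(";")
            if p and not p.lower().startswith(("ssl=", "integratedsecurity="))]
    return ";".join([base, *kept, "ssl=require"])


def rewrite_server_xml(text: str) -> tuple[str, int]:
    """Rewrite every jTDS url attribute in the XML text; return (new_text, count)."""
    count = 0

    def repl(m: re.Match) -> str:
        nonlocal count
        count += 1
        return f'url="{require_ssl(m.group(1))}"'

    return JTDS_URL.sub(repl, text), count


def update_file(path: str) -> int:
    """Back up server.xml next to itself (step 2a), then rewrite it (steps 3 to 6)."""
    p = Path(path)
    shutil.copy2(p, p.with_name(p.name + ".bak"))
    new_text, count = rewrite_server_xml(p.read_text(encoding="utf-8"))
    p.write_text(new_text, encoding="utf-8")
    return count


# Constructed sample carrying the three URLs from the article; not a real server.xml.
SAMPLE_XML = """<GlobalNamingResources>
  <Resource name="jdbc/scsp" url="jdbc:jtds:sqlserver://10.167.29.xxx/SCSPDB;instance=scsp;integratedSecurity=false"/>
  <Resource name="jdbc/scsp2" url="jdbc:jtds:sqlserver://10.167.29.xxx/SCSPDB;instance=scsp;integratedSecurity=false"/>
  <Resource name="jdbc/umc" url="jdbc:jtds:sqlserver://10.167.29.xxx/dcsc_umc;instance=scsp;integratedSecurity=false"/>
</GlobalNamingResources>
"""
```

Run `update_file` against the real server.xml path from step 2 with the service stopped; `require_ssl` is idempotent, so running it twice leaves the URLs unchanged.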