SSL Errors with Data Stores in MSSQL Server

Document ID : KB000004940
Last Modified Date : 14/02/2018
Issue:

Either a Policy Store, Key Store, Session Store, Audit Store, or User Store has been configured on a MS SQL Server.  

ODBCAD32.exe: Error when 'Test Connection' is run:

[DataDirect][ODBC SQL Server Wire Protocol driver] SSL required, but was not requested.

 

SMConsole: Error when 'Test Connection' is run:

Failure. Siteminder can not access the following data sources: <DSN Name> : SM-DBU-00620. Error code -1063 

NOTE: SMConsole error only applies to the Stores defined in the SMCONSOLE (Policy Store, Key Store, Session Store or Audit Store).

 

 

 

Environment:
Policy Server: Any
Policy Server OS: Any
Policy Store: MSSQL Server
Cause:

The MSSQL Server instance is configured with 'Force Encryption' and requires an SSL connection with its clients.  

Resolution:

Windows Policy Server

1) Log on to the Policy Server

2) Open ODBCad32.exe 

3) Select the System DSN tab 

4) Select the DSN Name, then select CONFIGURE 

5) Within the DSN Properties, select the Security Tab 

6) Set the Encryption Method to (1-SSL) 

7) (OPTIONAL) Configure the Validate Server Certificate settings (e.g. Trust Store)

NOTE: If 'ValidateServerCertificate' is enabled, then 'TrustStore', 'TrustStorePassword', and 'HostNameInCertificate' must also be defined and have values populated in the DSN.

7b) If there is no Trust Store, then remove the "Validate Server Certificate Flag" 

 

 

UNIX Policy Server

1) Open the ODBC.ini file  [<siteminder_home>/db/system_odbc.ini]

2) Locate the DSN for the Store 

3) Set the Encryption Method to "SSL"

EncryptionMethod=1

The EncryptionMethod parameter is populated with a bitmap value:

0 = Disabled

1 = SSL

6 = Request SSL

7 = LoginSSL

CryptoProtocolVersion=SSLV2,SSLV3,TLSV1  

The CryptoProtocolVersion parameter is a comma-separated, multi-valued parameter that allows any combination of the following three values:

SSLV2; SSLV3; TLSV1 

ValidateServerCertificate=1 (Optional)

The ValidateServerCertificate parameter is optional. It takes a binary value, either enabled or disabled:

1 = Enabled

0 = Disabled

TrustStore=<TrustStoreName>

TrustStorePassword=<TrustStorePassword>

HostNameInCertificate=<FQDN in Certificate>

NOTE: If 'ValidateServerCertificate' is enabled, then 'TrustStore', 'TrustStorePassword', and 'HostNameInCertificate' must also be defined and have values populated in the DSN.

4) Save the Changes to the DSN
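
An added example, not part of the original article or of the product's tooling: a Python check that reads a system_odbc.ini-style file and reports, per DSN, where the settings above are incomplete (EncryptionMethod not 1, validation enabled without its three companion parameters, validation switched off) and where CryptoProtocolVersion still lists SSLV2 or SSLV3. The DSN names, host name and paths in the sample are constructed, and skipping the [ODBC Data Sources] and [ODBC] sections assumes the usual odbc.ini layout.

```python
import configparser
# Constructed sample in the system_odbc.ini layout; DSN names, host and paths are invented.
SAMPLE_INI = """\
[ODBC Data Sources]
SM_PolicyStore=DataDirect SQL Server Wire Protocol
[SM_PolicyStore]
EncryptionMethod=1
CryptoProtocolVersion=TLSV1
ValidateServerCertificate=1
TrustStore=/opt/certs/truststore.pem
TrustStorePassword=example-only
HostNameInCertificate=sql01.example.com
[SM_AuditStore]
EncryptionMethod=0
[SM_SessionStore]
EncryptionMethod=1
CryptoProtocolVersion=SSLV2,SSLV3,TLSV1
ValidateServerCertificate=1
TrustStore=/opt/certs/truststore.pem
[SM_KeyStore]
EncryptionMethod=1
ValidateServerCertificate=0
"""
NON_DSN_SECTIONS = {"ODBC Data Sources", "ODBC"}  # assumed standard odbc.ini sections
NEEDED_WITH_VALIDATION = ("TrustStore", "TrustStorePassword", "HostNameInCertificate")
DEPRECATED = {"SSLV2", "SSLV3"}  # prohibited by RFC 6176 and RFC 7568

def audit_odbc_ini(text):
    """Return {dsn_name: [findings]}; an empty list means nothing was flagged."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key names case-sensitive, as written
    cp.read_string(text)
    report = {}
    for dsn in (s for s in cp.sections() if s not in NON_DSN_SECTIONS):
        sec, findings = cp[dsn], report.setdefault(dsn, [])
        method = sec.get("EncryptionMethod", "").strip()
        if method != "1":
            findings.append(f"EncryptionMethod is {method or 'unset'}, not 1 (SSL)")
            continue  # the remaining SSL settings are moot for this DSN
        protos = {p.strip().upper() for p in sec.get("CryptoProtocolVersion", "").split(",")}
        findings += [f"deprecated protocol enabled: {p}" for p in sorted(protos & DEPRECATED)]
        validate = sec.get("ValidateServerCertificate", "").strip()
        if validate == "1":
            findings += [f"{k} missing" for k in NEEDED_WITH_VALIDATION if not sec.get(k, "").strip()]
        elif validate == "0":
            findings.append("server certificate not validated (encrypted but unauthenticated)")
    return report

if __name__ == "__main__":
    for name, items in audit_odbc_ini(SAMPLE_INI).items():
        print(name, "->", items or "OK")
```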