Enabling Forced Encryption on SQL Server instances used with the Delphix Engine (KBA7852)
KBA# 7852
Overview
Some SQL Server instances may be configured to require all database connections to be encrypted (SSL / TLS), using the instructions provided in the Microsoft document Enable Encrypted Connections to the Database Engine.
This article describes how this configuration option can affect Virtualization Engine and Masking Engine database connections initiated by the Delphix Engine.
Applicable Delphix Versions
Major Release: All Sub Releases
- 6.0: 6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0, 6.0.2.1, 6.0.3.0, 6.0.3.1, 6.0.4.0, 6.0.4.1, 6.0.4.2, 6.0.5.0, 6.0.6.0, 6.0.6.1, 6.0.7.0, 6.0.8.0, 6.0.8.1
- 5.3: 5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0, 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0
- 5.2: 5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1
- 5.1: 5.1.0.0, 5.1.1.0, 5.1.2.0, 5.1.3.0, 5.1.4.0, 5.1.5.0, 5.1.5.1, 5.1.6.0, 5.1.7.0, 5.1.8.0, 5.1.8.1, 5.1.9.0, 5.1.10.0
- 5.0: 5.0.1.0, 5.0.1.1, 5.0.2.0, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.3.0, 5.0.3.1, 5.0.4.0, 5.0.4.1, 5.0.5.0, 5.0.5.1, 5.0.5.2, 5.0.5.3, 5.0.5.4
Forced Encryption and the Virtualization Engine
The Delphix Engine initiates the following SQL Server connections during discovery, monitoring and container operations:
- JDBC connections to the SQL Server Instance hosting the Source database, to monitor for new backups
- ODBC connections to SQL Server Source, Staging and Target instances, using Microsoft's sqlcmd utility
These connections are expected to succeed regardless of whether the Force Encryption option is set on the SQL Server instance.
The Delphix Engine does not enforce encryption from the client side, or validate the certificate provided by the SQL Server instance. It should successfully connect even if the SQL Server instance is using a self-signed certificate.
Forced Encryption and the Masking Engine
The Masking Engine initiates the following SQL Server connections during connection management and masking jobs:
- JDBC connections to the SQL Server instance hosting the masked database
In Masking Engine 6.0.3.0 and later, these connections are expected to succeed regardless of whether the Force Encryption option is set on the SQL Server instance.
The Masking Engine does not enforce encryption from the client side, or validate the certificate provided by the SQL Server instance. This configuration may be adjusted by manually specifying the appropriate JDBC connection attributes if required. For more detail, see the Masking Engine document Managing Connectors.
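As an added example (not Delphix or Microsoft code), the following check reads a SQL Server JDBC URL and reports whether its attributes ask the client to encrypt and to validate the server certificate. It assumes the attributes are written in the Microsoft JDBC driver's `name=value;` form using that driver's `encrypt` and `trustServerCertificate` properties; the host and database names are constructed.

```python
import re

# name=value properties after the server part; a value may be brace-escaped.
PROP = re.compile(r";\s*([^=;{}]+?)\s*=\s*(\{[^}]*\}|[^;]*)")

def parse_props(url):
    """Return the properties of a jdbc:sqlserver:// URL, names lower-cased
    (the Microsoft driver treats property names case-insensitively)."""
    if not url.lower().startswith("jdbc:sqlserver://"):
        raise ValueError("not a jdbc:sqlserver:// URL")
    return {name.lower(): value.strip().strip("{}")
            for name, value in PROP.findall(url)}

def audit(url):
    """Return (verdict, findings) for the client-side TLS settings requested."""
    props = parse_props(url)
    encrypt = props.get("encrypt", "").lower()
    trust = props.get("trustservercertificate", "").lower()
    findings = []
    if not encrypt:
        findings.append("encrypt not set: driver default applies, "
                        "which differs between driver versions")
    elif encrypt == "false":
        findings.append("encrypt=false: client does not request encryption")
    elif encrypt not in ("true", "strict"):
        findings.append("encrypt=%s: value not recognised by this check" % encrypt)
    if trust == "true":
        findings.append("trustServerCertificate=true: client asks the driver "
                        "to skip certificate validation")
    return ("client-enforced" if not findings else "review", findings)

# Constructed sample URLs (hypothetical host and database names).
SAMPLES = [
    "jdbc:sqlserver://sqlhost.example.com:1433;databaseName=masked_db",
    "jdbc:sqlserver://sqlhost.example.com:1433;databaseName=masked_db;"
    "Encrypt=TRUE;TrustServerCertificate=true",
    "jdbc:sqlserver://sqlhost.example.com:1433;databaseName=masked_db;"
    "encrypt=true;trustServerCertificate=false",
]

if __name__ == "__main__":
    for url in SAMPLES:
        verdict, findings = audit(url)
        print(verdict, url)
        for finding in findings:
            print("   -", finding)
```

A "review" verdict means the connection relies on the server's Force Encryption setting alone, or accepts any certificate the server presents, including a self-signed one.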
SSL Connection failures in Masking Engine 6.0.2.0 and earlier
The SQL Server JDBC driver used in Masking Engine 6.0.2.0 and earlier is unable to connect to SQL Server instances that use the Force Encryption option.
Attempts to connect using affected Masking Engine versions will result in a connection failure, and the following error will appear in the SQL Server ERRORLOG:
Logon Encryption is required to connect to this server but the client library does not support encryption; the connection has been closed. Please upgrade your client library.
To resolve this issue, upgrade the Masking Engine to version 6.0.3.0 or later.
Related Articles
The following articles may provide more information related to this article:
- Enable Encrypted Connections to the Database Engine in Microsoft SQL Server documentation
- Managing Connectors in Delphix Masking Engine documentation