
Enabling Forced Encryption on SQL Server instances used with the Delphix Engine (KBA7852)

 

 

KBA# 7852

 

Overview

Some SQL Server instances may be configured to require all database connections to be encrypted (SSL / TLS), using the instructions provided in the Microsoft document Enable Encrypted Connections to the Database Engine.

This article describes how this configuration option can affect Virtualization Engine and Masking Engine database connections initiated by the Delphix Engine.

 

Note:

The SQL Server Forced Encryption setting relates to network transport encryption between database clients and the SQL Server instance. It does not relate to "at rest" encryption mechanisms such as Transparent Data Encryption or Always Encrypted.

Applicable Delphix Versions

Major Release | All Sub Releases
6.0 | 6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0, 6.0.2.1, 6.0.3.0, 6.0.3.1, 6.0.4.0, 6.0.4.1, 6.0.4.2, 6.0.5.0, 6.0.6.0, 6.0.6.1, 6.0.7.0, 6.0.8.0, 6.0.8.1
5.3 | 5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0, 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0
5.2 | 5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1
5.1 | 5.1.0.0, 5.1.1.0, 5.1.2.0, 5.1.3.0, 5.1.4.0, 5.1.5.0, 5.1.5.1, 5.1.6.0, 5.1.7.0, 5.1.8.0, 5.1.8.1, 5.1.9.0, 5.1.10.0
5.0 | 5.0.1.0, 5.0.1.1, 5.0.2.0, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.3.0, 5.0.3.1, 5.0.4.0, 5.0.4.1, 5.0.5.0, 5.0.5.1, 5.0.5.2, 5.0.5.3, 5.0.5.4

Forced Encryption and the Virtualization Engine

The Delphix Engine initiates the following SQL Server connections during discovery, monitoring and container operations:

  • JDBC connections to the SQL Server Instance hosting the Source database, to monitor for new backups
  • ODBC connections to SQL Server Source, Staging and Target instances, using Microsoft's sqlcmd utility

These connections are expected to succeed regardless of whether the Force Encryption option is set on the SQL Server instance.

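The Delphix Engine neither enforces encryption from the client side nor validates the certificate provided by the SQL Server instance. It should connect successfully even if the SQL Server instance is using a self-signed certificate. With Force Encryption set, the connection is therefore encrypted in transit, but the identity of the server is not verified by the client.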

Forced Encryption and the Masking Engine

The Masking Engine initiates the following SQL Server connections during connection management and masking jobs:

  • JDBC connections to the SQL Server instance hosting the masked database

In Masking Engine 6.0.3.0 and later, these connections are expected to succeed regardless of whether the Force Encryption option is set on the SQL Server instance.

The Masking Engine neither enforces encryption from the client side nor validates the certificate provided by the SQL Server instance. If required, this behavior can be changed by manually specifying the appropriate JDBC connection attributes. For more detail, see the Masking Engine document Managing Connectors.
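
The following added example, which is not Delphix or Microsoft code, classifies what a SQL Server JDBC URL guarantees from the client side, based on the Microsoft JDBC driver connection properties encrypt and trustServerCertificate. The host names and URLs are constructed, and the value the driver uses when encrypt is omitted is an assumption passed in as a parameter.

```python
# Added example: classify the client-side TLS posture of SQL Server JDBC URLs.
# encrypt, trustServerCertificate and hostNameInCertificate are Microsoft JDBC
# driver connection properties; the hosts and URLs below are constructed.

def parse_properties(url):
    """Return (server, {lowercased property: value}) for a jdbc:sqlserver URL."""
    prefix = "jdbc:sqlserver://"
    if not url.lower().startswith(prefix):
        raise ValueError("not a SQL Server JDBC URL")
    server, _, rest = url[len(prefix):].partition(";")
    props = {}
    for item in rest.split(";"):
        key, sep, value = item.partition("=")
        if sep:  # skip empty or malformed segments
            props[key.strip().lower()] = value.strip().strip("{}")
    return server, props

def tls_posture(url, default_encrypt="false"):
    """Classify what the client itself requires, independent of server settings.

    default_encrypt is an assumption: the value applied when the URL omits
    encrypt. "false" matches the behaviour the article describes.
    """
    _, props = parse_properties(url)
    encrypt = props.get("encrypt", default_encrypt).lower()
    trust = props.get("trustservercertificate", "false").lower()
    if encrypt != "true":
        return "server-dependent"           # encrypted only if Force Encryption is set
    if trust == "true":
        return "encrypted-unauthenticated"  # TLS required, certificate not checked
    return "encrypted-validated"            # TLS required, certificate validated

SAMPLE_URLS = {  # constructed connector URLs
    "default": "jdbc:sqlserver://sql01.example.com:1433;databaseName=masked",
    "trust-all": "jdbc:sqlserver://sql01.example.com:1433;encrypt=true;"
                 "trustServerCertificate=true",
    "validated": "jdbc:sqlserver://sql01.example.com:1433;encrypt=true;"
                 "trustServerCertificate=false;hostNameInCertificate=sql01.example.com",
}

def audit(urls):
    """Map each connector name to its client-side TLS posture."""
    return {name: tls_posture(url) for name, url in urls.items()}

if __name__ == "__main__":
    for name, posture in audit(SAMPLE_URLS).items():
        print(f"{name:10} {posture}")
```

Only the "encrypted-validated" posture requires the SQL Server certificate to chain to a CA in the client's trust store, so a self-signed server certificate will cause those connections to fail until it is trusted or replaced.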

SSL Connection failures in Masking Engine 6.0.2.0 and earlier

The SQL Server JDBC driver used in Masking Engine 6.0.2.0 and earlier is unable to connect to SQL Server instances that use the Force Encryption option.

Attempts to connect using affected Masking Engine versions will result in a connection failure, and the following error will appear in the SQL Server ERRORLOG:

Logon Encryption is required to connect to this server but the client library does not support encryption; the connection has been closed. Please upgrade your client library.

To resolve this issue, upgrade the Masking Engine to version 6.0.3.0 or later.

 

 

