Security 1: Configure SSL connections between SQL server and client

Source: Internet
Author: User
Tags ssl connection fully qualified domain name
Http://www.edong.org/main/content/view/259/42/

Written by: Administrator

2004-05-18
Ms SQL server password plaintext transmission is a security defect. I will not describe the specifics. If you are interested, please refer to this article: in-depth exploration of SQL2000 network connection security issues
So I can only talk about how I implement SQL Server 2000 SSL. Because there are a lot of materials, I only need to take one rough step. In addition, I listed all the materials I used and the problems I encountered. For more information, see
How to enable the SQL Server 2000 SSL connection
By default, SQL Server is in plain text for client connection and may be listened to by other malicious attackers in the network using sniffer software. Therefore, when high security is required, you can consider using SSL connections between the client and the server to improve security.
When SQL2000 is configured to use SSL, the Certificate Server must exist in the network. Configuration steps:
1. Choose "add and delete programs"> "add and set up"> "Certificate Service"
2. Follow the Certificate Service prompts to install the enterprise Root CA or independent Root CA. I chose an independent Root CA.
3. After installation, check that the "Certificate Authority" plug-in appears in the management tool.
The following operations request a certificate for SQL Server:
1. if you select an independent Root CA, open the IE browser. Enter http: // servername/certsrv in the address bar to submit a certificate application to your certificate server.
2. On the Application page, select "request Certificate"> "Advanced request"> "submit a request using the form". Next Step
3. Enter the certificate name in the certificate content. Note that you must select the FQDN name of the server. Otherwise, an error may occur. Select "Server Authentication Certificate" for the applied certificate, and select "use local computer storage" to submit the request.
4. Authorize this application in CA, select View submitted application option in IE, and install the certificate
Check whether the certificate is correctly installed:
1. In the IE-property-content-certificate option, check whether the issued certificate exists and its function is "Server Authentication"
2. Open the MMC console and add the certificate plug-in (including the computer account ). Confirm that the issued certificate exists.

Operations on the SQL Server:
1. In SQL's "SQL SERVER network utility", select "Force protocol encryption"
2. Restart MSSQLServer service. OK
3. In "client utility", select "Force protocol encryption"

Test:
You can use query analyzer to connect to ODBC application, and then use network monitoring software to capture packets and check whether SSL is enabled.

Common Errors:
1. When installing the certificate service, set the name of the Certificate Service to the same name as the host name. This will cause the SQL Server to fail during initialization, this problem can be seen KB: http://support.microsoft.com/default.aspx? SCID = KB; en-US; 302409 & Product = sql2k
2. When applying for a certificate, the certificate name does not use the FQDN fully qualified domain name. This is one of the reasons for the SQL Server "SSL security error: connectionopen (secdoclienthandshake ()" error. Kb309398 elaborated this question: http://support.microsoft.com/default.aspx? SCID = KB; en-US; 309398 & Product = sql2k
3. About can refer to the installation configuration article: How to: Enable SSL encryption for SQL Server 2000 with Certificate Server can see KB: http://support.microsoft.com/default.aspx? SCID = KB; en-US; 276553 & Product = sql2k #2 (with ppt files available for download)
Http://support.microsoft.com/default.aspx? SCID = KB; en-US; 324777 & Product = sql2k

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.