TRANSCRIPT
Using Encryption with Microsoft SQL Server 2000
Kevin McDonnell, Technical Lead, SQL Server Support, Microsoft Corporation
2
Presentation Content
We will discuss how to set up Microsoft® SQL Server™ 2000 with SSL encryption
This is not a discussion on Certificate Server, PKI, or an in-depth discussion of SSL
3
Data Encryption: SQL Server 7.0 vs. SQL Server 2000
In SQL Server 7.0, we used the Multiprotocol library and enabled the encryption option
  Not strong encryption
  Requires additional protocol MSRPC
  Requires additional ports opened on the firewall
  Not supported for named instances
SQL Server 2000
  Strong encryption
  Uses only the TCP protocol
4
SQL Server 2000 Encryption
There is no wizard to install a certificate
There is no SQL GUI to manage certificates
There is no way to identify which connections are encrypted and which connections are not
There is no SQL GUI to verify a certificate is valid
The certificate is read on the server during SQL Server startup
5
SQL Server 2000 Overview: Net-Library Architecture
TCP IPX/SPX Net-Library Router
Encryption Layer
SSNetLib - Server Socket Net-Library
SQL Server
6
SQL Server 2000 Client Overview
Requires MDAC 2.6 or later to be installed
Does not require SQL Server 2000 Tools
Programmers can request SSL encryption in their connection string
  ODBC: Encrypt=Yes
  OLE DB: Use Encryption for Data=True
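An added example, not from the presentation, that audits connection strings for the two keywords listed above: Encrypt=Yes for ODBC and Use Encryption for Data=True for OLE DB. The function name and the sample connection strings (constructed here) are assumptions; a practitioner can feed it the strings stored in application configuration to find clients that never ask for SSL, which matters because the server does not report which sessions are encrypted.

```powershell
# Added example (not from the presentation). Report whether a SQL Server 2000
# connection string requests SSL. ODBC: Encrypt=Yes; OLE DB: Use Encryption for Data=True.
function Test-SqlConnectionStringEncryption {
    param([Parameter(Mandatory)] [string] $ConnectionString)

    # Connection strings are semicolon-separated key=value pairs; keys are
    # case-insensitive and internal whitespace is not significant.
    $pairs = @{}
    foreach ($part in ($ConnectionString -split ';')) {
        $kv = $part -split '=', 2
        if ($kv.Count -ne 2) { continue }            # skip empty or malformed segments
        $key = ($kv[0].Trim() -replace '\s+', ' ').ToLowerInvariant()
        $pairs[$key] = $kv[1].Trim()
    }

    # The API the string targets decides which keyword counts.
    $api = if ($pairs.ContainsKey('provider')) { 'OLE DB' }
           elseif ($pairs.ContainsKey('driver') -or $pairs.ContainsKey('dsn')) { 'ODBC' }
           else { 'unknown' }

    $keyword = switch ($api) {
        'OLE DB' { 'use encryption for data' }
        'ODBC'   { 'encrypt' }
        default  { $null }
    }
    $value = if ($keyword) { $pairs[$keyword] } else { $null }
    $requested = $value -and (@('yes', 'true') -contains $value.ToLowerInvariant())

    [pscustomobject]@{
        Api                 = $api
        EncryptionRequested = [bool]$requested
        Keyword             = if ($value) { "$keyword=$value" } else { '(not set)' }
        Server              = if ($pairs.ContainsKey('server')) { $pairs['server'] }
                              elseif ($pairs.ContainsKey('data source')) { $pairs['data source'] }
                              else { '' }
    }
}

# Constructed sample strings (not from the slides): two that request SSL, one that does not.
$samples = @(
    'Driver={SQL Server};Server=myserver;Database=Sales;Trusted_Connection=Yes;Encrypt=Yes',
    'Provider=SQLOLEDB;Data Source=myserver;Initial Catalog=Sales;Integrated Security=SSPI',
    'Provider=SQLOLEDB;Data Source=myserver;Initial Catalog=Sales;Use Encryption for Data=True'
)
$samples | ForEach-Object { Test-SqlConnectionStringEncryption -ConnectionString $_ } | Format-Table -AutoSize
```

The second sample is the case to look for: an OLE DB string that would connect in clear text unless the client machine has Force protocol encryption turned on in the Client Network Utility.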
7
SQL Server 2000 Client Overview: Net-Library Architecture
Client Application
Oledb Provider or ODBC Driver
Client Net-Library DBNetlib.dll
TCP IPX/SPX Net-Library Router
Encryption Layer
8
Certificate Request: From a Microsoft Certificate Authority Server
SQL Server 2000
  Stand-Alone CA: Web request. Use advanced request using a form.
  Enterprise CA: MMC request.
Virtual SQL Server 2000 Cluster
  Stand-Alone CA: Web request. Use advanced request using a form. Must specify virtual server name.
  Enterprise CA: Web request. Use advanced request using a form. Change certificate template to Web Server.
9
Encryption Planning for SQL Server 2000: Enabling SSL Encryption from the Server
Use the SQL Server Network Utility
Forces all incoming connections to be encrypted
Install server certificate only
All or nothing — the server will not start if the certificate is not found or is invalid
10
Encryption Planning for SQL Server 2000 (2): Enabling Encryption from the Client Using the Client Network Utility
Use the SQL Server Client Network Utility
Forces all client connections to be encrypted
Can no longer connect to SQL Server 7.0
Install server certificate — client requires updated Trusted Root Authority
11
Certificate Request: From a Stand-Alone CA
12
Certificate Request: Change the Intended Purpose
13
Certificate Request: Certificate Store Location
14
Certificate Request: Submit Certificate Request to CA
15
Certificate Request: Pending CA Approval
16
Certificate Request: Check on a Pending Certificate
17
Certificate Request: Select the Certificate Request You Want To Check
18
Certificate Request: Install the Certificate
19
View Certificate in MMC
20
Certificate General Information
21
SQL Server 2000: Server Network Utility
Select the “Force protocol encryption” check box to enable SSL encryption
22
SQL 2000 Server Registry
The registry key that shows server-enabled encryption is:
HKLM\Software\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib
23
Certificate Request: From an Enterprise CA
24
Certificate Request: Using MMC
25
Certificate Request (2): Using MMC
26
Certificate Request (3): Using MMC
27
Certificate Request (4): Using MMC
28
Certificate Request (5): Using MMC
29
Client Request for Encryption
The SQL Server must have the certificate installed
The client computer must update the Trusted Root Authority
Export the Trusted Root Authority from the server and import it on the client computer
Enable “Force protocol encryption” from the SQL Client Network Utility or use the appropriate connection string
Recommended for SQL Server cluster
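As an added example (not from the presentation) of the export/import step listed above: the first function runs on the SQL Server and writes the root CA certificate and the public part of the server certificate to .cer files; the second runs on the client, imports the root into the machine's Trusted Root Certification Authorities store and confirms that the server certificate now chains to a trusted root, which is exactly the check the client net-library performs during the SSL handshake. Function names, file paths, and the thumbprint value are assumptions; Import-Certificate comes from the Windows PKI module.

```powershell
# Added example (not from the presentation). Distribute the Trusted Root Authority
# from the SQL Server to a client and verify the resulting trust chain.

# --- Run on the SQL Server: export the root CA and the public part of the server certificate.
function Export-SqlServerTrustChain {
    param(
        [Parameter(Mandatory)] [string] $ServerCertThumbprint,   # as shown in MMC or by CAPICOM
        [string] $OutputDir = 'C:\sqlssl'                         # assumed path
    )
    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
    $leaf  = Get-Item -Path "Cert:\LocalMachine\My\$ServerCertThumbprint"
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null  = $chain.Build($leaf)                                  # walks up to the issuing root
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    # DER (.cer) export carries public data only; the private key never leaves the server.
    [IO.File]::WriteAllBytes("$OutputDir\sqlroot.cer",   $root.Export('Cert'))
    [IO.File]::WriteAllBytes("$OutputDir\sqlserver.cer", $leaf.Export('Cert'))
    "$OutputDir\sqlroot.cer", "$OutputDir\sqlserver.cer"
}

# --- Run on the client: import the root, then prove the server certificate chains to it.
function Install-SqlServerTrustedRoot {
    param(
        [Parameter(Mandatory)] [string] $RootCerPath,
        [Parameter(Mandatory)] [string] $ServerCerPath
    )
    # Machine-wide Trusted Root store, so every account on the client trusts the CA.
    Import-Certificate -FilePath $RootCerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ServerCerPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # A lab CA usually publishes no CRL; keep the default (Online) revocation mode in production.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $ok = $chain.Build($leaf)
    [pscustomobject]@{
        Server      = $leaf.GetNameInfo('SimpleName', $false)
        ChainBuilds = $ok
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
}

# Usage (thumbprint is a placeholder; copy the two .cer files to the client between the calls):
# Export-SqlServerTrustChain -ServerCertThumbprint '<server certificate thumbprint>'
# Install-SqlServerTrustedRoot -RootCerPath 'C:\sqlssl\sqlroot.cer' -ServerCerPath 'C:\sqlssl\sqlserver.cer'
```

If ChainBuilds comes back False, ChainStatus names the reason (untrusted root, expired certificate, or a name problem), which is more informative than the SSL Security error the client net-library raises.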
30
SQL Server 2000: Client Network Utility
Enabling the “Force protocol encryption” option
31
SQL Client Registry
Client registry:
HKLM\Software\Microsoft\MSSQLServer\Client\SuperSocketNetLib
32
Sample ODBC Connection
33
Knowledge Base Articles
Q309398, “PRB: SQL Server 2000 Installation Fails with "SSL Security error :ConnectionOpen (SECDoClientHandshake())" Error Message”
Q302409, “FIX: Unable to Connect to SQL Server 2000 When Certificate Authority Name Is the Same As the Host Name of the Windows 2000 Computer”
Q318605, “INF: How SQL Server Uses a Certificate When the Force Protocol Encryption Option is Set On”
Q316898, “HOW TO: Enable SSL Encryption for SQL Server 2000 with Microsoft Management Console”
Q276553, “HOW TO: Enable SSL Encryption for SQL Server 2000 with Certificate Server”
34
Known Issues
Microsoft® Visual Studio® .NET installs the Microsoft SQL Server Desktop Edition of SQL Server. If there are certificates on the computer that are not used for SQL Server, setup may fail.
See Q309398, “PRB: SQL Server 2000 Installation Fails with "SSL Security error :ConnectionOpen (SECDoClientHandshake())" Error Message.”
The SQL Server 2000 release required the certificate’s intended purpose to be client authentication.
Local store versus current user.
35
SetCert Utility
Included with the SQL Server 2000 resource kit
Permits you to control the certificate used for SQL Server
36
CAPICOM
Cryptographic COM component
Permits you to write scripts to manage certificate stores
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Subject Name: CN=myserver.cherryhill.corp.widget.com
SHA-1 Thumbprint: 791B74BFD698B477F7768566365D44FE78BCEF9D
Valid To: 3/12/2003 2:34:49 PM
Extended Key Usage: Server Authentication(1.3.6.1.5.5.7.3.1)
37
Summary
SQL Server 2000 encryption can be implemented from the server or client
The certificate must be installed on the server and the intended purpose must be server authentication
The SQL Server service account must be the same account that requested the certificate
If the client requests an encrypted connection, the Trusted Root Authority must be updated on the client computer
Certificates on a SQL Server cluster must be issued to the virtual SQL Server name
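The Summary above, together with the Known Issues slide (intended purpose, local store versus current user), the Server Registry slide and the CAPICOM listing, amounts to a checklist that has to hold before “Force protocol encryption” is switched on, because the server will not start otherwise. The following PowerShell function, an added example that is not from the presentation, walks the Local Machine personal store and reports which certificates pass each check, in the same fields the CAPICOM script printed. The function name, the expected server name argument, and the Encrypt value name under the registry key are assumptions (the slides give the key path but not the value name). The service-account requirement in the Summary is not checked here: it depends on which account requested the certificate, which is not a property of the certificate itself.

```powershell
# Added example (not from the presentation). Check the certificate and registry
# prerequisites for SQL Server 2000 SSL on the server itself (run elevated).
function Test-SqlServer2000SslPrerequisites {
    param(
        # FQDN the certificate must be issued to; on a cluster, the virtual server name.
        [Parameter(Mandatory)] [string] $ExpectedName,
        # SQL Server reads the Local Machine store at startup, not the Current User store.
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU, as in the CAPICOM output
    $ekuType  = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $now = Get-Date

    $results = foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Collect every Extended Key Usage OID the certificate carries.
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is $ekuType) {
                $ekus += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
            }
        }
        $cn = $cert.GetNameInfo($nameType, $false)
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            ValidTo       = $cert.NotAfter
            ServerAuthEku = ($ekus -contains $serverAuthOid)      # intended purpose check
            NameMatches   = ($cn -ieq $ExpectedName)              # issued to the (virtual) server name
            InDateRange   = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
            HasPrivateKey = $cert.HasPrivateKey                   # key must be on this machine
        }
    }
    # Only a certificate that passes every check can be used by SQL Server 2000.
    $usable = $results | Where-Object {
        $_.ServerAuthEku -and $_.NameMatches -and $_.InDateRange -and $_.HasPrivateKey
    }

    # Server-side "Force protocol encryption" flag under the key named on the slides.
    $regPath = 'HKLM:\Software\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib'
    $forced = $null
    if (Test-Path -Path $regPath) {
        $forced = (Get-ItemProperty -Path $regPath).Encrypt   # value name "Encrypt" is an assumption
    }

    [pscustomobject]@{
        Candidates              = $results
        UsableCertificate       = $usable
        ForceProtocolEncryption = $forced
    }
}

# The server name from the CAPICOM slide is used as the expected subject here.
$report = Test-SqlServer2000SslPrerequisites -ExpectedName 'myserver.cherryhill.corp.widget.com'
$report.Candidates | Format-Table -AutoSize
if (-not $report.UsableCertificate) {
    Write-Warning 'No certificate in Cert:\LocalMachine\My satisfies every SQL Server 2000 requirement; the service will fail to start once Force protocol encryption is enabled.'
}
```

Run it before ticking the check box in the Server Network Utility rather than after: a failed startup is the only feedback SQL Server 2000 gives when the certificate is missing, expired, issued to the wrong name, or carries the wrong intended purpose.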
38
Thank you for joining us for Today’s Microsoft Support WebCast.
For information on all upcoming Support WebCasts and access to the archived content (streaming media files, PowerPoint® slides, and transcripts), please visit:
http://support.microsoft.com/WebCasts
We sincerely appreciate your feedback. Please send any comments or suggestions regarding the Support WebCasts to [email protected]