Getting Data In

DB Connect Addon Integration Issue - Microsoft SQL Server 2012

kiranpanchavat1
Path Finder

Hello Team,

We are trying to integrate one of the SQL databases using the Splunk DB Connect add-on and we are getting the below error. Is MS SQL 2012 compatible with the below DB Connect and Splunk versions?

Splunk DB Connect

Version: 3.5.1 Build: 4 Splunk Enterprise : 8.1.7.2

DB version is Microsoft SQL Server 2012

ERROR :

The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Certificates do not conform to algorithm constraints". ClientConnectionId:xxxxxxxxxxxxxxxxxxxxxxxxxxxx


andrew207
Path Finder

I have hit this problem too, and it's a bit awkward. Here's what I have learned:

- Even with encrypt=false in your JDBC URL, authentication still occurs over TLS.

- MSSQL 2014 uses 1024-bit keys by default

- Newer versions of JRE/JDK (not sure when it changed) specify minimum key lengths of 2048 for RSA

I am working to solve this by having the MSSQL team configure suitable certs signed by our PKI. As a temporary workaround you may be able to set this:

#$JAVA_HOME/lib/security/java.security
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, RSA keySize < 1024

Notably, we are changing the disabled RSA keySize to <1024, which would allow the 1024-bit keys used by default in MSSQL14 -- even when SSL is explicitly disabled in the JDBC URL.

0 Karma
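
An added example, not part of the original posts: a small Python audit helper that parses a `jdk.tls.disabledAlgorithms` value and reports the smallest RSA key size it still accepts, so a host where the temporary workaround was left in place can be spotted. The function names and the `STRICT` sample line are assumptions made for illustration; only the `WORKAROUND` line comes from the post above.

```python
import re

# Comparison operators accepted by the java.security "keySize" constraint syntax.
_OPS = {
    "<": lambda k, n: k < n,
    "<=": lambda k, n: k <= n,
    "==": lambda k, n: k == n,
    "!=": lambda k, n: k != n,
    ">=": lambda k, n: k >= n,
    ">": lambda k, n: k > n,
}
_KEYSIZE = re.compile(r"^(\S+)\s+keySize\s*(<=|>=|==|!=|<|>)\s*(\d+)$", re.I)


def parse_disabled(value):
    """Split a disabledAlgorithms value into plain names and keySize rules."""
    names, rules = [], []
    # Join properties-file continuation lines, then split on commas.
    for entry in (e.strip() for e in value.replace("\\\n", "").split(",")):
        if not entry:
            continue
        m = _KEYSIZE.match(entry)
        if m:
            rules.append((m.group(1).upper(), m.group(2), int(m.group(3))))
        else:
            names.append(entry)
    return names, rules


def key_rejected(value, algorithm, bits):
    """True if a key of `bits` bits for `algorithm` matches a keySize rule."""
    _, rules = parse_disabled(value)
    return any(a == algorithm.upper() and _OPS[op](bits, n) for a, op, n in rules)


def smallest_allowed(value, algorithm, candidates=(512, 1024, 2048, 3072, 4096)):
    """Smallest candidate key size the setting still accepts, or None."""
    return next((b for b in candidates if not key_rejected(value, algorithm, b)), None)


# The workaround line quoted in the post above.
WORKAROUND = ("SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, "
              "EC keySize < 224, 3DES_EDE_CBC, RSA keySize < 1024")
# Constructed sample: same list with the 2048-bit RSA floor the post describes.
STRICT = WORKAROUND.replace("RSA keySize < 1024", "RSA keySize < 2048")

if __name__ == "__main__":
    for label, value in (("workaround", WORKAROUND), ("strict", STRICT)):
        print(label, "-> smallest RSA size accepted:", smallest_allowed(value, "RSA"))
```
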

andrew207
Path Finder
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, RSA keySize < 1024

Just as a follow-up, performing this change to allow RSA key sizes of 1024 bits worked fine, and when combined with explicitly specifying encrypt=false in the JDBC URL we now have working connectivity.

0 Karma

kiranpanchavat1
Path Finder

Can anyone please provide an update on this?

0 Karma