Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

DB Connect Addon Integration Issue - Microsoft SQL Server 2012

kiranpanchavat1
Path Finder
‎02-24-2022 05:48 AM

Hello Team,

We are trying to integrate one of the SQL data base using the splunk db connect add-on and we are getting the below error.  Id MS SQL 2012 is compatible with the below db connect and splunkversions ?

Splunk DB Connect

Version: 3.5.1 Build: 4 Splunk Enterprise : 8.1.7.2

DB version is Microsoft SQL Server 2012

ERROR :

The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Certificates do not conform to algorithm constraints". ClientConnectionId:xxxxxxxxxxxxxxxxxxxxxxxxxxxx

Labels (1)
Labels
Tags (1)
Reply

andrew207
Path Finder
‎11-20-2022 07:25 PM

I have hit this problem too, and it's a bit awkward. Here's what I have learned:

- Even with encrypt=false in your JDBC URL, authentication still occurs over TLS.

- MSSQL 2014 uses 1024-bit keys by default

- Newer versions of JRE/JDK (not sure when it changed) specify minimum key lengths of 2048 for RSA

I am working to solve this by having the MSSQL team configure suitable certs signed by our PKI. As a temporary workaround you may be able to set this:

#$JAVA_HOME/lib/security/java.security
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, RSA keySize < 1024

Notably, we are changing the disabled RSA keySize to <1024, which would allow the 1024-bit keys used by default in MSSQL14 -- even when SSL is explicitely disabled in the JDBC URL.

Tags (1)
0 Karma
Reply

andrew207
Path Finder
‎11-22-2022 01:46 PM 
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, RSA keySize < 1024

Just as a followup, performing this change to allow RSA keysizes of 1024 bits worked fine and when combined with explicitly specifying encrypt=false in the JDBC URL we now have working connectivity. 

0 Karma
Reply

kiranpanchavat1
Path Finder
‎03-02-2022 11:15 PM

can anyone please provide an update on this ?

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...