Skip to main content

Installing and configuring Microsoft SQL Server

This section provides basic instructions for use with a Microsoft SQL Server database and the corresponding client software. These instructions are based on a "standard” configuration. If you want to use a non-standard configuration, or if you experience errors, consult the documentation provided with the SQL Server software.

Warning

When setting up SQL Server, avoid using non-alphanumeric characters in your server name, users’ passwords, or any other names (instance, database, schema).

Overview for setting up Microsoft SQL Server

The following is an overview of required and optional tasks for setting up Microsoft SQL Server to work with Bravura Security Fabric . The tasks are detailed in the sections that follow.

Caution

Express editions should only be used for evaluation purposes. Bravura Security strongly recommends that, whenever possible, you use an enterprise or standard edition rather than the express database edition. Bravura Security does not provide support for product issues resulting from clients upgrading their database edition.

Read Supported database management systems and Best practice: Where to install the Bravura Security Fabric and database software to determine appropriate version for your organization.

To set up Microsoft SQL Server :

  1. Install the SQL Server software if you haven’t already.

  2. Gather information about your database server that will be required during Security Fabric installation .

  3. Optional: Create a dedicated database, user, and schema .

    Alternatively, you can allow Bravura Security Fabric setup to do this for you, as described in Configure a dedicated database user .

  4. Optional: Create a dedicated report database user .

    You can allow Bravura Security Fabric setup to do this for you, as described in SSRS settings .

  5. Optional: Remove public/guest permissions .

  6. If you will be using multiple Bravura Security Fabric instances or servers (replication), read Working with multiple installations for additional considerations.

    Follow Microsoft’s best practice guide when setting up your SQL server.

Installing Microsoft SQL Server

You should install Microsoft SQL Server on Windows Server 2012 R2, 2016, 2019 or 2022.

  1. Install Microsoft SQL Server with the following settings:

    • Feature Selections

      • Database Engine Services

      • Optional: Reporting Services - Native

        This feature is a requirement to use the Analytics app.

      • Client Tools Connectivity

      • Management Tools - Basic

      • Management Tools - Complete

      If the footprint of Client Tools Connectivity and the Management Tools sets is too large, the minimum requirement on the application node is the SQL Server Native Client (sqlncli).

      Installing SQL Server Management Studio (SSMS) on the application node is strongly recommended for application database troubleshooting. SSMS can be installed on another server, but this would make the application database troubleshooting harder.

    2211.png

    • Server Configuration

      • SQL Server Agent NT AUTHORITY \ SYSTEM (not available in Microsoft SQL Server Express Edition)

      • SQL Server Database Engine NT AUTHORITY \ SYSTEM

      • SQL Server Browser NT AUTHORITY \ LOCAL SYSTEM

      • SQL Server Reporting Services NT SERVICE \ ReportServer

      (Only available if you chose to install reporting services)

    • Startup Type Automatic for all services

      The server collation type must be SQL_Latin1_General_CP1_CI_AS, and the database collation type must be set to Latin1_General_BIN when the database is created later.

    • Database Engine Configuration Mixed Mode (SQL Server authentication and Windows authentication).

      Enter and confirm the password. Optionally, you can specify SQL Server Administrators, which use Windows authentication to manage SQL Server.

  2. If you chose to install reporting services , click Install and configure on the Reporting Services Configuration page.

    This removes the need for the SSRS post installation steps.

    Caution

    If you are installing SQL Server Reporting Service (SSRS) to use the Analytics app ensure the server is not a Domain Controller.

  3. Verify the features to be installed on the Ready to install page.

  4. Click Install.

    Consult Microsoft’s documentation for detailed installation instructions.

Next

Information for product installation

You need the following information about your SQL Server database before installing Bravura Security Fabric:

  • IP address or DNS name of the server that SQL Server is installed on.

    You should verify that you can reach this address from the machine that will host Bravura Security Fabric.

    For Microsoft SQL Server Express Edition this is usually localhost.

  • SQL Server instance name.

    Typically, SQL Server is installed in the default instance, and the instance name is MSSQLSERVER.

    Clients that connect to the default instance, including Bravura Security Fabric, do not require \MSSQLSERVER in their server address lines.

    For Microsoft SQL Server Express Edition this is usually SQLEXPRESS.

  • Name and password of a system administrator (sysadmin role) login.

    For Microsoft SQL Server Express Edition this is usually sa.

Encrypted communication with iddb

In most cases the SQL Server is local to the Bravura Security Fabric instance. If this is not the case, you may want to set up encryption to ensure that communication between the Database Service (iddb) and SQL Server takes place over an encrypted channel.

To set up encryption on SQL Server:

  1. Obtain a certificate.

  2. Install the certificate with its private key on the SQL Server.

  3. Install the certificate (without private key) at the appropriate place on your instance server, if necessary.

  4. Under the instance's SQL Server registry key, create a DWORD called FORCEENCRYPT and set its value to 1.

  5. On SQL Server, in the certificate's snap-in of mmc.exe, right click the appropriate certificate > all tasks > manage private keys … and add read access to the account that runs the SQL Server service (by default, NT Authority\MSSQLSERVER)

  6. In the SQL Server Configuration Manager, expand SQL Server Network Configuration on the left-hand pane, then right click Protocols for <mssql instance name> and click Properties. Choose the appropriate certificate under the Certificates tab

  7. Restart the SQL Server service.

  8. Restart iddb .

Notes:

  • FORCEENCRYPT requires certificate validation; it cannot be turned off if you want encryption. You can use a self-signed cert, and install it as a trusted root certificate on the instance.

  • FORCEENCRYPT will use TDS 7.3 rather than 8.0, meaning that TLS will be used only for certificate negotiation (with application-layer encryption) rather than fully encapsulating the traffic. Bravura Security Fabric not support TDS 8.0 currently.

  • Since setup currently does not use the OLE DB driver, encryption will be on during install/patch only if the server is set to require it, and even then certificates will not be validated. During initial installation, if encryption is mandatory on the server side, iddb will fail to start. When presented with the error prompt, set the FORCEENCRYPT registry value and click Retry.

  • Take care not to allow the certificate to expire without rotating it. Your instance will stop working once it expires.

SSRS post installation

The SQL Server Reporting Services feature is a requirement to use the Analytics app in Bravura Security Fabric . The following steps are only required if you add the SSRS feature after you have already installed SQL Server; you do not need to do these steps if you installed SSRS during the SQL server install.

The version of SSRS must be the same version as the SQL Server for the instance. For example; SQL Server 2016 and SSRS 2016.

If you are installing SQL Server Reporting Service (SSRS) to use the Analytics ensure the server is not a Domain Controller.

  1. Launch Reporting Services Configuration Manager.

  2. Click the Web Service URL button on the left. Change settings if required.

  3. Click Apply (whether you change the settings or not).

  4. Take note of the Report Server Web Service URL. You will need this when you install Bravura Security Fabric .

  5. Click the Database button on the left.

  6. If you do not have a database:

    1. Click Change Database.

    2. Select Create a new report server database.

    3. Click Next.

    4. Follow the prompts to create a database.

    This initial database will not be used; however, SSRS requires an initial database to connect to as part of the install process.

Dedicated database, user, and schema

Bravura Security Fabric requires a dedicated database, user and schema in SQL Server in order to connect to and install schema objects.

When using the Bravura Security Fabric setup installer, you can:

  • Allow setup to do this for you, when asked to enter the database connection and user information;

    Or

  • Use the following instructions to pre-configure the user and schema, then enter database server connection settings when configuring the installation.

If you choose to pre-configure the user and schema:

  1. Start Microsoft SQL Server Management Studio.

  2. Connect to the server as a system administrator (sysadmin role).

    You can do this using SQL Server authentication and the sa account, or using Windows authentication if the Windows user has the sysadmin role.

    For example, to connect to the server using the sa account, set:

    Server type: Database Engine

    Server name: <host name or IP address> \ <instance>

    Authentication: SQL authentication

    Login: sa

    Password <password for sa>

    Click Connect.

  3. Create a new database for Bravura Security Fabric :

    1. In the Object Explorer (left) pane, right-click Databases, then click New Database….

    2. Type the Database name .

    3. Click Options .

    4. Select Recovery model and choose Simple.

      Note

      Ensure that an appropriate database backup policy is in place. See http://technet.microsoft.com/en-us/library/ms189275.aspx for more information.

    5. Select Compatibility level and ensure that this is set to a minimum value ofSQL Server 2016 (130).

      The compatibility level for the installed version of Microsoft SQL Server is suitable.

    6. Select Auto Create Statistics and choose True.

    7. Select Auto Update Statistics and choose True.

    8. Select Auto Update Statistics asynchronously and choose False.

    9. Click OK.

  4. Create a new login:

    1. In the Object Explorer pane, expand Security.

    2. Right-click Logins, then click New Login….

    3. On the General page, type the Login name.

    4. Select:

      • SQL Server Authentication

        Type and confirm the password for the new login. Deselect the User must change password at next login and Enforce password expiration checkboxes.

        Or

      • Windows authentication

        Pick a local or domain account or group.

    5. Set Default database to the database that you created in Step 3.

    6. Click OK.

  5. Create a new schema in the database:

    1. In the Object Explorer pane expand Databases > < Newdatabase > > Security.

      Where <New database> is the database that you created in Step 3.

    2. Right-click Schemas, then click New Schema….

    3. Type the Schema name.

    4. Click OK.

  6. Set the user in the database:

    1. In the Object Explorer pane, expand Databases > <Newdatabase> > Security.

      Where <New database> is the database that you created in Step 3.

    2. Right-click Users, then click New User…

    3. Type the User name.

    4. Set the Login name to the user you created in Step 4.

    5. Set the Default schema to the schema you created in Step 5.

    6. In the Database role membership area, enable:

      • db_datareader

      • db_datawriter

      • db_ddladmin

      • db_owner

    7. Click OK.

  7. Close the connection to the schema by collapsing the database tree and highlighting the root of the SQL Server management interface.

    5536.png

    This ensures that the database can be locked to perform the following operation.

  8. Alter the database collation:

    1. In the toolbar, click New Query.

    2. In the new query window, type the following:

      ALTER DATABASE <database name> SET SINGLE_USER WITH ROLLBACK IMMEDIATE
ALTER DATABASE <database name> COLLATE Latin1_General_BIN 
ALTER DATABASE <database name> SET ALLOW_SNAPSHOT_ISOLATION ON 
ALTER DATABASE <database name> SET READ_COMMITTED_SNAPSHOT ON 
ALTER DATABASE <database name> SET MULTI_USER

      If the database name is ”default”, enclose it in square brackets: [default].

    3. Click Execute.

  9. Exit SQL Server Management Studio.

    Note the database name, and the name and password of the login that you create. You will need these values, as well as the information you gathered earlier, when you install Bravura Security Fabric .

Dedicated report database user and schema

The optional Analytics app requires a dedicated report database user and schema.

When using the Bravura Security Fabric setup installer, you enter SSRS settings and:

  • Allow setup to create the user for you;

    Or

  • Use the following instructions to pre-configure the user and schema.

If you choose to pre-configure the report user and schema:

  1. Start Microsoft SQL Server Management Studio.

  2. Connect to the server as a system administrator (sysadmin role).

    You can do this using SQL Server authentication and the sa account, or using Windows authentication if the Windows user has the sysadmin role.

    For example, to connect to the server using the sa account, set:

    Server type: Database Engine

    Server name: <host name or IP address> \ <instance>

    Authentication: SQL authentication

    Login: sa

    Password <password for sa>

    Click Connect.

  3. Create a new schema in the database:

    1. In the Object Explorer pane expand Databases > <instancedatabase> > Security.

    2. Right-click Schemas, then click New Schema….

    3. Type the Schema name.

    4. Set the Schema owner to dbo.

      5537.png

    5. Click OK.

  4. Create a new login:

    1. In the Object Explorer pane, expand Security.

    2. Right-click Logins, then click New Login…

    3. On the General page, type the Login name.

    4. Select SQL Server Authentication.

    5. Type and confirm the password for the new login.

    6. Deselect the User must change password at next login and Enforce password expiration checkboxes.

    7. Set Default database to the instance database created either in a previous install or in Step 3.

      5538.png

    8. Click User Mapping on the left.

    9. Map the <instance database> to this new user and set the default schema to the schema created in the previous step.

      5539.png

    10. Click OK.

  5. Set the user in the database:

    1. In the Object Explorer pane, expand Databases > <instancedatabase> > Security > Users.

    2. Right-click the user created in Step 4 and click Properties.

    3. Click General on the left.

    4. Set the Default schema to the schema you created in Step 3.

      5540.png

    5. In the Membership area, enable:

      • db_datareader

      5541.png

    6. Click Securables on the left.

    7. Search and select Schema object types.

      5542.png

    8. Select the instance database's schema.

    9. Deny this user access to the instance database's schema.

      5543.png

    10. Search and select the report schema you created in Step 3.

    11. Grant Execute and Select permissions.

      5544.png

    12. Click OK.

Removing public/guest permissions

By default, in SQL Server, most objects have public permissions granted. If you remove the default public and guest permissions from your database, for example in SQL server 2016 and after, you must ensure the following steps are performed to ensure Bravura Security Fabric operates correctly:

  1. Start Microsoft SQL Server Management Studio.

  2. Connect to the server as a system administrator (sysadmin role).

    For example, to connect to the server using the sa account, set:

    Server type: Database Engine

    Server name: <host name or IP address> \ <instance>

    Authentication: SQL authentication

    Login: sa

    Password <password for sa>

  3. Click Connect.

  4. Create a new user:

    1. In the Object Explorer (left) pane, expand Databases > SystemDatabases > master > Security , right-click Users, then select New User….

    2. Type the User name.

    3. Select Login name created in Creating a dedicated database, user, and schema .

    4. Select Default schema (for example, sys).

    5. Select Securables to search and grant select permission on schemas sys and INFORMATION_SCHEMA.

    6. Click OK.

  5. Create a new database role for sp_describe_first_result_set:

    1. In the Object Explorer (left) pane, expand Databases > System Databases > master > Security > Roles, right-click Database Roles, then select New Database Role….

    2. Type the Role name.

    3. Add user created in previous step to Role Members.

    4. Select Securables page, and click Search.

    5. Select sp_describe_first_result_set (Extended Stored Procedures).

    6. Grant Execute permission, and click OK.

  6. Repeat last step to create a new database role for sp_executesql.

  7. For upgrade or migration, repeat to create a new database role for sp_rename.

  8. For upgrade or migration, ensure your login user can connect:

    1. In the Object Explorer (left) pane, expand Security > Logins, and select your login user.

    2. Select Securables page, and click Search.

    3. Select your server.

    4. Under the Permissions for <server> check the following permissions:

      • Connect SQL

      • Control server

      • Create any database

      • Create availability group

      • Create DDL event notification

      • Create endpoint

      • Create server role

      • Create trace event notification

      • External access assembly

      • View any definition

      • View server state

    5. Click OK.

Advanced configuration

If you require that the dedicated user works with fewer permissions, you can do one of the following:

  • Modify installation options so that Bravura Security Fabric installs to a named schema owned by a different user.

    The ”schema install user” requires all of the roles described in the above procedure.

  • Modify installation options so that Bravura Security Fabric does not install the schema, and instead uses a schema already set up by your database administrator.

  • Remove extra permissions from the dedicated user after Bravura Security Fabric is installed.

In the above cases, the dedicated user requires at least the db_datareader and db_datawriter database roles, as well as permissions to the schema objects. This includes: EXECUTE permission on the stored procedures, VIEW DEFINITION permission on the stored procedures and views. To learn how to grant permissions to schema objects, contact your database administrator or refer to your database documentation.

See Pre-configured database server settings for more information about advanced installation options.

Working with multiple installations

Instances

If you are installing multiple Bravura Security Fabric instances, ensure that you create and use a separate database and user for each instance.

Database replication

If you will be using Bravura Security Fabric database replication, ensure that you create and use a separate database and user for each replicated server installation.

Schema

During installation, you can modify options so that Bravura Security Fabric does not install the schema, if:

  • The schema is set up by your database administrator ahead of time.

    In this configuration, you must set up database replication between instances. See Database Replication for more information.

  • The schema is shared from a previous installation.

    This means both instances work against the same schema and no database replication is required between them.

    See Installing with a Shared Schema for details on shared schema server setup.

Troubleshooting

Errors

If you experience errors, verify that:

  • You can connect to SQL Server using the login that you created.

    You can verify the connection using the SQL Server Command Line Tool.

    If the login uses SQL Server authentication:

    sqlcmd.exe -S <server name>\<instance> -U <login ID> -P <password>

    If the login uses Windows authentication, and the current Windows user is the same as the SQL Server login:

    sqlcmd.exe -S <server name>\<instance>

  • Your system meets the recommended installation requirements.

    For example, 1 GB RAM is recommended (512 MB is the minimum) for Microsoft SQL Server.

If you continue to experience errors with Microsoft SQL Server :

  • Ensure that the server is set up to allow remote connections.

  • If you are connecting to a named instance, try specifying the TCP port number along with the server and instance name: < servername > \ < instance >, < port >.

    For example, using sqlcmd.exe:

    sqlcmd.exe -S sqlserver\mycorp2,1433 -U sa -P letmein!

If you continue to experience errors with Microsoft SQL Server , try the following:

  1. Start the SQL Server Configuration Manager (Start > All Programs > Microsoft SQL Server 2008 > Configuration Tools)

  2. Select SQL Server Network Configuration > Protocols for < SQLServer instance > and enable Shared Memory, TCP/IP, and Named Pipes protocols.

  3. Select SQL Native Client Configuration > Client Protocols and enable protocols with the following order:

    • Shared Memory 1

    • TCP/IP 2

    • Named Pipes 3

  4. Restart the server to apply your settings.

User mapping

Check if user mapping is correct and places the DBUser login in the context of the application database. In SSMS or sqlcmd execute:

select count(1) from sesslog_full;

You need to fix user mapping if you get "no such table" or zero rows. For example in SSMS:

  1. Click Server > Security > Logins.

  2. Right-click the DBUser then select Properties> User mapping.

  3. Ensure that the correct Login is mapped to the database schema and user, and has correct privileges granted, as in Step 6.

Verify or update current backend database connection settings

Use the iddbadm utility to verify or update current backend database connection settings.

You can see and change the details of the application connection to its database, in the Windows registry (HKLM\SOFTWARE\Bravura Security\Bravura Security Fabric\<instance>\MSSQL)

Any change to that key's values can be made directly, other than the password, which is encrypted and requires running iddbadm to be changed (showconfig will not expose its plaintext value).

Services

Under certain circumstances, Bravura Security Fabric services may fail to start after a server reboot. This problem may occur if the database is unavailable, or the database services and/or other dependent services have not started completely when the Bravura Security Fabric services attempt to start. There are two methods for resolving this problem.

Method 1: Manually start the services

If Bravura Security Fabric services fail to start, you can manually start all required services. To do this:

  1. Before you begin, ensure the database is available.

  2. Log on to the affected server.

  3. On the Start menu, click Run , type services.msc, Click OK.

  4. In the results pane, find the Bravura Security Logging Service.

  5. Right-click the service, then select Restart.

  6. In the results pane, find the Bravura Security Database Service .

  7. Right-click the Service, then select Start.

  8. Repeat steps 6 and 7 for all Bravura Security services that did not start.

Method 2: Set Bravura Security Fabric services to Automatic (Delayed Start)

To ensure that the database and all required services have started completely before the Bravura Security Fabric services have started, you can set them to Automatic (Delayed Start). To do this:

  1. Log on to the affected server.

  2. On the Start menu, click Run, type services.msc, Click OK.

  3. In the results pane, find the Bravura Security services.

  4. Right-click the service, then select Properties….

  5. Change the Startup Type to Automatic (Delayed Start).

  6. Click Apply , then click OK.

  7. Repeat steps 4-6 for all Bravura Security services that are installed.

  8. Restart the server.

In this section: