Encrypted communication with iddb
In most cases the SQL Server is local to the Bravura Security Fabric instance. If this is not the case, you may want to set up encryption to ensure that communication between the Database Service (iddb) and SQL Server takes place over an encrypted channel.
To set up encryption on SQL Server:

1. Obtain a certificate.
2. Install the certificate with its private key on the SQL Server.
3. Install the certificate (without its private key) at the appropriate place on your instance server, if necessary.
4. Under the instance's SQL Server registry key, create a DWORD called FORCEENCRYPT and set its value to 1.
5. On the SQL Server, in the Certificates snap-in of mmc.exe, right-click the appropriate certificate > All Tasks > Manage Private Keys... and add Read access for the account that runs the SQL Server service (by default, NT Authority\MSSQLSERVER).
6. In SQL Server Configuration Manager, expand SQL Server Network Configuration in the left-hand pane, then right-click Protocols for <mssql instance name> and click Properties. Choose the appropriate certificate under the Certificates tab.
7. Restart the SQL Server service.
8. Restart iddb.
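The steps above as a script, added here as an example rather than Bravura Security Fabric's own tooling. It assumes an elevated PowerShell session on each host, that the instance's SQL Server registry key path and the certificate thumbprint are placeholders you replace, that the exported public certificate sits at .\sqlserver.cer on the instance server, and that the private key was created with a Microsoft provider (so its key file lives under ProgramData). Step 6 (choosing the certificate in Configuration Manager) is left to the GUI as described above.

```powershell
# Added example; not part of Bravura Security Fabric. Run as an administrator.
# Placeholders (replace before use):
$InstanceSqlKey = 'HKLM:\SOFTWARE\<vendor>\<instance>\SQL Server'  # PLACEHOLDER: the instance's SQL Server registry key
$Thumbprint     = '<CERT THUMBPRINT>'                               # PLACEHOLDER: thumbprint of the SQL Server certificate
$ServiceAccount = 'NT Authority\MSSQLSERVER'                        # account running the SQL Server service (page default)
$SqlServiceName = 'MSSQLSERVER'                                     # default instance; named instances use MSSQL$<name>

# ---- On the Bravura Security Fabric instance server ----
function Set-InstanceForceEncrypt {
    # Step 3: trust the server certificate. Needed for a self-signed certificate,
    # because FORCEENCRYPT always validates the certificate chain.
    Import-Certificate -FilePath '.\sqlserver.cer' -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
    # Step 4: FORCEENCRYPT = 1 (DWORD) under the instance's SQL Server key.
    New-ItemProperty -Path $InstanceSqlKey -Name 'FORCEENCRYPT' -PropertyType DWord -Value 1 -Force | Out-Null
    # Echo the value back so the change can be confirmed.
    Get-ItemProperty -Path $InstanceSqlKey -Name 'FORCEENCRYPT'
}

# ---- On the SQL Server host ----
function Grant-PrivateKeyRead {
    # Step 5: the scripted equivalent of "Manage Private Keys > Read" for the service account.
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in LocalMachine\My" }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CSP key: the key file lives under RSA\MachineKeys
        $keyFile = Join-Path $env:ProgramData ('Microsoft\Crypto\RSA\MachineKeys\' + $rsa.CspKeyContainerInfo.UniqueKeyContainerName)
    } else {
        # CNG key (Microsoft Software Key Storage Provider): the key file lives under Crypto\Keys
        $keyFile = Join-Path $env:ProgramData ('Microsoft\Crypto\Keys\' + $rsa.Key.UniqueName)
    }
    # Grant Read only: the service needs to use the key, not to export or replace it.
    $acl  = Get-Acl -Path $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    # Show the resulting entry so the grant can be confirmed.
    (Get-Acl -Path $keyFile).Access | Where-Object IdentityReference -like '*MSSQLSERVER*'
}

function Restart-SqlService {
    # Step 7: the certificate and protocol settings take effect only after a restart.
    Restart-Service -Name $SqlServiceName -Force
}
```

Run Set-InstanceForceEncrypt on the instance server and Grant-PrivateKeyRead followed by Restart-SqlService on the SQL Server host, then restart iddb (step 8). Granting only Read keeps the service account at the least privilege it needs on the key file.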
Notes:

- FORCEENCRYPT requires certificate validation; validation cannot be turned off if you want encryption. You can use a self-signed certificate and install it as a trusted root certificate on the instance.
- FORCEENCRYPT uses TDS 7.3 rather than 8.0, meaning that TLS is used only for certificate negotiation (with application-layer encryption) rather than fully encapsulating the traffic. Bravura Security Fabric does not currently support TDS 8.0.
- Since setup currently does not use the OLE DB driver, encryption is on during install/patch only if the server is set to require it, and even then certificates are not validated. During initial installation, if encryption is mandatory on the server side, iddb will fail to start. When presented with the error prompt, set the FORCEENCRYPT registry value and click Retry.
- Take care not to allow the certificate to expire without rotating it. Your instance will stop working once it expires.
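Two checks a practitioner will want after the notes above, added here as an example and not Bravura Security Fabric's own tooling: confirm from the instance server that a connection validated the certificate and is actually encrypted, and report how long the certificate has left before it expires. It assumes Windows authentication to SQL Server, that the SQL Server host name and thumbprint are placeholders you replace, and that the host name you connect with matches the certificate's subject or subject alternative name (otherwise validation fails).

```powershell
# Added example; not part of Bravura Security Fabric. Run from the instance server.
$SqlServer  = 'sqlhost.example.internal'  # PLACEHOLDER: SQL Server host name as presented in the certificate
$Thumbprint = '<CERT THUMBPRINT>'         # PLACEHOLDER: thumbprint of the server certificate in LocalMachine\Root

function Test-SqlEncryptedConnection {
    # Encrypt=True with TrustServerCertificate=False mirrors FORCEENCRYPT: the channel must be
    # encrypted AND the server certificate must chain to a trusted root on this machine.
    $cs   = "Server=$SqlServer;Database=master;Integrated Security=True;Encrypt=True;TrustServerCertificate=False"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # sys.dm_exec_connections reports, for this session, whether TDS encryption is on
        # and which TDS version was negotiated.
        $cmd.CommandText = 'SELECT encrypt_option, auth_scheme, protocol_version FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        $r = $cmd.ExecuteReader()
        [void]$r.Read()
        [pscustomobject]@{
            Server        = $SqlServer
            EncryptOption = $r['encrypt_option']                          # expect 'TRUE'
            AuthScheme    = $r['auth_scheme']
            TdsVersionHex = ('0x{0:X8}' -f [int]$r['protocol_version'])   # e.g. 0x74000004 for TDS 7.4
        }
    } finally {
        $conn.Dispose()
    }
}

function Get-SqlCertDaysRemaining {
    # The instance stops working once the certificate expires, so alert well ahead of that date.
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\Root' | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\Root" }
    $days = [int]($cert.NotAfter - (Get-Date)).TotalDays
    if ($days -le 30) {
        Write-Warning "SQL Server certificate expires in $days day(s) (on $($cert.NotAfter)); rotate it before then."
    }
    $days
}

Test-SqlEncryptedConnection
Get-SqlCertDaysRemaining
```

If Test-SqlEncryptedConnection throws a certificate-chain error, the root has not been trusted on the instance or the host name does not match the certificate; if it connects but EncryptOption is FALSE, the server is not forcing encryption and the client setting is what is protecting the session. Schedule Get-SqlCertDaysRemaining so a rotation is planned before the warning threshold is reached.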