Securing Database Communication in CA UIM 9.0.2 with TLS v1.2 (Microsoft SQL Server)

January 14, 2019

In today’s highly competitive environment, it is hard to find a software application that is successful without having any robust security mechanism. With newer security threats coming up every single day, organizations need to have a continued focus on enhancing security in their software applications if they want to be market leaders. Without the ability to meet the ever-increasing security demands in their products, organizations cannot capture the market or do business with various institutions (e.g. federal or financial institutions). Organizations that can secure their applications without compromising on performance are bound to edge out competitors who cannot.

CA Unified Infrastructure Management 9.0.2, a leading infrastructure management monitoring solution, comprehensively addresses both security and performance areas. It provides enhanced security by supporting Transport Layer Security (TLS) v1.2 while communicating with the CA UIM database–Microsoft SQL Server. This support enables the CA UIM Server to establish secure communication with the CA UIM database without compromising on the product performance. Various probes have been enhanced so that they can now communicate in a TLS v1.2-compliant CA UIM 9.0.2 environment.

At a high level, enabling TLS v1.2 support in CA UIM 9.0.2 is a two-step process. We recommend that you back up your database before you start the process described in this article:

  • Perform configurations on the Microsoft SQL Server database server.
  • Enable the TLS option and provide relevant details during installation of the CA UIM Server.

Supporting TLS v1.2 on Microsoft SQL Server

The following diagram shows the steps that are required to enable TLS v1.2 when the CA UIM database is Microsoft SQL Server 2012, 2014, 2016, or 2017.

Configurations on the Database Server—Microsoft SQL Server

Perform the following tasks on the database server—Microsoft SQL Server:

Verify the FQDN Requirement. Verify that your full computer name is an FQDN (for example, VI02-E74.ca.com). If not, add the domain name (for example, ca.com) to the computer name.

Verify and Apply Patches for Microsoft SQL Server. For Microsoft SQL Server versions that do not provide support for TLS v1.2 by default, download and apply the required packages depending on your Microsoft SQL Server version.

Disable Previous Versions of Certificates. Change the registry keys to disable all the previous versions of certificates on the database server. Verify the following registry keys on the database server:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server

For the Client and Server keys, create the following DWORD values:

  • DisabledByDefault=00000000
  • Enabled=00000001
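The registry step above, as an added PowerShell example that is not part of the original article: it creates the three SCHANNEL keys listed, sets DisabledByDefault=0 and Enabled=1 under Client and Server, and reads the state back so the change can be checked before the reboot that SCHANNEL changes require. The helper names and the commented-out list of older protocol key names (SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, which are the standard SCHANNEL names) are this example's assumptions, not values taken from the article.

```powershell
# Added example (not from the article): enable TLS 1.2 for SCHANNEL on the
# SQL Server host and read the result back. Run in an elevated PowerShell
# session; SCHANNEL picks the new settings up after a reboot.

$ProtocolRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)] [string] $Name,    # protocol key name, e.g. 'TLS 1.2'
        [Parameter(Mandatory)] [bool]   $Enable   # $true = enable, $false = disable
    )
    # Enabled=1/DisabledByDefault=0 switches a protocol on; the inverse switches it off.
    $enabled           = if ($Enable) { 1 } else { 0 }
    $disabledByDefault = if ($Enable) { 0 } else { 1 }
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $ProtocolRoot "$Name\$side"
        # New-Item -Force creates the whole path and leaves an existing key untouched.
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value $enabled -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value $disabledByDefault -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    param([string[]] $Names = @('TLS 1.2'))
    foreach ($name in $Names) {
        foreach ($side in 'Client', 'Server') {
            $key   = Join-Path $ProtocolRoot "$name\$side"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            # A missing key means Windows falls back to its built-in default for that protocol.
            $enabledValue  = if ($null -ne $props) { $props.Enabled }           else { '<key absent>' }
            $disabledValue = if ($null -ne $props) { $props.DisabledByDefault } else { '<key absent>' }
            [pscustomobject]@{
                Protocol          = $name
                Side              = $side
                Enabled           = $enabledValue
                DisabledByDefault = $disabledValue
            }
        }
    }
}

# The article's step: TLS 1.2 Client and Server with DisabledByDefault=0, Enabled=1.
Set-SchannelProtocol -Name 'TLS 1.2' -Enable $true

# Assumption beyond the article: the older SCHANNEL protocol keys. Switch these off
# only once every SQL client in the environment, CA UIM included, negotiates TLS 1.2,
# otherwise those clients lose database connectivity.
# foreach ($legacy in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
#     Set-SchannelProtocol -Name $legacy -Enable $false
# }

# Read back what is now in the registry for the protocols of interest.
Get-SchannelProtocolState -Names 'TLS 1.0', 'TLS 1.1', 'TLS 1.2' | Format-Table -AutoSize
```

The read-back table is worth keeping with the change record: a row showing `<key absent>` for TLS 1.2 after the script ran means it was executed without administrator rights or against the wrong hive, which is the usual reason the SQL Server still refuses TLS 1.2 connections after the reboot.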

Import the Certificate to the Database Server. Use Internet Information Services (IIS) to import the Certification Authority (CA)-approved certificate to the database server. You must ensure that the certificate is issued to the FQDN of the computer, not the host name.

Grant SQL Server Rights to Use the Certificate. You must provide the SQL Server rights to use the certificate. You use SQL Server Configuration Manager and Microsoft Management Console (MMC) to perform this task.

Enable Encryption on the Database Server. Use the SQL Server Configuration Manager to enable the encryption on the database server. This step prepares your database server to use the encryption.

Export the Certificate on the Database Server. Export the self-signed certificate from the database server so that the CA UIM Server (the client in this case) can use it. The CA UIM Server (client) must trust the certificate that is available on the database server. You do not need to perform this task in the case of CA-approved certificates because the certificate file is already available.

Configurations on the CA UIM Server Computer

Perform the following tasks on the computer where you plan to install the CA UIM Server:

Import the Certificate on the CA UIM Server Computer. This step is required to ensure that the CA UIM Server can trust the certificate that is available on the database server. You must import the certificate into the Trusted Root Certification Authorities certificate store on the CA UIM Server computer. 

Create Java KeyStore for the Server Certificate. You also need to create a .jks file (Java keystore file) on the CA UIM Server computer to store the server certificate. The .jks file, when created, includes your database server certificate. You can use the Java keytool, which is a key and certificate management tool, to generate your .jks file. The tool stores the keys and certificates in a store called keystore.

Install the CA UIM Server. After you have performed all the tasks listed in this section and reviewed the other pre-installation planning tasks, start the CA UIM Server installation. During the installation, ensure that you enable the TLS v1.2 option and provide the required information. The CA UIM Server installer automatically installs the required driver (SQLNCLI11) on the computer during the installation. Then browse to the location where you created the .jks file. The installer copies that file to the <Nimsoft>\security folder as truststore.jks. Note that if you are upgrading to CA UIM 9.0.2 from a previous CA UIM release, use the data_engine Admin Console or Infrastructure Manager UI to configure the TLS v1.2-related parameters.
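The three client-side steps above (trust the certificate, build the .jks, confirm the database accepts an encrypted connection), as one added PowerShell example that is neither the CA UIM installer's code nor the product documentation. It assumes the certificate was exported from the SQL Server host to a file, that keytool from a Java installation is on the PATH, and that the account running it has Windows authentication on the database; the file paths, alias, store password and the function name Test-SqlTlsConnection are placeholders of this example, while the FQDN is the one the article uses. The end-to-end check goes beyond the article's steps: it opens a connection with Encrypt=True and TrustServerCertificate=False, so it fails unless the certificate is issued to the FQDN and is trusted, and then asks SQL Server whether that session is really encrypted.

```powershell
# Added example (not the product's installer or documentation): client-side
# steps on the CA UIM Server host. Paths, alias and password are placeholders.

$CertFile   = 'C:\certs\sqlserver.cer'      # placeholder: certificate exported from the SQL Server host
$Truststore = 'C:\certs\truststore.jks'     # placeholder: the .jks file the installer asks for
$StorePass  = 'changeit'                    # placeholder: use a real secret in practice
$Alias      = 'uim-sqlserver'               # placeholder alias inside the keystore
$SqlFqdn    = 'VI02-E74.ca.com'             # the article's example FQDN; must match the certificate

# 1. Trust the server certificate machine-wide (Trusted Root Certification Authorities).
Import-Certificate -FilePath $CertFile -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 2. Build the Java keystore with keytool. -storetype JKS matters on Java 9 and later,
#    where the default store type is PKCS12 and the file would not be a real .jks.
& keytool -importcert -noprompt -trustcacerts -storetype JKS `
    -alias $Alias -file $CertFile -keystore $Truststore -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw "keytool failed with exit code $LASTEXITCODE" }
& keytool -list -keystore $Truststore -storepass $StorePass

# 3. Verify end to end. Encrypt=True forces TLS; TrustServerCertificate=False makes the
#    client validate the server certificate instead of accepting any certificate.
function Test-SqlTlsConnection {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [string] $Database = 'master'
    )
    $cs = "Server=$Server;Database=$Database;Integrated Security=True;Encrypt=True;TrustServerCertificate=False"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # sys.dm_exec_connections reports whether the current session is encrypted.
        $cmd.CommandText = 'SELECT encrypt_option, auth_scheme, net_transport ' +
                           'FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            [pscustomobject]@{
                Server        = $Server
                EncryptOption = $reader['encrypt_option']   # expected: TRUE
                AuthScheme    = $reader['auth_scheme']
                Transport     = $reader['net_transport']
            }
        }
    }
    finally { $conn.Dispose() }
}

Test-SqlTlsConnection -Server $SqlFqdn
```

Two failure modes are worth recognising here. A connection error mentioning the certificate chain or a name mismatch means step 1 (or the certificate's subject) is wrong, not the SQL Server encryption setting; a successful connection whose EncryptOption is FALSE means the client never asked for encryption, which is the situation you get by dropping Encrypt=True from the connection string.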

More Information

For detailed information about Transport Layer Security (TLS) v1.2, considerations, how to perform various tasks outlined in this article, or to view the list of enhanced probes, see the related DocOps article: Support for TLS v1.2 (Microsoft SQL Server).

To learn how to support TLS v1.2 for Oracle, read this article.