Connecting with encryption


The examples in this article describe how to use connection string properties that allow applications to use Transport Layer Security (TLS) encryption in a Java application. For more information about these connection string properties, such as encrypt, trustServerCertificate, trustStore, trustStorePassword, and hostNameInCertificate, see Setting the Connection Properties.

Configuring the connection

When the encrypt property is set to true and the trustServerCertificate property is set to true, the Microsoft JDBC Driver for SQL Server won't validate the SQL Server TLS certificate. This setting is common for allowing connections in test environments, such as where the SQL Server instance has only a self-signed certificate.

The following code example demonstrates how to set the trustServerCertificate property in a connection string:

    String connectionUrl =
        "jdbc:sqlserver://localhost:1433;" +
        "databaseName=AdventureWorks;integratedSecurity=true;" +
        "encrypt=true;trustServerCertificate=true";

When the encrypt property is set to true and the trustServerCertificate property is set to false, the Microsoft JDBC Driver for SQL Server will validate the SQL Server TLS certificate. Validating the server certificate is a part of the TLS handshake and ensures that the server is the correct server to connect to. To validate the server certificate, the trust material must be supplied at connection time either by using the trustStore and trustStorePassword connection properties explicitly, or by using the underlying Java Virtual Machine (JVM)'s default trust store implicitly.

The trustStore property specifies the path (including filename) to the certificate trustStore file, which contains the list of certificates that the client trusts. The trustStorePassword property specifies the password used to check the integrity of the trustStore data. For more information on using the JVM's default trust store, see Configuring the client for encryption.

The following code example demonstrates how to set the trustStore and trustStorePassword properties in a connection string:

    String connectionUrl =
        "jdbc:sqlserver://localhost:1433;" +
        "databaseName=AdventureWorks;integratedSecurity=true;" +
        "encrypt=true;trustServerCertificate=false;" +
        "trustStore=storeName;trustStorePassword=storePassword";

The JDBC Driver provides another property, hostNameInCertificate, which specifies the host name of the server. The value of this property must match the subject property of the certificate.

The following code example demonstrates how to use the hostNameInCertificate property in a connection string:

    String connectionUrl =
        "jdbc:sqlserver://localhost:1433;" +
        "databaseName=AdventureWorks;integratedSecurity=true;" +
        "encrypt=true;trustServerCertificate=false;" +
        "trustStore=storeName;trustStorePassword=storePassword;" +
        "hostNameInCertificate=hostName";

Note

Alternatively, you can set the value of connection properties by using the appropriate setter methods provided by the SQLServerDataSource class.

If the encrypt property is true and the trustServerCertificate property is false, and if the server name in the connection string doesn't match the server name in the TLS certificate, the following error will be issued: The driver couldn't establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "java.security.cert.CertificateException: Failed to validate the server name in a certificate during Secure Sockets Layer (SSL) initialization.". With version 7.2 and up, the driver supports wildcard pattern matching in the left-most label of the server name in the TLS certificate.
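The validated configuration described above, as an added example that is not part of the original article: it passes the same properties through a java.util.Properties object so the trust store password stays out of the URL, confirms from the server side that the session is encrypted, and separates a certificate validation failure from other errors. The class name, the TRUSTSTORE_PASSWORD environment variable, and the assumption that the login may read sys.dm_exec_connections (VIEW SERVER STATE) are not from the article.

```java
import java.security.cert.CertificateException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

public class ValidatedTlsConnection {   // hypothetical class name
    public static void main(String[] args) {
        String url = "jdbc:sqlserver://localhost:1433;"
                   + "databaseName=AdventureWorks;integratedSecurity=true";

        Properties props = new Properties();
        props.setProperty("encrypt", "true");
        props.setProperty("trustServerCertificate", "false");   // validate the server certificate
        props.setProperty("trustStore", "storeName");            // placeholder from the article
        props.setProperty("hostNameInCertificate", "hostName");  // placeholder from the article
        String storePassword = System.getenv("TRUSTSTORE_PASSWORD"); // assumed variable name
        if (storePassword != null) {
            props.setProperty("trustStorePassword", storePassword);
        }

        try (Connection con = DriverManager.getConnection(url, props);
             Statement st = con.createStatement();
             ResultSet rs = st.executeQuery(
                 "SELECT encrypt_option FROM sys.dm_exec_connections "
               + "WHERE session_id = @@SPID")) {
            // Server-side view of this session: TRUE means the channel is encrypted.
            if (rs.next()) {
                System.out.println("encrypt_option = " + rs.getString(1));
            }
        } catch (SQLException e) {
            // The article's error text names CertificateException; check the
            // message and the cause chain (cause chaining is an assumption).
            String msg = String.valueOf(e.getMessage());
            boolean certFailure = msg.contains("CertificateException");
            for (Throwable t = e.getCause(); t != null && !certFailure; t = t.getCause()) {
                certFailure = t instanceof CertificateException;
            }
            System.err.println((certFailure
                ? "Server certificate rejected: "
                : "Connection or check failed: ") + msg);
        }
    }
}
```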

See also

Using encryption
Securing JDBC driver applications