Enabling TLS 1.2 with SQL Server

Follow the steps to set up TLS 1.2, which is required for NIST SP800-131 compliance.

Before you begin

  • TLS setup requires a supported version of MS SQL Server with the latest patches installed.
  • The minimum required version is MS SQL Server 2012 Service Pack 3.
  • Ensure that your browser supports TLS 1.2.
  • For BFC V1.10.x and earlier:
    • Open the jvm.options file with a text editor and add the following line:
      -Dcom.ibm.jsse2.overrideDefaultTLS=true

      File location: <SCA>\wlp\usr\servers\server1\

      Note: Ensure that the line contains no extra spaces or tabs.
    • You must restart the compliance service for the update to take effect.
  • For BFC V2.0.x and later, the line is already present in jvm.options.

    File location: <SCA>\wlp\usr\servers\server1\configDropins\defaults\

Procedure

  1. Install one of the supported versions of MS SQL Server and the latest patches. The minimum requirement is MS SQL Server 2012 Service Pack 3. For the updates that Microsoft released to enable TLS 1.2 support in SQL Server, see https://support.microsoft.com/en-us/help/3135244/tls-1.2-support-for-microsoft-sql-server
  2. Generate a self-signed certificate with OpenSSL or with IIS Manager. The certificate subject (common name) must match the host name that BigFix Compliance uses to reach SQL Server; otherwise the client rejects the certificate when it validates the server.
    1. Generate the private key and certificate (replace <sql_hostname> with the host name of the SQL Server):
       openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj "/CN=<sql_hostname>" -keyout privateKey.key -out certificate.crt
    2. Combine the certificate and private key into a .pfx file. You are prompted for an export password; you need it again when importing the file in step 6.
    3. openssl pkcs12 -export -out sca_server.pfx -inkey privateKey.key -in certificate.crt
    4. Alternatively, use IIS Manager to generate a self-signed certificate and export it to .pfx directly. To install IIS Manager, go to Server Manager, click Add Roles and Features and add Web Server (IIS). For information on generating certificates, see https://aboutssl.org/how-to-create-a-self-signed-certificate-in-iis/
  3. Upload the certificate/key into BigFix Compliance.
  4. From the command line, run mmc.exe.
  5. Add a certificate snap-in.
    1. Select File > Add/Remove Snap-in.
    2. Select the Certificates snap-in and click Add.
    3. Select Computer account and click Next.
    4. Ensure that the Local computer option is selected and click Finish.
    5. Click OK.
  6. Import the certificate.
    1. In the Console window, go to Console Root > Certificates.
    2. Right-click Certificates and select All Tasks > Import.
    3. From the Welcome Window, click Next.
    4. Click Browse and select the .pfx file that you created.
    5. Click Next.
    6. Enter the password that you set when exporting the .pfx file and click Next.
    7. Ensure that Place all certificates in the following store is selected and that Certificate Store is set to Personal.
    8. Click Next and click Finish.
  7. Manage the private keys.
    1. Right-click the imported certificate and select All Tasks > Manage Private Keys.
    2. Click Add.
    3. Type MSSQLSERVER, click Check Names, and click OK. For a named instance, the service account is NT SERVICE\MSSQL$<instance name> instead. If the service account cannot be resolved, choose SERVICE instead; note that SERVICE grants every service on the host access to the key, so prefer the specific service account whenever it resolves.
    4. Click OK on the Select Users and Groups window.
    5. On the Permissions window, grant the service account Allow for Read and click OK. Read is sufficient; SQL Server only needs to read the key, so do not grant Full Control.
  8. Configure SQL Server to accept encrypted connections by following the SQL Server documentation: select the certificate on the instance's Certificate tab and set Force Encryption to Yes. For more information, see https://docs.microsoft.com/en-us/previous-versions/sql/sql-server-2012/ms191192(v=sql.110)#EncryptConnection
  9. Restart the SQL Server service and BigFix Compliance.
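
The following PowerShell script is an added example and is not part of this page or of the BigFix Compliance product. It performs the SQL Server side of the procedure (steps 2 and 5 through 9) without the MMC dialogs, then verifies the result from a client that validates the certificate against the host name. It assumes Windows PowerShell 5.1 on the SQL Server host, run as Administrator on Windows Server 2016 or later (for the New-SelfSignedCertificate parameters used), a default instance named MSSQLSERVER, and the legacy CAPI key provider so that the private key file sits in the MachineKeys directory that the Manage Private Keys dialog works on. $InstanceName, the output file names and the friendly name are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original page. Assumes Windows PowerShell 5.1, run as
# Administrator on the SQL Server host. Change $InstanceName for a named instance.

$InstanceName   = 'MSSQLSERVER'                                 # assumption: default instance
$Fqdn           = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$ServiceName    = if ($InstanceName -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { "MSSQL`$$InstanceName" }
$ServiceAccount = "NT SERVICE\$ServiceName"                     # same principal the MMC step grants

# Step 2 equivalent: self-signed certificate whose CN and SAN match the host name,
# Server Authentication EKU, 2048-bit RSA, SHA-256, placed in Local Computer\Personal.
# A CAPI provider is used so the key lands under MachineKeys (see the ACL step below).
$cert = New-SelfSignedCertificate `
    -Subject "CN=$Fqdn" -DnsName $Fqdn `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -Provider 'Microsoft RSA SChannel Cryptographic Provider' `
    -NotAfter (Get-Date).AddDays(365) `
    -FriendlyName "SQL Server TLS ($Fqdn)"

# Export the .pfx (what BigFix Compliance is given) and the public .cer (for client trust stores).
$pfxPassword = Read-Host -AsSecureString 'PFX export password'
Export-PfxCertificate -Cert $cert -FilePath "$env:TEMP\sca_server.pfx" -Password $pfxPassword | Out-Null
Export-Certificate    -Cert $cert -FilePath "$env:TEMP\sca_server.cer" | Out-Null

# Step 7 equivalent: the service account gets Read on the private key file and nothing more.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName   # CAPI key container name
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
icacls $keyFile /grant "$($ServiceAccount):R" | Out-Null

# Step 8 equivalent: bind the certificate to the instance and require encryption
# (the same registry values that SQL Server Configuration Manager writes).
$instanceId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL').$InstanceName
$ssnl = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\SuperSocketNetLib"
Set-ItemProperty -Path $ssnl -Name Certificate     -Value $cert.Thumbprint.ToLower() -Type String
Set-ItemProperty -Path $ssnl -Name ForceEncryption -Value 1 -Type DWord

# Step 9 equivalent (dependent services such as SQL Agent are restarted as well).
Restart-Service -Name $ServiceName -Force

# Check: connect with Encrypt=True and TrustServerCertificate=False, so the client must
# both trust the certificate and match its CN/SAN against $Fqdn. The self-signed .cer is
# imported into this host's Trusted Root store for the test; every other client needs it too.
Import-Certificate -FilePath "$env:TEMP\sca_server.cer" -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
$cs   = "Server=$Fqdn;Database=master;Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=False"
$conn = New-Object System.Data.SqlClient.SqlConnection $cs
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = 'SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID'
$encrypted = [string]$cmd.ExecuteScalar()
$conn.Close()
if ($encrypted -ne 'TRUE') { throw "Connection to $Fqdn is not encrypted" }
"Encrypted connection to $Fqdn verified using certificate $($cert.Thumbprint)"
```

If the final connection fails with a certificate-chain or name-mismatch error, the certificate is loaded but the client cannot validate it: either the CN/SAN does not match the name in the connection string, or the client does not trust the issuer. Setting TrustServerCertificate=True hides that failure rather than fixing it, so keep it False once the certificate is in place. The SQL Server error log also records "The certificate ... was successfully loaded for encryption" at startup, which confirms the Manage Private Keys permission was sufficient.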