Cannot connect to SQL Server server with MS JDBC Driver from CentOS 8 server: SSL error but not using secure connection
I found one article that was close to the issue I am experiencing. It is this one:

SQL Server JDBC Error on Java 8: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption
I can provide the entire stack trace but the pruned version has this series of errors:

com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption.
com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "java.security.cert.CertificateException: Certificates do not conform to algorithm constraints". ClientConnectionId:e7a5ebc2-d489-4743-85ba-7873926508fe
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits. RSA 1024bit key used with certificate: CN=SSL_Self_Signed_Fallback. Usage was tls server
The JDBC connection is to a SQL Server 2012 that does NOT have connection encryption enabled or any security that I know of. I talked to our DB guy and he says there is no security on the connection that he knows of. So, I am not sure WHY the MS driver continues to complain about the SSL connection.

This Linux server (CentOS 8) has two Tomcat installations that use JDBC connections. I have a Tomcat 8.0.32 instance that connects to the SQL Server 2012 instance using the jTDS driver that has no problem at all in connecting. I tried switching that driver to the MS driver and it then experienced the same errors. So I switched it back. But the second installation of Tomcat (9.0.33) has an app that requires a JDBC 4.0 or above driver and the jTDS driver is only a 3.0 driver, so I have to use the MS driver. But, I cannot figure out how to get a successful connection.

Digging through the Internet I found reference to the jsse.jar and having the correct certs installed (although nothing specific as to how to do it or why). I also dug up an article that said that the jTDS driver uses NTLM to connect (not 100% sure about that since I have no reference to a domain in my connection for jTDS). In any case, I just need some guidance on how to configure the MS driver to connect from Linux to a non-secured SQL Server 2012. The Microsoft references I found addressed secured connections but nothing about connections that were not secured.
Running Java version:

openjdk version "1.8.0_252"
OpenJDK Runtime Environment (build 1.8.0_252-b09)
OpenJDK 64-Bit Server VM (build 25.252-b09, mixed mode)

driverClassName=com.microsoft.sqlserver.jdbc.SQLServerDriver
url=jdbc:sqlserver://192.168.80.214:1433;databaseName=DB_Central;
integratedSecurity=true;authenticationScheme=NTLM;domain=mydomain.org;

Also tried:

url=jdbc:sqlserver://192.168.80.214:1433;databaseName=DB_Central;encrypt=false;sslProtocol=TLSv1.2;

And just:

url=jdbc:sqlserver://192.168.80.214:1433;databaseName=DB_Central

jTDS that works (in the Tomcat 8.0.32 / JDBC 3.0 environment):

driverClassName=net.sourceforge.jtds.jdbc.Driver
url=jdbc:jtds:sqlserver://192.168.80.214:1433;databaseName=DB_Central

ANYTHING that might point me in the right direction would be helpful, especially why the MS driver wants (or thinks) the connection is secure. The other tidbit is that I see none of these errors when deployed to Windows 10... so it has something to do with Linux and maybe the Java config on Linux. Or, maybe I just need the correct incantation for the connection string when in Linux.....
The driver believes that the connection is secure if it is connecting to a port that is meant to receive only secure connections.

1. Check the port
2. Check for any other explicit setting of TLS / SSL on the JDBC URL
So, the way I was able to get this to work after much trial and error was to copy the java.security file from the Windows 10 install to the CentOS 8 install. The ONLY thing I can see as different between the two was in this section:

# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageDefinition unless the
# corresponding RuntimePermission ("defineClassInPackage."+package) has
# been granted.
#
# by default, none of the class loaders supplied with the JDK call
# checkPackageDefinition.
#

The entries in CentOS included at the end of the list:

org.GNOME.Accessibility.,\
org.GNOME.Bonobo.

The entries in the Windows version had only one entry at the end:

com.sun.java.accessibility.

That was the only difference I could find. And, I don't understand why that made a difference.. But it DOES connect without error now and that is all I wanted....
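The "Algorithm constraints check failed on keysize limits. RSA 1024bit key ... Usage was tls server" message in the question is produced by the JDK's own algorithm-constraint properties, which is also why swapping the java.security file, as the answer above did, changes the outcome. The diagnostic below is an added example, not code from the thread or from Microsoft's driver: it reads the `jdk.tls.disabledAlgorithms` and `jdk.certpath.disabledAlgorithms` security properties of the JVM it runs on (real JDK property names), reports whether an RSA 1024-bit server certificate, the SQL Server 2012 SSL_Self_Signed_Fallback case, would be rejected, and optionally scans a truststore for entries that fail the same rules. The class name, the simplified rule parser and the `changeit` default password are my assumptions. On Red Hat-family OpenJDK builds java.security also carries `security.useSystemPropertiesFile=true`, which pulls in the system-wide crypto policy and raises the RSA minimum to 2048 bits; that this is the Linux-versus-Windows difference in this thread is my inference, not something the posts state.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAKey;
import java.util.Enumeration;
import java.util.Map;
import java.util.TreeMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added diagnostic (hypothetical class, not from the thread): shows which JDK
 * algorithm-constraint rule rejects an RSA key of a given size on THIS JVM,
 * by reading the same security properties the certificate validator uses.
 */
public class CertConstraintCheck {

    /** The two properties consulted during a TLS handshake and certificate-path validation. */
    static final String[] CONSTRAINT_PROPERTIES = {
        "jdk.tls.disabledAlgorithms", "jdk.certpath.disabledAlgorithms" };

    // Key-size form of a rule, e.g. "RSA keySize < 2048".
    private static final Pattern KEYSIZE_RULE =
        Pattern.compile("^(\\S+)\\s+keySize\\s*(<=|<|==|!=|>=|>)\\s*(\\d+)$");

    /**
     * Returns "property: rule" for the first rule that disables alg/keyBits, or null.
     * Simplification (assumption of this example): conditions after '&' such as
     * "& usage TLSServer" are treated as satisfied, so this over-approximates
     * rather than misses a rejection.
     */
    static String disablingRule(String alg, int keyBits) {
        for (String prop : CONSTRAINT_PROPERTIES) {
            String value = Security.getProperty(prop);
            if (value == null) continue;
            for (String raw : value.split(",")) {
                String rule = raw.trim().split("&")[0].trim();
                if (rule.isEmpty()) continue;
                Matcher m = KEYSIZE_RULE.matcher(rule);
                if (m.matches()) {
                    if (m.group(1).equalsIgnoreCase(alg)
                            && compare(keyBits, m.group(2), Integer.parseInt(m.group(3)))) {
                        return prop + ": " + raw.trim();
                    }
                } else if (rule.split("\\s+")[0].equalsIgnoreCase(alg)) {
                    return prop + ": " + raw.trim(); // whole algorithm disabled, any key size
                }
            }
        }
        return null;
    }

    private static boolean compare(int keyBits, String op, int limit) {
        switch (op) {
            case "<":  return keyBits < limit;
            case "<=": return keyBits <= limit;
            case "==": return keyBits == limit;
            case "!=": return keyBits != limit;
            case ">=": return keyBits >= limit;
            default:   return keyBits > limit;
        }
    }

    /** Scans a JKS/PKCS12 truststore; returns alias -> rejecting rule for RSA certificates that fail. */
    static Map<String, String> scanTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        Map<String, String> rejected = new TreeMap<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            PublicKey pk = c.getPublicKey();
            if (!(pk instanceof RSAKey)) continue;   // only RSA key sizes are evaluated here
            int bits = ((RSAKey) pk).getModulus().bitLength();
            String rule = disablingRule(pk.getAlgorithm(), bits);
            if (rule != null) rejected.put(alias + " (RSA " + bits + " bit)", rule);
        }
        return rejected;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version: " + System.getProperty("java.version"));
        // Present on Red Hat-family OpenJDK builds; "true" means the system crypto policy is in effect.
        System.out.println("security.useSystemPropertiesFile: "
            + Security.getProperty("security.useSystemPropertiesFile"));
        for (String prop : CONSTRAINT_PROPERTIES) {
            System.out.println(prop + ": " + Security.getProperty(prop));
        }
        // The exact case from the question: an RSA 1024-bit key in a TLS server certificate.
        String rule = disablingRule("RSA", 1024);
        System.out.println(rule == null
            ? "RSA 1024-bit server certificates are accepted by this JVM"
            : "RSA 1024-bit server certificates are REJECTED by " + rule);
        if (args.length > 0) {   // optional: java CertConstraintCheck <truststore> [password]
            char[] pw = (args.length > 1 ? args[1] : "changeit").toCharArray();
            Map<String, String> bad = scanTrustStore(args[0], pw);
            System.out.println(bad.isEmpty() ? "no rejected RSA certificates in " + args[0] : "rejected:");
            bad.forEach((alias, r) -> System.out.println("  " + alias + " -> " + r));
        }
    }
}
```

Run it once with the Windows JVM and once with the CentOS JVM (`java CertConstraintCheck`, or with the JDK's cacerts path as first argument to scan a store); the printed rule tells you which property and which entry rejects the 1024-bit fallback key, which is more precise than diffing java.security by eye. Relaxing that rule to accept a 1024-bit key weakens every TLS connection made by the JVM; replacing the server's fallback certificate with a 2048-bit one, as the later answer describes, keeps the constraint intact.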
Spent quite some time to solve the connection issues between CentOS 8 with Tomcat and JDBC: SQL Server 2014. I replaced the self-signed certificate in the properties of protocols in SQL Server Configuration. It is misleading that you can't see it on Windows. It's only visible in the Tomcat catalina.out file - use debug with

-Djavax.net.debug=ssl:handshake:all

You have to prepare a certificate from an authority (a self-signed should also work) and store it in local computer - own certificate of the Windows server. Make sure the service account of SQL Server has access right on the private key of the certificate. Otherwise, the SQL service will not start. Restart SQL Server.

Add the certificate and chain to your Tomcat configuration cacerts file. Add

-Djavax.net.ssl.trustStore=
and -Djavax.net.ssl.trustStorePassword=

to setenv.sh.

The string in the webapps web.xml had to be as simple as:

jdbc:sqlserver://yourURL;DatabaseName=yourDB;user=youruser;password=secret

[other options did not work and led to further exceptions: integratedSecurity=true;encrypt=true;trustServerCertificate=true - trustStore=storeName;trustStorePassword=storePassword and I've tried all boolean options ie: false/true]

Restart Tomcat.
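The answer above imports the server certificate and chain into a truststore and points Tomcat at it from setenv.sh. The utility below is an added example (not code from the answer, the JDK or Microsoft): it reads a PEM file containing the SQL Server certificate and its chain, writes them into a dedicated PKCS12 truststore instead of editing the JDK's cacerts, and prints the two `-Djavax.net.ssl.*` lines for setenv.sh. The class name, the `sqlserver-chain-N` aliases, the `changeit` default password and the file-path arguments are my assumptions; the system property names are the standard JSSE ones used in the answer.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;

/**
 * Added example (hypothetical class, not from the thread): builds a dedicated
 * truststore from a PEM file with the SQL Server certificate and its chain,
 * then prints the JVM flags for Tomcat's setenv.sh.
 */
public class BuildTrustStore {

    /** Imports every certificate in pemPath into a PKCS12 truststore at storePath; returns the count. */
    static int build(Path pemPath, Path storePath, char[] password) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> chain;
        try (FileInputStream in = new FileInputStream(pemPath.toFile())) {
            chain = cf.generateCertificates(in);   // parses all "BEGIN CERTIFICATE" blocks in the file
        }
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                        // start from an empty store
        int n = 0;
        for (Certificate c : chain) {
            X509Certificate x = (X509Certificate) c;
            x.checkValidity();                      // fail early on an expired or not-yet-valid certificate
            ks.setCertificateEntry("sqlserver-chain-" + n, x);   // alias scheme is an assumption
            n++;
        }
        try (FileOutputStream out = new FileOutputStream(storePath.toFile())) {
            ks.store(out, password);
        }
        return n;
    }

    /** The setenv.sh lines the answer describes, for the store just built. */
    static String setenvLines(Path storePath, String password) {
        return "CATALINA_OPTS=\"$CATALINA_OPTS"
            + " -Djavax.net.ssl.trustStore=" + storePath.toAbsolutePath()
            + " -Djavax.net.ssl.trustStoreType=PKCS12"
            + " -Djavax.net.ssl.trustStorePassword=" + password + "\"\n"
            + "export CATALINA_OPTS\n";
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: BuildTrustStore <chain.pem> <truststore.p12> [password]");
            System.exit(2);
        }
        String pw = args.length > 2 ? args[2] : "changeit";
        int n = build(Paths.get(args[0]), Paths.get(args[1]), pw.toCharArray());
        System.out.println("imported " + n + " certificate(s) into " + args[1]);
        System.out.println("add to setenv.sh:\n" + setenvLines(Paths.get(args[1]), pw));
    }
}
```

Two caveats when using the generated lines: `-Djavax.net.ssl.trustStore` replaces the JDK's default cacerts for every TLS client in that Tomcat JVM, so if the web apps also call public HTTPS endpoints the public CA roots have to be imported into the same store; and the trust settings do not relax the key-size constraint from the question, so the certificate installed on the SQL Server side must itself use a key the JVM's policy accepts (2048-bit RSA or larger), which is why the answer replaces the self-signed fallback certificate rather than only trusting it.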