无法使用 MS JDBC 驱动程序从 CentOS 8 服务器连接到 SQL 服务器服务器：使用安全连接 ZEA52C2Z42253C5F99C23Z 错误

Question

I found one article that was close to the issue I am experiencing. It is this one:

SQL Server JDBC Error on Java 8: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption

I can provide the entire stack trace but the pruned version has this series of errors:

com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "java.security.cert.CertificateException: Certificates do not conform to algorithm constraints". ClientConnectionId:e7a5ebc2-d489-4743-85ba-7873926508fe

Caused by: javax.net.ssl.SSLHandshakeException:
java.security.cert.CertificateException: Certificates do not conform to algorithm constraints

Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints

Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits. RSA 1024bit key used with certificate: CN=SSL_Self_Signed_Fallback. Usage was tls server

The JDBC connection is to a SQL Server 2012 that does NOT have connection encryption enabled or any security that I know of. I talked to our DB guy and he says there is no security on the connection that he knows of. So, I am not sure WHY the MS driver continues to complain about the SSL connection.

This Linux server (CentOS 8) has two tomcat installations that use JDBC connections. I have a Tomcat 8.0.32 instance that connects to the SQL Server 2012 instance using the JTDS driver that has no problem at all in connecting. I tried switching that driver to the MS driver and it then experienced the same errors. So I switched it back. But the second installation of Tomcat (9.0.33) has an app that requires a JDBC 4.0 or above driver and the JTDS driver is only a 3.0 driver so I have to use the MS driver. But, I cannot figure out how to get a successful connection.

Digging through the Internet I found reference to the jsse.jar and having the correct certs installed (although nothing specific as to how to do it or why). I also dug of an article that said that the JTDS driver uses NTLM to connect (not 100% sure about that since I have no reference to a domain in my connection for JTDS). In any case, I just need some guidance on how to configure the MS driver to connect from Linux to a non-secured SQL Server 2012. The Microsoft references I found addressed secured connections but nothing about connections that were not secured.

Running Java version:

• openjdk version "1.8.0_252"

• OpenJDK Runtime Environment (build 1.8.0_252-b09)

• OpenJDK 64-Bit Server VM (build 25.252-b09, mixed mode)

  driverClassName=com.microsoft.sqlserver.jdbc.SQLServerDriver url=jdbc:sqlserver://192.168.80.214:1433;databaseName=DB_Central;
  integratedSecurity=true;authenticationScheme=NTLM;domain=mydomain.org;

Also tried:

url=jdbc:sqlserver://192.168.80.214:1433;databaseName=DB_Central;encrypt=false;sslProtocol=TLSv1.2;

And just:

url=jdbc:sqlserver://192.168.80.214:1433;databaseName=DB_Central

JTDS that works (in the tomcat 8.0.32 / JDBC 3.0 environment):

driverClassName=net.sourceforge.jtds.jdbc.Driver
url=jdbc:jtds:sqlserver://192.168.80.214:1433;databaseName=DB_Central

ANYTHING that might point me in the right direction would be helpful especially why the MS driver wants (or thinks) the connection is secure. The other tidbit is that I see none of these errors when deployed to Windows 10...so it has something to do with Linux and maybe the Java config on Linux. Or, maybe I just need the correct incantation for the connection string when in Linux.....

Answer 1

The driver believes that the connection is secure, if it is connecting to a port that is meant to receive only secure connections. 1.Check the port 2.Check for any other explicit setting of TLS / SSL on the JDBC url

Answer 2

So, the way I was able to get this to work after much trial and error was to copy the java.security file from the windows 10 install to the CentOS 8 install. The ONLY thing I can see as different between the two was in this section:

'# List of comma-separated packages that start with or equal this string

'# will cause a security exception to be thrown when

'# passed to checkPackageDefinition unless the

'# corresponding RuntimePermission ("defineClassInPackage."+package) has

'# been granted.

'#

'# by default, none of the class loaders supplied with the JDK call

'# checkPackageDefinition.

'#

The entries in CentOS included at the end of the list:

           org.GNOME.Accessibility.,\
           org.GNOME.Bonobo.

The entries in the Windows version had only one entry at the end:

           com.sun.java.accessibility.

That was the only difference I could find. And, I don't understand why that made a difference.. But it DOES connect without error now and that is all I wanted....

Answer 3

spend quite some time to solve the connection issues between centos 8 with tomcat and jdbc:sql server 2014. I replaced the self-signed certificate in the properties of protocols in sql server configuration. It is misleading that you can't see it on windows. It's only visible in the tomcat catalina.out file - use debug with -Djavax.net.debug=ssl:handshake:all . You have to prepare a certificate from an authority (a self-signed should also work) and store it in local computer - own certificate of the windows server. Make sure the service account of sql server has access right on the private key of the certificate. Otherwise, the sql service will not start. Restart sql server.

Add the certificate and chain to your tomcat configuration cacerts file. add -Djavax.net.ssl.trustStore= and -Djavax.net.ssl.trustStorePassword= to setenv.sh

The string in the webapps web.xml had to be as simple as: jdbc:sqlserver://yourURL;DatabaseName=yourDB;user=youruser;password=secret [other options did not work and led to further exceptions: integratedSecurity=true;encrypt=true;trustServerCertificate=true - trustStore=storeName;trustStorePassword=storePassword and i've tried all boolean options ie: false/true] Restart tomcat

Answer 4

It has to do something with openjdk version of java. We have switched to amazon correto 1.8 you can find it here , and everything worked perfectly.