great detail! As a side note, when using encryption, especially with SSL, java cacerts might need the cert to be imported for it to be trusted
Original Message:
Sent: Jul 25, 2025 04:43 AM
From: Suman Pramanik
Subject: Integrating encrypted SQL Server database with Clarity CSA
Here are the explanation of each of parameters
- jdbc:sqlserver://: This is the standard prefix for SQL Server JDBC connection URLs.
- [host]: The hostname or IP address of your SQL Server instance.
- [port]: The port number on which SQL Server is listening (default is 1433).
- databaseName=[database]: The name of the database you want to connect to.
- encryptionMethod=SSL: This property explicitly enables SSL encryption for the connection.
- validateServerCertificate=[true/false]: This property determines whether the driver validates the server's SSL certificate.
- Set to true for production environments to ensure the server's identity is verified. This requires a trust store containing the server's certificate.
- Set to false for development or testing environments where certificate validation might be bypassed for convenience, but this is not recommended for production due to security risks.
------------------------------
Thanks & Regards
Suman Pramanik
Original Message:
Sent: Jul 25, 2025 02:45 AM
From: Paul Schofield
Subject: Integrating encrypted SQL Server database with Clarity CSA
When I did this at a client I just took the existing URL and appended encrypt=true to it, and then set the useURL flag to true.
Original Message:
Sent: Jul 24, 2025 10:38 AM
From: Ashok Kumar Modi
Subject: Integrating encrypted SQL Server database with Clarity CSA
Hello All,
As part of a customer POC, we are trying to integrate encrypted SQL Server database with Clarity CSA. Their database team has shared the certificate file in .crt format with us and we copied that file on the application server.
We then ran following keytool command from JAVA_HOME\bin to import the certificate to JDKs cacert file:
keytool -importcert -keystore cacerts -alias sql_cert -storepass <Default password> -file <Absolute path of .crt file on app server> -trustcacerts
After execution of the command it asked if we want to add the certificate to the keystore and we chose Yes.
Then in Clarity CSA we tried to integrate the database using following URL:
jdbc:sqlserver://<SQL Server Host Name>:1433;databaseName=niku;encrypt=true;trustServerCertificate=false;trustStore="<JAVA_HOME>\lib\security\cacerts";trustStorePassword=<Default Password>
We do not see any error message in CSA, but SQL Server connection status remains "Unavailable". This is what we see from nsa-ca.log:
ERROR 2025-07-24 14:45:49,006 [Config Monitor] config.TenantConfigurationManager (clarity:none:none:none) () Error retrieving a connection
com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty". ClientConnectionId:56d59291-bcab-4676-800d-2452849f9d2a
at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:3680)
at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:2113)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:3204)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:2833)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:2671)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:1640)
at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:936)
at java.sql/java.sql.DriverManager.getConnection(DriverManager.java:681)
at java.sql/java.sql.DriverManager.getConnection(DriverManager.java:190)
at com.niku.union.config.TenantConfigurationManager.getConnection(TenantConfigurationManager.java:1546)
at com.niku.union.config.TenantConfigurationManager.validateDatabaseConnectionConfig(TenantConfigurationManager.java:1567)
at com.niku.union.config.TenantConfigurationManager.checkTenantDatabases(TenantConfigurationManager.java:2866)
at com.niku.union.config.ConfigurationManager$ConfigMonitor$2.run(ConfigurationManager.java:8916)
at java.base/java.util.TimerThread.mainLoop(Timer.java:566)
at java.base/java.util.TimerThread.run(Timer.java:516)
Caused by: javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:133)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:383)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
at java.base/sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1712)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:470)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:2021)
... 13 more
Any suggestions what we might be doing wrong here?
Regards
-Ashok