  • 1.  Integrating encrypted SQL Server database with Clarity CSA

    Posted 8 days ago

    Hello All,

    As part of a customer POC, we are trying to integrate an encrypted SQL Server database with Clarity CSA. Their database team has shared the certificate file in .crt format with us, and we copied that file to the application server.

    We then ran the following keytool command from JAVA_HOME\bin to import the certificate into the JDK's cacerts file:

     keytool -importcert -keystore cacerts -alias sql_cert -storepass <Default password> -file <Absolute path of .crt file on app server> -trustcacerts

    After execution of the command, it asked whether we wanted to add the certificate to the keystore, and we chose Yes.

    Then in Clarity CSA we tried to integrate the database using the following URL:

    jdbc:sqlserver://<SQL Server Host Name>:1433;databaseName=niku;encrypt=true;trustServerCertificate=false;trustStore="<JAVA_HOME>\lib\security\cacerts";trustStorePassword=<Default Password>

    We do not see any error message in CSA, but the SQL Server connection status remains "Unavailable". This is what we see in nsa-ca.log:

    ERROR 2025-07-24 14:45:49,006 [Config Monitor] config.TenantConfigurationManager (clarity:none:none:none) () Error retrieving a connection
    com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty". ClientConnectionId:56d59291-bcab-4676-800d-2452849f9d2a
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:3680)
        at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:2113)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:3204)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:2833)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:2671)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:1640)
        at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:936)
        at java.sql/java.sql.DriverManager.getConnection(DriverManager.java:681)
        at java.sql/java.sql.DriverManager.getConnection(DriverManager.java:190)
        at com.niku.union.config.TenantConfigurationManager.getConnection(TenantConfigurationManager.java:1546)
        at com.niku.union.config.TenantConfigurationManager.validateDatabaseConnectionConfig(TenantConfigurationManager.java:1567)
        at com.niku.union.config.TenantConfigurationManager.checkTenantDatabases(TenantConfigurationManager.java:2866)
        at com.niku.union.config.ConfigurationManager$ConfigMonitor$2.run(ConfigurationManager.java:8916)
        at java.base/java.util.TimerThread.mainLoop(Timer.java:566)
        at java.base/java.util.TimerThread.run(Timer.java:516)
    Caused by: javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:133)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:383)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
        at java.base/sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1712)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:470)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
        at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:2021)
        ... 13 more

    Any suggestions on what we might be doing wrong here?

    Regards

    -Ashok
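
Added example, not part of the original post and not Clarity or Microsoft driver code: a small Java diagnostic (the class name `TrustStoreCheck` is hypothetical) that loads the file a `trustStore=` value points to and reports whether it holds any trusted certificate entries and the `sql_cert` alias. Java's PKIX validation raises "the trustAnchors parameter must be non-empty" when the truststore it is given contains no trusted certificate entries.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added diagnostic (hypothetical class name), requires Java 9 or later.
// Usage: java TrustStoreCheck <truststore path> <password> [alias]
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java TrustStoreCheck <truststore> <password> [alias]");
            System.exit(2);
        }
        Path path = Paths.get(args[0]);
        String alias = args.length > 2 ? args[2] : "sql_cert"; // alias used in the post
        if (!Files.isRegularFile(path)) {
            // Stray quotes or an unexpanded placeholder in the path end up here.
            System.err.println("No file at " + path.toAbsolutePath());
            System.exit(1);
        }
        // Detects JKS or PKCS12 and loads it; throws IOException on a wrong password.
        KeyStore ks = KeyStore.getInstance(path.toFile(), args[1].toCharArray());

        int trusted = 0;
        for (String a : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(a)) trusted++; // only these become trust anchors
        }
        System.out.println(path.toAbsolutePath() + ": " + trusted
                + " trusted certificate entries");

        if (ks.isCertificateEntry(alias)) {
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            System.out.println(alias + ": " + c.getSubjectX500Principal().getName()
                    + ", expires " + c.getNotAfter());
        } else {
            System.out.println(alias + ": not a trusted certificate entry in this file");
        }
        // Throws InvalidAlgorithmParameterException ("the trustAnchors parameter must
        // be non-empty") when trusted == 0, the condition reported in nsa-ca.log.
        new PKIXParameters(ks);
        System.out.println("PKIX trust anchors initialised");
    }
}
```

Run it with the same JVM the application server uses and the exact path given in the JDBC URL. A relative `-keystore cacerts` passed to keytool is resolved against the current directory, so it is worth checking that file as well.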



  • 2.  RE: Integrating encrypted SQL Server database with Clarity CSA

    Broadcom Employee
    Posted 8 days ago
    Edited by Broadcom Platform Admin 8 days ago

    Try this URL and see:

    url="jdbc:sqlserver://XXX.com:1433;DatabaseName=NNNNN_STAGE;InsensitiveResultSetBufferSize=0;ProgramName=Clarity;encryptionmethod=ssl;" driver="com.ca.clarity.jdbc.sqlserver.SQLServerDriver" instanceName="" serviceId="NNNNN_STAGE" jndiDatabaseId="jdbc/NikuDS" useURL="true"/> 

    In your URL, I see the attribute encryptionmethod=SSL is not there.



    ------------------------------
    Thanks & Regards
    Suman Pramanik
    ------------------------------



  • 3.  RE: Integrating encrypted SQL Server database with Clarity CSA

    Posted 8 days ago

    When I did this at a client I just took the existing URL and appended encrypt=true to it, and then set the useURL flag to true.




  • 4.  RE: Integrating encrypted SQL Server database with Clarity CSA

    Broadcom Employee
    Posted 7 days ago

    Here is an explanation of each of the parameters:

    • jdbc:sqlserver://: This is the standard prefix for SQL Server JDBC connection URLs.
    • [host]: The hostname or IP address of your SQL Server instance.
    • [port]: The port number on which SQL Server is listening (default is 1433).
    • databaseName=[database]: The name of the database you want to connect to.
    • encryptionMethod=SSL: This property explicitly enables SSL encryption for the connection.
    • validateServerCertificate=[true/false]: This property determines whether the driver validates the server's SSL certificate.
      • Set to true for production environments to ensure the server's identity is verified. This requires a trust store containing the server's certificate.
      • Set to false for development or testing environments where certificate validation might be bypassed for convenience, but this is not recommended for production due to security risks.


    ------------------------------
    Thanks & Regards
    Suman Pramanik
    ------------------------------



  • 5.  RE: Integrating encrypted SQL Server database with Clarity CSA

    Posted 5 days ago

    Great detail! As a side note, when using encryption, especially with SSL, the Java cacerts might need the cert to be imported for it to be trusted.