Connection to SQL Server fails when the database server is configured to use TLS 1.2

, ,

Problem:

When we try to connect to an SQL database with TLS1.2 on and TLS1.0 off, we get this error:

The test connection operation failed for data source x on server x at node <node> with the following exception:

java.sql.SQLException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption.

Error: “SQL Server did not return a response. The connection has been closed.

ClientConnectionId:x”.

DSRA0010E: SQL State = 08S01, Error Code = 0. View JVM logs for further details.

 

Resolution:

TLS 1.2 and SQL Server require a fix from Microsoft to work.

 

To get the Content Store connection working:

– Ensure that the unrestricted jre policy files are added and in cognos configuration you add the SHA256 ciphersuites.

– Use the latest SQL Server jdbc driver (at least 7.0) for the java version that Cognos uses. You can find the latest SQL Server JDBC driver here: https://docs.microsoft.com/en-us/sql/connect/jdbc/download-microsoft-jdbc-driver-for-sql-server?view=sql-server-ver15

– Edit install_location\bin64\startwlp.bat (Windows) to add the following lines after the line set JVM_ARGS=-Xmx4096m -XX:MaxNewSize=2048m -XX:NewSize=1024m %DEBUG_OPTS%:

set JVM_ARGS=”-Dcom.ibm.jsse2.overrideDefaultTLS=true” %JVM_ARGS%

NOTE: The startwlp.bat file no longer exists in 11.1.5 and higher. 

– Edit install_location\bin64\bootstrap_wlp_os_version.xml to add the following lines after the line <param condName=”${java_vendor}” condValue=”IBM”>-Xscmaxaot4m</param>:

<param>”-Dcom.ibm.jsse2.overrideDefaultTLS=true”</param>

– Edit install_location\bin64\cogconfig.bat (Windows) to add the following lines after the line set J_OPTS=%DD_OPTS% %J_OPTS%:

set J_OPTS=”-Dcom.ibm.jsse2.overrideDefaultTLS=true” %J_OPTS%

– If SQL Server has ‘Force Encryption’ set to ‘Yes’ (meaning that it is using an SSL certificate), you will need to import the SQL Server certificate into the Java cacerts keystore for your JRE. For example (using the Cognos JRE):

  1. Obtain the root Certificate Authority certificate that issued your SQL Server’s certificate (or the self-signed server certificate if it was not issued by a Certificate Authority), and copy to the computer where Cognos Analytics is installed. For example, copy the file sqlcert.cer to the root directory, c:\sqlcert.cer
  2. Type cd C:\Program Files\ibm\cognos\analytics\ibm-jre\jre\lib\security
  3. Type , for example, C:\Progra~1\ibm\cognos\analytics\ibm-jre\jre\bin\keytool -import -trustcacerts -file “c:\sqlcert.cer” -keystore cacerts -alias SQLCert

– Start Cognos Configuration using cogconfig.bat you modified in the previous step. Important: You must start IBM Cognos Configuration using cogconfig.bat

To get the SQL Server Native Client Connection:

Download a version of the Native Client that supports TLS 1.2 as per Microsoft’s KB Article: https://support.microsoft.com/en-ca/help/3135244/tls-1-2-support-for-microsoft-sql-server

To get the JDBC data source connection working:

– Go to Cognos Administration -> Configuration tab -> Dispatchers and Services
– Click on the dispatcher server to drill down to the services
– Beside the QueryService, click the Set Properties button
– Go to the Settings tab
– Add the following the Additional JVM Arguments for the QueryService setting

-Dcom.ibm.jsse2.overrideDefaultTLS=true

– Click OK
– Click on the Status tab
– Select System
– Click on the server to drill down to the services
– Beside QueryService, click the drop down arrow
– Select “Stop immediately”
– Wait 30 seconds for it to fully stop
– Click the drop down again and select “Start immediately”

 

You can also review the article from IBM:

https://www-01.ibm.com/support/docview.wss?uid=swg22016796