000025411 - Windows Authentication for Microsoft SQL Server Datastore

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2

Article Content

Article Number: 000025411

Applies To:
RSA ClearTrust Server 5.5.3
RSA Access Manager 6.0
Microsoft SQL Server 2005 Datastore
JNetDirect JDBC driver for SQL Server version 5.5

Issue:
Windows Authentication for Microsoft SQL Server Datastore
A security audit shows cleartext passwords in the sql.conf file.
The option to encrypt the conf files, and then having to bring up the services manually and enter a password, is not acceptable.
Resolution

The following changes allow Windows Authentication to be used instead of SQL Server Authentication, without a user or password entered in sql.conf, while the Windows services can still be used.

JSQLConnect.jar file - The JNetDirect JDBC driver for SQL Server version 5.5, which is supplied by RSA on the AXM 6.0 DVD. This file resides in the lib folder under the AXM\ClearTrust installation folder.

JSQLTrustedAuthentication.dll file - This file needs to be supplied by RSA in addition to the above .jar file, and it needs to reside in a folder that is included in the Path environment variable. The DLL accompanies the driver and, when installed on the client machine, allows the otherwise all-Java driver to connect the Java application to the DBMS as the current Windows user, without coding or entering any username or password at runtime.

Windows Domain User Account - Since the ClearTrust server and the SQL Server 2005 may run on different machines, this domain user account will be the account that the database is accessed with rather than the CT_ADMIN SQL Server Account.  The ClearTrust services will run under this domain account and when they are started, will access the database using the domain account.

SQL.Conf Configuration

Configure the jdbc_url:
cleartrust.data.sql.server.mssql.jdbc_url:jdbc:JSQLConnect://mydbserver:myport/database=CT/trustedAuthentication=true

Minimum File Permissions required for the Domain Userid on the ClearTrust Machine:

<AXM/ClearTrust Installation folder> - Read, Execute
<AXM/ClearTrust Installation folder>/logs - Read, Write
<AXM/ClearTrust Installation folder>/var/_5608 - Read, Write

Database permissions required for the Domain Userid on the Database Machine:

Within SQL Server, the Windows Domain Account needs to be placed into the CT_ADMIN_ROLE.

Running the ClearTrust Services:
The main AXM/ClearTrust services need to be configured to run under the Windows Domain Account rather than Local Service.  These services are: dispatcher, aserver, eserver.

Configuring MS SQL Server:
Microsoft SQL Server supports logins using password authentication or operating system authentication. If the authentication mode is set to 'SQL Server or Windows NT', authentication to the server can be done using standard SQL Server login IDs or using Windows NT users. If the authentication mode is set to 'Windows NT Only', authentication can be done through Windows NT users only.

From Enterprise Manager, right-click on SQL Server, select Properties, select the Security tab, then view and select the appropriate authentication mode.

Presently, the following parameters cannot be blank, and dummy values had to be put in for this to work:
cleartrust.data.sql.server.mssql.user         :bogususer
cleartrust.data.sql.server.mssql.password     :boguspassword
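
An added example, not part of the RSA article or product: a Python check that a sql.conf follows the configuration above, meaning the jdbc_url sets trustedAuthentication=true and the user and password entries hold only dummy values. The '#' comment handling, the placeholder list and the function names are assumptions.

```python
PREFIX = "cleartrust.data.sql.server.mssql."
# Dummy values shown on this page; extend with your own placeholders (assumption).
PLACEHOLDERS = {"bogususer", "boguspassword"}

def parse_conf(text):
    """Parse 'key : value' lines; the key ends at the first colon."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # '#' comments are an assumption
            continue
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def url_properties(jdbc_url):
    """Return the name=value properties that follow host:port in the URL."""
    rest = jdbc_url.partition("://")[2]
    props = {}
    for part in rest.split("/")[1:]:  # element 0 is host:port
        name, sep, value = part.partition("=")
        if sep:
            props[name.strip().lower()] = value.strip()
    return props

def audit(text):
    """Return a list of findings; an empty list means the file passes."""
    conf = parse_conf(text)
    findings = []
    props = url_properties(conf.get(PREFIX + "jdbc_url", ""))
    if props.get("trustedauthentication", "").lower() != "true":
        findings.append("jdbc_url does not set trustedAuthentication=true")
    for field in ("user", "password"):
        value = conf.get(PREFIX + field, "")
        if not value:
            findings.append(f"{field} is blank; the article says it cannot be")
        elif value not in PLACEHOLDERS:  # never echo the value itself
            findings.append(f"{field} holds a non-placeholder value")
    return findings

# Constructed sample input built from the lines shown on this page.
GOOD = (
    PREFIX + "jdbc_url:jdbc:JSQLConnect://mydbserver:myport/database=CT/trustedAuthentication=true\n"
    + PREFIX + "user         :bogususer\n"
    + PREFIX + "password     :boguspassword\n"
)
if __name__ == "__main__":
    print(audit(GOOD) or "sql.conf passes")
```

Findings name the offending field but never print its value, so the output can be kept in audit logs.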


The JSQLConnect.jar and JSQLTrustedAuthentication.dll files are available from RSA Customer Support. Contact Customer Support and request the hotfix for RSA Access Manager 6.0.2.17.
Notes

References:
JNetDirect Technical Reference:
http://www.jnetdirect.com/jsqlconnectTechDocs/Documentation/TechnicalReference.html

Legacy Article ID: a35142
