This Article Applies From:
CVI Fusion 24.1.3 | Infinity Client 24.1.3 | Infinity Module 24.1.3 | Core Services 24.1.3
Introduction
Pivotware allows secure communication to the MSSQL database used by CoreService starting with version 24.1.3.
The present article lists the steps necessary to achieve this.
1 - Prerequisites
1.1 - Suggested readings before diving-in
Be sure to get familiar with the following articles before going any further:
- CoreService installation procedure: this article lists the necessary steps to install CoreService.
- MSSQL configuration: this article explains how to set up the MSSQL database for CoreService.
1.2 - Server configuration
Some specific settings are required on your Windows Server:
- The correct TLS revision must be allowed.
To crosscheck which revision is active:
1- Launch Internet Properties configuration window:
2- Select the Advanced panel then scroll down to check which TLS revision is selected. Select the correct TLS version then click Apply.
Note: TLS 1.0 and TLS 1.1 have been deprecated since 2021. TLS 1.2 should therefore be the preferred solution.
This protocol version is supported natively since SQL Server 2016.
- MSSQL's log on option must be set to use Built-in account. To check the setting:
1- Launch SQL Server Configuration Manager on the server running your MSSQL database.
2- Click on SQL Server Services then right click on SQL Server then select Properties.
3- Select the Log On panel in the window that opens then check that the Built-in account is selected for Local System.
1.3 - Importing the certificate
The certificate you wish to use must be imported to the Windows server the database is running on.
You have two ways of achieving this:
- Double click on the certificate. As a result, the Certificate Import Wizard opens and guides you through the necessary steps. Be sure, though, to select Local Machine for the Store Location in the wizard welcome page.
- Use the Microsoft Management Console to import the certificate. Once again, be sure to select Computer Account when adding the Certificate snap-in.
Feel free to reach out to your remote software support team or your local support team if you need any help installing the certificate.
2 - Certificate configuration
2.1 - Configuring the certificate in MSSQL
Once your Windows server has been configured and the certificate is loaded, you can assign the certificate to your SQL Server:
- Open SQL Server Configuration Manager.
- Expand the SQL Server Network Configuration, right click on Protocols for MSSQLServer then select Properties.
- In the Flags panel, set Force Encryption to Yes.
Note: SQL Server 2022 comes with an option to Force Strict Encryption. This option is not supported by Pivotware.
The key difference between Force Encryption and Force Strict Encryption is that, for the latter, the client connecting to MSSQL must also be loaded with a certificate.
- Select the Certificate panel. Select your certificate from the drop-down menu then click Apply.
- Restart MSSQL services.
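A read-only check of the server-side settings from sections 1.2, 1.3 and 2.1, as an added example that is not part of the original article or of Pivotware's tooling. It assumes an elevated Windows PowerShell session on the database server and a default instance named MSSQLSERVER; the registry locations are the standard SChannel and SQL Server ones, read here instead of the configuration windows.

```powershell
# Added example: read-only audit of the settings from sections 1.2, 1.3 and 2.1.
# Assumptions: elevated Windows PowerShell on the database server, default
# instance name MSSQLSERVER (change $InstanceName for a named instance).
$InstanceName = 'MSSQLSERVER'

# 1.2 - TLS 1.2 at the SChannel level; a missing key means the OS default applies.
$tlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
$tls = Get-ItemProperty -Path $tlsKey -ErrorAction SilentlyContinue
if ($null -eq $tls) {
    'TLS 1.2 server  : no explicit registry setting (OS default applies)'
} else {
    'TLS 1.2 server  : Enabled={0} DisabledByDefault={1}' -f $tls.Enabled, $tls.DisabledByDefault
}

# 2.1 - Resolve the instance ID, then read Force Encryption and the bound certificate.
$sqlRoot    = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
$instanceId = (Get-ItemProperty "$sqlRoot\Instance Names\SQL").$InstanceName
$netLib     = Get-ItemProperty "$sqlRoot\$instanceId\MSSQLServer\SuperSocketNetLib"
'Force Encryption: {0}' -f $(if ($netLib.ForceEncryption -eq 1) { 'Yes' } else { 'No' })

# 1.3 - The selected certificate must be in the Local Machine store with its private key.
$thumb = $netLib.Certificate
if ([string]::IsNullOrEmpty($thumb)) {
    # With no certificate selected, SQL Server generates a self-signed one at startup.
    'Certificate     : none selected (self-signed fallback in use)'
} else {
    # String -eq is case-insensitive, so registry and store thumbprints compare cleanly.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if ($null -eq $cert) {
        "Certificate     : thumbprint $thumb not found in LocalMachine\My"
    } else {
        # The CN in the subject is the value for "Host name in certificate" (section 2.2).
        'Subject         : {0}' -f $cert.Subject
        'Has private key : {0}' -f $cert.HasPrivateKey
        'Valid until     : {0:u}' -f $cert.NotAfter
        'Expired         : {0}' -f ($cert.NotAfter -lt (Get-Date))
    }
}
```

The script changes nothing; run it again after restarting the MSSQL services to confirm the values survived the restart.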
2.2 - Configuring CVIFusion
To configure CVIFusion for encrypted communication with your database:
- Open CVIFusion then navigate to the Database connectivity menu.
- Expand Connection Security field.
- Click the Encryption drop down menu. Two options are available:
1- Optional: CVIFusion will adapt to the server rules for encryption (i.e. either no encryption, or with encryption).
2- Mandatory: CVIFusion will expect the server to establish a secure connection. This is the most secure option, and the one that should be used if you want to ensure encryption is enforced.
- Trust server certificate option: by default the option is checked. In such a case, CVIFusion will implicitly trust the server certificate.
For an added layer of security, you can disable the option. In that case, you will need to provide the Common Name used in your certificate to fill the Host name in certificate field: whenever CVIFusion tries to connect to your database, it will check that the information matches your setting.
- Click Connect then select the database you wish to connect to and click Save.
Once the setting is complete, communication between CVIFusion and your database will use the TLS protocol.
2.3 - Configuring CoreService
CoreService needs to be configured with the same settings as CVIFusion.
To achieve this:
- Navigate to your CoreService project.
- In the main menu, you will find the same settings as for CVIFusion database connectivity. Provide the required information, save the project then click Send Configuration. Please refer to section 2.2 - Configuring CVIFusion for a description of the various options and fields.
Once the configuration has been sent to CoreService, communication between CoreService and the database will be secured.