-
Title
How to monitor cluster server or AlwaysOn listener on FIPS enabled FMS -
Description
When monitoring a cluster server or an AlwaysOn listener when FIPS enabled on the FMS, the following error will occur:[Foglight][SQLServer JDBC Driver]The server name in the certificate (HOSTNAME.DOMAIN) does not match the value specified in the hostNameInCertificate connect option (HOSTNAME).or[Foglight][SQLServer JDBC Driver]SSL handshake failed: protocol_version(70) -
Cause
The certificate is validated in FIPS mode. If there is no server name in the certificate, the connection to the database will fail. -
Resolution
To allow the certificate to be used for multiple hostnames/IPs, these must be set in the certificate as Subject Alternative Names (SAN).
Take keytool as an example:
Command:
keytool -genkey -alias -keyalg RSA -storetype PKCS12 -keysize 2048 -validity -keystore -storepass -ext san=ip:,dns:[,ip:,dns:]
Example:
If you have two database servers, the host names are serverA and serverB, and AlwaysOn listener name is virualHost, take serverA as an example:
keytool -genkey -alias servera -keyalg RSA -storetype PKCS12 -keysize 2048 -sigalg SHA256withRSA -validity 365 -keystore serverA.pfx -storepass changeit -dname "CN=serverA, OU=Quest, O=Quest Software Inc., L=ZH, ST=GD, C=CN" -ext san=dns:virualHost,dns:serverA
Copy the store file serverA.pfx to database serverA, and double click to import its certficate.
Run command certlm.msc and grant permission for SQL Server account through "Manage Private Keys..."
Add the SQL Server running account.
The SQLServer running account comes from SQL Server Service.
Select signed certificate for SQL Server and Restart SQL Server.
Click the "View" button and "Copy to File" to export certificate for monitoring.
How to import certificate see KB 317939
After that, you can use the AlwaysOn listener name (virualHost) to monitor.
-
Defect ID
FOM-609