-
Title
How to enforce SQL over TLS -
Description
The ER Server establishes unencrypted SQL connections.
We need to enforce TLS for SQL from the ER Server without having to explicitly enforce TLS on the SQL Server.
We have not explicitly installed the public keys of the certificates on our ER server, as we operate an Enterprise PKI and the ER server trusts the root certificate of the SQL certificates. -
Resolution
To enforce TLS for SQL Server, we can configure the machine to use only TLS protocols. This ensures that TLS is used for authentication.
If we cannot enforce TLS at the machine level for some reason, we can also enforce encryption using connectionString on the ER Server machine.
To enforce encryption at ER Server, we can modify the connection string in the ReporterServer.exe.config file located in the C:\Program Files\Quest\Enterprise Reporter\Server folder. Add the connection string with Encrypt=True and TrustServerCertificate=False (if there is a verifiable server certificate).
Using Encrypt=True and TrustServerCertificate=True ensures encryption always occurs, but may use a self-signed server certificate. (Reference: https://learn.microsoft.com/en-us/dotnet/framework/data/adonet/connection-string-syntax).To get the connection string, create a UDL file with the required information for SQL Server authentication. Verify that the connection tests successfully. Open the UDL file in Notepad and copy the connection string. Remove the provider from the connection string and paste it into the ReporterServer.exe.config file, with Encrypt=True and TrustServerCertificate=False (if there is a verifiable server certificate).
Initial config file database settings
After adding connection string (example):
Once the connection string is added, save the config file. Restart the server and nodes.