The Microsoft JDBC Driver for SQL Server supports running in JVMs configured to be FIPS 140 Compliant.
Generally, applications can configure the java.security file to use FIPS-compliant crypto providers. See the documentation specific to your JVM for how to configure FIPS 140 compliance.
To see the approved modules for FIPS Configuration, refer to Validated Modules in the Cryptographic Module Validation Program.
Vendors may require additional steps to configure a JVM for FIPS.
To connect to SQL Server in FIPS mode, a valid TLS/SSL Certificate is required. Install or import it into the Java Key Store on the client machine (JVM) where FIPS is enabled.
For FIPS, most likely you need to import the certificate (.cert) in either PKCS or a provider-specific format. Use the following snippet to import the TLS/SSL certificate and store it in a working directory with the appropriate KeyStore format. TRUST_STORE_PASSWORD is your password for Java KeyStore.
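```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;

// Both methods belong in a class that defines TRUST_STORE_PASSWORD.
// Creates an empty keystore of the given type from the given provider, adds the
// certificate as a trusted entry, and writes it to ./MyTrustStore_<type>.
public void saveGenericKeyStore(
        String provider,
        String trustStoreType,
        String certName,
        String certPath
) throws KeyStoreException, CertificateException,
        NoSuchAlgorithmException, NoSuchProviderException,
        IOException
{
    KeyStore ks = KeyStore.getInstance(trustStoreType, provider);
    ks.load(null, null); // initialize an empty keystore
    ks.setCertificateEntry(certName, getCertificate(certPath));
    // try-with-resources closes the stream even if store() throws
    try (FileOutputStream os = new FileOutputStream("./MyTrustStore_" + trustStoreType)) {
        ks.store(os, TRUST_STORE_PASSWORD.toCharArray());
    }
}

// Reads an X.509 certificate from the given file.
private Certificate getCertificate(String pathName)
        throws IOException, CertificateException
{
    try (FileInputStream fis = new FileInputStream(pathName)) {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return cf.generateCertificate(fis);
    }
}
```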
The following example imports an Azure TLS/SSL certificate in PKCS12 format with the BouncyCastle provider. The resulting keystore is written to the working directory as MyTrustStore_PKCS12:

```java
saveGenericKeyStore("BCFIPS", "PKCS12", "SQLAzure SSL Certificate Name", "SQLAzure.cer");
```
For some FIPS Providers, unrestricted Policy jars are needed. In such cases, for Sun / Oracle, download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for JRE 8 or JRE 7.
To run the JDBC Driver in FIPS-compliant mode, configure the connection properties as shown in the following table.
Property | Type | Default | Description | Notes |
---|---|---|---|---|
encrypt | String ["true / false / strict"] | "true" | For a FIPS-enabled JVM, the encrypt property should be true. | The default changed from false to true in version 10.2. In version 11.2.0, the type changed from boolean to String and the strict option was added to allow for TDS 8.0 support. |
TrustServerCertificate | boolean ["true / false"] | "false" | For FIPS, the user needs to validate the certificate chain, so the user should use the "false" value for this property. | |
trustStore | String | null | The path of the Java KeyStore file where you imported your certificate. If you install the certificate on your system, there is no need to pass anything; the driver uses the cacerts or jssecacerts files. | |
trustStorePassword | String | null | The password used to check the integrity of the trustStore data. | |
fips | boolean ["true / false"] | "false" | For a FIPS-enabled JVM, this property should be true. | Added in 6.1.4 (Stable release 6.2.2) |
fipsProvider | String | null | FIPS provider configured in the JVM. For example, BCFIPS or SunPKCS11-NSS. | Added in 6.1.2 (Stable release 6.2.2), deprecated in 6.4.0 - see the details Here. |
trustStoreType | String | JKS | For FIPS mode, set the trust store type to either PKCS12 or the type defined by the FIPS provider. | Added in 6.1.2 (Stable release 6.2.2) |
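The table's requirements can be checked before a connection is attempted. The following is an added example, not code from the driver or from Microsoft: the class and method names are hypothetical, the URLs are constructed samples, and the parser is simplified (it does not handle values escaped with braces).

```java
import java.util.*;

public class FipsUrlAudit {
    // Splits "jdbc:sqlserver://host:port;key=value;..." into lower-cased keys.
    // Simplified: values escaped with braces are not handled.
    static Map<String, String> parse(String url) {
        Map<String, String> props = new HashMap<>();
        String[] parts = url.split(";");
        for (int i = 1; i < parts.length; i++) { // parts[0] is the server portion
            int eq = parts[i].indexOf('=');
            if (eq > 0) {
                props.put(parts[i].substring(0, eq).trim().toLowerCase(Locale.ROOT),
                        parts[i].substring(eq + 1).trim());
            }
        }
        return props;
    }

    // Returns one finding per property that departs from the FIPS table.
    static List<String> audit(String url) {
        Map<String, String> p = parse(url);
        List<String> findings = new ArrayList<>();
        if (!"true".equalsIgnoreCase(p.get("fips")))
            findings.add("fips: must be true (default is false)");
        String encrypt = p.get("encrypt");
        if (encrypt == null)
            findings.add("encrypt: set explicitly; the default is true only from version 10.2");
        else if ("false".equalsIgnoreCase(encrypt))
            findings.add("encrypt: must not be false");
        if ("true".equalsIgnoreCase(p.get("trustservercertificate")))
            findings.add("trustServerCertificate: must be false so the chain is validated");
        String type = p.getOrDefault("truststoretype", "JKS");
        if ("JKS".equalsIgnoreCase(type))
            findings.add("trustStoreType: use PKCS12 or the FIPS provider's type, not JKS");
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample URLs; host, database and paths are placeholders.
        String weak = "jdbc:sqlserver://db.example.test:1433;databaseName=app;"
                + "encrypt=false;trustServerCertificate=true";
        String ok = "jdbc:sqlserver://db.example.test:1433;databaseName=app;"
                + "encrypt=true;trustServerCertificate=false;fips=true;"
                + "trustStore=./MyTrustStore_PKCS12;trustStoreType=PKCS12";
        System.out.println("weak: " + audit(weak));
        System.out.println("ok:   " + audit(ok));
    }
}
```

The sample URLs leave out trustStorePassword on purpose; supply it at run time rather than embedding it in a connection string that may be logged.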