MSSQL

The MSSQL service connector processes connection requests to a MSSQL database.

Configure the service connector

Configure the Secretless Broker to specify where to find your database connection details in the credentials section of the yaml file. This includes defining the host, port, username, and password of your database. You may optionally configure your encryption settings, including paths to relevant certificate information.

The options are as follows:

Option

Description

Required

username

Database username under SQL Server authentication mode.

Required

password

Database password under SQL Server authentication mode.

Required

host

The network address of the target MSSQL Server.

Required

port

The port on which the target MSSQL Server is listening.

Optional

(Default is 1433)

sslmode

Specifies if the connection between Secretless Broker and your database is protected by SSL.

For details, see SSL modes.

Optional

(Default is require)

sslrootcert

Specifies the SSL certificate authority (CA) certificate(s) in PEM format. If defined and using the SSL modes verify-caor verify-full, the server’s certificate is verified to be signed by one of these authorities.

Optional

sslhost

The server host name.

If not specified, the host value in the configuration is used.

If the SSL mode is set to verify-full, Secretless validates the identity defined in the certificate against this value.

Optional

Secretless supports the following SSL modes:

Mode Description

disable

Secretless does not expect a secure connection.

If the server requires a secure connection, the connection request fails.

require

Secretless expects s a secure connection, but does expect to verify anything about the server.

The connection fails if the server does not support an encrypted connection.

verify-ca

Like require, Secretless expects a secure connection. In addition, Secretless verifies the server Certificate Authority (CA) certificate against the configured CA certificates (provided in the Secretless credentials configuration viasslrootcert).

The connection fails if no valid matching CA certificates are found.

verify-full

Like verify-ca, Secretless expects s a secure connection and verifies CA certificates the server CA against the configured CA certificates (provided in the Secretless configuration via sslrootcert). In addition, the verify-full SSL mode option helps prevent man-in-the-middle attacks by performing a host name identity verification. Secretless checks the host name the client uses for connecting to the server against the identity provided in the certificate the server sends to the client. The connection fails if the host name does not match the certificate Common Name.

Secretless uses the value of the host parameter in the Secretless configuration to perform the host name identity verification. If desired, you can override this value for the purpose of the certificate check by providing a value for the sslhost configuration parameter.

Examples

  
 	
version: 2
services:
  mssql:
    connector: mssql
    listenOn: tcp://0.0.0.0:2223
    credentials:
      username:
        from: conjur
        get: path/to/production/creds/username
      password:
        from: conjur
        get: path/to/production/creds/password
      host:
        from: conjur
        get: path/to/production/creds/host
      port:
        from: conjur
        get: path/to/production/creds/port
  
version: 2
services:
  mssql:
    connector: mssql
    listenOn: tcp://0.0.0.0:2223
    credentials:
      username:
        from: conjur
        get: path/to/production/creds/username
      password:
        from: conjur
        get: path/to/production/creds/password
      host:
        from: conjur
        get: path/to/production/creds/host
      port:
        from: conjur
        get: path/to/production/creds/port
      sslmode: verify-full
      sslhost: my-expected.example-host.com
      sslrootcert:
        from: conjur
        get: path/to/production/creds/ca-cert

Supported client parameters

The Secretless MSSQL connector supports a subset of the parameters that your client allows you to include in the SQL Server connection string. We support the following:

Description

JDBC Example

The name of the database to connect to. If not stated, a connection is made to the default database.

database or databaseName

The workstation name (default is the host name reported by the kernel). Used to identify the specific workstation in multiple SQL Server profiling and logging tools.

Workstation ID

The application name, which is used to identify the specific application in multiple SQL Server profiling and logging tools.

applicationName

The application workload type or application intent, which can be used to initiate a read-only connection to an Availability Group listener. The database must be specified when connecting with the application intent set toReadOnly.

applicationIntent

 

This parameter can be set ReadOnly or ReadWrite.

It defaults to ReadWrite.

Known limitations

  • Only SQL Server Authentication mode is supported.

  • The MSSQL connector only supports servers that use the TCP/IP network protocol.

  • Limitations inherited from the go-mssqldb client lib.

See also

Troubleshoot Secretless Service Connectors