The MSSQL service connector processes connection requests to an MSSQL database.

Configure the service connector

Configure the Secretless Broker to specify where to find your database connection details in the credentials section of the YAML file. This includes defining the host, port, username, and password of your database. You may optionally configure your encryption settings, including paths to relevant certificate information.

The options are as follows:





Database username under SQL Server authentication mode.



Database password under SQL Server authentication mode.



The network address of the target MSSQL Server.



The port on which the target MSSQL Server is listening.


(Default is 1433)


Specifies if the connection between Secretless Broker and your database is protected by SSL.

For details, see SSL modes.


(Default is require)


Specifies the SSL certificate authority (CA) certificate(s) in PEM format. If defined and using the SSL modes verify-ca or verify-full, the server’s certificate is verified to be signed by one of these authorities.



The server host name.

If not specified, the host value in the configuration is used.

If the SSL mode is set to verify-full, Secretless validates the identity defined in the certificate against this value.


Secretless supports the following SSL modes:

Mode Description


Secretless does not expect a secure connection.

If the server requires a secure connection, the connection request fails.


Secretless expects a secure connection, but does not expect to verify anything about the server.

The connection fails if the server does not support an encrypted connection.


Like require, Secretless expects a secure connection. In addition, Secretless verifies the server Certificate Authority (CA) certificate against the configured CA certificates (provided in the Secretless credentials configuration via sslrootcert).

The connection fails if no valid matching CA certificates are found.


Like verify-ca, Secretless expects a secure connection and verifies the server CA certificate against the configured CA certificates (provided in the Secretless configuration via sslrootcert). In addition, the verify-full SSL mode option helps prevent man-in-the-middle attacks by performing a host name identity verification. Secretless checks the host name the client uses for connecting to the server against the identity provided in the certificate the server sends to the client. The connection fails if the host name does not match the certificate Common Name.

Secretless uses the value of the host parameter in the Secretless configuration to perform the host name identity verification. If desired, you can override this value for the purpose of the certificate check by providing a value for the sslhost configuration parameter.
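The difference between require, verify-ca and verify-full can be seen in a short Go sketch. This is an added example, not code from Secretless Broker or go-mssqldb; `checkServerCert`, `constructedCert`, `must` and the host names are hypothetical, and the certificate is generated in memory as sample data.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// checkServerCert applies one SSL mode; roots plays sslrootcert, host plays sslhost (or host).
func checkServerCert(mode string, leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	opts := x509.VerifyOptions{Roots: roots}
	switch mode {
	case "require": // encrypted, but nothing about the server is verified
		return nil
	case "verify-ca": // certificate must chain to a configured CA
	case "verify-full": // CA check plus host name check (Go's x509 matches SAN entries)
		opts.DNSName = host
	default:
		return fmt.Errorf("unsupported SSL mode %q", mode)
	}
	_, err := leaf.Verify(opts)
	return err
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// constructedCert returns a self-signed sample certificate for dnsName.
func constructedCert(dnsName string) *x509.Certificate {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

func main() {
	cert, roots := constructedCert("db.example.internal"), x509.NewCertPool()
	roots.AddCert(cert) // trust the sample certificate as the configured CA
	fmt.Println(checkServerCert("verify-full", cert, roots, "other.example.internal"))
}
```

With the same trusted certificate and a mismatched host name, verify-ca accepts the server and only verify-full rejects it, which is why verify-full is the mode that addresses man-in-the-middle attacks.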


Supported client parameters

The Secretless MSSQL connector supports a subset of the parameters that your client allows you to include in the SQL Server connection string. We support the following:


JDBC Example

The name of the database to connect to. If not stated, a connection is made to the default database.

database or databaseName

The workstation name (default is the host name reported by the kernel). Used to identify the specific workstation in multiple SQL Server profiling and logging tools.

Workstation ID

The application name, which is used to identify the specific application in multiple SQL Server profiling and logging tools.


The application workload type or application intent, which can be used to initiate a read-only connection to an Availability Group listener. The database must be specified when connecting with the application intent set to ReadOnly.



This parameter can be set to ReadOnly or ReadWrite.

It defaults to ReadWrite.

Known limitations

  • Only SQL Server Authentication mode is supported.

  • The MSSQL connector only supports servers that use the TCP/IP network protocol.

  • Limitations inherited from the go-mssqldb client library.

See also

Troubleshoot Secretless Service Connectors