Introduction
MSSQL is one of the supported plugins for the database secrets engine in Vault, which generates database credentials dynamically based on configured roles for the MSSQL database. This article discusses setting up an MSSQL secret engine using a TLS-encrypted connection. Here is an example snippet of an error during the configuration of the MSSQL database connection due to TLS requirements:
* error creating database object: error verifying connection: TLS Handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority
Overview of Solution
Port 1433 is a TLS-enabled port, so there is no explicit need to define SSL parameters in "connection_url". That said, if encryption has to be enforced from the Vault side (for example, because of port customization or enforcement at the database level), certificate parameters can be set explicitly when sending the configuration API request.
- Enforce TLS encryption while configuring:
vault write database/config/my-mssql-database plugin_name=mssql-database-plugin allowed_roles="*" connection_url='server=database-1.clqvqtzonfuc.us-west-2.rds.amazonaws.com;port=1433;user id=****;password=****;database=vaultdb;encrypt=true'
If the Vault server does not trust the certificate presented by the MSSQL server, it may still throw the error above. This can be worked around by adding another parameter to the "connection_url" (trustServerCertificate=true). Below is an example snippet:
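The following script is an added example and not part of the original article or of Vault; it inspects the TLS-relevant keys of a "connection_url" (the encrypt=true parameter from the command above and the trustServerCertificate=true workaround) before the string is handed to vault write. The host, user and password values are constructed placeholders. The classification matters because trustServerCertificate=true keeps the channel encrypted but stops the driver from validating the server certificate against a CA; placing the database CA in the Vault host's trust store is the preferable way to clear the "certificate signed by unknown authority" error.

```shell
#!/usr/bin/env sh
# Added example, not from the original article or from Vault itself.
# Inspects the TLS-relevant keys of an MSSQL connection_url before it is
# passed to `vault write database/config/<name> connection_url=...`.
# The string format is the "key=value;key=value" list used in the article;
# keys are matched case-insensitively.
#
# Return codes of tls_posture:
#   0  encrypt=true and the server certificate is verified (preferred)
#   1  encrypt=true but trustServerCertificate=true: the channel is
#      encrypted, yet the server certificate is not checked against a CA
#   2  encryption is not requested from the Vault side

# conn_key "<connection_url>" "<key>": print the value for <key>, or nothing.
conn_key() {
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    # A trailing newline is added so the last "key=value" pair is read too.
    printf '%s\n' "$1" | tr ';' '\n' | while IFS='=' read -r k v; do
        # read splits only on the first '=', so values may contain '='.
        k=$(printf '%s' "$k" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
            | tr '[:upper:]' '[:lower:]')
        if [ "$k" = "$want" ]; then
            printf '%s' "$v"
        fi
    done
}

# tls_posture "<connection_url>": classify the TLS settings (codes above).
tls_posture() {
    enc=$(conn_key "$1" encrypt | tr '[:upper:]' '[:lower:]')
    trust=$(conn_key "$1" trustServerCertificate | tr '[:upper:]' '[:lower:]')
    [ "$enc" = "true" ] || return 2
    [ "$trust" = "true" ] && return 1
    return 0
}

# Constructed sample strings: placeholder host and credentials, not real ones.
SAMPLE_VERIFIED='server=mssql.example.internal;port=1433;user id=vault;password=REPLACE_ME;database=vaultdb;encrypt=true'
SAMPLE_UNVERIFIED="${SAMPLE_VERIFIED};trustServerCertificate=true"
SAMPLE_PLAIN='server=mssql.example.internal;port=1433;user id=vault;password=REPLACE_ME;database=vaultdb'

# describe "<connection_url>": print a one-line verdict for operators.
describe() {
    rc=0
    tls_posture "$1" || rc=$?
    case $rc in
        0) echo "OK: TLS enforced, server certificate verified" ;;
        1) echo "WARN: TLS enforced, but trustServerCertificate=true skips CA verification" ;;
        2) echo "WARN: encrypt=true not set; TLS is left to the server and port defaults" ;;
    esac
}

describe "$SAMPLE_VERIFIED"
describe "$SAMPLE_UNVERIFIED"
describe "$SAMPLE_PLAIN"
```

Run it before each vault write and treat return code 1 as something to remove once the server CA is trusted by the Vault host; the check is a string inspection only and does not contact the database.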
Additional notes:
- SQL Server on Windows ships with support for TLS 1.0 through TLS 1.2. You have to disable TLS 1.0 and 1.1 if you want to use only TLS 1.2 for client-server communication. This matters when tls_min_version is specified in the TCP listener stanza of the Vault configuration.
- If the Vault cluster is running in TLS-enabled mode (which is strongly suggested for production usage), you also need to add the Vault server CA to the Windows trust store, if it is not already present there. Here is a link to one of the community guides for managing trusted root certificates on Windows.
Reference