Creating a certificate for an MS SQL database when NIST SP800-131A is enabled

When you enable NIST SP800-131A compliance and you are using an MS SQL database, you must create a certificate for the database server. SQL Server uses the certificate to encrypt its client connections, which the procedure enforces by setting Force Encryption.

About this task

To generate the certificate, you can use the IBM® Key Management tool (ikeyman). The tool is available if the Remote Control server is installed with embedded components, or if the controller component is installed. It is also provided by IBM® WebSphere® Application Server.
Note: To create a certificate with a key size of 4096 bits or greater, you must replace the restricted policy files local_policy.jar and US_export_policy.jar with the unrestricted versions. A 2048-bit key, which satisfies NIST SP800-131A, does not require this change.

Go to the following directory and copy the unrestricted local_policy.jar and US_export_policy.jar files.

Windows systems
TRC\server\java\demo\jce\policy-files\unrestricted
Linux systems
TRC/server/java/demo/jce/policy-files/unrestricted

Replace the following files with the JAR files that you copied. Keep a copy of the original restricted files so that you can restore them if required.

Windows systems
TRC\server\java\jre\lib\security\local_policy.jar

TRC\server\java\jre\lib\security\US_export_policy.jar

Linux systems
TRC/server/java/jre/lib/security/local_policy.jar

TRC/server/java/jre/lib/security/US_export_policy.jar

To create and install the certificate, complete the following steps:

Procedure

  1. Install one of the supported versions of MS SQL Server and the latest patches. The minimum requirement is MS SQL Server 2012 Service Pack 3.
  2. Create a keystore with a self-signed certificate.
    1. Open a command line window.
    2. Go to one of the following directories to run the IBM Key Management tool.
      Remote control server that is installed with embedded components
      Go to the Remote Control server installation directory.
      WebSphere® Application Server is installed
      Go to the WebSphere® Application Server installation directory.
      The controller component is installed
      Go to the ...\Controller\jre directory. For example,
      Windows systems.
      C:\Program Files\BigFix\Remote Control\Controller\jre
      Linux systems.
      /opt/bigfix/trc/controller/jre
    3. Change to the bin directory.
    4. Run the ikeyman file relevant to your operating system.
      Windows systems
      ikeyman.bat
      Linux systems
      ikeyman.sh
    5. Select Key Database File > New.
    6. Select PKCS12 for Key database type.
    7. Click Browse and go to the location in which you want to store the keystore.
    8. Type a file name for your file and click Save.
    9. Click OK.
    10. Enter and confirm a password to protect the keystore and click OK.
    11. Select Create > New Self-Signed Certificate.
    12. Enter a name for the Key Label.
      For example, the host name of the server.
    13. Select X509 V3 for the Version.
    14. Select a Key Size value.
      Select 2048 or greater. NIST SP800-131A does not permit RSA keys shorter than 2048 bits, and 2048 is the largest size that works without the unrestricted policy files described above.
    15. Select SHA256WithRSA for the Signature Algorithm. SHA-1 signatures are not acceptable under NIST SP800-131A.
    16. Type a Common Name.
      Set to the DNS host name of your server.
      For example, trcserver.example.com.
    17. Enter any additional optional information as required.
    18. Enter a Validity Period.
      Set the number of days that the certificate is valid for. Default is 365 days.
    19. Set the Subject Alternative Names, DNS Name option to the DNS host name of your server.
    20. Click OK.
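The same keystore can be produced from the command line with the keytool that ships in the same jre\bin directory as ikeyman, which is easier to repeat and to review than the GUI steps above. The following is an added example, not part of the product documentation or the product's own scripts; the JRE path, host name and output location are assumptions, and it assumes the bundled keytool accepts the -ext option (Java 7 and later). It generates the certificate with the same parameters as steps 2.11 to 2.20 (2048-bit RSA, SHA256withRSA, X.509 v3, 365 days, CN and Subject Alternative Name set to the DNS host name) and then checks the result before the file is copied to the database server.

```powershell
# Added example: command-line equivalent of steps 2.5 to 2.20 using keytool.
# Run on the machine that has the Remote Control JRE. All values below are
# assumptions for illustration; adjust them for your installation.
$JreBin   = 'C:\Program Files\BigFix\Remote Control\Controller\jre\bin'   # assumed JRE path
$HostName = 'trcserver.example.com'                                        # assumed DNS host name
$Keystore = Join-Path $env:TEMP 'trcserver.p12'                            # assumed output file
$KeySize  = 2048   # 4096 or greater needs the unrestricted policy files (see the Note above)

# Read the keystore password once, without echoing it, and unwrap it for keytool.
# keytool takes the password as an argument, so it is briefly visible in the
# process list on this machine; run this on a trusted administrative workstation.
$Secure = Read-Host -Prompt 'Keystore password' -AsSecureString
$Pw     = (New-Object System.Net.NetworkCredential('', $Secure)).Password

# PKCS12 store with one self-signed X.509 v3 certificate: RSA key pair,
# SHA256withRSA signature, CN and SAN both set to the DNS host name.
& "$JreBin\keytool.exe" -genkeypair `
    -alias $HostName `
    -keyalg RSA -keysize $KeySize -sigalg SHA256withRSA `
    -validity 365 `
    -dname "CN=$HostName" `
    -ext "san=dns:$HostName" `
    -storetype PKCS12 -keystore $Keystore -storepass $Pw -keypass $Pw
if ($LASTEXITCODE -ne 0) { throw "keytool -genkeypair failed with exit code $LASTEXITCODE" }

# Check the generated certificate before it leaves this machine. The strings
# below are what keytool -list -v prints for the signature algorithm and the
# SAN entry; if either is missing the store is not SP800-131A compliant.
$Listing = & "$JreBin\keytool.exe" -list -v -storetype PKCS12 -keystore $Keystore -storepass $Pw
foreach ($Expected in 'Signature algorithm name: SHA256withRSA', "DNSName: $HostName") {
    if (-not ($Listing | Select-String -SimpleMatch $Expected)) {
        throw "Certificate check failed: '$Expected' not found in keytool -list -v output"
    }
}
Write-Host "Keystore written to $Keystore; copy it to the SQL Server host for step 3."
```

The same keytool arguments work from a Linux shell against TRC/server/java/jre/bin/keytool for a server installed with embedded components; only the path syntax differs.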
  3. Add the certificate store to the database server.
    1. At a command line, run mmc.exe.
    2. Add a certificate snap-in.
      1. Select File > Add/Remove Snap-in.
      2. Select the Certificates snap-in and click Add.
      3. Select Computer account and click Next.
      4. Ensure that the Local computer option is selected and click Finish.
      5. Click OK.
    3. Import the certificate
      1. In the Console1 window, go to Console Root > Certificates (Local Computer) > Personal.
      2. Right-click Certificates and select All Tasks > Import.
      3. Click Next on the Welcome window.
      4. Click Browse and select the certificate store that you created.
      5. Click Next.
      6. Enter the password for the certificate store and click Next.
      7. Ensure that Place all certificates in the following store is selected and that Certificate Store is set to Personal. Click Next.
      8. Click Finish.
  4. Manage private keys.
    1. Right-click the certificate file and select All Tasks > Manage Private Keys.
    2. Click Add.
    3. Type MSSQLSERVER, click Check Names, select the resolved SQL Server service account (NT SERVICE\MSSQLSERVER for a default instance) and click OK.
    4. Click OK on the Select Users and Groups window.
    5. On the Permissions window, grant the SQL Server service account Read permission only (select Allow for Read, not Full control) and click OK. SQL Server needs only to read the private key, and no other account requires access to it.
  5. To complete the configuration, run the SQL Server Configuration Manager.
    1. Expand SQL Server Network Configuration.
    2. Right click Protocols for MSSQLSERVER and select Properties.
    3. On the Certificate tab, select your imported certificate. Only certificates in the Local Computer Personal store whose Common Name or Subject Alternative Name matches the server are listed.
    4. On the Flags tab set Force Encryption to Yes and click OK.
    5. Click OK on the Warning window.
    6. Select SQL Server Services.
    7. In the right pane, right-click SQL Server (MSSQLSERVER) and select Restart. The new certificate and the Force Encryption setting take effect only after the restart.
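Steps 3 to 5 can also be carried out from an elevated PowerShell session on the SQL Server host, which makes the configuration repeatable and leaves a record of exactly which certificate and permissions were set. The following is an added example and not part of the product documentation or of Microsoft's tooling; the keystore path, instance name and service account are assumptions for a default instance, and the private-key permission step assumes .NET Framework 4.6 or later (for RSACng and GetRSAPrivateKey). It imports the PKCS12 file into the Local Computer Personal store, grants the service account Read on the private key file, writes the two registry values that SQL Server Configuration Manager sets on the Certificate and Flags tabs, and restarts the service.

```powershell
# Added example: steps 3 to 5 without the MMC and Configuration Manager GUIs.
# Run as an administrator on the SQL Server host. Values below are assumptions.
$PfxPath      = 'C:\Temp\trcserver.p12'     # keystore created in step 2 (assumed path)
$InstanceName = 'MSSQLSERVER'               # default instance; a named instance uses its own name
$ServiceName  = 'MSSQLSERVER'               # service name; a named instance is 'MSSQL$<name>'
$SqlAccount   = 'NT SERVICE\MSSQLSERVER'    # what Check Names resolves MSSQLSERVER to (assumed)
$PfxPassword  = Read-Host -Prompt 'Keystore password' -AsSecureString

# Step 3: import into Local Computer > Personal (Cert:\LocalMachine\My).
$Cert = Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword
if (-not $Cert.HasPrivateKey) { throw 'Imported certificate has no private key' }
if ($Cert.SignatureAlgorithm.FriendlyName -ne 'sha256RSA') {
    throw "Unexpected signature algorithm $($Cert.SignatureAlgorithm.FriendlyName); SP800-131A requires SHA-256"
}

# Step 4: Read permission on the private key file for the service account only.
# The file location depends on whether the key was stored by CNG or by legacy CAPI.
$Rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
if ($Rsa -is [System.Security.Cryptography.RSACng]) {
    $KeyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $Rsa.Key.UniqueName
} else {
    $KeyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
                         $Rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$Acl  = Get-Acl -Path $KeyFile
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule($SqlAccount, 'Read', 'Allow')
$Acl.AddAccessRule($Rule)
Set-Acl -Path $KeyFile -AclObject $Acl

# Step 5: the Certificate tab writes the thumbprint (lowercase, no spaces) and the
# Flags tab writes ForceEncryption=1 under the instance's SuperSocketNetLib key.
$InstanceId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL').$InstanceName
$NetLib     = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$InstanceId\MSSQLServer\SuperSocketNetLib"
Set-ItemProperty -Path $NetLib -Name 'Certificate'     -Value $Cert.Thumbprint.ToLower()
Set-ItemProperty -Path $NetLib -Name 'ForceEncryption' -Value 1 -Type DWord

# Restart so that SQL Server loads the certificate and starts forcing encryption.
Restart-Service -Name $ServiceName -Force
Write-Host "Certificate $($Cert.Thumbprint) bound to instance $InstanceName; Force Encryption enabled."
```

After the restart, confirm in the SQL Server ERRORLOG that the certificate with the expected hash was successfully loaded for encryption; if SQL Server cannot read the private key or the thumbprint does not match, the service logs an error and either falls back to a self-generated certificate or fails to start. From a client, SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID returns TRUE when the connection is encrypted.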