Viewing MSSQL Certificates and Kerberos Keys

Certificates are obtained automatically from the MSSQL server when a SecureSphere Agent is installed on the database server, eliminating the need to install a certificate manually. The agent forwards certificate information to the SecureSphere Gateway, which uses it to decrypt MSSQL client/server data. The Gateway shares the MSSQL certificate information with the SecureSphere MX, where installed certificates can be viewed. When the SecureSphere Agent retrieves the MSSQL certificates, it retrieves Kerberos keys and transmits them to the MX (via the SecureSphere Gateway).

Certificate information is updated periodically based on the configuration of the agent’s discovery mechanism, defined on the agent Settings tab. By default, certificates are checked every two minutes. If discovery is disabled, client certificates still are checked unless a disable code is entered into the Advanced Configuration section in the Settings tab. For more information, see General Settings - Advanced Configuration Section.

For information on configuring Kerberos key support, see Configuring Kerberos Support.

Kerberos keys detected by agents are displayed in the Kerberos Keys table, listed as last updated by agent. For more information, see Managing Kerberos Keys.

To prevent agents from automatically discovering Kerberos keys, see (DAM only) Disabling the Automatic Discovery of Kerberos Keys by Agents.

Kerberos keys detected by agents are associated automatically with specific services. For more information, see (Recommended) Associating a Service with Kerberos Keys.

To view discovered Kerberos keys and MSSQL certificates in SecureSphere:

1. In the Main workspace, select Setup > Agents.
2. In the Views pane, select Workbench, and in the Details pane, select an agent. Extended details about the agent are displayed in the bottom pane.
3. In the extended details pane, select Encryption Support. The Discovered Kerberos Keys and Discovered Certificates tables are displayed.

   Note: The Encryption Support tab appears only when Kerberos keys or MSSQL certificates have been discovered.

The Discovered Kerberos Keys table includes:

• Account Name: Name of the account for which the discovered Kerberos keys are defined.
• Last Updated: The most recent date and time that the Kerberos keys were updated.
• IPs: Lists the IPs that use the account’s Kerberos keys.
• The Discovered Certificates table includes:
• Server Name: Name of the server on which the certificate is installed.
• Database Instance: When the server type is Default, lists the name of the database instance where the certificate is discovered. When there are multiple database instances, lists each database instance in a separate row.
• Type: Lists the type of certificate. Possible values include:
• Installed: The certificate was manually installed on the database server.
• Default: The certificate was generated by the MSSQL server upon startup (MSSQL 2005 and newer).
• Non Exportable: The certificate was manually installed and was configured so it cannot be exported. Non exportable certificates do not allow SecureSphere to decrypt traffic. Knowing that a certificate is not exportable may assist in troubleshooting.
• Valid Through: Lists the expiration date of the certificate as defined by the certificate originator. Only available with manually installed certificates.
• Last Updated: The most recent date and time that the certificate was updated.