Database Activity Monitoring User Guide


      Viewing MSSQL Certificates and Kerberos Keys


      Certificates are obtained automatically from the MSSQL server when a SecureSphere Agent is installed on the database server, eliminating the need to install a certificate manually. The agent forwards certificate information to the SecureSphere Gateway, which uses it to decrypt MSSQL client/server data. The Gateway shares the MSSQL certificate information with the SecureSphere MX, where installed certificates can be viewed. When the SecureSphere Agent retrieves the MSSQL certificates, it retrieves Kerberos keys and transmits them to the MX (via the SecureSphere Gateway).

      Note: In MSSQL 2000, there is no default configuration for encryption and all traffic flows unencrypted unless otherwise configured. In MSSQL 2005 and later, the login is encrypted by default, and if there are no installed certificates, MSSQL uses a self-generated certificate. If the login is encrypted and no key is available, user names are displayed as Hashed Users in audit data. If all traffic is encrypted and no key is available, no audit data is available.
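The three outcomes in the note (unencrypted, login-only encryption, full encryption) correspond to the ENCRYPTION value the MSSQL server returns in its TDS PRELOGIN response. As an added example that is not part of this guide or of SecureSphere, the Python below decodes that option from a PRELOGIN packet and maps it onto the audit visibility to expect when no certificate or key is available; the visibility strings paraphrase the note, and the sample packets are constructed (the version bytes are made up).

```python
import struct

TDS_PRELOGIN = 0x12           # client PRELOGIN packet type
TDS_TABULAR_RESULT = 0x04     # the server's PRELOGIN response is sent with this type
OPT_VERSION, OPT_ENCRYPTION, OPT_TERMINATOR = 0x00, 0x01, 0xFF
ENCRYPT_OFF, ENCRYPT_ON, ENCRYPT_NOT_SUP, ENCRYPT_REQ = 0x00, 0x01, 0x02, 0x03  # MS-TDS values

# What audit data survives without the server's certificate/key, per the note above.
VISIBILITY = {
    ENCRYPT_NOT_SUP: ("unencrypted", "full audit data"),
    ENCRYPT_OFF: ("login packet encrypted only", "user names shown as Hashed Users"),
    ENCRYPT_ON: ("all traffic encrypted", "no audit data"),
    ENCRYPT_REQ: ("all traffic encrypted", "no audit data"),
}

def prelogin_encryption(packet: bytes) -> int:
    """Return the ENCRYPTION option value carried in a TDS PRELOGIN packet."""
    ptype, _status, length = struct.unpack_from(">BBH", packet, 0)
    if ptype not in (TDS_PRELOGIN, TDS_TABULAR_RESULT) or length != len(packet):
        raise ValueError("not a well-formed PRELOGIN packet")
    payload = packet[8:]              # option table follows the 8-byte packet header
    pos = 0
    while payload[pos] != OPT_TERMINATOR:
        token, offset, size = struct.unpack_from(">BHH", payload, pos)
        if token == OPT_ENCRYPTION and size == 1:
            return payload[offset]    # option offsets are relative to payload start
        pos += 5
    raise ValueError("PRELOGIN carries no ENCRYPTION option")

def audit_visibility(server_response: bytes) -> tuple:
    """Map the server's negotiated ENCRYPTION value to (mode, visibility without key)."""
    flag = prelogin_encryption(server_response)
    if flag not in VISIBILITY:
        raise ValueError(f"unknown ENCRYPTION value {flag:#x}")
    return VISIBILITY[flag]

def build_prelogin_response(encryption_flag: int) -> bytes:
    """Construct a minimal server PRELOGIN response (VERSION + ENCRYPTION options) for testing."""
    table = (struct.pack(">BHH", OPT_VERSION, 11, 6)
             + struct.pack(">BHH", OPT_ENCRYPTION, 17, 1)
             + bytes([OPT_TERMINATOR]))                       # 11 bytes of option table
    payload = table + bytes([15, 0, 0x0B, 0xB8, 0, 0]) + bytes([encryption_flag])
    header = struct.pack(">BBHHBB", TDS_TABULAR_RESULT, 0x01, 8 + len(payload), 0, 1, 0)
    return header + payload

if __name__ == "__main__":
    for flag in (ENCRYPT_NOT_SUP, ENCRYPT_OFF, ENCRYPT_REQ):
        mode, visibility = audit_visibility(build_prelogin_response(flag))
        print(f"{mode:30s} -> {visibility}")
```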

      Certificate information is updated periodically based on the configuration of the agent's discovery mechanism, defined on the agent Settings tab. By default, certificates are checked every two minutes. If discovery is disabled, client certificates are still checked unless a disable code is entered in the Advanced Configuration section of the Settings tab. For more information, see General Settings - Advanced Configuration Section.

      For information on configuring Kerberos key support, see Configuring Kerberos Support.

      Kerberos keys detected by agents are displayed in the Kerberos Keys table, listed as last updated by agent. For more information, see Managing Kerberos Keys.

      To prevent agents from automatically discovering Kerberos keys, see (DAM only) Disabling the Automatic Discovery of Kerberos Keys by Agents.

      Kerberos keys detected by agents are associated automatically with specific services. For more information, see (Recommended) Associating a Service with Kerberos Keys.

      To view discovered Kerberos keys and MSSQL certificates in SecureSphere:

      1. In the Main workspace, select Setup > Agents.
      2. In the Views pane, select Workbench, and in the Details pane, select an agent. Extended details about the agent are displayed in the bottom pane.
      3. In the extended details pane, select Encryption Support. The Discovered Kerberos Keys and Discovered Certificates tables are displayed.

        Note: The Encryption Support tab appears only when Kerberos keys or MSSQL certificates have been discovered.

      The Discovered Kerberos Keys table includes:

      • Account Name: Name of the account for which the discovered Kerberos keys are defined.
      • Last Updated: The most recent date and time that the Kerberos keys were updated.
      • IPs: Lists the IPs that use the account’s Kerberos keys.
      The Discovered Certificates table includes:

      • Server Name: Name of the server on which the certificate is installed.
      • Database Instance: When the server type is Default, lists the name of the database instance where the certificate is discovered. When there are multiple database instances, lists each database instance in a separate row.
      • Type: Lists the type of certificate. Possible values include:
        • Installed: The certificate was manually installed on the database server.
        • Default: The certificate was generated by the MSSQL server upon startup (MSSQL 2005 and newer).
        • Non Exportable: The certificate was manually installed and was configured so it cannot be exported. Non-exportable certificates do not allow SecureSphere to decrypt traffic. Knowing that a certificate is not exportable may assist in troubleshooting.
      • Valid Through: Lists the expiration date of the certificate as defined by the certificate originator. Only available with manually installed certificates.
      • Last Updated: The most recent date and time that the certificate was updated.

      Note: When the MSSQL server is restarted, a new default MSSQL certificate is created and it may take up to two minutes for SecureSphere to receive the new certificate. To speed up the process of issuing a new certificate to the SecureSphere MX and Gateway, restart the SecureSphere Agent after restarting MSSQL.
