SQL Server "Force Encryption"

We are trying to set up Force Encryption in SQL Server 2012 Configuration Manager and are wondering whether a wildcard certificate works for this.
I am not sure if that is the issue, but the cert installed on the SQL Server is not showing up in the dropdown on the Certificate tab of Protocols for MSSQLSERVER Properties.

If the Force Encryption option for the Database Engine is set to YES, all communication between client and server is encrypted regardless of whether the “Encrypt connection” option is checked. Please check the links below for more details.
http://blogs.msdn.com/b/dataaccess/archive/2005/08/05/448401.aspx
http://support.microsoft.com/kb/316898
-- To check whether connections are encrypted between server and clients
USE master
GO
SELECT encrypt_option FROM sys.dm_exec_connections
GO
http://www.sqlservercentral.com/blogs/basits-sql-server-tips/2012/07/16/encrypting-connections-to-sql-server/
http://technet.microsoft.com/en-us/library/ms191192.aspx
http://social.msdn.microsoft.com/Forums/sqlserver/en-US/bde679d9-ff83-4fa7-b402-42e336a97106/force-encryption-on-sql-server-not-working?forum=sqlsecurity
Raju Rasagounder Sr MSSQL DBA

Similar Messages

  • Coldfusion - Microsoft SQL Server Traffic Encryption

    Hi,
    Has anyone tried/managed to encrypt traffic from ColdFusion to SQL Server?
    Please share if you don't mind
    Thanks

    I've not used the SSL features of JDBC but you might start in the documentation.
    With bundled CF drivers
    http://help.adobe.com/en_US/ColdFusion/9.0/Admin/WS70f0d54f063b9b08238ab6dc122b1a20785-800 0.html
    If you are using the Microsoft JDBC driver, not the one bundled with CF.
    http://msdn.microsoft.com/en-us/library/bb879935%28SQL.90%29.aspx
    You *may* need to import your SSL certificate so that it will be recognized
    http://go.adobe.com/kb/ts_kb400977_en-us

  • Sql Server 2012 Encrypted Connection Accept only Internal IP

    Hi Friends,
    As we are using SQL Server 2012, is it possible to configure SQL Server to accept connections only from the internal IP (local) network, as well as encrypted connections only? If possible, please let me know how we can achieve this.
    thank you.
    Regards,
    asad

    Hello,
    SQL Server TCP/IP protocol is a common protocol widely used over the Internet. It communicates across interconnected networks of computers that have diverse hardware architectures and various operating systems. Named Pipes is a protocol developed for local area networks. In this case, you can configure SQL Server to use only the Named Pipes protocol via SQL Server Configuration Manager.
    Choosing a Network Protocol:
    http://technet.microsoft.com/en-us/library/ms187892(v=sql.105).aspx
    Regards,
    Elvis Long
    TechNet Community Support

  • Use of PVKConverter with SQL Server 2012 SP2

    I am trying to convert a certificate that was exported from our database server to be used by SQL Server for database encryption.  When I run the PVKConverter, no Private Key File (PVK) is generated.
    The certificate has Server and Client Authentication as the purposes of the certificate. 
    What purpose or purposes does the certificate need in order to be able to be used by SQL Server 2012 SP2?
    Why doesn't the PVKConverter generate a private key file?
    I can use the command makecerts to generate a self signed certificate and have it work with SQL Server database encryption.
    Thanks.
    DJ

    Hi DJ,
    Based on my research, SQL Server supports the importing of existing security certificates, specified as a pair of files that are encoded in PVK/DER format. Below Transact-SQL script displays the basic key file format for SQL Server database encryption.
    CREATE CERTIFICATE <Certificate name>
    FROM FILE = '<PVK/DER format file>.cer'
    WITH PRIVATE KEY (FILE = '<PVK/DER format file>.pvk',
    DECRYPTION BY PASSWORD = '<Encryption password>');
    According to your description, PVKConverter doesn’t generate a private key file. PVKConverter is used to generate PVK/DER encoded security certificates from existing PFX encoded security certificates. Thus, please ensure that your certificate is encoded in PFX format and make sure you perform all the steps properly as described in the KB article.
    There is also a related blog for your reference.
    http://blogs.msdn.com/b/sql_pfe_blog/archive/2014/02/04/generating-a-trusted-tde-certificate-in-the-proper-format-from-a-certificate-authority.aspx
    Thanks,
    Lydia Zhang
    TechNet Community Support

  • Force encryption on SQL Server not working?

    Hello Everyone,
    I'm running SQL Server 2008 64-bit. I've installed a self-signed cert on the box and set  "Force Encryption"  and restarted SQL server. 
    I set up a client machine to trust the authority of the cert installed on the server. When I connect to that SQL server from SSMS from a client machine and select the "encrypt connection" option in the client Connection properties, SSMS correctly complains that the cert on the server does not match the computer name I asked to log into. This is because, although the cert is trusted, the DNS name does not match the CN in the cert <- Perfect, exactly what I am expecting.
    When I connect to the same SQL server from the same client but  UNCHECK "encrypt connection" on the client, I'm able to login. Considering I've checked the "Force Encryption" on the server, the server should have rejected the connection. Why not?
    Ameer Deen

    Hi all,
    We are implementing a Merge Synchronization solution which involves three SQL Servers located on three Azure locations worldwide and one on-premises location. We need to secure communications between all servers. We are evaluating the encryption of all server
    communications through SSL:
    http://technet.microsoft.com/en-us/library/ms191192.aspx
    When we configure one server (let’s call it server A) to accept only encrypted connections (with Force Encryption=Yes) we can still connect from another server (let’s call it server B) that does not have the certificate installed. We would expect server B to fail in its attempt to connect, as server A should only accept encrypted communications and those should need the certificate to encrypt/decrypt everything (commands and data).
    We have also reviewed the following forum post that is very similar to this one:
    http://social.msdn.microsoft.com/Forums/sqlserver/en-US/bde679d9-ff83-4fa7-b402-42e336a97106/force-encryption-on-sql-server-not-working
    In all cases the Microsoft answer is:
    “When the Force Encryption option for the Database Engine is set to YES, all communications between client and server is encrypted no matter whether the “Encrypt connection” option (such as from SSMS) is checked or not. You can check it using the following DMV statement”
    When we run the provided DMV statement to check if encryption is enabled:
    -- To check whether connections are encrypted between server and clients
    SELECT encrypt_option
    FROM sys.dm_exec_connections
    We get “TRUE”. So theoretically encryption is enabled.
    Then:
    Why can we run SQL statements against server A from server B (with SSMS) without any certificate?
    Are we wrong when we expect server A to refuse any client that does not have the right certificate?
    How can server B, without any certificate, decrypt the data encrypted by server A?
    Our intention is to encrypt all servers in the same way so all of them will accept only encrypted communications. We are assuming that the Merge Agent will be able to communicate with the Publisher and the Subscriber through this encrypted environment. Can anyone please confirm it?
    Thanks for your help.
    Best Regards
    Benjamin Moles

  • Encrypting communication between an app that uses an ODBC/DSN (with ADODB) and SQL Server 2008 R2

    I've been doing a lot of reading the last couple of days on how we can encrypt db communication between our product app and a customer's SQL Server db, but cannot make it work as expected. The app uses an ODBC/DSN to connect to the SQL Server db. I use this ODBC app to set up the DSN (on a Windows 7 PC):
    C:\Windows\SysWOW64\odbcad32.exe
    The DSN connection uses the SQL Server driver 6.01.7601.17514 and has these properties:
    - WinNT authentication.
    - Client Config button: TCP/IP to <server-name>\<instance.-name>
    - Change to default db: <name-of-app-db>
    - Everything else is default setting.
    SQL Server is on the same Windows 7 PC and has a self-signed cert installed (used IIS to generate it) and has Force Encryption set to "yes".
    I have a test C# program that uses the ADODB 2.7.0.0 COM-wrapper, made by Visual Studio after adding a reference to the ADO 2.7 library version 6.1.7601.17857. The program creates an ADODB.Connection object that has a simple connection string: "DSN=<san-name>;UID=<user>;PWD=<password>". The
    program then creates an ADODB.Recordset object and reads and displays a field from a table.
    Works fine.
    If I go into SQL Server and set Force Encryption to "no," clear the cert, restart the SQL service, and then re-run the program, it works fine.
    Here's the kick. If I go into the DSN and select "Use strong encryption for data" the Test button on the DSN works—why does it work? The SQL Server is no longer encrypting the connection so an error should occur. If I run the test program, it works
    as well—why? I can look at the connection properties in the test program and see that ADODB has added the ";Encrypt-yes" stuff to the end of the connection string. Yet that option seems to have no effect.
    If I set the SQL instance back to Force Encryption:yes, enable the cert, restart the SQL service, and clear the DSN's "Use strong encryption for data" option, I can still connect to the db with the
    test program—why?
    What am I doing wrong? I need to be able to ensure that the communication between our app product and the SQL instance is encrypted, and that we get an error if the SQL instance does not support encrypted communications. We really don't want the customer
    to have to enable Force Encryption because they have other db's on their SQL Server that do not use encrypted communication, but they want to know that our product's communication channel with the db is encrypted.
    No, I can't change the app product's code at this point in time. I'm stuck with working with what a DSN called from ADODB has to offer.
    Also, how can I be sure that communications are encrypted? I mean, I've tried things like "SELECT * FROM sys.dm_exec_connections" but that doesn't help because I have no idea how to tie the list of sessions shown back to my test program, although
    I guess it's a good thing that some of the sessions listed show encrypt_option as TRUE.
    -glenn-

    Ah yes, very good point. It's easy to miss because you have to delete then recreate the DSN in order to change drivers. So I switched the DSN over to the SQL Native 11 driver.
    Now when I try to connect to the SQL instance as <computer-name>\<instance-name>, and without a cert on the server, I get "the target principal name is incorrect". Perfect; now we're getting somewhere!
    Change my DSN to use <fqdn>\<instance-name> and it works. This tells me that SQL Server has auto-generated a cert and named it <fqdn>. I would have expected the "cert fail" error, not a cert
    name mismatch, because I'm not using Trust Server Cert.
    So I load up my self-signed cert, and that works too.
    I am still confused as to why I'm not seeing the "cert fail" error when I have no cert loaded on the SQL Server. I am not using Force Encryption on the server at all, so wouldn't expect SQL Server to auto-create a cert when an Encrypt=yes request comes in,
    but apparently it does?
    I also ran into a problem with this:
    select c.session_id, c.encrypt_option, s.client_interface_name
    from sys.dm_exec_connections c
    join sys.sysprocesses s
      on c.session_id = s.session_id
    where s.dbid = db_id('MyDatabase')
    There is no s.client_interface_name, probably should be s.hostname. There's also no s.session_id. I thought maybe this should be s.sid, but then no rows ever come back. The c.session_id looks like 51 and 52, but the s.sid looks like a very long binary number,
    so these two fields cannot be joined. I don't know how to convert the sid's properly so that the join would work. Ah wait, I just found the s.spid column; the join works when that column is used (I assume that's correct anyhow).
    If I add a Thread.Sleep(30 seconds) to my C# program just before the connection is closed, this query shows me the session for the correct hostname has encrypt_option=TRUE.
    And I have to keep my fingers crossed that all the app I/O will still work properly after
    changing the driver. Probably a safe bet though.
    Think I'm ready to throw in the towel on getting the "cert fail/no SSL" error to appear.
    It does look like I am able to sufficiently show that the connection is encrypted when Encrypt=yes is used with the newer driver.
    Thanks for all the help!
    -glenn-
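
One way to tie rows in sys.dm_exec_connections back to a specific client, as the thread above asks (an added example, not code from any poster): join to sys.dm_exec_sessions, which carries session_id, host_name, program_name and client_interface_name. @HostName and @ProgramLike are constructed placeholder values.

```sql
-- Added example. Requires VIEW SERVER STATE to see sessions other than your own.
-- @HostName and @ProgramLike are constructed placeholders: substitute the client
-- machine name and (optionally) a pattern for the application name.
DECLARE @HostName    sysname       = N'APP-CLIENT-01';
DECLARE @ProgramLike nvarchar(128) = N'%';

-- 1. Is the connection that runs this batch encrypted?
SELECT  c.session_id,
        c.encrypt_option,        -- 'TRUE' or 'FALSE'
        c.net_transport,         -- TCP, Named pipe, Shared memory
        c.auth_scheme
FROM    sys.dm_exec_connections AS c
WHERE   c.session_id = @@SPID;

-- 2. Sessions from one client machine, with enough identity to recognise the
--    application. Run this while the application still holds its connection open.
SELECT  c.session_id,
        c.encrypt_option,
        c.net_transport,
        c.client_net_address,
        s.host_name,
        s.program_name,
        s.client_interface_name, -- driver/provider the client connected with
        s.login_name,
        c.connect_time
FROM    sys.dm_exec_connections AS c
JOIN    sys.dm_exec_sessions    AS s
          ON s.session_id = c.session_id
WHERE   s.is_user_process = 1
  AND   c.parent_connection_id IS NULL   -- physical connections only (skip MARS children)
  AND   s.host_name = @HostName
  AND   ISNULL(s.program_name, N'') LIKE @ProgramLike
ORDER BY c.connect_time DESC;

-- 3. Roll-up of every client that is currently connected without encryption.
--    With Force Encryption = Yes on the instance this should return no rows.
SELECT  s.host_name,
        s.program_name,
        s.client_interface_name,
        c.net_transport,
        COUNT(*) AS unencrypted_connections
FROM    sys.dm_exec_connections AS c
JOIN    sys.dm_exec_sessions    AS s
          ON s.session_id = c.session_id
WHERE   s.is_user_process = 1
  AND   c.parent_connection_id IS NULL
  AND   c.encrypt_option = 'FALSE'
GROUP BY s.host_name, s.program_name, s.client_interface_name, c.net_transport
ORDER BY unencrypted_connections DESC;
```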

  • Encryption strength with SQL Server self-signed certificate

    I have SQL Server 2008 R2 Standard (64-bits) on Windows Server 2008 R2 Enterprise (64-bits) and client computers running on Windows 7 Professional (64-bits). If I set "Encrypt=True;TrustServerCertificate=True;" in connection strings, I'm wondering
    what encryption level or strength (40bits, 128bits, or other) are the connections getting?
    Microsoft is not clear about this topic:
    "The level of encryption used by SSL, 40-bit or 128-bit, depends on the version of the Microsoft Windows operating system that is running on the application and database computers."
    I appreciate any comment.

    Please see the discussion thread on this other post:
    http://social.msdn.microsoft.com/Forums/sqlserver/en-US/ee159a8b-0b07-4637-83e7-d0487fc63a9e/which-cipher-current-supported-after-force-encryption?forum=sqlsecurity
    Hopefully this information will help.
    -Raul Garcia
      SQL Server Security
    This posting is provided "AS IS" with no warranties, and confers no rights.

  • SQL Server TDE stuck encryption state 4

    I'm trying to create a robust script that runs backups, backs up the current certificate, creates a new certificate, backs up the new certificate and regenerates database encryption keys with the new certificate. Obviously, to do all this you're talking about a pretty complicated script! I've tried to make it as robust as possible; however, when running the script the databases have gotten stuck in encryption state 4. (This has happened before, which is why I'm testing this to destruction.) Now, before I delete and recreate these databases, is there any way to force them out of state 4? It will not allow you to turn encryption off; you get the following error: Cannot disable database encryption while an encryption, decryption, or key change scan is in progress.
    I'm not sure what happened to get them into this state but want to prevent it at all costs.
    Please see my script. You should be able to test this easily by creating a couple db's.
    Any improvements would be greatly appreciated, and this will be extremely useful to anyone in a TDE environment.
    *** UPDATED ***
    USE master
    DECLARE @Name NVARCHAR(50) , -- Database Name
    @Path NVARCHAR(100) , -- Path for backup files
    @FileName NVARCHAR(256) , -- Filename for backup
    @FileDate NVARCHAR(20) , -- Used for file name
    @BackupSetName NVARCHAR(50) ,
    @SQLScript NVARCHAR(MAX) ,
    @Live AS NCHAR(3) = 'No'
    -- *** MAKE SURE YOU CHECK THIS BEFORE RUNNING ***
    -- specify database backup directory
    SET @Path = 'E:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Backup\'
    -- specify filename format
    SET @FileDate = REPLACE(REPLACE(REPLACE(CONVERT(NVARCHAR(20), GETDATE(), 120),
    IF CURSOR_STATUS('global', 'db_cursor') >= -1
    DEALLOCATE db_cursor
    DECLARE db_cursor CURSOR
    FOR
    SELECT Name
    FROM sys.databases
    WHERE Name NOT IN ( 'master', 'model', 'msdb', 'tempdb' )
    AND is_encrypted = 1
    OPEN db_cursor
    FETCH NEXT FROM db_cursor INTO @Name
    WHILE @@FETCH_STATUS = 0
    BEGIN TRY
    SET @FileName = @Path + @Name + '_' + @FileDate + '.bak'
    SET @SQLScript = 'BACKUP DATABASE ' + @Name + ' TO DISK = '''
    + @FileName + ''' WITH NOFORMAT, INIT, SKIP, STATS = 10
    RESTORE VERIFYONLY FROM DISK = ''' + @FileName + ''' BACKUP LOG '
    + @Name + ' TO DISK = ''' + @Path + @Name + '_log.ldf'''
    PRINT '*** STEP ONE Backing up Databases ***'
    PRINT @SQLScript
    IF @Live = 'Yes'
    EXEC (@SQLScript)
    FETCH NEXT FROM db_cursor INTO @Name
    END TRY
    BEGIN CATCH
    PRINT 'Error Completing Backups'
    SELECT ERROR_NUMBER() AS ErrorNumber ,
    ERROR_SEVERITY() AS ErrorSeverity ,
    ERROR_STATE() AS ErrorState ,
    ERROR_PROCEDURE() AS ErrorProcedure ,
    ERROR_LINE() AS ErrorLine ,
    ERROR_MESSAGE() AS ErrorMessage;
    RETURN
    END CATCH
    CLOSE db_cursor
    DEALLOCATE db_cursor
    -- Get current certificate statuses
    SELECT DB_NAME(database_id) AS DatabaseName ,
    Name AS CertificateName ,
    CASE encryption_state
    WHEN 0 THEN 'No database encryption key present, no encryption'
    WHEN 1 THEN 'Unencrypted'
    WHEN 2 THEN 'Encryption in progress'
    WHEN 3 THEN 'Encrypted'
    WHEN 4 THEN 'Key change in progress'
    WHEN 5 THEN 'Decryption in progress'
    END AS encryption_state_desc ,
    create_date ,
    regenerate_date ,
    modify_date ,
    set_date ,
    opened_date ,
    key_algorithm ,
    key_length ,
    encryptor_thumbprint ,
    percent_complete ,
    certificate_id ,
    principal_id ,
    pvt_key_encryption_type ,
    pvt_key_encryption_type_desc ,
    issuer_name ,
    cert_serial_number ,
    subject ,
    expiry_date ,
    start_date ,
    thumbprint ,
    pvt_key_last_backup_date
    FROM sys.dm_database_encryption_keys AS e
    LEFT JOIN master.sys.certificates AS c ON e.encryptor_thumbprint = c.thumbprint
    -- TDE cannot be started while backup is running
    WHILE EXISTS ( SELECT *
    FROM master.dbo.sysprocesses
    WHERE dbid IN ( DB_ID('*** DATABASE ***') )
    AND cmd LIKE 'BACKUP%' )
    BEGIN
    PRINT 'Waiting for backups to complete'
    WAITFOR DELAY '00:01:00'
    END
    --Code for backing up certificate and generating new certificate
    DECLARE @CurrentCertificateName AS NVARCHAR(100) ,
    @CertificateBackupFile AS NVARCHAR(256) ,
    @KeyBackup AS NVARCHAR(256) ,
    @KeyStore AS NVARCHAR(256) = 'E:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Key Backup\' ,
    @SecurePass AS NVARCHAR(50) = '*** Password ***'
    -- Get current certificate name
    SELECT @CurrentCertificateName = c.name
    FROM sys.dm_database_encryption_keys AS e
    LEFT JOIN master.sys.certificates AS c ON e.encryptor_thumbprint = c.thumbprint
    WHERE DB_NAME(e.database_id) = @Name
    -- backup the current certificate
    SET @CertificateBackupFile = @KeyStore + @CurrentCertificateName + '.cer'
    SET @KeyBackup = @KeyStore + @CurrentCertificateName + '.pvk'
    SET @SQLScript = 'BACKUP CERTIFICATE ' + @CurrentCertificateName
    + +' TO FILE = ''' + @CertificateBackupFile + ''' WITH PRIVATE KEY'
    + ' (FILE = ''' + @KeyBackup + ''',' + ' ENCRYPTION BY PASSWORD = '''
    + @SecurePass + ''')'
    PRINT '*** STEP TWO Backing up current certificate: ' + @SQLScript + ' ***'
    IF @Live = 'Yes'
    BEGIN TRY
    EXEC ( @SQLScript )
    END TRY
    BEGIN CATCH
    PRINT 'Could not back up existing Certificate. Job Cancelled'
    SELECT ERROR_NUMBER() AS ErrorNumber ,
    ERROR_SEVERITY() AS ErrorSeverity ,
    ERROR_STATE() AS ErrorState ,
    ERROR_PROCEDURE() AS ErrorProcedure ,
    ERROR_LINE() AS ErrorLine ,
    ERROR_MESSAGE() AS ErrorMessage;
    RETURN
    END CATCH
    -- Generate the new certificate.
    DECLARE @Now AS NVARCHAR(12) = REPLACE(REPLACE(REPLACE(CONVERT(NVARCHAR(20), GETDATE(), 120),
    DECLARE @NewCertificateName AS NVARCHAR(50) = 'PCI_Compliance_Certificate_'
    + @Now
    -- Manually set certificate name
    --SELECT @NewCertificateName = 'PCI_Compliance_Certificate_201312231546'
    -- Generate a new certificate
    DECLARE @NewCertificateDescription AS NVARCHAR(100) = 'PCI DSS Compliance Certificate for 2014'
    SET @SQLScript = 'CREATE CERTIFICATE ' + @NewCertificateName
    + ' WITH SUBJECT = ''' + @NewCertificateDescription + ''''
    PRINT '*** STEP THREE Creating New Certificate: ' + @SQLScript + ' ***'
    IF @Live = 'Yes'
    BEGIN TRY
    EXEC ( @SQLScript )
    END TRY
    BEGIN CATCH
    PRINT 'Could not create the new Certificate. Job Cancelled'
    SELECT ERROR_NUMBER() AS ErrorNumber ,
    ERROR_SEVERITY() AS ErrorSeverity ,
    ERROR_STATE() AS ErrorState ,
    ERROR_PROCEDURE() AS ErrorProcedure ,
    ERROR_LINE() AS ErrorLine ,
    ERROR_MESSAGE() AS ErrorMessage;
    RETURN
    END CATCH
    -- Back up the new certificate
    SET @CertificateBackupFile = @KeyStore + @NewCertificateName + '.cer'
    SET @KeyBackup = @KeyStore + @NewCertificateName + '.pvk'
    SET @SQLScript = 'BACKUP CERTIFICATE ' + @NewCertificateName
    + +' TO FILE = ''' + @CertificateBackupFile + '''' + ' WITH PRIVATE KEY'
    + ' (FILE = ''' + @KeyBackup + ''',' + ' ENCRYPTION BY PASSWORD = '''
    + @SecurePass + ''')'
    PRINT '*** STEP FOUR Backing up New Certificate: ' + @SQLScript + ' ***'
    IF @Live = 'Yes'
    BEGIN TRY
    EXEC ( @SQLScript )
    END TRY
    BEGIN CATCH
    PRINT 'Error: Could not back up New Certificate.'
    SELECT ERROR_NUMBER() AS ErrorNumber ,
    ERROR_SEVERITY() AS ErrorSeverity ,
    ERROR_STATE() AS ErrorState ,
    ERROR_PROCEDURE() AS ErrorProcedure ,
    ERROR_LINE() AS ErrorLine ,
    ERROR_MESSAGE() AS ErrorMessage;
    RETURN
    END CATCH
    --Encrypt database with new certificate
    WHILE EXISTS ( SELECT *
    FROM master.dbo.sysprocesses
    WHERE dbid IN ( DB_ID('*** DATABASE ***') )
    AND cmd LIKE 'BACKUP%' )
    BEGIN
    PRINT 'Waiting for backups to complete'
    WAITFOR DELAY '00:01:00'
    END
    DECLARE db_cursor CURSOR
    FOR
    SELECT Name
    FROM sys.databases
    WHERE Name NOT IN ( 'master', 'model', 'msdb', 'tempdb' )
    AND is_encrypted = 1
    OPEN db_cursor
    FETCH NEXT FROM db_cursor INTO @Name
    WHILE @@FETCH_STATUS = 0
    BEGIN TRY
    SET @SQLScript = 'USE ' + @Name
    + ' ALTER DATABASE ENCRYPTION KEY REGENERATE WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE '
    + 'PCI_Compliance_Certificate_' + @Now
    PRINT '*** STEP FIVE Encrypting Databases ***'
    PRINT @SQLScript
    IF @Live = 'Yes'
    EXEC (@SQLScript)
    FETCH NEXT FROM db_cursor INTO @Name
    END TRY
    BEGIN CATCH
    PRINT 'Error Encrypting Databases'
    SELECT ERROR_NUMBER() AS ErrorNumber ,
    ERROR_SEVERITY() AS ErrorSeverity ,
    ERROR_STATE() AS ErrorState ,
    ERROR_PROCEDURE() AS ErrorProcedure ,
    ERROR_LINE() AS ErrorLine ,
    ERROR_MESSAGE() AS ErrorMessage;
    RETURN
    END CATCH
    CLOSE db_cursor
    DEALLOCATE db_cursor
    -- Inspect the new state of the databases
    SELECT DB_NAME(e.database_id) AS DatabaseName ,
    e.database_id ,
    e.encryption_state ,
    CASE e.encryption_state
    WHEN 0 THEN 'No database encryption key present, no encryption'
    WHEN 1 THEN 'Unencrypted'
    WHEN 2 THEN 'Encryption in progress'
    WHEN 3 THEN 'Encrypted'
    WHEN 4 THEN 'Key change in progress'
    WHEN 5 THEN 'Decryption in progress'
    END AS encryption_state_desc ,
    c.name ,
    e.percent_complete
    FROM sys.dm_database_encryption_keys AS e
    LEFT JOIN master.sys.certificates AS c ON e.encryptor_thumbprint = c.thumbprint

    Hello,
    State 4 means (as you've noted in your script) that there is a key change in process. When a key change happens with TDE, all of the data must first be decrypted with the old keys and encrypted with the new keys which takes time. However long it takes to
    decrypt and encrypt your entire database (depending on how many key changes there are in the hierarchy) is how long it will take.
    There is also a very niche scenario where database corruption can cause issues with TDE while encrypting or decrypting. You could run a CHECKDB and validate this is not the case (you can also check suspect_pages at a quick glance).
    Sean Gallardy | Blog |
    Twitter

  • MS sql server  2005 and encryption

    I've got a Microsoft SQL Server 2005 database server set up
    with encryption forced on. I managed to get the MS 1.1 jdbc driver
    from Microsoft, I then tried to configure it into Coldfusion v
    7.0.2 as an Other data source. The problem I've got now is that I
    get the error
    "com.microsoft.sqlserver.jdbc.SQLServerException: The SQL
    Server login requires an SSL connection."
    I previously tried to use the SQL Server data source type but
    that didn't work either.
    So how do I get past this hurdle?

    There is currently no SSL support for JDBC connections.
    Microsoft addresses it regarding SQL Server 2005 on this MSDN
    forum thread:
    http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=1071465&SiteID=1

  • How to Perform Forced Manual Failover of Availability Group (SQL Server) and WSFC (Windows Server Failover Cluster)

    I have a scenario with the three nodes with server 2012 standard, each running an instance of SQL Server 2012 enterprise, participate in a
    single Windows Server Failover Cluster (WSFC) that spans two data centers.
    If the nodes in the primary data center are unavailable due to a data center outage, how can I access the node in the WSFC (Windows Server Failover Cluster) in the secondary disaster recovery data center automatically with some script?
    I want to write a script that checks the primary data center by pinging some IP every 5 or 10 minutes.
    If that IP does not respond, the script should perform a Forced Manual Failover of the Availability Group (SQL Server) and WSFC (Windows Server Failover Cluster).
    Can you please guide me in writing a script for automatic failover in case of a primary data center outage?

    Please post your question on failover clusters in the cluster forum.  They will explain how this works and point you at scripts.
    You should also look in the Gallery for cluster management scripts.
    ¯\_(ツ)_/¯

  • How to Perform Forced Manual Failover of Availability Group (SQL Server) and WSFC (Windows Server Failover Cluster) with scripting

    I have a scenario with the three nodes with server 2012 standard, each running an instance of SQL Server 2012 enterprise, participate in a
    single Windows Server Failover Cluster (WSFC) that spans two data centers.
    If the nodes in the primary data center are unavailable due to a data center outage, how can I access the node in the WSFC (Windows Server Failover Cluster) in the secondary disaster recovery data center automatically with some script?
    I want to write a script that checks the primary data center by pinging some IP every 5 or 10 minutes.
    If that IP does not respond, the script should perform a Forced Manual Failover of the Availability Group (SQL Server) and WSFC (Windows Server Failover Cluster).
    Can you please guide me in writing a script for automatic failover in case of a primary data center outage?

    You are trying to implement manually what should be happening automatically in the cluster. If the primary SQL Server becomes unavailable in the data center, it should fail over to the secondary SQL Server automatically.  Is that not working?
    You also might want to run this configuration by some SQL experts.  I am not a SQL expert, but if you have both hosts in the data center in a cluster, there is no need for replication between those two nodes as they would be accessing
    the database from some form of shared storage.  Then it looks like you are trying to implement Always On to the DR site.  I'm not sure you can mix both types of failover in a single configuration.
    FYI, it would make more sense to establish a file share witness in your DR site instead of placing a third node in the data center for Node Majority quorum.
    . : | : . : | : . tim

  • Urgent!!!! - Problem in storing encrypted word into SQL Server database

    Hi,
    I want to encrypt a word using the DES algorithm and store it in the database. I am using a Microsoft SQL Server 2000 database. I have tried giving the datatype as varchar, binary etc. but I am not able to store a byte array. Here is my code. Please help me to store the encrypted word in the database.
    import javax.crypto.Cipher;
    import javax.crypto.BadPaddingException;
    import javax.crypto.IllegalBlockSizeException;
    import javax.crypto.KeyGenerator;
    import java.security.Key;
    import java.security.InvalidKeyException;
    import java.io.*;
    import java.sql.*;

    public class PwdEnc {
        private static String algorithm = "DESede";
        private static Key key = null;
        private static Cipher cipher = null;

        // Generate a fresh DESede key and a cipher instance for this run
        private static void setUp() throws Exception {
            key = KeyGenerator.getInstance(algorithm).generateKey();
            cipher = Cipher.getInstance(algorithm);
        }

        public static void main(String[] args) throws Exception {
            setUp();
            byte[] encryptionBytes = null;
            String input = "akshatha34";
            encryptionBytes = encrypt(input);
            try {
                Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
                Connection con = DriverManager.getConnection("jdbc:odbc:SQLDB1", "sa", "projguru");
                Statement st = con.createStatement();
                System.out.println(encryptionBytes);
                // String s1="Insert into tblLogin values("+encryptionBytes+","+encryptionBytes+")";
                // Concatenating a byte[] appends its toString() value, not the ciphertext bytes
                String s1 = "Insert into tblLogin values(" + encryptionBytes + ")";
                System.out.println(s1);
                int rs = st.executeUpdate(s1);
                if (rs >= 1)
                    System.out.println("inserted");
                else
                    System.out.println("failed");
            } catch (Exception e) {
                System.out.println(e);
            }
            // Dump the ciphertext byte by byte
            for (int i = 0; i < encryptionBytes.length; i++)
                System.out.println(encryptionBytes[i]);
            System.out.println(encryptionBytes);
        }

        // Encrypt the input string with the key created in setUp()
        private static byte[] encrypt(String input)
                throws InvalidKeyException,
                       BadPaddingException,
                       IllegalBlockSizeException {
            cipher.init(Cipher.ENCRYPT_MODE, key);
            byte[] inputBytes = input.getBytes();
            return cipher.doFinal(inputBytes);
        }
    }
    thanks,
    Akshatha

    Try using a Prepared statement and setBytes;
    PreparedStatement insert = con.prepareStatement("Insert into tblLogin values(?)");
    insert.setBytes(1, encryptionBytes);
    insert.executeUpdate();

  • How to Encrypt Column in SQL Server?

    Hi all,
    I am using ColdFusion MX 7 and Microsoft SQL Server 2000
    database. I have a column that contains social security numbers of
    my users and am feeling the need to encrypt that column.
    Trouble is, I have no clue how to do this in SQL Server or
    how I could display the data from that column in my web app once
    the column is encrypted.
    Can anyone offer any suggestions?
    Thanks in advance!

    Here's one way...
    To encrypt:
    URLEncodedFormat(Encrypt(yourSStoencrypt, application.encKey))
    then store this value in MSSQL
    To decrypt:
    Decrypt(URLDecode(yourSStodecryptfromDB), application.encKey)
    HTH
    Tim Carley
    www.recfusion.com

  • Decrypt the encrypted store procedure through the T-SQL programming in SQL Server 2005

    Hi,
    I have an encrypted stored procedure on my production server. Right now I do not have the script, and I want to do some modification.
    Please, can anyone help me to decrypt the stored procedure? It will be a great help for me.
    Thanks in advance for any suggestions.

    I have modified Jon's post so it also supports functions correctly; Jon's version gave a syntax error on functions because the dummy func SQL was invalid.
    1. Connect using "admin:server\instance" instead of "server\instance" (enable DAC if you haven't already; it's an sp_reconfigure command)
    2. Create the below proc
    3. exec SqlDecryptor 'dbo', 'function_or_stored_proc_name'
    ALTER -- CREATE
    proc SqlDecryptor (@objschemaname nvarchar(255), @objname nvarchar(255))
    AS
    DECLARE @objid INT,@objtype NVARCHAR(50),@objtypicalstm NVARCHAR(4000),@objencrypted BIT
    SELECT TOP 1 @objid=o,@objname = n,@objtype = t,@objtypicalstm=s,@objencrypted = (SELECT ([encrypted]) FROM syscomments WHERE [id] = x.o and colid = 1)
    FROM
    (
    SELECT object_id o, name n,
    CASE WHEN [type] = 'P' THEN N'PROCEDURE'
    WHEN [type] = 'V' THEN 'VIEW'
    WHEN [type] IN ('FN','TF','IF') THEN N'FUNCTION'
    ELSE [type]
    END t,
    CASE WHEN [type] = 'P' THEN N'WITH ENCRYPTION AS'
    WHEN [type] = 'V' THEN N'WITH ENCRYPTION AS SELECT 123 ABC'
    WHEN [type] IN ('FN','TF','IF') THEN N' () RETURNS INT WITH ENCRYPTION AS BEGIN RETURN 1 END'
    ELSE [type]
    END s
    FROM sys.all_objects WHERE [type] NOT IN ('S','U','PK','F','D','SQ','IT','X','PC','FS','AF')
    AND name = @objname AND (SCHEMA_NAME([schema_id]) = COALESCE(@objschemaname,'dbo'))
    --UNION ALL SELECT object_id,name,'TRIGGER',N'ON ALL SERVER WITH ENCRYPTION FOR DDL_LOGIN_EVENTS AS SELECT 1' FROM sys.server_triggers WHERE name = @objname
    --UNION ALL SELECT object_id,name,'TRIGGER',N'ON DATABASE WITH ENCRYPTION FOR CREATE_TABLE AS SELECT 1' FROM sys.triggers WHERE name = @objname
    ) x
    --SELECT @objid,@objname,@objtype,@objtypicalstm,@objencrypted
    SET NOCOUNT ON
    IF @objencrypted <> 0
    BEGIN
    IF EXISTS
    (
    SELECT * FROM sys.dm_exec_connections ec JOIN sys.endpoints e
    on (ec.[endpoint_id]=e.[endpoint_id])
    WHERE e.[name]='Dedicated Admin Connection'
    AND ec.[session_id] = @@SPID
    )
    BEGIN
    DECLARE @ChunkNumber INT,@ChunkPiece NVARCHAR(MAX),@CompareChunksAtPosition INT,@DummyChunk NVARCHAR(MAX),@DummyObject VARBINARY(MAX),@EncryptedChunk NVARCHAR(MAX),@EncryptedObject VARBINARY(MAX),@p INT,@p1 NVARCHAR(MAX),@p2 NVARCHAR(MAX),@QueryForDummyObject NVARCHAR(MAX),@ReplacementText NVARCHAR(4000)
    SELECT @EncryptedObject = [imageval] FROM [sys].[sysobjvalues] WHERE [objid] = @objid AND [valclass] = 1
    BEGIN TRANSACTION
    SET @p = 1
    SET @p1= N'ALTER'+SPACE(1)+@objtype+SPACE(1)+ISNULL((@objschemaname+'.'),'')+@objname +SPACE(1)+@objtypicalstm;
    SET @p1=@p1+REPLICATE('-',4000-LEN(@p1))
    SET @p2 = REPLICATE('-',8000)
    SET @QueryForDummyObject = N'EXEC(@p1'
    WHILE @p <=CEILING(DATALENGTH(@EncryptedObject) / 8000.0)
    BEGIN
    SET @QueryForDummyObject=@QueryForDummyObject+N'+@f'
    SET @p =@p +1
    END
    SET @QueryForDummyObject=@QueryForDummyObject+')'
    EXEC sp_executesql @QueryForDummyObject,N'@p1 NVARCHAR(4000),@f VARCHAR(8000)',@p1=@p1,@f=@p2
    SET @DummyObject=(SELECT [imageval] FROM [sys].[sysobjvalues] WHERE [objid] = @objid and [valclass] = 1)
    ROLLBACK TRANSACTION
    SET @ChunkNumber=1
    WHILE @ChunkNumber<=CEILING(DATALENGTH(@EncryptedObject) / 8000.0)
    BEGIN
    SELECT @EncryptedChunk = SUBSTRING(@EncryptedObject, (@ChunkNumber - 1) * 8000 + 1, 8000)
    SELECT @DummyChunk = SUBSTRING(@DummyObject, (@ChunkNumber - 1) * 8000 + 1, 8000)
    IF @ChunkNumber=1
    BEGIN
    SET @ReplacementText=N'CREATE'+SPACE(1)+@objtype+SPACE(1)+ISNULL((@objschemaname+'.'),'')+@objname +SPACE(1)+@objtypicalstm+REPLICATE('-',4000)
    END
    ELSE
    BEGIN
    SET @ReplacementText=REPLICATE('-', 4000)
    END
    SET @ChunkPiece = REPLICATE(N'A', (DATALENGTH(@EncryptedChunk) / 2))
    SET @CompareChunksAtPosition=1
    WHILE @CompareChunksAtPosition<=DATALENGTH(@EncryptedChunk)/2
    BEGIN
    SET @ChunkPiece = STUFF(@ChunkPiece, @CompareChunksAtPosition, 1, NCHAR(UNICODE(SUBSTRING(@EncryptedChunk, @CompareChunksAtPosition, 1)) ^ (UNICODE(SUBSTRING(@ReplacementText, @CompareChunksAtPosition, 1)) ^ UNICODE(SUBSTRING(@DummyChunk, @CompareChunksAtPosition, 1)))))
    SET @CompareChunksAtPosition=@CompareChunksAtPosition+1
    END
    PRINT @ChunkPiece
    SET @ChunkNumber=@ChunkNumber+1
    END
    END
    ELSE
    BEGIN
    PRINT 'Use a DAC Connection'
    END
    END
    ELSE
    BEGIN
    PRINT 'Object not encrypted or not found'
    END
    SET QUOTED_IDENTIFIER OFF
    GO

  • Encrypt Excel Export from SQL Server Reporting Services prior to attaching to e-mail

    Does SSRS 2012 have a secure e-mail Delivery Extension that would allow the Excel document to be encrypted?
    Or is there sample code?
    Or is the best approach to consider a Microsoft Partner product such as Database Potential, Inc.'s "Secure Delivery Pack for SQL Server Reporting Services"?
    http://www.databasepotential.com/product-p/sdp.htm
    Thanks in advance for any thoughts or feedback regarding this topic.
    Boyd

    Hi Boyd,
    Currently, a delivery extension that encrypts documents before sending them is not supported in Reporting Services. If you have the SQL Server Integration Services (SSIS) environment, you can use the following workaround:
    1. Use an SSIS Script Task to encrypt the report before exporting it to the Excel file.
    2. Add a Send Mail Task to send the Excel files to the recipients.
    For the details, please refer to the document below:
    http://microsoft-ssis.blogspot.in/2011/10/encrypt-files-in-ssis.html
    In addition, we can try the .NET API approach. In this scenario, we need to capture the Excel file using the WQL query of FileWatcher, then encrypt the file, and finally email the Excel file.
    For the details, please refer to the blog shown below:
    http://microsoft-ssis.blogspot.in/2010/12/continuously-watching-files-with-wmi.html
    If you need more assistance, please feel free to contact me.
    Regards,
    Heidi Duan
    TechNet Community Support
