Symantec Control Compliance Suite 11, Error: [DBNETLIB][ConnectionOpen (SECDoClientHandshake()).]SSL Security error.

Article:TECH205821  |  Created: 2013-05-02  |  Updated: 2013-05-02  |  Article URL http://www.symantec.com/docs/TECH205821
Article Type
Technical Solution


Issue



A data collection reports an error in the Messages tab. The query or standard in question has a check that uses the SQL datasource "Server Logins", field "Is password same as login name?", and it returns the error below.

 


Error



01/05/2013 13:38:30,SQL Data Collector: query returned with message(s).,"{HOSTNAME.EN_US}\{INSTANCE.EN_US} sa: [DBNETLIB][ConnectionOpen (SECDoClientHandshake()).]SSL Security error.=0AThe above error might have occured due to the following reasons:=0A1. Encryption is not enabled on SQL Server.=0A2. Certificate is invalid.=0A3. Certificate is not issueed to fully qualified domain of computer.=0A4. Multiple certificates installed.=0A5. Only SQL server name instead of FQDN used in the cross domain setup.=0AFor more information, see the Troubleshooting section of the bv-Control for Microsoft SQL Server help.",Error,{HOSTNAME.EN_US}\{INSTANCE.EN_US},SQL Server,,

 


Environment



Any version of CCS11

MS SQL 2005, 2008, 2008 R2

Windows 2003, 2008, 2008R2, 2012

 


Cause



The CCS datasource (or Entity/Category) SQL -> "Server Logins" uses SSL by default when connecting to the SQL asset. If SSL is not enabled on the SQL server, or is incorrectly configured, the query fails with the error described.

Note: Other queries/checks might work fine for the same asset and standard, but they probably use other datasources (Entities/Categories).

 


Solution



The most likely cause is that SSL encryption is not enabled on the SQL server and is possibly not required or wanted within the environment. In that case you can configure CCS not to try and use encryption when querying this particular datasource:

Cause:

During execution of a query that uses the Server Logins data source, the message "Encryption not supported on SQL Server" occurred in the dataset report. By default, the communication between the Information Server and the SQL Server is encrypted. However, this communication between the Information Server and the SQL Server does not take place as the SQL Server does not support encrypted communication.

Solution:

You can disable encrypted communication with the creation of a string value under the registry key on the CCS Manager(s) in the data collection Role.


  • For Windows 32bit based CCS managers:

Create a string value, PasswordEncryptionEnable, under the registry key, at the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\BindView

Double-click the string value PasswordEncryptionEnable, type False and click OK to disable the encrypted communication.

Restart the "Symantec Data Processing Service" service.

 

  • For Windows 64bit based CCS managers:

Create a string value, PasswordEncryptionEnable, under the registry key, at the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BindView

Double-click the string value PasswordEncryptionEnable, type False and click OK to disable the encrypted communication.

Restart the "Symantec Data Processing Service" service.


Fig. 1 Example registry entry for 64bit Windows based CCS Manager

 

 

Alternatively, if SSL encryption is required and expected to work, here are some other solutions that could help.

Cause: Encryption is not enabled on SQL Server.

Solution: Check if encryption is enabled on the target SQL Server. See http://support.microsoft.com/kb/316898

Cause: Certificate is invalid.

Solution: Check if the certificate provided is valid.

Cause: Certificate is not issued to fully qualified domain of computer.

Solution: Check if the certificate is issued to the fully qualified domain name of the computer; otherwise, SQL Server considers the certificate invalid.

Cause: Multiple certificates installed.

Solution: Check if more than one certificate is installed. If multiple certificates are installed, specify which certificate should be used for SQL Server.

  • Create a Certificate value of type REG_BINARY in the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib

  • Click on the Certificate value, and then type the thumbprint property value of the certificate in the data column.

Cause: SQL server name instead of FQDN used in the cross-domain setup.

Solution: Check if in the cross-domain setup, a fully qualified domain name is used to register the SQL server.
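The certificate-related causes above (invalid certificate, certificate not issued to the FQDN, multiple certificates) can be checked on the SQL Server host with a read-only PowerShell script. This is an added example, not part of the original Symantec article; the rule for which certificates count as candidates and the hex decoding of the Certificate registry value are assumptions.

```powershell
# Added example, read-only. Run on the target SQL Server host in an elevated session.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$now = Get-Date
$serverAuth = '1.3.6.1.5.5.7.3.1'   # OID of the Server Authentication key usage

# Assumption: a certificate is a candidate if it sits in the machine store, has a
# private key, and allows server authentication (or carries no EKU restriction).
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $c = $_
    $eku = $c.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $c.HasPrivateKey -and
        (-not $eku -or ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuth }))
})

# One row per candidate: validity period, chain validation, and subject CN against the FQDN
$candidates | ForEach-Object {
    $cn = $_.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    New-Object PSObject -Property @{
        Thumbprint       = $_.Thumbprint
        SubjectCN        = $cn
        InValidityPeriod = ($_.NotBefore -le $now -and $now -le $_.NotAfter)
        ChainVerifies    = $_.Verify()        # X.509 chain validation, basic policy
        IssuedToFqdn     = ($cn -eq $fqdn)    # -eq compares strings case-insensitively
    }
} | Format-Table Thumbprint, SubjectCN, InValidityPeriod, ChainVerifies, IssuedToFqdn -AutoSize

# Multiple certificates: confirm that one of them is named in the registry
if ($candidates.Count -gt 1) {
    # Registry path as given in the article
    $key = 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib'
    $pinned = (Get-ItemProperty -Path $key -Name Certificate -ErrorAction SilentlyContinue).Certificate
    # Assumption: a REG_BINARY value holds the raw thumbprint bytes; show them as hex
    if ($pinned -is [byte[]]) { $pinned = -join ($pinned | ForEach-Object { $_.ToString('X2') }) }
    $thumbs = $candidates | ForEach-Object { $_.Thumbprint }
    if (-not $pinned) {
        Write-Warning "$($candidates.Count) candidate certificates and no Certificate value under $key"
    } elseif ($thumbs -notcontains $pinned) {
        Write-Warning "Certificate value $pinned matches no candidate certificate"
    }
}
```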

 



