Security tab
- Last Updated: October 14, 2024
- DataDirect Connectors
- ODBC
- Microsoft SQL Server 8.0
- Documentation
The Security Tab allows you to specify your security settings. The fields are optional unless otherwise noted. On this tab, provide values for the options in the following table; then, click Apply.
See "Using security" for a general description of authentication and encryption and their configuration requirements.

| Connection Options: Security | Description |
|---|---|
| User Name | Specifies one of the following identifiers used for authentication: Default: None |
| Authentication Method | Specifies the method the driver uses to authenticate the user to the server when a connection is established. If set to 1 - Encrypt Password, the driver sends the user ID in clear text and an encrypted password to the server for authentication. If set to 4 - Kerberos Authentication, the driver uses Kerberos authentication. This method supports both Microsoft Entra Kerberos and MIT Kerberos environments. Setting this value to 4 - Kerberos Authentication also enables NTLMv2 and NTLMv1 authentication on Windows platforms. The protocol used for a connection is determined by the local security policy settings for the client. If set to 13 - Active Directory Password, the driver authenticates using an Entra ID user name and password when connecting to an Azure SQL Database data store. All communications between the service are encrypted using TLS/SSL. If set to 36 - Active Directory Service Principal, the driver authenticates using an Entra ID service principal when establishing a connection to an Azure SQL Database data store. All communications between the service are encrypted using TLS/SSL. If set to 37 - Active Directory Managed Identity, the driver authenticates using a managed identity when accessing Azure resources. All communications between the service are encrypted using TLS/SSL. Default: 1 - Encrypt Password |
| GSS Client Library | The name of the GSS client library that the driver uses to communicate with the Key Distribution Center (KDC). Default: native (the driver uses the GSS client for Windows Kerberos.) |
| Encryption Method | The method the driver uses to encrypt data sent between the driver and the database server. If set to 0 - None, data is not encrypted. If set to 1 - SSL, data is encrypted using the TLS/SSL protocols specified in the Crypto Protocol Version connection option. If set to 6 - RequestSSL, the login request and data are encrypted using TLS/SSL if the server is configured for TLS/SSL. If the server is not configured for TLS/SSL, an unencrypted connection is established. The TLS/SSL protocol used is determined by the setting of the Crypto Protocol Version connection option. If set to 7 - LoginSSL, the login request is encrypted using TLS/SSL regardless of whether the server is configured for TLS/SSL. The data is encrypted using TLS/SSL if the server is configured for TLS/SSL, and the data is unencrypted if the server is not configured for TLS/SSL. The TLS/SSL protocol used is determined by the setting of the Crypto Protocol Version connection option. If set to 8 - Strict, the driver uses the TDS (Tabular Data Stream) 8.0 protocol to support TLSv1.3 encryption for SQL Server connections. You must specify this value when your server is configured with Force Strict Encryption=yes. Important: When using strict connection encryption: Note: When establishing a connection to Microsoft Azure Synapse Analytics or Microsoft Analytics Platform System, the driver will enable TLS/SSL data encryption by default (1 - SSL). Default: 0 - None |
| Crypto Protocol Version | Specifies the cryptographic protocols to use when TLS/SSL is enabled using the Encryption Method connection option (EncryptionMethod=1 \| 6 \| 7 \| 8). Default: TLSv1.3,TLSv1.2 Note: TLSv1.3 is only selectable when Encryption Method is set to 8 - Strict. |
| Validate Server Certificate | Determines whether the driver validates the certificate that is sent by the database server when TLS/SSL encryption is enabled (EncryptionMethod=1 \| 6 \| 7 \| 8). If enabled, the driver validates the certificate that is sent by the database server. Any certificate from the server must be issued by a trusted CA in the truststore file. If the Host Name In Certificate option is specified, the driver also validates the certificate using a host name. The Host Name In Certificate option provides additional security against man-in-the-middle (MITM) attacks by ensuring that the server the driver is connecting to is the server that was requested. If disabled, the driver does not validate the certificate that is sent by the database server. The driver ignores any truststore information specified by the Trust Store and Trust Store Password options. Default: Enabled |
| Enable FIPS | Determines whether the OpenSSL library uses cryptographic algorithms from the FIPS provider or the default provider when TLS/SSL encryption is enabled (EncryptionMethod=1 \| 6 \| 7 \| 8). If disabled, the OpenSSL library uses cryptographic algorithms from the default provider. If enabled, the OpenSSL library uses cryptographic algorithms from the FIPS provider. Default: Disabled |
| Trust Store | Specifies either the path and file name of the truststore file or the contents of the TLS/SSL certificates to be used when TLS/SSL is enabled (EncryptionMethod=1 \| 6 \| 7 \| 8) and server authentication is used. Default: None |
| Trust Store Password | Specifies the password that is used to access the truststore file when TLS/SSL is enabled (EncryptionMethod=1 \| 6 \| 7 \| 8) and server authentication is used. Default: None |
| Host Name In Certificate | A host name for certificate validation when TLS/SSL encryption is enabled (EncryptionMethod=1 \| 6 \| 7 \| 8) and validation is enabled (Validate Server Certificate=1). Default: None |
| Column Encryption | Specifies whether the driver is enabled for Always Encrypted functionality when accessing data from encrypted columns. If set to Enabled, the driver fully supports Always Encrypted functionality. The driver transparently decrypts result sets and returns them to the application. In addition, the driver transparently encrypts parameter values that are associated with encrypted columns. If set to ResultsetOnly, the driver transparently decrypts result sets and returns them to the application. Queries containing parameters that affect encrypted columns will return an error. If set to Disabled, the driver does not use Always Encrypted functionality. The driver does not attempt to decrypt data from encrypted columns, but will return data as binary formatted cipher text. However, statements containing parameters that reference encrypted columns are not supported and will return an error. Default: Disabled |
| Key Cache Time To Live | Determines whether the driver caches column encryption keys. This option is used when Always Encrypted is enabled (ColumnEncryption=Enabled \| ResultsetOnly). If set to -1, the driver caches column encryption keys on a per connection basis. The keys remain in the cache until the connection is closed or the application exits. If set to 0, the driver does not cache column encryption keys. Note: While caching can improve performance, column encryption keys are designed to be deleted periodically from the cache as a security measure. Therefore, we do not recommend caching keys for applications that remain connected for long periods of time. Default: -1 |
| Key Store Principal Id | Specifies the principal ID used to authenticate against the Azure Key Vault. This option is used only when Always Encrypted is enabled (ColumnEncryption=Enabled \| ResultsetOnly) and Azure Key Vault is the keystore provider. The Azure Key Vault stores the column master key used for Always Encrypted functionality. To access the column master key, the principal ID and Client Secret must be used to authenticate against the Azure Key Vault. Note: The driver currently supports only Azure App Registration as the principal ID. Default: None |
| Key Store Secret | Specifies the Client Secret used to authenticate against the Azure Key Vault. This option is used only when the Always Encrypted feature is enabled (ColumnEncryption=Enabled \| ResultsetOnly) and the Azure Key Vault is the keystore provider. The Azure Key Vault stores the column master key used for Always Encrypted functionality. To access the column master key, the Client Secret and principal ID must be used to authenticate against the Azure Key Vault. Default: None |
| AE Keystore Location | Specifies the absolute path to the PKCS #12 file. This option is used only when Always Encrypted is enabled (ColumnEncryption=Enabled \| ResultsetOnly) and the PKCS #12 file is the keystore provider. Default: None |
| AE Keystore Secret | Specifies the password used to access the PKCS #12 file. This option is used only when Always Encrypted is enabled (ColumnEncryption=Enabled \| ResultsetOnly) and a password-protected PKCS #12 file is the keystore provider. Default: None |
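
The Encryption Method, Validate Server Certificate and Host Name In Certificate options interact, so a connection can have TLS/SSL switched on and still permit an unencrypted fallback or an unverified server. The audit below is an added example, not Progress DataDirect code; every attribute name except `EncryptionMethod` (`ValidateServerCertificate`, `HostNameInCertificate`, `TrustStore`, `HostName`, `PortNumber`, `Database`) is assumed to be the GUI label without spaces, and the sample strings are constructed.

```python
import re

# Defaults as stated in the table above (0 - None, certificate validation enabled).
# Attribute names other than EncryptionMethod are assumptions (see lead-in).
DEFAULTS = {"encryptionmethod": "0", "validateservercertificate": "1",
            "hostnameincertificate": ""}

def parse_conn_str(conn_str):
    """Parse 'Key=Value;...' pairs; brace-quoted values may contain ';'."""
    pairs = re.finditer(r"([^=;]+)=(\{[^}]*\}|[^;]*)", conn_str)
    return {m.group(1).strip().lower(): m.group(2).strip() for m in pairs}

def audit(conn_str):
    """Return a list of findings for the transport-security options."""
    opts = {**DEFAULTS, **parse_conn_str(conn_str)}
    em = opts["encryptionmethod"]
    if em == "0":
        return ["EncryptionMethod=0: data is not encrypted"]
    findings = []
    if em == "6":
        findings.append("EncryptionMethod=6: falls back to an unencrypted "
                        "connection if the server is not configured for TLS/SSL")
    elif em == "7":
        findings.append("EncryptionMethod=7: only the login is guaranteed "
                        "to be encrypted; data may be sent unencrypted")
    elif em not in ("1", "8"):
        findings.append(f"EncryptionMethod={em}: value not listed in the table")
    if opts["validateservercertificate"] == "0":
        findings.append("ValidateServerCertificate=0: server certificate is "
                        "not validated and truststore settings are ignored")
    elif not opts["hostnameincertificate"]:
        findings.append("HostNameInCertificate not set: certificate is not "
                        "checked against a host name")
    return findings

# Constructed sample connection strings (host and path are placeholders).
WEAK = ("HostName=db.example.test;PortNumber=1433;Database=app;"
        "EncryptionMethod=6;ValidateServerCertificate=0")
HARDENED = ("HostName=db.example.test;PortNumber=1433;Database=app;"
            "EncryptionMethod=8;ValidateServerCertificate=1;"
            "HostNameInCertificate=db.example.test;TrustStore=/path/to/ca.pem")

if __name__ == "__main__":
    for name, s in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(s) or "no findings")
```
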

If you have finished configuring your driver, proceed to Step 6 in "Data source configuration through a GUI." Optionally, you can further configure your driver by clicking on the following tabs. The following sections provide details on the fields specific to each configuration tab:
- General tab allows you to configure options that are required for creating a data source.
- Advanced tab allows you to configure advanced behavior.
- Failover tab allows you to specify failover data source settings.
- Pooling tab allows you to specify connection pooling settings.
- Bulk tab allows you to specify data source settings for DataDirect Bulk Load.