Upgrading to 12.3 and later: Fixing Microsoft SQL Server JDBC driver-related issues
In Spotfire Server version 12.3, the included Microsoft JDBC Driver for SQL Server was updated to a version in which the default values for some encryption settings were changed. Due to this change, you might have to make some changes if you use the driver in your environment, for example for the connection to the Spotfire database, Information Services data sources, the action logging database, or for a default join database. In this article, you can find information about the issues that might occur, and what changes you must make.
For details about the changes in the JDBC driver, see the official documentation from Microsoft.
Overview
In the updated version of the Microsoft JDBC Driver for SQL Server, the default values for the following connection properties have changed to:
encrypt=true
trustServerCertificate=false
With the new default settings, TLS encryption is enabled, and a valid, not self-signed, server certificate is required. If you have configured parts of your Spotfire environment using the included driver, and you have not specified values for the above properties (thus falling back to the driver default values), you might see encryption-related errors.
What do I need to do?
If you use the included Microsoft JDBC Driver for SQL Server, with the default settings, for any of the functionality listed above, you must make sure that you can still connect to the Microsoft SQL Server instance with the updated driver. If the Microsoft SQL Server instance is already configured for encryption with a valid server certificate, the connection should work as expected. If the Microsoft SQL Server instance is not configured with a valid server certificate, you must either configure the instance, or change the connection URL for the affected databases.
- Configuring your Microsoft SQL Server
- For any Microsoft SQL Server instances in your environment, in particular in production environments, you should generally use valid, not self-signed, server certificates. This enables you to use encryption, with validation of the server certificates, in your connections. For instructions, see the official documentation from Microsoft.
- Changing the connection URL
- Warning: Before you make any changes to connection URLs, make sure you understand the security implications of turning on the setting trustServerCertificate in connections with the Microsoft JDBC Driver for SQL Server.
If you choose not to change the configuration of your Microsoft SQL Server, another option is to update the connection URL/connection string to the database in Spotfire. If you add the setting trustServerCertificate=true to the connection URL, the connection will be encrypted, but self-signed server certificates will be accepted.
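The following Python script is an added example, not part of Spotfire or its upgrade tool. It works out the effective encrypt and trustServerCertificate values of a connection URL under the new driver defaults, and flags URLs that rely on those defaults or that accept unvalidated certificates. The host names, database names and sample URLs are constructed, and the parser assumes that no property value contains a semicolon.

```python
# Added example: effective TLS settings of SQL Server JDBC URLs under the new driver defaults.
NEW_DEFAULTS = {"encrypt": "true", "trustservercertificate": "false"}
PREFIX = "jdbc:sqlserver://"

def parse_properties(url):
    """Return the ;name=value properties of the URL with lowercased names."""
    if not url.lower().startswith(PREFIX):
        raise ValueError("not a Microsoft SQL Server JDBC URL: " + url)
    props = {}
    # The first ';'-separated field is the server part; the rest are properties.
    # Assumption: no property value contains ';' (braced values are not handled).
    for field in url[len(PREFIX):].split(";")[1:]:
        if "=" in field:
            name, value = field.split("=", 1)
            props[name.strip().lower()] = value.strip()
    return props

def classify(url):
    """Return (status, effective settings) for one connection URL."""
    props = parse_properties(url)
    explicit = {k: props[k].lower() for k in NEW_DEFAULTS if k in props}
    effective = {**NEW_DEFAULTS, **explicit}
    if effective["encrypt"] == "false":
        status = "UNENCRYPTED"
    elif effective["trustservercertificate"] == "true":
        # Encrypted, but the server certificate is not validated.
        status = "ENCRYPTED_NO_VALIDATION"
    elif len(explicit) < len(NEW_DEFAULTS):
        # At least one property is left to the driver default, so the
        # connection now needs a valid server certificate to succeed.
        status = "RELIES_ON_DEFAULTS"
    else:
        status = "ENCRYPTED_VALIDATED"
    return status, effective

# Constructed sample URLs (hypothetical host and database names).
SAMPLE_URLS = [
    "jdbc:sqlserver://db.example.com:1433;databaseName=spotfire_server",
    "jdbc:sqlserver://db.example.com:1433;databaseName=spotfire_server;trustServerCertificate=true",
    "jdbc:sqlserver://db.example.com:1433;DatabaseName=is_source;Encrypt=TRUE;TrustServerCertificate=False",
    "jdbc:sqlserver://db.example.com:1433;databaseName=legacy;encrypt=false",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        status, effective = classify(url)
        print(f"{status:24} encrypt={effective['encrypt']} "
              f"trustServerCertificate={effective['trustservercertificate']}  {url}")
```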
Data sources in Information Services
You might have many Information Services data sources that are affected by the change in the driver. The Spotfire upgrade tool can help you identify, and, optionally, update the data sources with a change to the connection URL.
- Which sources do I have to update?
- Data sources that use the Microsoft JDBC Driver for SQL Server, and for which you have not configured the connection properties encrypt and trustServerCertificate in the Connection URL in Information Designer will be affected. Specifically, data sources for which the following is true likely need to be updated:
- How do I identify and update affected data sources?
- Tip: You can also perform the scan described below after upgrading Spotfire, with the CLI command sqlserver-datasource-update-script.
- Updating data sources with the script file
- When you run the Spotfire Server upgrade tool, if any data sources that require updating are identified, the file SQLServerDatasourceUpgradeScript.txt is created in the directory where you started the upgrade tool.
- Review the contents of the SQLServerDatasourceUpgradeScript.txt file, to see which data sources the script will update when you run it.
- To update all the data sources in the script file, open a command line as an administrator, and run the following command:
Windows:
<installation dir>/tomcat/spotfire-bin/config.bat run --fail-on-undefined-variable -Vtoolpassword=<config tool password> -VlibraryAdmin=<library admin user> -Vvalidate=true SQLServerDatasourceUpgradeScript.txt
Linux:
<installation dir>/tomcat/spotfire-bin/config.sh run --fail-on-undefined-variable -Vtoolpassword=<config tool password> -VlibraryAdmin=<library admin user> -Vvalidate=true SQLServerDatasourceUpgradeScript.txt
Note: The user specified by VlibraryAdmin must be in the default domain.