Microsoft recently updated the Azure SQL database to only allow encrypted communication. Now communication between Azure SQL Database and your application requires encryption (SSL) at all times. If your client application does not validate certificates upon connection, your connection to SQL Database is susceptible to “man in the middle” attacks. This blog post covers the steps for successfully connecting to Azure SQL via JDBC SSL.
The following changes work only with Microsoft SQL Server JDBC driver version 4.0. You may have to upgrade or downgrade the version of Microsoft SQL Server JDBC driver based on your current version.
To make JDBC connections to Azure SQL database secure, the following changes need to be made in your Java AppServer.
- Fetch the database SSL Certificate.
- Import the SSL Certificate into a trust store using Java keytool.
- Add the keystore path to the JVM startup arguments.
- Change the JDBC URL in the Java application.
Fetch the SSL certificate
To fetch the SSL certificate from the database server, we will use openssl. Please note that the port we will be using to fetch the SSL certificate is 443. The following openssl command will fetch the Azure SQL server SSL certificate and remove extraneous information from the fetched SSL certificate. Make sure you replace $DB_FQDN with the name of your database server (as in dbserver.com). If you have problems on Windows, check out this post.
openssl s_client -showcerts -connect $DB_FQDN:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >dbcertfile.pem
Import the SSL certificate into a trust store
Once the SSL certificate is fetched, it needs to be imported into a trust store. The JVM will reference this key store to see if the SSL certificate of the database host is valid.
keytool -import -v -trustcacerts -alias dbcert -file dbcertfile.pem -keystore dbkeystore.jks -storepass changeit
Add the keystore path to the JVM startup arguments
Once the trust store is created, we need to tell the JVM where to find it. Add the following line to the JVM startup arguments to define where the custom trust store is located.
Change the JDBC URL in the Java application
For Azure SQL SSL connectivity to be successful, the JDBC URL needs to be changed to make an encrypted connection. The following arguments must be added to the JDBC URL for the Microsoft SQL Server JDBC driver.
Once the changes are in place, a restart of the Java AppServer should enable SSL connectivity to Azure SQL.