After upgrading from 8.1.13 to 8.1.32, one DB is down out of tens of DBs

Dears,

I can log in to a database directly from MSSQL, and I defined this DB in Ignition before and it was valid, but now, after upgrading from 8.1.13 to 8.1.32, I find this DB fails to connect from the Ignition gateway although the DB is healthy.

What's the error message?

```
java.sql.SQLException: Cannot create PoolableConnectionFactory (The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "The server selected protocol version TLS10 is not accepted by client preferences [TLS13, TLS12]". ClientConnectionId:bad00221-c19c-47c3-a71b-62eede591102)
    at org.apache.commons.dbcp2.BasicDataSource.createPoolableConnectionFactory(BasicDataSource.java:656)
    at org.apache.commons.dbcp2.BasicDataSource.createDataSource(BasicDataSource.java:534)
    at org.apache.commons.dbcp2.BasicDataSource.getConnection(BasicDataSource.java:734)
    at com.inductiveautomation.ignition.gateway.datasource.DatasourceImpl.getConnectionInternal(DatasourceImpl.java:300)
    at com.inductiveautomation.ignition.gateway.datasource.DatasourceImpl.runTest(DatasourceImpl.java:253)
    at com.inductiveautomation.ignition.gateway.datasource.DatasourceManagerImpl$FaultedDatasourceRetryer.lambda$newRetryRunnable$0(DatasourceManagerImpl.java:1096)
    at com.inductiveautomation.ignition.common.execution.impl.BasicExecutionEngine$TrackedTask.run(BasicExecutionEngine.java:587)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
    at java.base/java.util.concurrent.FutureTask.runAndReset(Unknown Source)
    at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.base/java.lang.Thread.run(Unknown Source)
Caused by: com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "The server selected protocol version TLS10 is not accepted by client preferences [TLS13, TLS12]". ClientConnectionId:bad00221-c19c-47c3-a71b-62eede591102
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:2887)
    at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1881)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:2452)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:2103)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:1950)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:1162)
    at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:735)
    at org.apache.commons.dbcp2.DriverConnectionFactory.createConnection(DriverConnectionFactory.java:52)
    at org.apache.commons.dbcp2.PoolableConnectionFactory.makeObject(PoolableConnectionFactory.java:357)
    at org.apache.commons.dbcp2.BasicDataSource.validateConnectionFactory(BasicDataSource.java:103)
    at org.apache.commons.dbcp2.BasicDataSource.createPoolableConnectionFactory(BasicDataSource.java:652)
    ... 12 more
Caused by: javax.net.ssl.SSLHandshakeException: The server selected protocol version TLS10 is not accepted by client preferences [TLS13, TLS12]
    at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
    at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
    at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
    at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
    at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
    at java.base/sun.security.ssl.ServerHello$ServerHelloConsumer.onServerHello(Unknown Source)
    at java.base/sun.security.ssl.ServerHello$ServerHelloConsumer.consume(Unknown Source)
    at java.base/sun.security.ssl.SSLHandshake.consume(Unknown Source)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
    at java.base/sun.security.ssl.TransportContext.dispatch(Unknown Source)
    at java.base/sun.security.ssl.SSLTransport.decode(Unknown Source)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1799)
    ... 21 more
```

8.1.32 (b2023091211) Azul Systems, Inc. 11.0.18

Support solved it

Starting with Java 11.0.11, TLS v1.0 and TLS v1.1 protocols are disabled by default. You will need to either enable TLS1.2 on the SQL Server or re-enable TLS1.0 and TLS1.1 on the Ignition Gateway. The suggested method is to enable TLS1.2 on the SQL Server since it's more secure. The process to do this can be found from Microsoft, and is based on the version of SQL Server you're using.

I have included the steps for the second option below, assuming you are running Windows. The steps vary a little if you are running Linux. Let me know if you have any questions.

Steps to re-enable TLS V1 and TLS V1.1:

* https://support.inductiveautomation.com/hc/en-us/articles/4417310204813-TLS-v1-0-and-v1-1-Microsoft-SQL-Server-Database-connection-issue

1. Launch the Notepad application as an Administrator
2. Open the java.security file located in `C:\Program Files\Inductive Automation\Ignition\lib\runtime\jre-win\conf\security`
3. Remove TLS V1 and TLS V1.1 from the list of `jdk.tls.disabledAlgorithms`
4. Restart the Gateway Service

TLS 1.2 Support for Microsoft SQL Server: <https://support.microsoft.com/en-us/topic/kb3135244-tls-1-2-support-for-microsoft-sql-server-e4472ef8-90a9-13c1-e4d8-44aad198cdbe>
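To audit which gateways still carry the stopgap from step 3, the `jdk.tls.disabledAlgorithms` property in `java.security` can be parsed and checked for legacy protocols that are no longer disabled. This is an added example, not code from the original posts or from Inductive Automation; the function names and both sample file contents are constructed for illustration.

```python
import re

KEY = "jdk.tls.disabledAlgorithms"
LEGACY = ("SSLv3", "TLSv1", "TLSv1.1")  # protocols that should stay disabled

def logical_lines(text):
    """Yield property lines: comments dropped, backslash continuations joined."""
    buf, continuing = "", False
    for raw in text.splitlines():
        line = raw.lstrip()
        if not continuing and (not line or line[0] in "#!"):
            continue
        # An odd number of trailing backslashes means the value continues.
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:
            buf, continuing = buf + line[:-1], True
            continue
        yield buf + line
        buf, continuing = "", False
    if continuing:
        yield buf

def disabled_tls_entries(text):
    """Return the entries of jdk.tls.disabledAlgorithms, or None if unset."""
    value = None
    for line in logical_lines(text):
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m and m.group(1) == KEY:
            value = m.group(2)  # last definition wins, as in java.util.Properties
    if value is None:
        return None
    return [e.strip() for e in value.split(",") if e.strip()]

def reenabled_legacy_protocols(text):
    """List legacy protocols that the file does NOT disable."""
    entries = disabled_tls_entries(text)
    disabled = {e.lower() for e in entries} if entries else set()
    return [p for p in LEGACY if p.lower() not in disabled]

# Constructed samples: a stock-style entry, and the same entry after step 3.
STOCK = r"""
# constructed sample
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""
EDITED = r"""
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""

if __name__ == "__main__":
    for name, sample in (("stock", STOCK), ("edited", EDITED)):
        print(name, "->", reenabled_legacy_protocols(sample) or "legacy TLS disabled")
```

A non-empty result means the JVM will accept those protocols for every outbound TLS connection from the gateway, not only the one SQL Server data source.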

I hope they explained this is a stopgap solution to use until you upgrade your ancient insecure SQL Server instance.

3 Likes

Here's a better way to solve it if you can't upgrade the DB (and I couldn't):

  • TLS settings won't be overwritten on your next upgrade.
  • All your other DB connections will have security left as they should be.

It just works!

1 Like