Connection to MSSQL(2014) lost when updated to 8.1 (from 7.9)

I am upgrading Ignition to 8.1. I had no problem receiving data from KEPServerEX after the change, however I have lost connection to my DB (MSSQL) and the log is giving me the following error:

java.lang.Exception: Failed connecting to LDAP server.
at com.inductiveautomation.ignition.gateway.authentication.impl.LDAPHelper.openContext(LDAPHelper.java:294)
at com.inductiveautomation.ignition.gateway.authentication.impl.LDAPHelper.search(LDAPHelper.java:339)
at com.inductiveautomation.ignition.gateway.authentication.impl.ActiveDirectoryUserSource.getRoles(ActiveDirectoryUserSource.java:276)
at com.inductiveautomation.ignition.gateway.authentication.UserSourceWrapper.doGetRoles(UserSourceWrapper.java:424)
at com.inductiveautomation.ignition.gateway.authentication.UserSourceWrapper$RoleCacheImpl.doUpdate(UserSourceWrapper.java:305)
at com.inductiveautomation.ignition.gateway.authentication.UserSourceWrapper$RoleCacheImpl.doUpdate(UserSourceWrapper.java:300)
at com.inductiveautomation.ignition.gateway.authentication.AbstractCache$UpdateTask.run(AbstractCache.java:118)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)
Caused by: javax.naming.CommunicationException: scada-dc:389
at java.naming/com.sun.jndi.ldap.Connection.<init>(Unknown Source)
at java.naming/com.sun.jndi.ldap.LdapClient.<init>(Unknown Source)
at java.naming/com.sun.jndi.ldap.LdapClient.getInstance(Unknown Source)
at java.naming/com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(Unknown Source)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at java.naming/javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at java.naming/javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at java.naming/javax.naming.InitialContext.init(Unknown Source)
at java.naming/javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
at com.inductiveautomation.ignition.gateway.authentication.impl.LDAPHelper.openContext(LDAPHelper.java:276)
… 11 common frames omitted
Caused by: java.net.UnknownHostException: scada-dc
at java.base/java.net.AbstractPlainSocketImpl.connect(Unknown Source)
at java.base/java.net.SocksSocketImpl.connect(Unknown Source)
at java.base/java.net.Socket.connect(Unknown Source)
at java.base/java.net.Socket.connect(Unknown Source)
at java.base/java.net.Socket.<init>(Unknown Source)
at java.base/java.net.Socket.<init>(Unknown Source)

Any ideas?

I’m not sure this error has anything to do with your database connection. This looks like a user profile failing to connect to the AD server because the hostname “scada-dc” can’t be resolved.

Can you upload the full logs somewhere? Is there more information in the gateway on the database status or connection?

I don't think I can share the whole logs (large size file).

This is the error I get from the Gateway>Status>Connections>Databases (clicking on the ERROR symbol):

java.sql.SQLException: Cannot create PoolableConnectionFactory (The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: “No appropriate protocol (protocol is disabled or cipher suites are inappropriate)”.)
at org.apache.commons.dbcp2.BasicDataSource.createPoolableConnectionFactory(BasicDataSource.java:656)
at org.apache.commons.dbcp2.BasicDataSource.createDataSource(BasicDataSource.java:534)
at org.apache.commons.dbcp2.BasicDataSource.getConnection(BasicDataSource.java:734)
at com.inductiveautomation.ignition.gateway.datasource.DatasourceImpl.getConnectionInternal(DatasourceImpl.java:299)
at com.inductiveautomation.ignition.gateway.datasource.DatasourceImpl.runTest(DatasourceImpl.java:252)
at com.inductiveautomation.ignition.gateway.datasource.DatasourceManagerImpl$FaultedDatasourceRetryer.lambda$newRetryRunnable$0(DatasourceManagerImpl.java:1096)
at com.inductiveautomation.ignition.common.execution.impl.BasicExecutionEngine$TrackedTask.run(BasicExecutionEngine.java:582)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.base/java.util.concurrent.FutureTask.runAndReset(Unknown Source)
at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)
Caused by: com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: “No appropriate protocol (protocol is disabled or cipher suites are inappropriate)”.
at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:1368)
at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1412)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:1058)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:833)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:716)
at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:841)
at org.apache.commons.dbcp2.DriverConnectionFactory.createConnection(DriverConnectionFactory.java:52)
at org.apache.commons.dbcp2.PoolableConnectionFactory.makeObject(PoolableConnectionFactory.java:357)
at org.apache.commons.dbcp2.BasicDataSource.validateConnectionFactory(BasicDataSource.java:103)
at org.apache.commons.dbcp2.BasicDataSource.createPoolableConnectionFactory(BasicDataSource.java:652)
… 12 more
Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
at java.base/sun.security.ssl.HandshakeContext.<init>(Unknown Source)
at java.base/sun.security.ssl.ClientHandshakeContext.<init>(Unknown Source)
at java.base/sun.security.ssl.TransportContext.kickstart(Unknown Source)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1379)
… 20 more

8.1.15 (b2022030114)
Azul Systems, Inc. 11.0.14.1

How can I change the user profile used by Ignition? I don't recognize scada-dc as one of the users I manage.

This thread (and its linked threads) should cover your SQL Server problem: SQL Server Connection Faulted

Basically, your old version of SQL Server does not support TLS 1.2, and by default newer Java versions have deprecated and do not support TLS 1.0 or 1.1. So you either need to upgrade SQL Server or hack up your Java install to enable the insecure protocols.

User sources are managed in the gateway. All I know is you have a user source trying to connect to an AD server at hostname “scada-dc”. Classic Authentication Strategy - Ignition User Manual 8.1 - Ignition Documentation

Thank you Kevin. I have taken good note of this issue and will address the required SQL update during the software specification discussion with the end user. Reducing the security of the Java install is not an option.

:+1:

I wish more of the other people who ran into this issue came to the same conclusion.


I am working very closely with the ICS Security team at the corporate level. They are making sure there are no cracks in the configuration. In fact, that is one of the main drives for the software updates. In the same line, would you have any additional security guidelines (in the form of official Inductive documentation) that I can refer to, other than those guidelines described in the general manual?

Have you seen this yet?

Thank you!

You can actually remove TLS1.0 and TLS1.1 from the disabledAlgorithms variable in the java.security file, which is located at "C:\Program Files\Inductive Automation\Ignition\lib\runtime\jre-win\conf\security", and use TLS1.0 and TLS1.1 in 8.1, but as @Kevin.Herron pointed out, the right thing to do is upgrade SQL and use TLS1.2.
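
A check a defender can run against the java.security file discussed in this thread to confirm that TLS 1.0 and TLS 1.1 are still listed in the disabled-algorithms property. This is an added example, not part of the thread and not Inductive Automation's code; the two sample file bodies are constructed, and the property name assumed is the standard JDK `jdk.tls.disabledAlgorithms`.

```python
import sys

LEGACY_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")

# Constructed samples (not copied from any real install).
HARDENED_SAMPLE = r"""
# TLS restrictions
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""
WEAKENED_SAMPLE = r"""
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""


def read_property(text, key):
    """Return the value of key from java.security-style text, or None.
    Handles comment lines and backslash continuations; last definition wins."""
    value, logical = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line.startswith(("#", "!"))):
            continue  # blank or comment line outside a continuation
        if line.endswith("\\"):
            logical += line[:-1]  # value continues on the next line
            continue
        logical += line
        name, sep, rest = logical.partition("=")
        if sep and name.strip() == key:
            value = rest.strip()
        logical = ""
    return value


def reenabled_legacy_protocols(text):
    """List legacy protocols that are NOT in jdk.tls.disabledAlgorithms."""
    value = read_property(text, "jdk.tls.disabledAlgorithms") or ""
    disabled = {entry.strip().lower() for entry in value.split(",")}
    return [p for p in LEGACY_PROTOCOLS if p.lower() not in disabled]


if __name__ == "__main__":
    # Usage: python check_tls.py <path to java.security>
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        found = reenabled_legacy_protocols(fh.read())
    print("re-enabled legacy protocols:", ", ".join(found) or "none")
    sys.exit(1 if found else 0)
```

The non-zero exit status when a legacy protocol is missing from the list lets the script act as a configuration-drift check after gateway upgrades.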