I am working on a prototype for an upcoming big solution and wish to use Always Encrypted to encrypt certain sensitive database columns.
My setup is a follows:
Database Server: SQL Server 2016 installed
Application Server: Reporting Server 2016 installed pointing to the Database Server engine. IIS, .Net 4.6.2 etc. all setup as well.
The environment is also setup in a way that the DBA can't read the encrypted data even if from Management Studio he will add the 'Column Encryption Setting = Enabled' in the connection. So my certificate is installed on the Application Server while the CMK and CEK are installed on the Database Server database.
I can view the encrypted data from my Web App installed on the Application Server with no problem, and the DBA can't read the encrypted data directly from the database, so I am assuming that my environment is well set up.
As explained I have SSRS 2016 installed on the Application Server but pointing to the database with encrypted columns on the database server. I have done a basic dump report (for testing purposes) using Report Builder of course and all works well EXCEPT that the encrypted data is not displayed - it is remaining blank in the SSRS Table! The encrypted column is just a basic nvarchar(200)
In the datasource connection string I have added 'Column Encryption Setting = Enabled'. Without it the report display #Error as expected. So I am assuming that this is needed as well.
Something also that I noticed is that from the Query Designer I can read the encrypted column. if I remove 'Column Encryption Setting = Enabled' from the datasource the Query Designer displays VarBinary if I remember correctly. I am working with Report Builder and Query Designer directly on the Application server of course.
I tried to search for any tutorials on how to use SSRS with Always Encrypted but I couldn't find anything. All I found is a comment in a post that SSRS supports Always Encrypted.
Can someone please enlighten what I am doing wrong or what I am missing?
Thanks in advance.
Disclaimer: I am a Program Manager at Microsoft.
To troubleshoot your issue, please try to run the problematic query (the one that returns no data in Report Builder) from SQL Server Management Studio on the same machine (that you run Report Builder from) and as the same user, over a connection with 'Column Encryption Setting = Enabled' and see, if you get any error message.
I have seen a query against encrypted columns returning no results in Report Builder, if the certificate is not deployed on the machine, hosting Report Builder, or the user does not have a permission to access the certificate. Do you store the certificate (used as a column master key) in the Current User or Local Machine store? If it is in the Local Machine store, you need to ensure that you (the user who runs Report Builder) have the permissions to access the certificate (you can configure permissions on a certificate using Management Console).
The account that is running the SSRS service needs to have read permission on the Always Encrypted certificate in the Local Machine store. Right click the certificate, select All Tasks – Manage Private Keys and then provide the SSRS service account read permissions on the certificate.
Related
We are going to use Always Encryption on few of the columns in our database tables. I gone through some of the articles on this subject and stuck on two points.
Say I am going to use same server for my database and my web application. Now I can save the Column Master Key(CMK) in the Windows certificate store of the current machine. How can I ensure that except Administrator no other database user can access the plain text data from SSMS?
I have separate servers for database and web application. In the time of encryption, the CMK certificate get created in the database server. Now I can export the certificate and install it in web application server. Can I remove the certificate from the database server so that nobody can see the plain text data?
Thanks in advance
I am a total newbie in SQL/SQL server stuff, and I am using SSRS to make a new reporting server/service and upload some .rdl files to it
I have a reporting server on a machine, which has a lot of reports and data sources uploaded to it's database.
I created a new reporting server with a fresh database on another machine, and what I want to do is to copy the old database content to the fresh one (the reports and the datasources..etc)
I have no copy of the individual reports to upload them to the new server using localhost/reports
is there's a fast solution to what i am having? please do it in detail because I never worked with SQL before.
Different ways to do this:
Report Server Databases
Use the detach/attach or backup/restore instructions here. Both of these methods require a backup of encryption keys on the existing instance, which are then restored to the new report server instance. Instructions on backup/restore of encryption keys here. Migrating the ReportServer and ReportServerTempdb databases is the easiest way to ensure all content is available on the new server.
Report Object Scripting
Reporting Services Scripter is an older (but still working with SSRS 2008R2, not sure about 2012) tool that can be used to transfer objects (folders, shared data sources, shared data sets, reports, etc) between report servers. Good choice if you want to pick and choose what is migrated.
If you are receiving an error regarding unsupported scale-out deployment, this means you are running Standard edition and need to remove the old report server entry from the database in the new location. It can be done using Reporting Services Configuration Manager, or by using rskeymgmt at command line.
Reporting Services Configuration Manager
Open Reporting Services Configuration Manager and connect to the new report server instance.
Click on Scale-out Deployment to view registered report servers.
Select the old report server instance and click the Remove Server button.
Command line and rskeymgmt
Browse to the Tools\Binn folder of your SQL Server client installation.
Run the following to list registered report servers
rskeymgmt -l -i
Using the installation ID (GUID) of the old report server, remove it
rskeymgmt -r -i
More info on scale-out deployments and rskeymgmt here.
To migrate Reporting Services, use migration manual from MSDN (https://msdn.microsoft.com/en-us/library/ms143724(v=sql.120).aspx). If you encounter "the feature: scale-out deployment is not supported in this edition of reporting services. (rsoperation notsupported)" error, go to ReportServer database and remove the old encryption key from table dbo.Keys.
Public Domino server has a publicly available Lotus Notes database. That database has a form that an unauthenticated user can fill out and submit using his/her browser.
This publicly available form is only used for the post request and data must not be stored on that publicly available server. Instead, I need to connect to a database on an internal server and create the document there.
Obvious solution is a Lotus Script agent but when I worked on Notes, I remember non-user agents were prevented from opening databases on another server for security reasons. I certainly cannot introduce secure server setup. I need to find a way to do this that fits current setup. The servers are in two different Notes networks but mail is routed between them, so if I don't find a better solution, I will probably mail the document.
Any ideas? I have not worked with latest Notes servers. Anything in 8.5 that can help here?
In the server document on the security tab there is an Option called "Trusted Servers" if you could put the external server into that field, then the agent would be allowed to dirctly write into databases on the internal server.
If you are not able / allowed to do this, then you have to write to a "local" database (on external server) and replicate this database to internal server either by using a console command (NotesSession.SendConsoleCommand) or with the replicate method of the NotesDatabase class (not sure, if this will work due to the same security restrictions) or via scheduled replication.
If the database itself cannot be replicated on the external server, then you should use a container database and let an agent on the internal server copy the data to the internal database.
And the last possibility you already mentioned: compose the document and send it via mail. Make the target database a mailin- database and simply send you data there with NotesDocument.Send...
One of these options should solve your problem.
I have a SQL Server 2012 reporting Services in native mode. The report server url is:
http//hodentekwin7/ReportServer_Kailua
This which works fine.
I have SharePoint 2010 installed it is working fine, i.e. I can access Central administration. So far no problem.
I have installed SQL Server 2008 R2 for SharePoint Integrated mode, and have been able in SharePoint Adminsitration to:
Get database access with my login credentials
Successfully added to the WSS_WPG membership
Specified activation and deactivation in all site collections
However, when I try to set the Report Server site settings I get this error:
The report server cannot decrypt the symmetric key that is used to access sensitive or encrypted data in a report server database. You must either restore a backup key or delete all encrypted content. (rsReportServerDisabled) Get Online Help
Bad Data. (Exception from HRESULT: 0x80090005)
Well, SQL Server 2008 R2's Configuration Manager is not even accessed even once to set up any kind of encryption. I cannot even access the server.
The Microsoft link for this error helps is a page which is not available.
The Report Server is working but cannot be configured. The Report server databases are present. SSRS 2008 R2 was never configured through the Configuration Manager of RS.
Some tips on MS Site regarding "deleting all encrypted keys" requires access to SSRS Configuration tool (which is not available for SSRS with SharePoint).
Any workaround?
Finally found the answer. I deleted all encrypted content. The funny thing is it was a fresh installed, never used service, where did the encrypted content come from? Perhaps out of the box item!
I just created a new database in "Microsoft SQL Server Management Studio Express" and now I'm in "ColdFusion Administrator" and I'm trying to add my database as a Data Source. How do I do that? I believe the servername is .\SQLEXPRESS but I'm not sure what the default username and password are. I've tried creating a new login through Management Studio with an actual username and password, but those aren't working either. The error I'm getting is:
Connection verification failed for data source: xxx
java.sql.SQLNonTransientConnectionException: [Macromedia][SQLServer JDBC Driver]The requested instance is either invalid or not running.
The root cause was that: java.sql.SQLNonTransientConnectionException: [Macromedia][SQLServer JDBC Driver]The requested instance is either invalid or not running.
I can see that the service is running, and I can connect to it through management studio. I've tried following a couple tutorials online, but they don't seem to be working for me. Ideas?
Server name can be any resolvable hostname or domain name, in case of having SQL Server and CF server on same box localhost should work for you.
Also make sure that user you created has access to the particular database and needed operations. Look into the database permissions for this. This check is not required when using master account (often login is sa), but this is not recommended practice because of the security reasons.
Also make sure SQL Server and Windows Authentication mode is checked. I had an issue with permissions as well when I only had Windows Authentication enabled under:
right click on server (localhost) -> security
Then restart SQL Server Services to save changes. After that I was able to connect my ColdFusion datasource to SQL Server.
For testings sake use the same credentials that you are connected with in Management Studio, likely the "sa" user and password. Once you have it working with "sa" then go back into Management Studio and create an application level user for your CF app and then update the data source to use your new user / password.