Cannot Connect to MS SQL Server Using Force Encryption
Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.
Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Atlassian applications allow the use of SSL within our products, however Atlassian Support does not provide assistance for configuring it. Consequently, Atlassian can not guarantee providing any support for it.
- If assistance with conversions of certificates is required, please consult with the vendor who provided the certificate.
- If assistance with configuration is required, please raise a question on Atlassian Answers.
Symptoms
- JIRA fails to start when running the JIRA startup checks.
- The exception below is thrown even after importing the server certificate as suggested on the KB Unable to Connect to MS SQL Server Due to DB server closed connection.
The following appears in the atlassian-jira.log:
2013-10-07 11:20:02,731 main ERROR [NoModule] Error getting datasource via DBCP: JdbcDatasourceInfo{uri='jdbc:jtds:sqlserver://sqlserverhostname:1433/jiradb;ssl=true;', driverClassName='net.sourceforge.jtds.jdbc.Driver', username='jirauser', password='********', isolationLevel='null', connectionProperties=null, connectionPoolInfo=ConnectionPoolInfo{maxSize=15, minSize=2, initialSize=null, maxIdle=15, maxWait=60000, sleepTime=300000, lifeTime=600000, deadLockMaxWait=600000, deadLockRetryWait=10000, validationQuery=null, minEvictableTimeMillis=null, timeBetweenEvictionRunsMillis=null, poolPreparedStatements=null, testOnBorrow=null, testOnReturn=null, testWhileIdle=null, maxOpenPreparedStatements=null, numTestsPerEvictionRun=null, removeAbandonedTimeout=null, validationQueryTimeout=null, defaultCatalog=null}}
org.apache.commons.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory (I/O Error: DB server closed connection.)
at org.apache.commons.dbcp.BasicDataSource.createPoolableConnectionFactory(BasicDataSource.java:1549)
(...)
at com.atlassian.jira.startup.LauncherContextListener.contextInitialized(LauncherContextListener.java:95) <+12> (StandardContext.java:4205) (StandardContext.java:4704) (ContainerBase.java:1053) (StandardHost.java:840) (ContainerBase.java:1053) (StandardEngine.java:463) (StandardService.java:525) (StandardServer.java:754) (Catalina.java:595) (NativeMethodAccessorImpl.java:39) (DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597) <+2> (Bootstrap.java:289) (Bootstrap.java:414)
Caused by: java.sql.SQLException: I/O Error: DB server closed connection.
at net.sourceforge.jtds.jdbc.TdsCore.nextToken(TdsCore.java:2311)
at net.sourceforge.jtds.jdbc.TdsCore.login(TdsCore.java:603)
at net.sourceforge.jtds.jdbc.ConnectionJDBC2.<init>(ConnectionJDBC2.java:357)
at net.sourceforge.jtds.jdbc.ConnectionJDBC3.<init>(ConnectionJDBC3.java:50)
at net.sourceforge.jtds.jdbc.Driver.connect(Driver.java:184) <+2>
at org.apache.commons.dbcp.PoolableConnectionFactory.makeObject(PoolableConnectionFactory.java:582)
at org.apache.commons.dbcp.BasicDataSource.validateConnectionFactory(BasicDataSource.java:1556)
at org.apache.commons.dbcp.BasicDataSource.createPoolableConnectionFactory(BasicDataSource.java:1545)
... 47 moreCause
Oracle introduced a security fix for the SSL/TLS BEAST attack that is known to interfere with Microsoft JDBC/jTDS connections.
Setting the -Djsse.enableCBCProtection=false system variable will disable the fix and potentially allow the connection.
Resolution
Attention
- To be able to connect to MS SQL you will have to disable the fix for the SSL/TLS BEAST attack, and hence, the DB server will be vulnerable to this type of attack.
- Known bug ticket - JRASERVER-39866 - Java 1.8 and jTDS Sql Server SSL Connection Issues
Stop JIRA.
Include the parameter below in your JIRA startup as per the instructions on the Setting Properties and Options on Startup document:
JVM_SUPPORT_RECOMMENDED_ARGS="-Djsse.enableCBCProtection=false"- Save the changes and start JIRA.
Please note that the DB connection string must have the "ssl=true" parameter.