Configuring Provider and EKM Logs
This section describes the following topics:
Configuring CAKM for Microsoft SQL Server EKM Provider in Microsoft SQL Server
Configuring CAKM for Microsoft SQL Server EKM Provider in SQL Cluster
Configuring CAKM for Microsoft SQL Server EKM Provider in Microsoft SQL Server
To configure the CAKM for Microsoft SQL Server EKM Provider in the Microsoft SQL Server database:
Enabling EKM in Your Microsoft SQL Server Database
Perform the following steps to enable EKM in your Microsoft SQL Server Database:
Execute the below query on the Microsoft SQL Server.
sp_configure 'show advanced options', 1; RECONFIGURE;
Now, run the query mentioned below.
sp_configure 'EKM provider enabled', 1; RECONFIGURE;
Only the users with the sysadmin or serveradmin privileges can execute the sp_configure
query to change the server configuration. Whereas, the other users can run this command only to view the server configuration.
Loading the DLL
• Before loading the DLL, ensure that NAE_IP
and Log_File
parameters are configured. You can also configure the other parameters as per your requirement. For more details, refer Configuring Properties File
• Only the users with the sysadmin privileges can load the DLL.
To load the DLL, execute the following query. This will create a new cryptographic provider named <provider_name>
. Provider name is visible under Security\Cryptographic Providers in Microsoft SQL Server Management Studio.
CREATE CRYPTOGRAPHIC PROVIDER <provider_name>
FROM FILE = '<Installation_Directory>\CipherTrust\CAKM For SQLServerEKM\cakm_mssql_ekm.dll'
Alter the file location if you did not accept the default installation directory.
Creating Credentials with Microsoft SQL Server
To create a SQL credential, execute the following query. This will create a new credential named <credential_name>
. The credential is visible under Security\Credentials in Microsoft SQL Server Management Studio.
CREATE CREDENTIAL <credential_name> WITH IDENTITY='<cipherTrust_manager_user>',
SECRET='<cipherTrust_manager_user_password>'
FOR CRYPTOGRAPHIC PROVIDER <provider_name>
You must use a user/password combination that exists on the CipherTrust Manager and that user must have at least Key Admins privileges.
To map this new credential to an existing login on the Microsoft SQL Server, execute the following query:
ALTER LOGIN <Sql_server_login> ADD CREDENTIAL <credential_name>
Configuring CAKM for Microsoft SQL Server EKM Provider in SQL Cluster
CAKM for Microsoft SQL Server EKM Provider can be used in SQL cluster. Install and configure the provider in the cluster environment.
Install the CAKM for Microsoft SQL Server EKM Provider on all the nodes. For more details, refer Installing CAKM for Microsoft SQL Server EKM Provider
On all nodes, modify the required properties in the cakm_mssql_ekm.properties file.
Configure SQL EKM only on one database node, using the following steps:
Create the key (if needed) only on one node. For more details, refer Creating Keys.
Configuring EKM Logs
EKM logs are generated at the file location mentioned in the MS_Sql_Ekm_Log
property in the cakm_mssql_ekm.properties
file
The default path is C:\EKM\EKMSql.log
.
You can update the file location where you want EKM logs to be generated. For example:
MS_Sql_Ekm_Log = <log_file_path>
You can configure separate log files for different database instances.