Summary: 

A customer may have a requirement to use SSL to encrypt the connection between CRM and SQL Server. It's possible to set up SQL Server to use SSL encryption as per the document below:

http://technet.microsoft.com/en-us/library/ms189067.aspx


More info:

The eWare DLL should just work once this is set up, but you'll need to modify your webapps' jdbc.properties to work with SSL. An example connection string is below:

jdbc.url=jdbc:log4jdbc:jtds:sqlserver://servername:1433/CRM;ssl=require 

Current issues:

Changes were introduced to the Oracle JRE in Java 6 update 29 that cause issues when the Force Encryption option is enabled. These changes were introduced in response to the SSL BEAST security vulnerability. As a result of these changes, all JDBC driver providers must make changes to drivers in order for them to work with SSL.

An update was introduced to Microsoft's JDBC driver that supports the changes. A discussion of this (which also includes a description of the technical issues involved) is available here:

http://support.microsoft.com/kb/2653857

Our issue is that CRM uses the JTDS driver to establish the connection between the CRM webapps and SQL Server. There is an outstanding issue, either in the Java Runtime Environment or in the JTDS driver, which prevents SSL connections from being established using JTDS. This appears to have been introduced by Oracle's fix, which affected both the JTDS and Microsoft JDBC drivers for SQL Server. The Microsoft JDBC driver appears to have been fixed in a later patch, while no fix appears to be present in the current latest build of JTDS. There is a useful discussion of the problem here:

http://stackoverflow.com/questions/8988945/java7-sqljdbc4-sql-error-08s01-on-getconnection

As of JTDS 1.3.1, the only available method for encrypting a JDBC connection between Sage CRM and the database involves disabling the SSL BEAST fix. This can be done by adding an additional option to the Tomcat startup settings in the registry, under HKLM\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\<CRM instance>Tomcat6\Parameters\Java\Options. The corresponding location for Tomcat 7 will work if you are using Sage CRM 7.2 or later.

Adding the following switch will disable the SSL BEAST protection:

-Djsse.enableCBCProtection=false

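Since the SSL BEAST attack is a man-in-the-middle (MITM) attack, disabling the protection should be low-risk, so long as you control the network connection between the CRM and SQL servers. Note that the switch is a JVM system property, so it applies to every SSL/TLS connection made by that Tomcat instance, not only the connection to SQL Server.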
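The registry change described above can be scripted so that it is repeatable and reversible. The following PowerShell is an added example, not Sage CRM tooling: the function names are hypothetical, and it assumes Procrun stores the JVM options as a REG_MULTI_SZ value named Options under the Parameters\Java key.

```powershell
# Added example, not Sage CRM tooling. Assumes Procrun keeps the JVM options in
# a REG_MULTI_SZ value named "Options" under the ...\Parameters\Java key.
$CbcSwitch = '-Djsse.enableCBCProtection=false'

function Merge-JvmOption {
    # Return the option list with any existing setting of the same -D property
    # dropped and, unless -Remove is given, the new option appended once.
    param([string[]]$Existing, [string]$Option, [switch]$Remove)
    $name = $Option.Split('=')[0]
    $kept = @($Existing | Where-Object { $_ -and ($_ -notlike "$name=*") })
    if (-not $Remove) { $kept += $Option }
    return ,$kept
}

function Set-CrmCbcProtection {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Registry key name of the service, i.e. "<CRM instance>Tomcat6" (or Tomcat7)
        [Parameter(Mandatory)][string]$ServiceKey,
        # Take the switch out again, restoring the JRE default
        [switch]$Remove
    )
    $key = "HKLM:\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\$ServiceKey\Parameters\Java"
    if (-not (Test-Path $key)) { throw "Registry key not found: $key" }

    $current = @((Get-ItemProperty -Path $key -Name Options -ErrorAction Stop).Options)
    # Nothing to do when adding and the switch is already there,
    # or when removing and it is already absent.
    if (($current -contains $CbcSwitch) -ne $Remove.IsPresent) {
        Write-Output "No change needed for $ServiceKey"
        return
    }
    $updated = Merge-JvmOption -Existing $current -Option $CbcSwitch -Remove:$Remove
    if ($PSCmdlet.ShouldProcess($key, 'Rewrite Options value')) {
        # Print the previous value so the change can be reverted by hand
        Write-Output 'Previous Options:'; $current
        Set-ItemProperty -Path $key -Name Options -Value $updated -Type MultiString
        Write-Output 'Updated. Restart the Tomcat service so the JVM picks up the change.'
    }
}

# Usage from an elevated prompt; replace the placeholder with the real key name:
# Set-CrmCbcProtection -ServiceKey '<CRM instance>Tomcat6' -WhatIf
```

Running it with -WhatIf first shows which key would be rewritten without touching it, and -Remove takes the switch out again once a driver that works with the protection enabled is in place.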

This KBA was last updated on 30th September 2016, and all information is current as of that date. The last JRE version tested was 8u92, and the last JTDS release tested was 1.3.1.