Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Last revision Both sides next revision | ||
tutorial:adm:mssql_database_support [2019/05/06 11:52] kopro [Develop CzechIdM with MsSQL and a docker] |
tutorial:adm:mssql_database_support [2021/03/05 17:15] apeterova NTLM |
||
---|---|---|---|
Line 46: | Line 46: | ||
GO | GO | ||
-- grant permission for the schema (grant all is deprecated) | -- grant permission for the schema (grant all is deprecated) | ||
+ | -- sometimes this is not needed when the user is owner of the schema - then you get ' | ||
GRANT ALTER, CONTROL, CREATE SEQUENCE, DELETE, EXECUTE, INSERT, REFERENCES, SELECT, TAKE OWNERSHIP, UPDATE, VIEW CHANGE TRACKING, VIEW DEFINITION ON SCHEMA:: | GRANT ALTER, CONTROL, CREATE SEQUENCE, DELETE, EXECUTE, INSERT, REFERENCES, SELECT, TAKE OWNERSHIP, UPDATE, VIEW CHANGE TRACKING, VIEW DEFINITION ON SCHEMA:: | ||
GO | GO | ||
Line 55: | Line 56: | ||
GO | GO | ||
</ | </ | ||
+ | |||
+ | <note tip> | ||
+ | If you use a domain user to connect to the database, use this syntax: '' | ||
+ | |||
+ | If your domain user has a very long username (e.g. " | ||
+ | </ | ||
==== Download a JDBC driver ==== | ==== Download a JDBC driver ==== | ||
- | Please download a JDBC driver for MsSQL. For example: [[http:// | + | Please download a JDBC driver for MsSQL. For example: |
+ | |||
+ | The driver must be placed for example into */ | ||
+ | |||
+ | ==== Choose the type of authentication and set connection properties (application.properties) ==== | ||
- | The driver must be placed | + | The configuration depends on the type of authentication, |
+ | | ||
+ | | ||
- | ==== Add connection to property file (application.properties) ==== | + | === SQL Server Authentication |
The correct data source url and password are required. To see an example, visit the github page with [[https:// | The correct data source url and password are required. To see an example, visit the github page with [[https:// | ||
Line 72: | Line 85: | ||
spring.datasource.password=idmadmin | spring.datasource.password=idmadmin | ||
spring.datasource.driver-class-name=com.microsoft.sqlserver.jdbc.SQLServerDriver | spring.datasource.driver-class-name=com.microsoft.sqlserver.jdbc.SQLServerDriver | ||
- | spring.datasource.testOnBorrow=true | + | spring.datasource.test-on-borrow=true |
spring.datasource.validationQuery=SELECT 1 | spring.datasource.validationQuery=SELECT 1 | ||
</ | </ | ||
- | An example | + | An example |
+ | |||
+ | If you need to use a domain user, set the property username like this: '' | ||
+ | |||
+ | === Windows Integrated Authentication === | ||
+ | |||
+ | This type of authentication can be used for a domain user account. It requires a bit more configuration, | ||
+ | |||
+ | This authentication is not supported by Microsoft JDBC drivers prior to the version 6. | ||
+ | |||
+ | Steps to setup: | ||
+ | |||
+ | 1. Set the **Apache Tomcat8 service** to **Log on as** the domain user which you will use to connect to the database (instead of "Local Service" | ||
+ | |||
+ | 2. Grant write access to the Tomcat directory (C:\Program Files\Apache Software Foundation\Tomcat 8.5) to the domain user (or simply Full control). | ||
+ | |||
+ | 3. Extract the file '' | ||
+ | |||
+ | 4. Put '' | ||
+ | |||
+ | 5. Add the option '' | ||
+ | |||
+ | 6. Set the '' | ||
+ | |||
+ | <code properties> | ||
+ | spring.datasource.url=jdbc: | ||
+ | spring.datasource.driver-class-name=com.microsoft.sqlserver.jdbc.SQLServerDriver | ||
+ | spring.datasource.test-on-borrow=true | ||
+ | spring.datasource.validationQuery=SELECT 1 | ||
+ | </ | ||
+ | The example is valid for SQL server running on the server " | ||
+ | |||
+ | 7. Add SQL server certificate to Java truststore (FIXME how?). Workaround: add property '' | ||
+ | </ | ||
+ | |||
+ | 8. Finally, restart the Apache Tomcat8 service so all changes take place. | ||
+ | |||
+ | === Windows Authentication with NTLM === | ||
+ | |||
+ | If you need to use Windows Authentication but can't use the integrated authentication as above (e.g. you are not running IdM on Windows), it's possible to use [[https:// | ||
+ | |||
+ | Example properties: | ||
+ | <code properties> | ||
+ | spring.datasource.url=jdbc: | ||
+ | spring.datasource.username=someserviceuser | ||
+ | spring.datasource.password=somepassword | ||
+ | spring.datasource.driver-class-name=com.microsoft.sqlserver.jdbc.SQLServerDriver | ||
+ | spring.datasource.test-on-borrow=true | ||
+ | spring.datasource.validationQuery=SELECT 1 | ||
+ | </ | ||
+ | |||
+ | The example is valid for SQL server running on the server " | ||
==== Scheduler setup (quartz.properties) ==== | ==== Scheduler setup (quartz.properties) ==== | ||
Line 89: | Line 153: | ||
===== Supported version of MsSQL ===== | ===== Supported version of MsSQL ===== | ||
* **14.0** - 2017 SQL Server 2017 | * **14.0** - 2017 SQL Server 2017 | ||
+ | * Tested version: 14.0.3294.2 | ||
+ | * Unsupported version: 14.0.1000.169 - contains a bug, which causes failure of the task DeleteExecutedEventTaskExecutor with the following error: '' | ||
Line 95: | Line 161: | ||
* [[http:// | * [[http:// | ||
* [[http:// | * [[http:// | ||
+ | * [[https:// | ||
* *Not fully tested* [[https:// | * *Not fully tested* [[https:// | ||
Line 102: | Line 169: | ||
===== Develop CzechIdM with MsSQL and a docker ===== | ===== Develop CzechIdM with MsSQL and a docker ===== | ||
+ | Beware this is recommended only for develop. | ||
Run lasted MsSQL database (change < | Run lasted MsSQL database (change < | ||
$ docker run --name=test-mssql -e ' | $ docker run --name=test-mssql -e ' | ||
- | Copy the initial script (init script is described above, in our example the name of the script file is import.sql) | + | Copy the initial script (init script is described above. Just copy and create file with defined sql queries, in our example the name of the script file is import.sql) |
$ docker cp import.sql test-mssql:/ | $ docker cp import.sql test-mssql:/ | ||
Line 112: | Line 180: | ||
$ docker exec test-mssql / | $ docker exec test-mssql / | ||
+ | |||
+ | ===== Troubleshooting ===== | ||
+ | |||
+ | ==== Increase log level ==== | ||
+ | |||
+ | For debugging the problems when connecting to SQL Server database from CzechIdM, it's useful to turn on the Debug mode of the SQL Server JDBC Driver. Set C:\Program Files\Apache Software Foundation\Tomcat 8.5\conf\logging.properties like this: | ||
+ | |||
+ | <code properties> | ||
+ | 1.catalina.out.org.apache.juli.AsyncFileHandler.level = FINEST (instead of the original INFO) | ||
+ | |||
+ | com.microsoft.sqlserver.jdbc.level=FINEST | ||
+ | </ | ||
+ | After this, the file C:\Program Files\Apache Software Foundation\Tomcat 8.5\conf\tomcat.log shows detailed information about processing the different connection parameters and its results. | ||
+ | |||
+ | Make sure to change the settings back after you finish debugging. It generates **really big ** log files. | ||
+ | |||
+ | ==== Event Viewer ==== | ||
+ | |||
+ | If you have access to the Event Viewer on the server running the SQL Server, you will see the connection attempts under Windows Logs -> Application. The log level is Information even for unsuccessful atempts. You can see e.g.: | ||
+ | * if SQL server knows the account, which is used for connecting | ||
+ | * which type of authentication is used - e.g. if you use a domain account ("NT account" | ||
+ | |||
+ | ==== Instances and ports ==== | ||
+ | |||
+ | Usually, you don't need to specify the port when connecting to SQL Server. By default the driver calls built-in [[https:// | ||
+ | |||
+ | The default SQL Server port (1433) doesn' | ||