Installation

This section describes how to install and set up nShield Web Services SQLEKM for both standalone and clustered deployments.

Prerequisites for installing the nShield Web Services SQLEKM provider

  • Ensure that Microsoft Visual C++ 2015-2022 Redistributable (x64) has been installed. A supported version is included on the nShield Web Services SQLEKM ISO under redist or can be downloaded from https://learn.microsoft.com/en-us/cpp/windows/latest-supported-vc-redist?view=msvc-170.

  • If you are using an SQL Server cluster, these installation steps should be repeated for each node in the cluster. The installation described here assumes Microsoft SQL Server and the nShield Web Services Option Pack are already installed.

  • Ensure that all the latest service packs, updates and hotfixes for Microsoft SQL Server software have been added.

  • SQL Server credentials and appropriate permissions are required for all users to install, configure, or use the Web Services SQLEKM provider.

  • If you are intending to migrate keys from an existing nDSOP environment, see Migrating nDSOP keys.

Install nShield Web Services SQLEKM provider

  1. Sign in as Administrator or as a user with local administrator rights.

  2. Using the provided installation media, launch setup.msi manually.

  3. Follow the onscreen instructions.

  4. Accept the license terms and select Next to continue.

  5. Specify the installation directory and select Next to continue.

  6. Enter the Web Services Option Pack Server host and port number and select Next to continue.

    The host name must match the common name in the Web Services Option Pack Server’s certificate; see Install certificates for secure communication. The following registry entries can be used to change the host and port of the Web Services Option Pack Server:

    • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\nCipher\SQLEKM\WebServices\Host (type REG_SZ)

    • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\nCipher\SQLEKM\WebServices\Port (type REG_DWORD)

  7. Select Install to initiate installation.

  8. Select Finish to complete the installation.

Install certificates for secure communication

The Web Services SQLEKM provider can only communicate securely with a Web Services Option Pack Server if the following certificates are installed:

  • The Web Services Option Pack Server’s CA certificate.

  • An appropriate client certificate (with each SQL Server node in a cluster using its own client certificate).

  • Any intermediate CA certificates that are to be used to form a complete chain to verify the client certificate on the Web Services Option Pack Server.

For information on these certificates, see nShield Web Services v3.3.1.

  1. Install the Web Services Option Pack Server’s CA certificate chain into the Root store using certutil.exe or a similar program.

    certutil.exe -addstore Root <ca_certificate.pem>

  2. Check that the certificate has been installed:

    certutil.exe -store Root

  3. Install any intermediate CA certificates for the client certificate:

    certutil.exe -addstore CA <intermediate_ca_certificate.pem>

  4. Install the client certificate and its private key with the ws-sqlekm-cert-install.exe tool. The tool is installed in the Web Services SQLEKM bin directory, for example C:\Program Files\nCipher\WebServices\SQLEKM\bin. It expects the client certificate to be a PFX file that contains a single certificate and the associated private key.

    The PFX must not contain the full certificate chain.

    To install the client certificate to a specific store, use the --install option and specify the PFX file, the associated password (if applicable), and the certificate store:

    ws-sqlekm-cert-install.exe --install -p <password> -s My -x <client_certificate.pfx>

    If the certificate is installed, the installer returns the Operation successful message.

    The installation fails if:

    • More than one certificate is found in the PFX file.

    • A certificate containing the same subject name is found in the selected certificate store.

      Remove the existing certificate and reattempt installation.

    If deploying a SQL Server cluster, each node should have its own client certificate.
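
A pre-flight check for the two installer failure conditions listed in step 4, as an added example that is not part of the nShield tooling or of this guide's original text. It assumes the My store passed with -s is the LocalMachine store and that an exact subject-string comparison is close enough to the installer's own check; Test-SqlEkmClientPfx is a hypothetical name.

```powershell
# Added example: inspect a client PFX before running ws-sqlekm-cert-install.exe --install.
# Nothing is imported into any store; Get-PfxData only reads the file.
function Test-SqlEkmClientPfx {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [securestring] $Password,
        # Assumption: "-s My" refers to the machine store, not the current user's.
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )

    $pfxArgs = @{ FilePath = $PfxPath }
    if ($Password) { $pfxArgs.Password = $Password }
    $pfx = Get-PfxData @pfxArgs

    $ok = $true

    # Failure condition 1: the PFX must hold exactly one certificate (no chain).
    $all = @(@($pfx.EndEntityCertificates) + @($pfx.OtherCertificates) |
             Where-Object { $_ })
    if ($all.Count -ne 1) {
        Write-Warning "PFX contains $($all.Count) certificates; exactly one is expected."
        foreach ($c in $all) { Write-Warning "  $($c.Subject)" }
        $ok = $false
    }

    # Failure condition 2: a certificate with the same subject is already in the store.
    $existing = @(Get-ChildItem -Path $StorePath)
    foreach ($cert in $all) {
        foreach ($clash in ($existing | Where-Object { $_.Subject -eq $cert.Subject })) {
            Write-Warning ("Store {0} already holds subject '{1}' (thumbprint {2}); " +
                           "remove it before installing." -f
                           $StorePath, $clash.Subject, $clash.Thumbprint)
            $ok = $false
        }
    }

    return $ok
}

# Usage, with a placeholder file name:
# $pw = Read-Host -AsSecureString -Prompt 'PFX password'
# if (Test-SqlEkmClientPfx -PfxPath .\client_certificate.pfx -Password $pw) {
#     'PFX looks installable; run ws-sqlekm-cert-install.exe --install as in step 4.'
# }
```

Reading the password with Read-Host -AsSecureString keeps it out of the console history, which the -p <password> argument on the installer command line does not.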

Changes to the number of SQL Server instances

If the number of SQL Server instances changes, run the following command to ensure that all instances are able to use the client certificate:

ws-sqlekm-cert-install.exe --pk-perms