Installation
This section describes how to install and setup nShield Web Services SQLEKM for both standalone and clustered deployments.
Prerequisites to installing the nShield Web Services SQLEKM provider
-
Ensure that
Microsoft Visual C++ 2015-2022 Redistributable (x64)has been installed. A supported version is included on the nShield Web Services SQLEKM ISO underredistor can be downloaded from https://learn.microsoft.com/en-us/cpp/windows/latest-supported-vc-redist?view=msvc-170. -
If you are using an SQL Server cluster, these installation steps should be repeated for each node in the cluster. The installation described here assumes Microsoft SQL Server and the nShield Web Services Option Pack are already installed.
-
Ensure that all the latest service packs, updates and hotfixes for Microsoft SQL Server software have been added.
-
SQL Server credentials and appropriate permissions are required for all users to install, configure, or use the Web Services SQLEKM provider.
-
If you are intending to migrate keys from an existing nDSOP environment, see Migrating nDSOP keys.
Install nShield Web Services SQLEKM provider
-
Sign in as Administrator or as a user with local administrator rights.
-
Using the provided installation media, launch
setup.msimanually. -
Follow the onscreen instructions.
-
Accept the license terms and select Next to continue.
-
Specify the installation directory and select Next to continue.
-
Enter the Web Services Option Pack Server host and port number and select Next to continue.
The host name must match the Web Services Option Pack Server’s certificate’s common name, see Install certificates for secure communication. The following registry entries can be used to change the host and port of the Web Services Option Pack Server:
-
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\nCipher\SQLEKM\WebServices\Host(typeREG_SZ) -
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\nCipher\SQLEKM\WebServices\Port(typeREG_DWORD)
-
-
Select Install to initiate installation.
-
Select Finish to complete the installation.
Install certificates for secure communication
The Web Services SQLEKM provider can only communicate securely with a Web Services Option Pack Server if the following certificates are installed:
-
The Web Services Option Pack Server’s CA certificate.
-
An appropriate client certificate (with each SQL Server node in a cluster using its own client certificate).
-
Any intermediate CA certificates that are to be used to form a complete chain to verify the client certificate on the Web Services Option Pack Server.
For information on these certificates, see nShield Web Services v3.3.1.
-
Install the Web Services Option Pack Server’s CA certificate chain into the
Rootstore usingcertutil.exeor a similar program.certutil.exe -addstore Root <ca_certificate.pem> -
Check that the certificate has been installed:
certutil.exe -store Root -
Install any intermediate CA certificates for the client certificate:
certutil.exe -addstore CA <intermediate_ca_certificate.pem> -
Install the client certificate and its private key with the
ws-sqlekm-cert-install.exetool. It is installed to the Web Services SQLEKMbindirectory, for exampleC:\Program Files\nCipher\WebServices\SQLEKM\bin. It expects the client certificate to be a PFX file that contains a single certificate and the associated private key.The PFX must not contain the full certificate chain. To install the client certificate to a specific store, use the
--installoption, specify the PFX file, the associated password (if applicable), and the certificate store:ws-sqlekm-cert-install.exe --install -p <password> -s My -x <client_certificate.pfx>If the certificate is installed, the installer returns the
Operation successfulmessage.The installation fails if:
-
More than one certificate is found in the PFX file.
-
A certificate containing the same subject name is found in the selected certificate store.
Remove the existing certificate and reattempt installation.
If deploying a SQL Server cluster, each node should have its own client certificate.
-