Versions Compared

Old Version 20

changes.mady.by.user Former user

Saved on

compared with

New Version Current

changes.mady.by.user Roderick Bowser

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents

There are the following types of connection and authentication (security) options available in Datical DB:

...

  • Microsoft SQL Server with the SQL Authentication and Integrated Security

  • Azure SQL Database and Azure SQL Managed Instance with:

    • SQL Authentication

    • Active Directory Integrated Authentication

    • Active Directory Password Authentication

    • Active Directory MSI Authentication

SQL Authentication

SQL Authentication refers to the authentication of a user when connecting to an Azure SQL Database and using username and password.

...

Info

Add the IP address of the machine running sqlcmd to Azure Resource Group.

Azure Active Directory Authentication

The Azure Active Directory authentication refers to the authentication of a user when connecting to an Azure SQL Database and using identities in Azure Active Directory.

Prerequisites

To use the Azure Active Directory authentication mode, you need to:

...

Info

For more information, see Use Azure Active Directory authentication.

Active Directory Integrated Authentication

The Active Directory Integrated Authentication is a mechanism of connecting to an Azure SQL Database by using an integrated mode with Azure Active Directory.

To use the Active Directory Integrated Security authentication option, follow these steps:

  1. Log in with the admin user and create USER [username] from EXTERNAL PROVIDER; on the database you use.

  2. Add ddladmin, datawriter, and datareader roles for checking the status and Deploy Packager processes:
    EXEC sp_addrolemember 'db_ddladmin', 'datical_user';
    EXEC sp_addrolemember 'db_datawriter', 'datical_user';
    EXEC sp_addrolemember 'db_datareader', 'datical_user';

  3. Make sure that you federated the on-premise Active Directory Federation Services (AD FS) with the Azure Active Directory in the cloud.

  4. Make the connection from a domain-joined machine that is federated with Azure Active Directory. You can access an Azure SQL Database without entering credentials when you're logged in to a domain-joined machine. Additionally, a database user representing your Azure Active Directory principal, or one of the groups to which the user belongs, needs to exist in the database and have the CONNECT permission.

  5. Install the OLE DB Driver. This msi installer should add adal.dll to System32 and Syswow64 folders.

  6. Install the ODBC Driver.

  7. Ensure that the SQL Server JDBC Driver Authentication Library is in \Windows\System32. The file is named mssql-jdbc_auth-<version>.x64.dll where <version> is a version number for the file.

    1. If the mssql-jdbc_auth-<version>.x64.dll library is not already in \Windows\System32, it can be extracted from the following file (if you have installed the SQL Server JDBC Driver for Liquibase Enterprise/Datical): <datical-install>\plugins\com.datical.db.drivers.mssql_<version>.jar

    2. Using an archive utility, open or extract the com.datical.db.drivers.mssql_<version>.jar file to access its contents.

    3. The DLL is located in the following archive location: com.datical.db.drivers.mssql_1.0.24.jar\auth\x64\mssql-jdbc_auth-<version>.x64.dll

    4. Put the mssql-jdbc_auth-<version>.x64.dll file in \Windows\System32

  8. Make sure sqlcmd (version 13.1 or higher) is installed and on your PATH. To install sqlcmd, go to the sqlcmd Utility page.

...

Info

If you have any issues, refer to Troubleshooting Issues with Active Directory Authentication and Azure SQL Database.

Active Directory Password Authentication

As the Azure Active Directory Password Authentication is a mechanism of connecting to an Azure SQL Database by using identities in Azure Active Directory, you can connect to applications by using an Azure Active Directory user name and password.

To connect using the Active Directory Password authentication, follow these steps:

  1. Log in with the admin user and create USER [username] from EXTERNAL PROVIDER; on the database you use.

  2. Add ddladmin, datawriter, and datareader roles for checking the status and Deploy Packager processes:
    EXEC sp_addrolemember 'db_ddladmin', 'datical_user';
    EXEC sp_addrolemember 'db_datawriter', 'datical_user';
    EXEC sp_addrolemember 'db_datareader', 'datical_user';

  3. Install the SQL Server JDBC Driver Authentication Library - mssql-jdbc_auth-<version>-<arch>.dll file on your machine. The file is located in the <datical-install>\DaticalDB\plugins\ directory.

    1. Copy com.datical.db.drivers.mssql_1.x.x.jar to a temporary directory and unzip it (<unzip directory>). 

    2. On Windows systems you can:

      o Use <java-install-path>\JAVA\jar.exe xf <name>.jar

      o Change the extension of the file from .jar to .zip and then unzip it.

    3. Go to <unzip directory>\auth\, then go to the folder for your version of the Java Virtual Machine (JVM). 

  4. Put the mssql-jdbc_auth-<version>-<arch>.dll file in \Windows\System32. There are 32-bit and 64-bit versions of the .dll file included with the Microsoft SQL Server JDBC driver. For example: mssql-jdbc_auth-8.4.1.x64.dll.

...

Also, enter your hostname, port, application name, database name, instance name, username, and password.

Active Directory MSI Authentication

You can use the Active Directory MSI Authentication for connection from inside of an Azure Resource with the Identity feature.

...

Optionally, to acquire the accessToken for establishing the connection, you can specify msiClientId in the Connection or DataSource properties along with the Active Directory MSI Authentication mode, which must include the Client ID of a Managed Identity.

To get msiClientId, create Managed Identity with the resource group. Check https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-sql and https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm#system-assigned-managed-identity for more details about managed identities.

Info

For more information about the configuration of the ActiveDirectoryMSI authentication, see Connecting using ActiveDirectoryMSI authentication mode.

...

  • Go to your Liquibase Enterprise/Datical installation directory (such as C:\Apps\DaticalDB_7.13).

  • Edit the file called mssql_driver.properties.

  • Add these two lines to your mssql_driver.properties file:

trustServerCertificate=truehosttrue

NameInCertificatehostNameInCertificate=*.azure.<domain>

(Replace <domain> with your actual domain name. For example: hostNameInCertificate=*.azure.acme.com.)

...

)

...

Note

The appdba:sqlcmd change type is not supported when using MSI Authentication:

  • In the GUI do not use the change set type called “Execute with sqlcmd for Microsoft SQL Server & Azure SQL Databases”. Please use the “Execute a SQL script file using JDBC” change set type with MSI Authentication instead.

  • In Packager do not use the DDL_DIRECT,DATA_DML, DIRECT, or CONVERT package methods which are the defaults for the “ddl_direct”, “data_dml”, “ddl“ddl”, and “sql_direct” folders. Please use only the SQLFILE and STOREDLOGICpackage methods with MSI Authentication instead. Read more about setting packageMethod in metadata.properties here: