MSSQL JDBC Driver Default Encrypt Solution

In Liquibase Enterprise 8.5 MSSQL JDBC driver is updated from 8.4.1 to 12.4.0. Between these versions an important default behavior for the encrypt parameter was changed from false to true. This guide covers how to navigate the potential issues caused by this update.

Solution 1: TrustServerCertificate (easier but less safe)

If the trustServerCertificate property is enabled it will encrypt JDBC traffic. This means that your database is open to attacks and data leaks because authority certification is not mandatory. This means that your database is accessible to outside networks and can be insecure.

If you decide to use this option - you will need to add trustServerCertificate=true to mssql_driver.properties files. There are two files:

1. On the GUI level
   
   

   Open

   

2. On the CLI (hammer) level (repl folder)
   
   

   Open

   

Solution 2: Configure Truststore (more complicated, but safe)

1. Import the certificate which is used by your database into Java’s default Truststore. Java’s default Truststore is located in PATH_TO_JAVA_HOME_USED_BY_DATICAL/lib/security/cacerts and its default password is changeit.

2. To import the certificate, run:

After it is successfully imported, the error should resolved. Learn more from MSSQL’s documentation: https://learn.microsoft.com/en-us/sql/connect/jdbc/configuring-the-client-for-ssl-encryption?view=sql-server-ver16

Solution 2A: Use a custom Truststore

If you have a custom Truststore and would like to use it instead of the Java’s default one follow the below instructions.

1. Implement your custom Truststore with the CLI or GUI by adding the two properties listed below into the mssql_driver.properties file.

Properties:

1. trustStore ← path to the truststore, e.g. trustStore=/Users/datical/my_custom_store

2. trustStorePassword ← truststore password, e.g. trustStorePassword=Customstorepass