TIBCO Spotfire Statistics Services (TSSS) stops communicating with the job database after TLS 1.2 enabled on database machine with error "The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL)"

Article ID: KB0080711

Product: Spotfire Statistics Services
Versions: All Versions

Description

Because of known vulnerabilities reported against SSL and earlier versions of Transport Layer Security (TLS), upgrading to TLS 1.2 is recommended for secure communication. However, after TLS 1.2 is enabled, existing working connections from TIBCO Spotfire Statistics Services (TSSS) to the jobs database may stop working and fail with an error like:
The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL)

For example, with a Microsoft SQL Server database, the following error message can be seen in SplusServer.log:
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'com.insightful.splusserver.SplusStateInitializer#0' defined in class path resource [applicationContext-job-execution.xml]: Invocation of init method failed; nested exception is org.springframework.transaction.CannotCreateTransactionException: Could not open JDBC Connection for transaction; nested exception is org.apache.commons.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory (The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "SQL Server did not return a response. The connection has been closed. ClientConnectionId:7c930e69-ee98-4358-88b4-87e608944d78".)

By default, TSSS uses an H2 database as the jobs database.

 

Issue/Introduction

This article describes the cause and resolution when TSSS stops communicating with its jobs database after TLS 1.2 is enabled on the database machine.

Resolution

The TSSS server stops communicating with the jobs database because the JDBC driver in use may not be compatible with TLS 1.2. To resolve the issue, verify with the database vendor the minimum driver version that supports TLS 1.2 and use that version or higher. To update the driver version used, first stop the TSSS services. Then:
  • For a clustered TSSS installation: Overwrite the existing driver with the new driver in the folder <Cluster shared Path>\endorsed
  • For a standalone TSSS installation: Overwrite the existing driver with the new driver in the folder <TSSS installation directory>\endorsed
For example, for a Microsoft SQL Server database, Microsoft JDBC driver 6.4 or later must be used.

The connection string in database.properties (<TSSS installation directory>\conf folder) may also need to be modified. For example, for a Microsoft SQL Server database, the property ‘sslProtocol=TLSv1.2’ must be added to the existing connection string. After this change, database.properties may look like:
#Bootstrapped by default
#Tue Apr 10 21:15:04 PDT 2018
database.password=3DES{tSrd6Kwp+0OY5clP6/YVMA\=\=}
database.url=jdbc\:sqlserver\://11.22.33.44\:60210;DatabaseName\=TSSS-JOBS;sslProtocol=TLSv1.2
database.type=MSSQL
database.maxActive=1
database.username=sa
jdbc.driverClassName=com.microsoft.sqlserver.jdbc.SQLServerDriver
database.maxIdle=1
Restart the TIBCO Spotfire Statistics Services (TSSS) server services after making the above changes.
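
The following check is an added example, not part of the original article or of TIBCO's tooling. It reads a database.properties file, undoes the backslash escaping, and reports whether the SQL Server connection string carries sslProtocol=TLSv1.2. The function names, the sample file contents, and the mssql-jdbc-<version> jar naming are assumptions made for illustration.

```python
import re

# Constructed samples: the article's database.properties before and after the change.
BEFORE = r"""#Bootstrapped by default
database.url=jdbc\:sqlserver\://11.22.33.44\:60210;DatabaseName\=TSSS-JOBS
database.type=MSSQL
"""
AFTER = BEFORE.replace("TSSS-JOBS", "TSSS-JOBS;sslProtocol=TLSv1.2")

def load_properties(text):
    """Minimal Java .properties reader: skips comments, splits on the first
    unescaped '=' or ':', and removes the backslash escapes used in this file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"((?:\\.|[^\\=:\s])+)\s*[=:]\s*(.*)$", line)
        if m:
            key, value = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
            props[key] = value
    return props

def jdbc_url_properties(url):
    """Return the ';'-separated properties of a jdbc:sqlserver URL, names lowercased."""
    pairs = (p.split("=", 1) for p in url.split(";")[1:] if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_tls(text):
    """Report whether database.url carries sslProtocol=TLSv1.2 as the article requires."""
    props = load_properties(text)
    if props.get("database.type") != "MSSQL":
        return "skip"  # the article's sslProtocol example applies to SQL Server only
    proto = jdbc_url_properties(props.get("database.url", "")).get("sslprotocol")
    if proto is None:
        return "missing"
    return "ok" if proto == "TLSv1.2" else "mismatch:" + proto

def driver_at_least_6_4(jar_name):
    """True/False for a jar named mssql-jdbc-<major>.<minor>... (assumed naming);
    None if the name carries no version, in which case check the jar manifest."""
    m = re.match(r"mssql-jdbc-(\d+)\.(\d+)", jar_name)
    return (int(m.group(1)), int(m.group(2))) >= (6, 4) if m else None

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, check_tls(text))
    for jar in ("mssql-jdbc-6.2.2.jre8.jar", "mssql-jdbc-6.4.0.jre8.jar", "sqljdbc4.jar"):
        print(jar, driver_at_least_6_4(jar))
```

Run it against the file in the conf folder and the jar in the endorsed folder before restarting the services, so that a missing property or an old driver is caught before the server fails to start.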

Additional Information

Doc: Job database requirements
External: MS SQL SSL Protocol
External: TLS 1.2 support for Microsoft SQL Server