%3CLINGO-SUB%20id%3D%22lingo-sub-1441894%22%20slang%3D%22en-US%22%3EConnecting%20to%20Synapse%20SQL%20Pool%20from%20a%20Linux%20SSL%20enabled%20Java%20server%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1441894%22%20slang%3D%22en-US%22%3E%3CP%3EIn%20order%20to%20connect%20to%20Synapse%20SQL%20Pool%20using%20a%20JDBC%20driver%20there%20are%20some%20additional%20aspects%20to%20consider%20(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Fconnect%2Fjdbc%2Fmicrosoft-jdbc-driver-for-sql-server%3Fview%3Dazure-sqldw-latest%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Fconnect%2Fjdbc%2Fmicrosoft-jdbc-driver-for-sql-server%3Fview%3Dazure-sqldw-latest%3C%2FA%3E%26nbsp%3B)%3C%2FP%3E%0A%3CP%3EYour%20newly%20created%20Java%20application%20might%20not%20be%20able%20to%20successfully%20connect%20from%20your%20SSL%20enabled%20Java%20server.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EDepending%20on%20your%20configuration%20you%20might%20encounter%20an%20error%20like%20the%20following%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3E%5Bcom.microsoft.sqlserver.jdbc.SQLServerException%3A%20The%20driver%20could%20not%20establish%20a%20secure%20connection%20to%20SQL%20Server%20by%20using%20Secure%20Sockets%20Layer%20(SSL)%20encryption.%20Error%3A%20'sun.security.validator.ValidatorException%3A%20PKIX%20path%20building%20failed%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20error%20means%20the%20certificate%20path%20could%20not%20be%20built%20for%20the%20secured%20connection%20to%20succeed.%3C%2FP%3E%0A%3CP%3EThe%20typical%20solution%20to%20this%20error%20is%20to%20download%20the%20certificate%20from%20the%20server%20you%20are%20connecting%20to%20and%20storing%20it%20in%20the%20local%20trust%20store.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EApplying%20this%20approach%20to%20an%20Azure%20Synapse%20SQL%20Pool%20is%20not%20ideal%2C%20as%20the%20user%20has%20no%20control%20over%20certificate%20management..%20Certificates%20update%20or%20roll%20over%20would%20cause%20the%20application%20to%20fail%20connection.%20In%20that%20case%20the%20new%20certificate%20must%20be%20downloaded%20and%20included%20in%20the%20application%20local%20store%20to%20re-establish%20connectivity.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EKeeping%20the%20above%20in%20mind%2C%20the%20approach%20will%20work%20for%20Azure%20Synapse%20SQL%20Pools.%3C%2FP%3E%0A%3CP%3EFor%20the%20purpose%20of%20this%20article%20we%20will%20be%20connecting%20to%20a%20SQL%20Pool%20instance%20named%20%3CSTRONG%3Emysqlpool%3C%2FSTRONG%3E%2C%20from%20a%20custom%20Java%20application%20we%20named%20%3CSTRONG%3EmyApp%3C%2FSTRONG%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20won%E2%80%99t%20be%20covering%20the%20usage%20details%20of%20the%20Java%20tools%2C%20but%20you%20can%20refer%20to%20official%20online%20Java%20documentation%20for%20more%20information.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENow%20you%20can%20go%20ahead%20and%20download%20the%20server%20certificate%20for%20the%20instance%20%3CSTRONG%3Emysqlpool%3C%2FSTRONG%3E.%3C%2FP%3E%0A%3CP%3EYou%20can%20use%20OpenSSL%20(-ERR%3AREF-NOT-FOUND-%3CA%20href%3D%22https%3A%2F%2Fwww.openssl.org%2F%26nbsp%3B%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.openssl.org%2F%26nbsp%3B%3C%2FA%3E)%20or%20other%20tool%20that%20would%20allow%20you%20to%20download%20the%20server%20certificate%2C%20and%20issue%20a%20command%20similar%20to%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3Eopenssl%20s_client%20-showcerts%20-connect%20mysqlpool.database.windows.net%3A1443%20%26lt%3B%20%2Fdev%2Fnull%20%7C%20openssl%20x509%20-outform%20DER%20%26gt%3B%20mysqlpoolcert.der%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOnce%20you%20have%20your%20certificate%20you%20can%20import%20it%20in%20your%20local%20trusts%20tore%20using%20the%20%3CSTRONG%3Ekeytool%3C%2FSTRONG%3E%20command%20that%20is%20included%20with%20the%20Java%20SDK.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20choose%20to%20apply%20the%20policy%20that%20best%20suits%20your%20application.%20In%20our%20case%20we%20have%20created%20a%20specific%20keyStore%20for%20our%20application%20to%20use%2C%20and%20have%20imported%20%3CSTRONG%3Emysqlpoolcert.der%3C%2FSTRONG%3E%20using%20the%20following%20command%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3Ekeytool%20-import%20-alias%201433%20-file%20mysqlpool.der%20-keystore%20myAppKS.jks%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20the%20keystore%20doesn%E2%80%99t%20exist%2C%20you%20will%20be%20prompted%20with%20a%20set%20of%20information%20to%20set%20it%20up.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOk%20now%20that%20you%20have%20the%20server%20certificate%20you%20might%20want%20to%20start%20being%20productive%20with%20your%20application.%3C%2FP%3E%0A%3CP%3EYou%E2%80%99ll%20have%20to%20launch%20the%20application%20using%20-D%20option%20to%20set%20the%20trustStore%20property%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3E-Djavax.net.ssl.trustStore%3D%20myAppKS.jks%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20executing%20from%20the%20command%20line%20something%20like%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3Ejava%20-Djavax.net.ssl.trustStore%3DmyAppKS.jks%20myApp%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBut%20to%20your%20surprise%20you%20still%20cannot%20connect%2C%20apparently%20receiving%20the%20same%20error%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3E%5Bcom.microsoft.sqlserver.jdbc.SQLServerException%3A%20The%20driver%20could%20not%20establish%20a%20secure%20connection%20to%20SQL%20Server%20by%20using%20Secure%20Sockets%20Layer%20(SSL)%20encryption.%20Error%3A%20'sun.security.validator.ValidatorException%3A%20PKIX%20path%20building%20failed%3A%20sun.security.provider.certpath.SunCertPathBuilderException%3A%20unable%20to%20find%20valid%20certification%20path%20to%20requested%20target'.%20ClientConnectionId%3A%20f4e109ba-a86e-47de-8703-7eee03c762dd%26nbsp%3B%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20error%20still%20references%20a%20path%20build%20exception%2C%20but%20you%20have%20the%20certificate%20loaded%20locally%2C%20so%20what%20is%20exactly%20happening%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhile%20the%20application%20could%20load%20the%20server%20certificate%2C%20it%20could%20not%20build%20a%20trust%20chain%20with%20the%20required%20Certification%20Authorities%20to%20establish%20a%20secure%20connection.%3C%2FP%3E%0A%3CP%3EThe%20solution%20is%20to%20add%20the%20intermediate%20certificates%20needed%20to%20the%20keyStore%2C%20so%20to%20have%20the%20trust%20chain%20completely%20available%20to%20your%20application.%3C%2FP%3E%0A%3CP%3EMicrosoft%E2%80%99s%20PKI%20repository%20is%20public%20and%20can%20be%20found%20at%3A%3C%2FP%3E%0A%3CP%3E-ERR%3AREF-NOT-FOUND-%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fpki%2Fmscorp%2Fcps%2Fdefault.htm%26nbsp%3B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.microsoft.com%2Fpki%2Fmscorp%2Fcps%2Fdefault.htm%26nbsp%3B%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYour%20step%20to%20success%20is%20now%20to%20download%20and%20import%20the%20CAs%20certificates%20listed%20on%20the%20public%20page.%20Simply%20click%20on%20the%20link%20for%20the%20CA%20Certificate%20for%20all%20the%20listed%20CAs%20(at%20the%20time%20of%20this%20writing%20we%20have%20CA1%2C%20CA2%2C%20CA4%20and%20CA5)%2C%20and%20import%20them%20in%20the%20application%20keyStore%20using%20a%20syntax%20similar%20to%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3Ekeytool%20-import%20-alias%20myAppCA1%20-file%20%22Microsoft%20IT%20TLS%20CA%201.crt%22%20-keystore%20myAppKS.jks%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERepeat%20the%20command%20(change%20the%20value%20for%20the%20-alias%20parameter)%20for%20all%20the%20certificates%20you%20have%20downloaded%2C%20then%20you%20can%20enjoy%20your%20working%2C%20secure%20connection%20to%20Synapse%20SQL%20Pool!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1441894%22%20slang%3D%22en-US%22%3E%3CP%3EConnecting%20applications%20to%20Azure%20Synapse%20SQL%20Pool%20using%20JDBC%20from%20a%20Linux%20Server%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1441894%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESynapse%20Support%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E

In order to connect to Synapse SQL Pool using a JDBC driver there are some additional aspects to consider (https://docs.microsoft.com/en-us/sql/connect/jdbc/microsoft-jdbc-driver-for-sql-server?view=azure-sq... )

Your newly created Java application might not be able to successfully connect from your SSL enabled Java server.

 

Depending on your configuration you might encounter an error like the following:

 

[com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: 'sun.security.validator.ValidatorException: PKIX path building failed

 

The error means the certificate path could not be built for the secured connection to succeed.

The typical solution to this error is to download the certificate from the server you are connecting to and storing it in the local trust store.

 

Applying this approach to an Azure Synapse SQL Pool is not ideal, as the user has no control over certificate management.. Certificates update or roll over would cause the application to fail connection. In that case the new certificate must be downloaded and included in the application local store to re-establish connectivity.

 

Keeping the above in mind, the approach will work for Azure Synapse SQL Pools.

For the purpose of this article we will be connecting to a SQL Pool instance named mysqlpool, from a custom Java application we named myApp.

 

We won’t be covering the usage details of the Java tools, but you can refer to official online Java documentation for more information.

 

Now you can go ahead and download the server certificate for the instance mysqlpool.

You can use OpenSSL (https://www.openssl.org/ ) or other tool that would allow you to download the server certificate, and issue a command similar to:

 

openssl s_client -showcerts -connect mysqlpool.database.windows.net:1443 < /dev/null | openssl x509 -outform DER > mysqlpoolcert.der

 

Once you have your certificate you can import it in your local trusts tore using the keytool command that is included with the Java SDK.

 

You can choose to apply the policy that best suits your application. In our case we have created a specific keyStore for our application to use, and have imported mysqlpoolcert.der using the following command:

 

keytool -import -alias 1433 -file mysqlpool.der -keystore myAppKS.jks

 

If the keystore doesn’t exist, you will be prompted with a set of information to set it up.

 

Ok now that you have the server certificate you might want to start being productive with your application.

You’ll have to launch the application using -D option to set the trustStore property:

 

-Djavax.net.ssl.trustStore= myAppKS.jks

 

If executing from the command line something like:

 

java -Djavax.net.ssl.trustStore=myAppKS.jks myApp

 

But to your surprise you still cannot connect, apparently receiving the same error:

 

[com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: 'sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target'. ClientConnectionId: f4e109ba-a86e-47de-8703-7eee03c762dd 

 

The error still references a path build exception, but you have the certificate loaded locally, so what is exactly happening?

 

While the application could load the server certificate, it could not build a trust chain with the required Certification Authorities to establish a secure connection.

The solution is to add the intermediate certificates needed to the keyStore, so to have the trust chain completely available to your application.

Microsoft’s PKI repository is public and can be found at:

https://www.microsoft.com/pki/mscorp/cps/default.htm 

 

Your step to success is now to download and import the CAs certificates listed on the public page. Simply click on the link for the CA Certificate for all the listed CAs (at the time of this writing we have CA1, CA2, CA4 and CA5), and import them in the application keyStore using a syntax similar to:

 

keytool -import -alias myAppCA1 -file "Microsoft IT TLS CA 1.crt" -keystore myAppKS.jks

 

Repeat the command (change the value for the -alias parameter) for all the certificates you have downloaded, then you can enjoy your working, secure connection to Synapse SQL Pool!