Incomplete driver for Azure SQL Database prevents using Always Encrypted
When I follow instructions for setting JDBC to access Azure SQL Database with some columns protected by Always Encrypted, I run into an issue where my guess is not all java code necessary is available to the driver. It will probably quickly become obvious that I'm relatively inexperienced in the java environment, so may not be using terms quite right.
MS instructions for JDBC setup: Use Always Encrypted with the JDBC driver - JDBC Driver for SQL Server | Microsoft Learn
MSSQL JDBC Keyvaults with Always Encrypted: Key Vault authentication with Managed Identities · microsoft/mssql-jdbc Wiki · GitHub
Here's what I'm doing:
- Create a new Data Source using Azure SQL Server as the Driver -- jumping to the driver shows the following versions: SQL Server ver 12.2.0, MSAL4J ver 1.13.7
- Set server host, User, and Database values -- I am using Azure Active Directory interactive authentication
- Note that connecting at this point jumps to a browser for authenticating, and I can successfully get into the database with the driver connection properties for Always Encrypted turned off -- this means I see the cyphertext of encrypted columns, but demonstrates I have connectivity.
- Now we start altering the data source properties to enable Always Encrypted:
- Under Advanced tab, set the following: columnEncryptionSetting = Enabled, keyStorePrincipalId = <client ID -- known working>, keyStoreSecret= <client key -- known working> -- the best reference is the git link I provided, showing how to configure specifically for what I'm trying to do as of driver version 8.3 -- I see there are still fields in the DataGrip UI which this article calls deprecated -- I've tried both ways, and run into the same issue below...
- In the Advanced tab, the keyStoreAuthentication field only allows "JavaKeyStorePassword" but we need a different value -- jump back to the General tab, and add the following to the end of the url: "keyStoreAuthentication=KeyVaultClientSecret" -- note that not all values are allowed -- there is something verifying this value and "KeyVaultClientSecret" is an allowed value, and even shows back on the field in the Advanced tab. Odd.
- Click OK to save changes, open a new console, execute a select statement -- get error "Driver class 'com.azure.core.credential.TokenCredential' not found" with an option to Change driver class
- I have tried to get the jars for Azure Core SDK for Java, and dropped the jar next to the other driver files and in the Driver page added a custom JAR. This actually got the error message to change, but I seemingly started running into dependencies of Azure SDK being missing, so I started retrieving those jars and adding them, but was only able to get past about 5 missing classes before not knowing where to retrieve the missing classes.
It feels safe to say that in general the default Azure SQL Database driver I've downloaded automatically from DataGrip is incomplete for this attempted usage. Has anyone else been able to get past this? At this point, I'm kind of over my head, and wondering if anyone else has any suggestions on how to proceed?
Please sign in to leave a comment.
Hello,
Have you tried to install Microsoft Azure Toolkit for IntelliJ?
Hi, Yaroslav, thank you for the suggestion. It got me closer, but now I'm running into a subsequent problem. First, I was unable to load that plugin to current DataGrip because the plugin is older. I downloaded the latest "compatible" DataGrip, version 2022.2.5. Now I can load the plugin, but the plugin gives an error (on the Plugins settings page): "Requires plugin 'org.jetbrains.idea.maven' to be installed". I am unable to find that plugin.
However, I noticed that the toolkit ZIP had among other things a lib folder which included a lot of slightly older versions of packages I touched when was manually adding jars, so I went back to that approach and using the lib folder for guidance, got a set of jars which lets the "Test Connection" succeed:
This allows me to connect to the database and run queries which do not touch encrypted columns. Unfortunately, when I attempt to access an encrypted column, in the result cell instead of a value I see the following error:
I then saw two additional jars from the zip lib which I pulled in:
Unfortunately, the addition of these did not help, and I remain with the problem of seeing the above java exception in the result grid instead of the plaintext values.
To many dependencies are required.
I tried the following pom.xml:
with mvn dependency:copy-dependencies and got the following list of jar files:
So, make sure you've got all dependencies in class path.
Also, it's a good idea ask Microsoft to provide sample JAVA app or at least pom.xml for all required libs
I was able to make it work using the pom.xml here: https://github.com/microsoft/mssql-jdbc/blob/main/pom.xml
Caspar Due could you please give more details for people who are unfamiliar with how maven/java works?
I'll take a look at the provided pom.xml and try to update dependencies accordingly.
Caspar Due , thank you for update.
Amite15 , Caspar Due has added additional jars that were mentioned in pom.xml.
I eventually found a way to get all the required jars from a pom file (I also already forgot what the command was, but I should have it saved somewhere 🙂). I still had a problem authenticating with the key vault, I am not sure what authentication method I should use. When using SSMS for example, there is interactive authentication involved, but I don't think that would be possible to achieve with DataGrip.
Amite15 ,
Command is not important. It's enough to get jar list.
By the way, if interactive authentication is required, the driver does support it.