Hi,
I would like to understand the SSL "force protocol encryption" on SQL 2000, if I do this:
1: how much extra resource will it take to do encryption?
2: What certificate should we use, must we use a certificate from a public certification authority?
3: how will the client side be affected after I turn on force protocol encryption? should it be transparent to them if we install a public certificate on the server?
4: Can the client still connect to the server using an IP address, or is the FQDN required?
Thanks
Frank

Hi Frank,
I'll try to address each concern:
1: how much extra resource will it take to do encryption?
-- there are some additional handshakes done to check the certificate during the initial connection request.
You can see this via network trace. You could also use the SQL client "Show Client Statistics" to measure performance with and without SSL in your environment.
2: What certificate should we use, must we use a certificate from a public certification authority?
-- The certificate is a Server cert issued to the FQDN of the server. It has the same requirements an IIS server cert uses.
The subject name == FQDN and not the IP address of the server.
3: how will the client side be affected after I turn on force protocol encryption? should it be transparent to them if we install a public certificate on the server?
-- If you enable it on the server side, there is nothing needed on the client.
4: Can the client still connect to the server using an IP address, or is the FQDN required?
-- No. You'll need to pass the NetBIOS name or FQDN in the connection string.
Thanks,
Kevin McDonnell
Microsoft Corporation
This posting is provided AS IS with no warranties, and confers no rights.

Hi Kevin,
Thanks for your reply.
For question 2, what I read seems to be confusing (http://support.microsoft.com/defaul...kb;en-us;318605). It says a certificate is required because SSL encryption works only with instances of SQL Server 2000 that are running on a computer that has a certificate assigned from a public certification authority.
However, you seem to say we can also use a server certificate assigned from our own CA.
Thanks,
Frank
"Kevin McDonnell [MSFT]" <kevmc@.online.microsoft.com> wrote in message
news:iIaaeRNBFHA.1680@.cpmsftngxa10.phx.gbl...
> Hi Frank,
> I'll try to address each concern:
> 1: how much extra resource will it take to do encryption?
> -- there are some additional handshakes done to check the certificate during the initial connection request.
> You can see this via network trace. You could also use the SQL client "Show Client Statistics" to measure performance with and without SSL in your environment.
> 2: What certificate should we use, must we use a certificate from a public certification authority?
> -- The certificate is a Server cert issued to the FQDN of the server. It has the same requirements an IIS server cert uses.
> The subject name == FQDN and not the IP address of the server.
> 3: how will the client side be affected after I turn on force protocol encryption? should it be transparent to them if we install a public certificate on the server?
> -- If you enable it on the server side, there is nothing needed on the client.
> 4: Can the client still connect to the server using an IP address, or is the FQDN required?
> -- No. You'll need to pass the NetBIOS name or FQDN in the connection string.
>
> Thanks,
> Kevin McDonnell
> Microsoft Corporation
> This posting is provided AS IS with no warranties, and confers no rights.

Hi Frank,
You can use a Server certificate from your own internal CA or a Public CA.
Thanks,
Kevin McDonnell
Microsoft Corporation
This posting is provided AS IS with no warranties, and confers no rights.
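
An added example, not part of the thread and not Microsoft code: a pre-rollout check based on the answers to questions 2 and 4 above, which flags client connection strings that name the server by IP address or by a name other than the certificate subject. The FQDN, the sample connection strings, and treating the first label of the FQDN as the NetBIOS name are assumptions.

```python
import ipaddress
import re

# Keywords that name the server in ADO / OLE DB / ODBC connection strings.
SERVER_KEYS = {"server", "data source", "address", "addr", "network address"}

def server_host(conn_str):
    """Return the host named in a connection string, or None if there is none.
    Simplification: values are split on ';' with no support for quoted values."""
    for part in conn_str.split(";"):
        key, sep, value = part.partition("=")
        if sep and key.strip().lower() in SERVER_KEYS:
            host = re.sub(r"^tcp:", "", value.strip(), flags=re.I)
            # Drop a trailing "\instance" or ",port".
            return re.split(r"[\\,]", host, maxsplit=1)[0].strip() or None
    return None

def classify(conn_str, cert_fqdn):
    """Compare the host a client uses with the certificate subject FQDN."""
    host = server_host(conn_str)
    if host is None:
        return "no-server-keyword"
    try:
        ipaddress.ip_address(host)
        return "ip-address"          # never equals a subject name that is an FQDN
    except ValueError:
        pass
    host, fqdn = host.lower(), cert_fqdn.lower()
    if host == fqdn:
        return "fqdn-match"
    # Assumption: the NetBIOS name is the first label of the FQDN.
    if host == fqdn.split(".", 1)[0]:
        return "short-name-match"
    return "name-mismatch"

def needs_change(conn_strs, cert_fqdn):
    """Connection strings to fix before forcing encryption on the server."""
    bad = {"ip-address", "name-mismatch"}
    return [(c, v) for c in conn_strs if (v := classify(c, cert_fqdn)) in bad]

# Constructed sample input (not from the thread).
CERT_FQDN = "sql01.corp.example.com"
SAMPLES = [
    "Provider=SQLOLEDB;Data Source=10.1.2.3,1433;Initial Catalog=Sales",
    r"Server=tcp:SQL01.corp.example.com\INST1;Database=Sales",
    "Server=sql01;Database=Sales;Trusted_Connection=yes",
    "Server=dbalias.corp.example.com;Database=Sales",
]
```

`needs_change(SAMPLES, CERT_FQDN)` returns the first and last samples, the ones a client owner would have to edit before the server setting is switched on.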
 