Web service call using client certificate in SSIS script task resulting in SSL/TLS issue

0
votes

I've got an SSIS package in which I'm making a web service request and retrieving some data. The API provider requires that a client certificate be submitted alongside the request for security reasons.

I can get it to work perfectly fine if I run the package from the VS Shell (or even a VS console application) but when I deploy it and run the package via SQLAgent, firing it from SSMS, I get the following error:

System.ServiceModel.Security.SecurityNegotiationException: Could not establish secure channel for SSL/TLS with authority 'mywebservice.com/endpoint:6185'. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel. at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.ServiceModel.Channels.HttpChannelFactory'1.HttpRequestChannel.HttpChannelAsyncRequest.CompleteGetResponse(IAsyncResult result) --- End of inner exception stack trace --- at System.Runtime.AsyncResult.End[TAsyncResult](IAsyncResult result)
at System.ServiceModel.Channels.ServiceChannel.SendAsyncResult.End(SendAsyncResult result) at System.ServiceModel.Channels.ServiceChannel.EndCall(String action, Object[] outs, IAsyncResult result) at System.ServiceModel.Channels.ServiceChannelProxy.TaskCreator.<>c__DisplayClass5'1.b__4(IAsyncResult asyncResult) at System.Threading.Tasks.TaskFactory'1.FromAsyncCoreLogic(IAsyncResult iar, Func'2 endFunction, Action'1 endAction, Task'1 promise, Boolean requiresSynchronization) --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult() at ST_1ccd678422b8432a8ea14ce911c575f3.Myclass.<>c__DisplayClass39.<b__22>d__55.MoveNext()

I'm running the job as NT SERVICE\SQLAgent$Instance and the certificate has been placed in Local Machine, in the following stores: Personal, Trusted Root Certification Authorities, and Trusted People. This doesn't seem to be the issue though since I can get it to work with any of these when I debug via the VS shell/Data Tools.

I'd appreciate any help in advance, thanks!

1
c#sslssis

1 Answers

0
votes

Solved it by doing the following:

  1. Set the job owner to sa.
  2. Created a proxy account under SQL Server Agent --> Proxies --> SSIS Package Execution and set the Principal to my SQL login (domain) account. Also added the SQLAgent Reader, User, and Operator roles under the Principal.
  3. Updated the SSIS job step by changing the SQL Server Agent Service Account to my new Proxy account

Hope this helps someone else.