oracle - points to the telekom technische sicherheitsanforderungen
1 %%\subsection{Database Systems}
2 % This list is based on : http://en.wikipedia.org/wiki/Relational_database_management_system#Market_share
3
4 \subsubsection{Oracle}
\begin{description}
5 \item[Tested with Version:] not tested
6
7 \item[References:] (German)
8 {\small \url{www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si}}
9
10 Please read the following pages about SSL and cipher suites:
11 p.~129, Req~396 and Req~397.
12 \end{description}
13
14 \subsubsection{SQL Server}
15 \todo{write this}
16
17
18
19
20 \subsubsection{MySQL}
21
22 \begin{description}
23 \item[Tested with Version:] Debian 7.0 and MySQL 5.5
24
25 \item[Settings:] \mbox{}
26
27 \paragraph*{my.cnf}\mbox{}\\
28
29 \begin{lstlisting}[breaklines]
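30 [mysqld]
# [mysqld] is the server section, so ssl-cert and ssl-key must name the server's
# own certificate and private key, not a client's. server-cert.pem and
# server-key.pem are example file names; use the names of your server's files.
# Keep the key file readable only by the account mysqld runs as.
# These options only make SSL available. To reject unencrypted logins for an
# account, grant it with REQUIRE SSL.
# The cipher string uses OpenSSL syntax; after a restart, confirm from a client
# session that the negotiated cipher (Ssl_cipher status) is one you expect.
31 ssl
32 ssl-ca=/etc/mysql/ssl/ca-cert.pem
33 ssl-cert=/etc/mysql/ssl/server-cert.pem
34 ssl-key=/etc/mysql/ssl/server-key.pem
35 ssl-cipher=EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA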
36 \end{lstlisting}
37
38 \item[Additional settings:]
39
40
41 \item[Justification for special settings (if needed):]
42
43 % in case you have the need for further justifications why you chose this and that setting or if the settings do not fit into the standard Variant A or Variant B schema, please document this here
44
45 \item[References:]
46
47 \todo{add references}
48
49 % add any further references or best practice documents here
50
51 \item[How to test:]
52
53 After restarting the server, run the following query to check that the SSL settings are in effect:
54 \begin{lstlisting}[breaklines]
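-- Server-side configuration: have_ssl should be YES, and the ssl_* variables should show the paths and cipher list set in my.cnf.
55 show variables like '%ssl%';
-- Per-connection check: run this over a connection that was opened with SSL.
-- An empty value means the current session is not encrypted.
show status like 'Ssl_cipher';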
56 \end{lstlisting}
57
58
59 \end{description}
60
61
62
63
64
65
66 \subsubsection{DB2}
67 \todo{write this}
68
69
70
71
72
73 \subsubsection{PostgreSQL}
74
75 \begin{description}
76 \item[Tested with Version:] Debian 7.0 and PostgreSQL 9.1
77
78 \item[References:]
79
80 It is recommended to read
81
82 {\small \url{http://www.postgresql.org/docs/X.X/interactive/runtime-config-connection.html\#RUNTIME-CONFIG-CONNECTION-SECURITY}}
83 (replace X.X with your version, e.g.\ 9.1).
84
85 \item[Settings:] \mbox{}
86
87
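88 To start in SSL mode, the files \texttt{server.crt} and \texttt{server.key} must exist in the server's data directory \$PGDATA. The private key \texttt{server.key} must not be accessible to group or others (e.g.\ mode 0600); otherwise the server refuses to start.
89
90 Starting with version 9.2, the paths to these files can be set explicitly: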
91
92 \begin{lstlisting}[breaklines]
# postgresql.conf, version 9.2 or later; replace /your/path with the directory that holds the files.
# ssl_key_file: the server's private key. ssl_cert_file: the server's certificate.
93 ssl_key_file = '/your/path/server.key'
94 ssl_cert_file = '/your/path/server.crt'
# ssl_ca_file: CA certificate(s) the server uses to check certificates presented by clients.
95 ssl_ca_file = '/your/path/root.crt'
96 \end{lstlisting}
97
98 \paragraph*{postgresql.conf}\mbox{}\\
99
100 \begin{lstlisting}[breaklines]
101 #>=8.3
# ssl = on only makes SSL available to clients. To refuse unencrypted TCP
# connections, use hostssl (instead of host) entries in pg_hba.conf.
102 ssl = on 
# ssl_ciphers takes an OpenSSL cipher string that restricts the suites the server will negotiate.
103 ssl_ciphers = 'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA'
104 \end{lstlisting}
105
106
107
108 \item[How to test:]
109 To test your SSL settings, run psql with the sslmode parameter:
110 \begin{lstlisting}[breaklines]
# sslmode=require makes psql fail if the server does not offer SSL, but it does
# not verify the server certificate. For regular clients, use sslmode=verify-full
# together with the CA certificate (sslrootcert, default ~/.postgresql/root.crt).
# On connect, psql should print an "SSL connection" line naming the negotiated
# cipher; check that it is one of the suites configured in ssl_ciphers.
111 psql "sslmode=require host=postgres-server dbname=database" your-username
112 \end{lstlisting}
113
114 \end{description}
115
116
117
118
119 \subsubsection{Informix}
120 \todo{write this}