src/practical_settings/DBs.tex

   1 %%\subsection{Database Systems}
   2 % This list is based on : https://en.wikipedia.org/wiki/Relational_database_management_system#Market_share
   3
   4 %% ----------------------------------------------------------------------
   5 \subsection{Oracle}
   6 \subsubsection{Tested with Versions}
   7 \begin{itemize*}
   8 \item We do not test this here, since we only reference other papers for Oracle so far.
   9 \end{itemize*}
  10
  11
  12 \subsubsection{References}
  13 \begin{itemize*}
  14   \item Technical safety requirements by \emph{Deutsche Telekom AG} (German). Please read section 17.12 or pages 129 and following (Req 396 and Req 397) about SSL and ciphersuites \url{http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si}
  15 \end{itemize*}
  16
  17
  18
  19 %% ----------------------------------------------------------------------
  20 %%\subsection{SQL Server}
  21 %%\todo{write this}
  22
  23
  24
  25 %% ----------------------------------------------------------------------
  26 \subsection{MySQL}
  27
  28
  29 \subsubsection{Tested with Versions}
  30 \begin{itemize*}
  31   \item Debian Wheezy and MySQL 5.5
  32 \end{itemize*}
  33
  34
  35 \subsubsection{Settings}
  36 \paragraph*{my.cnf}
  37 \begin{lstlisting}
  38 [mysqld]
  39 ssl
  40 ssl-ca=/etc/mysql/ssl/ca-cert.pem
  41 ssl-cert=/etc/mysql/ssl/server-cert.pem
  42 ssl-key=/etc/mysql/ssl/server-key.pem
  43 ssl-cipher=%*\cipherStringB*)
  44 \end{lstlisting}
  45
  46
  47 %\subsubsection{Additional settings}
  48
  49
  50 %\subsubsection{Justification for special settings (if needed)}
  51 % in case you have the need for further justifications why you chose this and that setting or if the settings do not fit into the standard Variant A or Variant B schema, please document this here
  52
  53
  54 \subsubsection{References}
  55 \begin{itemize*}
  56   \item MySQL Documentation on SSl Connections: \url{https://dev.mysql.com/doc/refman/5.5/en/ssl-connections.html}
  57 \end{itemize*}
  58
  59
  60 \subsubsection{How to test}
  61 After restarting the server run the following query to see if the ssl settings are correct:
  62 \begin{lstlisting}
  63 show variables like '%ssl%';
  64 \end{lstlisting}
  65
  66
  67 %% ----------------------------------------------------------------------
  68 \subsection{DB2}
  69 \subsubsection{Tested with Version}
  70 \begin{itemize*}
  71 \item  We do not test this here, since we only reference other papers for DB2 so far.
  72 \end{itemize*}
  73
  74
  75 \subsubsection{Settings}
  76 \paragraph{ssl\_cipherspecs:}
  77 In the link above the whole SSL-configuration is described in-depth. The following command shows only how to set the recommended ciphersuites.
  78 \begin{lstlisting}
  79 # recommended and supported ciphersuites
  80
  81 db2 update dbm cfg using SSL_CIPHERSPECS
  82 TLS_RSA_WITH_AES_256_CBC_SHA256,
  83 TLS_RSA_WITH_AES_128_GCM_SHA256,
  84 TLS_RSA_WITH_AES_128_CBC_SHA256,
  85 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  86 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
  87 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
  88 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
  89 TLS_RSA_WITH_AES_256_GCM_SHA384,
  90 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
  91 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
  92 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
  93 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
  94 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
  95 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
  96 TLS_RSA_WITH_AES_256_CBC_SHA,
  97 TLS_RSA_WITH_AES_128_CBC_SHA,
  98 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
  99 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
 100 \end{lstlisting}
 101
 102
 103 \subsubsection{References}
 104 \begin{itemize*}
 105   \item IBM Db2 Documentation on \emph{Supported cipher suites} \url{http://pic.dhe.ibm.com/infocenter/db2luw/v9r7/index.jsp?topic=\%2Fcom.ibm.db2.luw.admin.sec.doc\%2Fdoc\%2Fc0053544.html}
 106 \end{itemize*}
 107
 108 %% ----------------------------------------------------------------------
 109
 110 \subsection{PostgreSQL}
 111 \subsubsection{Tested with Versions}
 112 \begin{itemize*}
 113   \item Debian Wheezy and PostgreSQL 9.1
 114   \item Linux Mint 14 nadia / Ubuntu 12.10 quantal with PostgreSQL 9.1+136 and OpenSSL 1.0.1c
 115 \end{itemize*}
 116
 117
 118 \subsubsection{Settings}
 119 To start in SSL mode the server.crt and server.key must exist in the server's data directory \$PGDATA.
 120
 121 Starting with version 9.2, you have the possibility to set the path manually.
 122
 123 \begin{lstlisting}
 124 ssl_key_file = '/your/path/server.key'
 125 ssl_cert_file = '/your/path/server.crt'
 126 ssl_ca_file = '/your/path/root.crt'
 127 \end{lstlisting}
 128
 129 \paragraph*{postgresql.conf}
 130 \begin{lstlisting}
 131 #>=8.3
 132 ssl = on
 133 ssl_ciphers = '%*\cipherStringB*)'
 134 \end{lstlisting}
 135
 136
 137 \subsubsection{References}
 138 \begin{itemize*}
 139   \item It's recommended to read \url{http://www.postgresql.org/docs/9.1/interactive/runtime-config-connection.html\#RUNTIME-CONFIG-CONNECTION-SECURITY} (please edit the version with your preferred one).
 140   \item PostgreSQL Documentation on \emph{Secure TCP/IP Connections with SSL}: \url{http://www.postgresql.org/docs/9.1/static/ssl-tcp.html}
 141   \item PostgreSQL Documentation on \emph{host-based authentication}: \url{http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html}
 142 \end{itemize*}
 143
 144
 145 \subsubsection{How to test}
 146 To test your ssl settings, run psql with the sslmode parameter:
 147 \begin{lstlisting}
 148 psql "sslmode=require host=postgres-server dbname=database" your-username
 149 \end{lstlisting}
 150