reformat ECC section
1 %%\subsection{Database Systems}
2 % This list is based on: http://en.wikipedia.org/wiki/Relational_database_management_system#Market_share
3
4 %% ---------------------------------------------------------------------- 
5 \subsubsection{Oracle}
6 \begin{description}
7 \item[Tested with Version:] not tested
8
9 \item[References:] (German)
10 {\small \url{http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si}}
11
12 Please read the following pages about SSL and ciphersuites:\\
13 p.~129, Req~396 and Req~397.
14
15 \end{description}
16
17 %% ---------------------------------------------------------------------- 
18 \subsubsection{SQL Server}
19
20
21
22
23 %% ---------------------------------------------------------------------- 
24 \subsubsection{MySQL}
25
26 \begin{description}
27 \item[Tested with Version:] Debian 7.0 and MySQL 5.5
28
29 \item[Settings:] The \texttt{ssl-cert} and \texttt{ssl-key} entries in the \texttt{[mysqld]} section are the server's own certificate and private key; the file names below are only examples and should be adapted to your deployment.
30
31 \paragraph*{my.cnf}\mbox{}\\
32
33 \begin{lstlisting}[breaklines]
34 [mysqld]
35 ssl
36 ssl-ca=/etc/mysql/ssl/ca-cert.pem
37 ssl-cert=/etc/mysql/ssl/client-cert.pem
38 ssl-key=/etc/mysql/ssl/client-key.pem
39 ssl-cipher=EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA
40 \end{lstlisting}
41
42 \item[Additional settings:]
43
44
45 \item[Justification for special settings (if needed):]
46
47 % in case you have the need for further justifications why you chose this and that setting or if the settings do not fit into the standard Variant A or Variant B schema, please document this here
48
49 \item[References:]
50 {\small \url{https://dev.mysql.com/doc/refman/5.5/en/ssl-connections.html}}
51
52
53 \item[How to test:]
54
55 After restarting the server, run the following query to check that the SSL settings took effect (\texttt{have\_ssl} should report \texttt{YES}):
56 \begin{lstlisting}[breaklines]
57 show variables like '%ssl%';
58 \end{lstlisting}
59
60
61 \end{description}
62
63
64 %% ---------------------------------------------------------------------- 
65 \subsubsection{DB2}
66 \begin{description}
67 \item[Tested with Version:] not tested
68
69 \item[References:]
70 {\small \url{http://pic.dhe.ibm.com/infocenter/db2luw/v9r7/index.jsp?topic=%2Fcom.ibm.db2.luw.admin.sec.doc%2Fdoc%2Fc0053544.html}}
71
72
73 \paragraph*{ssl\_cipherspecs}\mbox{}\\
74 The reference above describes the complete SSL configuration in depth. The following command only shows how to set the recommended ciphersuites.
75 \begin{lstlisting}[breaklines]
76 # recommended and supported ciphersuites 
77
78 db2 update dbm cfg using SSL_CIPHERSPECS 
79 TLS_RSA_WITH_AES_256_CBC_SHA256,
80 TLS_RSA_WITH_AES_128_GCM_SHA256,
81 TLS_RSA_WITH_AES_128_CBC_SHA256,
82 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
83 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
84 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
85 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
86 TLS_RSA_WITH_AES_256_GCM_SHA384,
87 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
88 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
89 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
90 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
91 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
92 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
93 TLS_RSA_WITH_AES_256_CBC_SHA,
94 TLS_RSA_WITH_AES_128_CBC_SHA,
95 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
96 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
97
98 \end{lstlisting}
99
100 \end{description}
101
102 %% ---------------------------------------------------------------------- 
103
104 \subsubsection{PostgreSQL}
105
106 \begin{description}
107 \item[Tested with Version:] Debian 7.0 and PostgreSQL 9.1
108
109 \item[References:]
110
111 We recommend reading
112
113 {\small \url{http://www.postgresql.org/docs/X.X/interactive/runtime-config-connection.html\#RUNTIME-CONFIG-CONNECTION-SECURITY}}
114 (replace X.X with your version, e.g.\ 9.1).
115
116 \item[Settings:] \mbox{}
117
118
119 To start in SSL mode, \texttt{server.crt} and \texttt{server.key} must exist in the server's data directory \texttt{\$PGDATA}. The key file must not be readable by group or world, otherwise the server refuses to start.
120
121 Starting with version 9.2, the file locations can be configured explicitly:
122
123 \begin{lstlisting}[breaklines]
124 ssl_key_file = '/your/path/server.key'
125 ssl_cert_file = '/your/path/server.crt'
126 ssl_ca_file = '/your/path/root.crt'
127 \end{lstlisting}
128
129 \paragraph*{postgresql.conf}\mbox{}\\
130
131 \begin{lstlisting}[breaklines]
132 #>=8.3
133 ssl = on 
134 ssl_ciphers = 'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA'
135 \end{lstlisting}
136
137
138
139 \item[How to test:]
140 To test your SSL settings, run psql with the sslmode parameter (\texttt{require} only enforces encryption; use \texttt{verify-ca} or \texttt{verify-full} to also check the server certificate):
141 \begin{lstlisting}[breaklines]
142 psql "sslmode=require host=postgres-server dbname=database" your-username
143 \end{lstlisting}
144
145 \end{description}
146