1 %%\subsection{Database Systems}
2 % This list is based on : http://en.wikipedia.org/wiki/Relational_database_management_system#Market_share
3
4 \subsubsection{Oracle}
5 \todo{write this}
6
7 \subsubsection{SQL Server}
8 \todo{write this}
9
10
11
12
13 \subsubsection{MySQL}
14
15 \begin{description}
16 \item[Tested with Version:] Debian 7.0 and MySQL 5.5
17
18 \item[Settings:] \mbox{}
19
20 \paragraph*{my.cnf}\mbox{}\\
21
22 \begin{lstlisting}[breaklines]
23 [mysqld]
24 ssl
25 ssl-ca=/etc/mysql/ssl/ca-cert.pem
# server certificate and private key (this is the [mysqld] section, not a client config);
# the key file must be readable only by the user the server runs as
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem
28 ssl-cipher=EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA
29 \end{lstlisting}
30
\item[Additional settings:]
Enabling \texttt{ssl} only makes TLS available on the server; it does not force clients to use it. Accounts that must only connect over TLS should be granted with \texttt{REQUIRE SSL} (or \texttt{REQUIRE X509} if clients are to authenticate with their own certificates).
32
33
34 \item[Justification for special settings (if needed):]
35
36 % in case you have the need for further justifications why you chose this and that setting or if the settings do not fit into the standard Variant A or Variant B schema, please document this here
37
38 \item[References:]
39
40 \todo{add references}
41
42 % add any further references or best practice documents here
43
44 \item[How to test:]
45
After restarting the server, run the following query; \texttt{have\_ssl} should report \texttt{YES} and the \texttt{ssl\_*} variables should show the configured paths and cipher string:
\begin{lstlisting}[breaklines]
show variables like '%ssl%';
\end{lstlisting}
To confirm that a client session is actually encrypted, run the following from within that session; it must return a non-empty cipher name:
\begin{lstlisting}[breaklines]
show status like 'Ssl_cipher';
\end{lstlisting}
50
51
52 \end{description}
53
54
55 \subsubsection{DB2}
56 \begin{description}
57 \item[Tested with Version:] not tested
58
59 \item[References:]
60 {\small \url{http://pic.dhe.ibm.com/infocenter/db2luw/v9r7/index.jsp?topic=%2Fcom.ibm.db2.luw.admin.sec.doc%2Fdoc%2Fc0053544.html}}
61
62
\paragraph*{ssl\_cipherspecs}\mbox{}\\
The link above describes the whole SSL configuration in depth; the command below only sets the recommended cipher suites. Note that \texttt{SSL\_CIPHERSPECS} takes a single comma-separated value, so the list must be passed on one line without spaces; it is wrapped here for readability. The \texttt{TLS\_RSA\_*} suites in the list provide no forward secrecy and are only included for clients that cannot negotiate the \texttt{TLS\_ECDHE\_*} suites; remove them if all of your clients support ECDHE.
65 \begin{lstlisting}[breaklines]
66 % it's out of scope to describe the whole SSL procedure
67 % # fully qualified path of the key database file
68 %db2 update dbm cfg using SSL_SVR_KEYDB /home/dba/sqllib/security/keystore/key.kdb
69 %
70 %# fully qualified path of the stash file
71 %db2 update dbm cfg using SSL_SVR_STASH /home/dba/sqllib/security/keystore/mydbserver.sth
72 %
73 %# label of the digital certificate of the server
74 %db2 update dbm cfg using SSL_SVR_LABEL myselfsigned
75 %
76 # recommended and supported ciphersuites 
77
78 db2 update dbm cfg using SSL_CIPHERSPECS 
79 TLS_RSA_WITH_AES_256_CBC_SHA256,
80 TLS_RSA_WITH_AES_128_GCM_SHA256,
81 TLS_RSA_WITH_AES_128_CBC_SHA256,
82 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
83 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
84 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
85 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
86 TLS_RSA_WITH_AES_256_GCM_SHA384,
87 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
88 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
89 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
90 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
91 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
92 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
93 TLS_RSA_WITH_AES_256_CBC_SHA,
94 TLS_RSA_WITH_AES_128_CBC_SHA,
95 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
96 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
97
98 \end{lstlisting}
99
100
101 \subsubsection{Postgresql}
102
103 \begin{description}
104 \item[Tested with Version:] Debian 7.0 and PostgreSQL 9.1
105
106 \item[References:]
107
108 It's recommended to read 
109
{\small \url{http://www.postgresql.org/docs/X.X/interactive/runtime-config-connection.html#RUNTIME-CONFIG-CONNECTION-SECURITY}}
(replace X.X with the version you run, e.g.\ 9.1).
112
113 \item[Settings:] \mbox{}
114
115
To start in SSL mode, \texttt{server.crt} and \texttt{server.key} must exist in the server's data directory \texttt{\$PGDATA}. The server refuses to start if \texttt{server.key} is readable by group or others, so the file must be owned by the database user with mode 0600.

Starting with version 9.2 the paths can be set explicitly:
119
120 \begin{lstlisting}[breaklines]
121 ssl_key_file = '/your/path/server.key'
122 ssl_cert_file = '/your/path/server.crt'
123 ssl_ca_file = '/your/path/root.crt'
124 \end{lstlisting}
125
126 \paragraph*{postgresql.conf}\mbox{}\\
127
128 \begin{lstlisting}[breaklines]
129 #>=8.3
130 ssl = on 
131 ssl_ciphers = 'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA'
132 \end{lstlisting}
133
134
135
136 \item[How to test:]
To test your ssl settings, run psql with the sslmode parameter:
\begin{lstlisting}[breaklines]
psql "sslmode=require host=postgres-server dbname=database" your-username
\end{lstlisting}
\texttt{sslmode=require} only ensures that the connection is encrypted; it does not verify the server's certificate, so a man-in-the-middle attacker could still impersonate the server. Production clients should use \texttt{sslmode=verify-full} together with a \texttt{root.crt} containing the issuing CA. Note also that \texttt{ssl = on} only makes TLS available; to reject unencrypted connections, use \texttt{hostssl} entries instead of \texttt{host} in \texttt{pg\_hba.conf}.
141
142 \end{description}
143