Merge branch 'master' of https://git.bettercrypto.org/ach-master
1 %%\subsection{Database Systems}
2 % This list is based on : http://en.wikipedia.org/wiki/Relational_database_management_system#Market_share
3
4 %% ---------------------------------------------------------------------- 
5 \subsection{Oracle}
6 %\subsubsection{Tested with Version}
7 \todo{not tested yet}
8
9 \subsubsection{References}
10 \begin{itemize}
11   \item Technical safety requirements by \emph{Deutsche Telekom AG} (German). Please read section 17.12 or pages 129 and following (Req 396 and Req 397) about SSL and ciphersuites \url{http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si}
12 \end{itemize}
13
14
15 %% ---------------------------------------------------------------------- 
16 \subsubsection{SQL Server}
17 \todo{write this}
18
19
20
21 %% ---------------------------------------------------------------------- 
22 \subsection{MySQL}
23 \subsubsection{Tested with Version}
24 \begin{itemize}
25   \item Debian 7.0 and MySQL 5.5
26 \end{itemize}
27
28
29 \subsubsection{Settings}
30 \paragraph*{my.cnf}
31 \begin{lstlisting}
32 [mysqld]
33 ssl
34 ssl-ca=/etc/mysql/ssl/ca-cert.pem
35 ssl-cert=/etc/mysql/ssl/client-cert.pem
36 ssl-key=/etc/mysql/ssl/client-key.pem
37 ssl-cipher=EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA
38 \end{lstlisting}
39
40 %\subsubsection{Additional settings}
41
42
43 %\subsubsection{Justification for special settings (if needed)}
44 % in case you have the need for further justifications why you chose this and that setting or if the settings do not fit into the standard Variant A or Variant B schema, please document this here
45
46
47 \subsubsection{References}
48 \begin{itemize}
49   \item MySQL Documentation on SSL Connections: \url{https://dev.mysql.com/doc/refman/5.5/en/ssl-connections.html}
50 \end{itemize}
51
52
53 \subsubsection{How to test}
54 After restarting the server, run the following query to check that the SSL settings have been picked up (this shows the server-side configuration only, not whether a given client connection is actually encrypted):
55 \begin{lstlisting}
56 show variables like '%ssl%';
57 \end{lstlisting}
58
59
60 %% ---------------------------------------------------------------------- 
61 \subsection{DB2}
62 \subsubsection{Tested with Version}
63 \todo{not tested}
64
65
66 \subsubsection{References}
67 \begin{itemize}
68   \item IBM DB2 Documentation on \emph{Supported cipher suites}: \url{http://pic.dhe.ibm.com/infocenter/db2luw/v9r7/index.jsp?topic=\%2Fcom.ibm.db2.luw.admin.sec.doc\%2Fdoc\%2Fc0053544.html}
69 \end{itemize}
70
71
72 \subsubsection{Settings}
73 \paragraph*{ssl\_cipherspecs}
74 The link above describes the whole SSL configuration in depth. The following command only shows how to set the recommended cipher suites:
75 \begin{lstlisting}
76 # recommended and supported ciphersuites 
77
78 db2 update dbm cfg using SSL_CIPHERSPECS 
79 TLS_RSA_WITH_AES_256_CBC_SHA256,
80 TLS_RSA_WITH_AES_128_GCM_SHA256,
81 TLS_RSA_WITH_AES_128_CBC_SHA256,
82 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
83 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
84 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
85 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
86 TLS_RSA_WITH_AES_256_GCM_SHA384,
87 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
88 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
89 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
90 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
91 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
92 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
93 TLS_RSA_WITH_AES_256_CBC_SHA,
94 TLS_RSA_WITH_AES_128_CBC_SHA,
95 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
96 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
97 \end{lstlisting}
98
99
100 %% ---------------------------------------------------------------------- 
101 \subsection{PostgreSQL}
102 \subsubsection{Tested with Versions}
103 \begin{itemize}
104   \item Debian 7.0 and PostgreSQL 9.1
105   \item Linux Mint 14 nadia / Ubuntu 12.10 quantal with PostgreSQL 9.1+136 and OpenSSL 1.0.1c
106 \end{itemize}
107
108
109 \subsubsection{References}
110 \begin{itemize}
111   \item It is recommended to read {\small \url{http://www.postgresql.org/docs/9.1/interactive/runtime-config-connection.html\#RUNTIME-CONFIG-CONNECTION-SECURITY}} (substitute the version you are using in the URL).
112   \item PostgreSQL Documentation on \emph{Secure TCP/IP Connections with SSL}: \url{http://www.postgresql.org/docs/9.1/static/ssl-tcp.html}
113 \end{itemize}
114
115
116 \subsubsection{Settings}
117 To start in SSL mode, the files server.crt and server.key must exist in the server's data directory (\$PGDATA).
118
119 Starting with version 9.2, these paths can be set explicitly in postgresql.conf:
120
121 \begin{lstlisting}
122 ssl_key_file = '/your/path/server.key'
123 ssl_cert_file = '/your/path/server.crt'
124 ssl_ca_file = '/your/path/root.crt'
125 \end{lstlisting}
126
127
128 \paragraph*{postgresql.conf}\mbox{}\\
129 \begin{lstlisting}
130 #>=8.3
131 ssl = on 
132 ssl_ciphers = 'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA'
133 \end{lstlisting}
134
135
136 \subsubsection{How to test}
137 To test your SSL settings, run psql with the sslmode parameter. Note that \texttt{sslmode=require} only enforces encryption and does not verify the server's certificate; use \texttt{sslmode=verify-full} to also validate the server certificate and host name against the client's root CA:
138 \begin{lstlisting}
139 psql "sslmode=require host=postgres-server dbname=database" your-username
140 \end{lstlisting}
141