src/practical_settings/DBs.tex

   1 %%\subsection{Database Systems}
   2 % This list is based on : http://en.wikipedia.org/wiki/Relational_database_management_system#Market_share
   3
   4 %% ----------------------------------------------------------------------
   5 \subsubsection{Oracle}
   6 \begin{description}
   7 \item[Tested with Version:] not tested
   8
   9 \item[References:] (German)
  10 {\small \url{http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si}}
  11
  12 Please read the following pages about SSL and ciphersuites:\\
  13 p. 129 -Req 396 and Req 397 \\
  14
  15 \end{description}
  16
  17 %% ----------------------------------------------------------------------
  18 %%\subsubsection{SQL Server}
  19 %%\todo{write this}
  20
  21
  22
  23
  24 %% ----------------------------------------------------------------------
  25 \subsubsection{MySQL}
  26
  27 \begin{description}
  28 \item[Tested with Version:] Debian 7.0 and MySQL 5.5
  29
  30 \item[Settings:] \mbox{}
  31
  32 \paragraph*{my.cnf}\mbox{}\\
  33
  34 \begin{lstlisting}[breaklines]
  35 [mysqld]
  36 ssl
  37 ssl-ca=/etc/mysql/ssl/ca-cert.pem
  38 ssl-cert=/etc/mysql/ssl/server-cert.pem
  39 ssl-key=/etc/mysql/ssl/server-key.pem
  40 ssl-cipher=EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA
  41 \end{lstlisting}
  42
  43 \item[Additional settings:]
  44
  45
  46 \item[Justification for special settings (if needed):]
  47
  48 % in case you have the need for further justifications why you chose this and that setting or if the settings do not fit into the standard Variant A or Variant B schema, please document this here
  49
  50 \item[References:]
  51 <<<<<<< HEAD
  52 +{\small \url{https://dev.mysql.com/doc/refman/5.5/en/ssl-connections.html}}
  53
  54
  55 % add any further references or best practice documents here
  56 =======
  57 {\small \url{https://dev.mysql.com/doc/refman/5.5/en/ssl-connections.html}}
  58
  59 >>>>>>> upstream/master
  60
  61 \item[How to test:]
  62
  63 After restarting the server run the following query to see if the ssl settings are correct:
  64 \begin{lstlisting}[breaklines]
  65 show variables like '%ssl%';
  66 \end{lstlisting}
  67
  68
  69 \end{description}
  70
  71
  72 %% ----------------------------------------------------------------------
  73 \subsubsection{DB2}
  74 \begin{description}
  75 \item[Tested with Version:] not tested
  76
  77 \item[References:]
  78 {\small \url{http://pic.dhe.ibm.com/infocenter/db2luw/v9r7/index.jsp?topic=%2Fcom.ibm.db2.luw.admin.sec.doc%2Fdoc%2Fc0053544.html}}
  79
  80
  81 \paragraph*{ssl\_cipherspecs}\mbox{}\\
  82 In the link above the whole SSL-configuration is described in-depth. The following command shows only how to set the recommended ciphersuites.
  83 \begin{lstlisting}[breaklines]
  84 # recommended and supported ciphersuites
  85
  86 db2 update dbm cfg using SSL_CIPHERSPECS
  87 TLS_RSA_WITH_AES_256_CBC_SHA256,
  88 TLS_RSA_WITH_AES_128_GCM_SHA256,
  89 TLS_RSA_WITH_AES_128_CBC_SHA256,
  90 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  91 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
  92 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
  93 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
  94 TLS_RSA_WITH_AES_256_GCM_SHA384,
  95 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
  96 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
  97 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
  98 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
  99 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
 100 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
 101 TLS_RSA_WITH_AES_256_CBC_SHA,
 102 TLS_RSA_WITH_AES_128_CBC_SHA,
 103 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
 104 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
 105
 106 <<<<<<< HEAD
 107 \subsubsection{DB2}
 108 \todo{write this}
 109
 110 %
 111
 112 % ssl_ciphersepcs v9r7:
 113 % http://pic.dhe.ibm.com/infocenter/db2luw/v9r7/index.jsp?topic=%2Fcom.ibm.db2.luw.admin.config.doc%2Fdoc%2Fr0053617.html
 114
 115 % Configuring Secure Sockets Layer (SSL) support in a DB2 instance v9r7
 116 % http://pic.dhe.ibm.com/infocenter/db2luw/v10r5/index.jsp?topic=%2Fcom.ibm.db2.luw.admin.sec.doc%2Fdoc%2Fc0053544.html
 117
 118
 119 =======
 120 \end{lstlisting}
 121 >>>>>>> upstream/master
 122
 123 \end{description}
 124
 125 %% ----------------------------------------------------------------------
 126
 127 \subsubsection{PostgreSQL}
 128
 129 \begin{description}
 130 \item[Tested with Version:] Debian 7.0 and PostgreSQL 9.1
 131
 132 \item[References:]
 133
 134 It's recommended to read
 135
 136 {\small \url{http://www.postgresql.org/docs/current/static/runtime-config-connection.html#RUNTIME-CONFIG-CONNECTION-SECURITY}}
 137 {\small \url{http://www.postgresql.org/docs/current/static/ssl-tcp.html}}
 138 {\small \url{http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html}}
 139
 140 \item[Settings:] \mbox{}
 141
 142
 143 To start in SSL mode the server.crt and server.key must exist in the server's data directory \$PGDATA.
 144
 145 Starting with version 9.2, you have the possibility to set the path.
 146
 147 \begin{lstlisting}[breaklines]
 148 ssl_key_file = '/your/path/server.key'
 149 ssl_cert_file = '/your/path/server.crt'
 150 ssl_ca_file = '/your/path/root.crt'
 151 \end{lstlisting}
 152
 153 \paragraph*{postgresql.conf}\mbox{}\\
 154
 155 \begin{lstlisting}[breaklines]
 156 #>=8.3
 157 ssl = on
 158 ssl_ciphers = 'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA'
 159 \end{lstlisting}
 160
 161
 162
 163 \item[How to test:]
 164 To test your ssl settings, run psql with the sslmode parameter:
 165 \begin{lstlisting}[breaklines]
 166 psql "sslmode=require host=postgres-server dbname=database" your-username
 167 \end{lstlisting}
 168
 169 \end{description}
 170