Merge remote-tracking branch 'upstream/master'
1 %%\subsection{Database Systems}
2 % This list is based on : http://en.wikipedia.org/wiki/Relational_database_management_system#Market_share
3
4 %% ---------------------------------------------------------------------- 
5 \subsubsection{Oracle}
6 \begin{description}
7 \item[Tested with Version:] not tested
8
9 \item[References:] (German)
10 {\small \url{http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si}}
11
Please read the sections about SSL and ciphersuites in the document linked above: p.~129, Req~396 and Req~397.
14
15 \end{description}
16
17 %% ---------------------------------------------------------------------- 
18 %%\subsubsection{SQL Server}
19 %%\todo{write this}
20
21
22
23
24 %% ---------------------------------------------------------------------- 
25 \subsubsection{MySQL}
26
27 \begin{description}
28 \item[Tested with Version:] Debian 7.0 and MySQL 5.5
29
30 \item[Settings:] \mbox{}
31
32 \paragraph*{my.cnf}\mbox{}\\
33
34 \begin{lstlisting}[breaklines]
35 [mysqld]
36 ssl
37 ssl-ca=/etc/mysql/ssl/ca-cert.pem
38 ssl-cert=/etc/mysql/ssl/server-cert.pem
39 ssl-key=/etc/mysql/ssl/server-key.pem
40 ssl-cipher=EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA
41 \end{lstlisting}
42
43 \item[Additional settings:]
44
45
46 \item[Justification for special settings (if needed):]
47
48 % in case you have the need for further justifications why you chose this and that setting or if the settings do not fit into the standard Variant A or Variant B schema, please document this here
49
50 \item[References:]
{\small \url{https://dev.mysql.com/doc/refman/5.5/en/ssl-connections.html}}

% add any further references or best practice documents here
60
61 \item[How to test:]
62
Note that the \texttt{ssl} option only makes TLS available; clients can still connect unencrypted. To enforce TLS for an account, add \texttt{REQUIRE SSL} (or \texttt{REQUIRE X509}) to its \texttt{GRANT} statement. Also note that \texttt{ssl-cipher} only selects the cipher suites; it does not restrict the TLS protocol version. After restarting the server, run the following query to verify that the SSL settings were picked up (\texttt{have\_ssl} should report \texttt{YES}); from a client session, \texttt{SHOW STATUS LIKE 'Ssl\_cipher';} additionally shows whether that connection is actually encrypted and which cipher was negotiated:
64 \begin{lstlisting}[breaklines]
65 show variables like '%ssl%';
66 \end{lstlisting}
67
68
69 \end{description}
70
71
72 %% ---------------------------------------------------------------------- 
73 \subsubsection{DB2}
74 \begin{description}
75 \item[Tested with Version:] not tested
76
77 \item[References:]
78 {\small \url{http://pic.dhe.ibm.com/infocenter/db2luw/v9r7/index.jsp?topic=%2Fcom.ibm.db2.luw.admin.sec.doc%2Fdoc%2Fc0053544.html}}
79
80
81 \paragraph*{ssl\_cipherspecs}\mbox{}\\
The page linked above describes the whole SSL configuration in depth; the following command only sets the recommended ciphersuites. The suites are listed one per line for readability; pass them to \texttt{db2} as a single comma-separated value. Note that the \texttt{TLS\_RSA\_*} suites use static RSA key exchange and therefore provide no forward secrecy; prefer the \texttt{TLS\_ECDHE\_*} suites wherever all clients support them.
83 \begin{lstlisting}[breaklines]
84 # recommended and supported ciphersuites 
85
86 db2 update dbm cfg using SSL_CIPHERSPECS 
87 TLS_RSA_WITH_AES_256_CBC_SHA256,
88 TLS_RSA_WITH_AES_128_GCM_SHA256,
89 TLS_RSA_WITH_AES_128_CBC_SHA256,
90 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
91 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
92 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
93 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
94 TLS_RSA_WITH_AES_256_GCM_SHA384,
95 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
96 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
97 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
98 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
99 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
100 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
101 TLS_RSA_WITH_AES_256_CBC_SHA,
102 TLS_RSA_WITH_AES_128_CBC_SHA,
103 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
104 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
105
\end{lstlisting}

% ssl_cipherspecs v9r7:
% http://pic.dhe.ibm.com/infocenter/db2luw/v9r7/index.jsp?topic=%2Fcom.ibm.db2.luw.admin.config.doc%2Fdoc%2Fr0053617.html

% Configuring Secure Sockets Layer (SSL) support in a DB2 instance v9r7
% http://pic.dhe.ibm.com/infocenter/db2luw/v10r5/index.jsp?topic=%2Fcom.ibm.db2.luw.admin.sec.doc%2Fdoc%2Fc0053544.html
122
123 \end{description}
124
125 %% ---------------------------------------------------------------------- 
126
127 \subsubsection{PostgreSQL}
128
129 \begin{description}
130 \item[Tested with Version:] Debian 7.0 and PostgreSQL 9.1
131
132 \item[References:]
133
134 It's recommended to read 
135
136 {\small \url{http://www.postgresql.org/docs/current/static/runtime-config-connection.html#RUNTIME-CONFIG-CONNECTION-SECURITY}}
137 {\small \url{http://www.postgresql.org/docs/current/static/ssl-tcp.html}}
138 {\small \url{http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html}}
139
140 \item[Settings:] \mbox{}
141
142
To start in SSL mode, \texttt{server.crt} and \texttt{server.key} must exist in the server's data directory (\texttt{\$PGDATA}). The private key must be readable only by the database owner (\texttt{chmod 0600 server.key}); if it is group- or world-readable the server refuses to start.
144
Starting with version 9.2 the paths can be configured explicitly in \texttt{postgresql.conf}:
146
147 \begin{lstlisting}[breaklines]
148 ssl_key_file = '/your/path/server.key'
149 ssl_cert_file = '/your/path/server.crt'
150 ssl_ca_file = '/your/path/root.crt'
151 \end{lstlisting}
152
153 \paragraph*{postgresql.conf}\mbox{}\\
154
155 \begin{lstlisting}[breaklines]
156 #>=8.3
157 ssl = on 
158 ssl_ciphers = 'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA'
159 \end{lstlisting}
160
161
162
163 \item[How to test:]
To test your SSL settings, run \texttt{psql} with the \texttt{sslmode} parameter. Note that \texttt{ssl = on} only makes SSL available; to force encrypted connections, use \texttt{hostssl} entries in \texttt{pg\_hba.conf} and no plain \texttt{host} entries for remote networks. Also note that \texttt{sslmode=require} only guarantees encryption: to verify the server's identity as well (and thus detect man-in-the-middle attacks), use \texttt{sslmode=verify-full} with the CA certificate in the client's \texttt{root.crt} (or passed via \texttt{sslrootcert}):
165 \begin{lstlisting}[breaklines]
166 psql "sslmode=require host=postgres-server dbname=database" your-username
167 \end{lstlisting}
168
169 \end{description}
170