restructure into subsections - since we now use the report style
1 %%\subsection{Database Systems}
2 % This list is based on : http://en.wikipedia.org/wiki/Relational_database_management_system#Market_share
3
4 %% ---------------------------------------------------------------------- 
5 \subsubsection{Oracle}
6
7 \begin{description}
8 \item[Tested with Version:] not tested
9
10 \item[References:] (German)
11 {\small \url{www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si}}
12
13 Please read the following pages about SSL and cipher suites:
14 p.~129, Req.~396 and Req.~397.
15
16 \end{description}
17
18 %% ---------------------------------------------------------------------- 
19 \subsubsection{SQL Server}
20 \todo{write this}
21
22
23
24
25 %% ---------------------------------------------------------------------- 
26 \subsubsection{MySQL}
27
28 \begin{description}
29 \item[Tested with Version:] Debian 7.0 and MySQL 5.5
30
31 \item[Settings:] In the [mysqld] section, ssl-cert and ssl-key refer to the server's own certificate and private key; adjust the file names below to match your installation.
32
33 \paragraph*{my.cnf}\mbox{}\\
34
35 \begin{lstlisting}[breaklines]
36 [mysqld]
37 ssl
38 ssl-ca=/etc/mysql/ssl/ca-cert.pem
39 ssl-cert=/etc/mysql/ssl/client-cert.pem
40 ssl-key=/etc/mysql/ssl/client-key.pem
41 ssl-cipher=EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA
42 \end{lstlisting}
43
44 \item[Additional settings:]
45
46
47 \item[Justification for special settings (if needed):]
48
49 % in case you have the need for further justifications why you chose this and that setting or if the settings do not fit into the standard Variant A or Variant B schema, please document this here
50
51 \item[References:]
52
53 \todo{add references}
54
55 % add any further references or best practice documents here
56
57 \item[How to test:]
58
59 After restarting the server, run the following query to check that the SSL settings are active (have\_ssl should report YES):
60 \begin{lstlisting}[breaklines]
61 show variables like '%ssl%';
62 \end{lstlisting}
63
64
65 \end{description}
66
67
68 %% ---------------------------------------------------------------------- 
69 \subsubsection{DB2}
70 \begin{description}
71 \item[Tested with Version:] not tested
72
73 \item[References:]
74 {\small \url{http://pic.dhe.ibm.com/infocenter/db2luw/v9r7/index.jsp?topic=%2Fcom.ibm.db2.luw.admin.sec.doc%2Fdoc%2Fc0053544.html}}
75
76
77 \paragraph*{ssl\_cipherspecs}\mbox{}\\
78 The complete SSL configuration is described in depth in the link above. The following command shows only the recommended cipher suites. Note that the TLS\_RSA\_* entries use static RSA key exchange and therefore provide no forward secrecy, unlike the TLS\_ECDHE\_* entries.
79 \begin{lstlisting}[breaklines]
80 % it's out of scope to describe the whole SSL procedure
81 % # fully qualified path of the key database file
82 %db2 update dbm cfg using SSL_SVR_KEYDB /home/dba/sqllib/security/keystore/key.kdb
83 %
84 %# fully qualified path of the stash file
85 %db2 update dbm cfg using SSL_SVR_STASH /home/dba/sqllib/security/keystore/mydbserver.sth
86 %
87 %# label of the digital certificate of the server
88 %db2 update dbm cfg using SSL_SVR_LABEL myselfsigned
89 %
90 # recommended and supported ciphersuites 
91
92 db2 update dbm cfg using SSL_CIPHERSPECS 
93 TLS_RSA_WITH_AES_256_CBC_SHA256,
94 TLS_RSA_WITH_AES_128_GCM_SHA256,
95 TLS_RSA_WITH_AES_128_CBC_SHA256,
96 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
97 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
98 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
99 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
100 TLS_RSA_WITH_AES_256_GCM_SHA384,
101 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
102 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
103 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
104 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
105 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
106 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
107 TLS_RSA_WITH_AES_256_CBC_SHA,
108 TLS_RSA_WITH_AES_128_CBC_SHA,
109 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
110 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
111
112 \end{lstlisting}
113
114 \end{description}
115
116 %% ---------------------------------------------------------------------- 
117
118 \subsubsection{PostgreSQL}
119
120 \begin{description}
121 \item[Tested with Version:] Debian 7.0 and PostgreSQL 9.1
122
123 \item[References:]
124
125 It is recommended to read
126
127 {\small \url{http://www.postgresql.org/docs/X.X/interactive/runtime-config-connection.html\#RUNTIME-CONFIG-CONNECTION-SECURITY}}
128 (replace X.X with the version you use, e.g.\ 9.1).
129
130 \item[Settings:] \mbox{}
131
132
133 To start in SSL mode, server.crt and server.key must exist in the server's data directory (\$PGDATA). The private key must not be readable by group or world (chmod 0600 server.key); otherwise the server will not start with SSL enabled.
134
135 Starting with version 9.2, the file paths can be set explicitly:
136
137 \begin{lstlisting}[breaklines]
138 ssl_key_file = '/your/path/server.key'
139 ssl_cert_file = '/your/path/server.crt'
140 ssl_ca_file = '/your/path/root.crt'
141 \end{lstlisting}
142
143 \paragraph*{postgresql.conf}\mbox{}\\
144
145 \begin{lstlisting}[breaklines]
146 #>=8.3
147 ssl = on 
148 ssl_ciphers = 'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA'
149 \end{lstlisting}
150
151
152
153 \item[How to test:]
154 To test your SSL settings, run psql with the sslmode parameter. Note that sslmode=require only enforces encryption; use sslmode=verify-full to also verify the server certificate:
155 \begin{lstlisting}[breaklines]
156 psql "sslmode=require host=postgres-server dbname=database" your-username
157 \end{lstlisting}
158
159 \end{description}
160