src/practical_settings/DBs.tex

   1 %%\subsection{Database Systems}
   2 % This list is based on : http://en.wikipedia.org/wiki/Relational_database_management_system#Market_share
   3
   4 %% ----------------------------------------------------------------------
   5 \subsection{Oracle}
   6 %\subsubsection{Tested with Version}
   7 \todo{not tested yet}
   8
   9 \subsubsection{References}
  10 \begin{itemize}
  11   \item Technical safety requirements by \emph{Deutsche Telekom AG} (German). Please read section 17.12 or pages 129 and following (Req 396 and Req 397) about SSL and ciphersuites \url{http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si}
  12 \end{itemize}
  13
  14
  15 %% ----------------------------------------------------------------------
  16 \subsection{SQL Server}
  17 \todo{write this}
  18
  19
  20 %% ----------------------------------------------------------------------
  21 \subsection{MySQL}
  22 \subsubsection{Tested with Version}
  23 \begin{itemize}
  24   \item Debian 7.0 and MySQL 5.5
  25 \end{itemize}
  26
  27
  28 \subsubsection{Settings}
  29 \paragraph*{my.cnf}
  30 \begin{lstlisting}
  31 [mysqld]
  32 ssl
  33 ssl-ca=/etc/mysql/ssl/ca-cert.pem
  34 ssl-cert=/etc/mysql/ssl/client-cert.pem
  35 ssl-key=/etc/mysql/ssl/client-key.pem
  36 ssl-cipher=EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA
  37 \end{lstlisting}
  38
  39 %\subsubsection{Additional settings}
  40
  41
  42 %\subsubsection{Justification for special settings (if needed)}
  43 % in case you have the need for further justifications why you chose this and that setting or if the settings do not fit into the standard Variant A or Variant B schema, please document this here
  44
  45
  46 \subsubsection{References}
  47 \begin{itemize}
  48   \item MySQL Documentation on SSl Connections: \url{https://dev.mysql.com/doc/refman/5.5/en/ssl-connections.html}
  49 \end{itemize}
  50
  51
  52 \subsubsection{How to test}
  53 After restarting the server run the following query to see if the ssl settings are correct:
  54 \begin{lstlisting}
  55 show variables like '%ssl%';
  56 \end{lstlisting}
  57
  58
  59 %% ----------------------------------------------------------------------
  60 \subsection{DB2}
  61 \subsubsection{Tested with Version}
  62 \todo{not tested}
  63
  64
  65 \subsubsection{References}
  66 \begin{itemize}
  67   \item IMB Db2 Documentation on \emph{Supported cipher suites} \url{http://pic.dhe.ibm.com/infocenter/db2luw/v9r7/index.jsp?topic=\%2Fcom.ibm.db2.luw.admin.sec.doc\%2Fdoc\%2Fc0053544.html}
  68 \end{itemize}
  69
  70
  71 \subsubsection{Settings}
  72 \paragraph*{ssl\_cipherspecs}
  73 In the link above the whole SSL-configuration is described in-depth. The following command shows only how to set the recommended ciphersuites:
  74 \begin{lstlisting}
  75 # recommended and supported ciphersuites
  76
  77 db2 update dbm cfg using SSL_CIPHERSPECS
  78 TLS_RSA_WITH_AES_256_CBC_SHA256,
  79 TLS_RSA_WITH_AES_128_GCM_SHA256,
  80 TLS_RSA_WITH_AES_128_CBC_SHA256,
  81 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  82 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
  83 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
  84 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
  85 TLS_RSA_WITH_AES_256_GCM_SHA384,
  86 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
  87 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
  88 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
  89 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
  90 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
  91 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
  92 TLS_RSA_WITH_AES_256_CBC_SHA,
  93 TLS_RSA_WITH_AES_128_CBC_SHA,
  94 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
  95 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  96 \end{lstlisting}
  97
  98
  99 %% ----------------------------------------------------------------------
 100 \subsection{PostgreSQL}
 101 \subsubsection{Tested with Versions}
 102 \begin{itemize}
 103   \item Debian 7.0 and PostgreSQL 9.1
 104   \item Linux Mint 14 nadia / Ubuntu 12.10 quantal with PostgreSQL 9.1+136 and OpenSSL 1.0.1c
 105 \end{itemize}
 106
 107
 108 \subsubsection{References}
 109 \begin{itemize}
 110   \item It's recommended to read {\small \url{http://www.postgresql.org/docs/9.1/interactive/runtime-config-connection.html\#RUNTIME-CONFIG-CONNECTION-SECURITY}} (please edit the version with your preferred one).
 111   \item PostgreSQL Documentation on \emph{Secure TCP/IP Connections with SSL}: \url{http://www.postgresql.org/docs/9.1/static/ssl-tcp.html}
 112 \end{itemize}
 113
 114
 115 \subsubsection{Settings}
 116 To start in SSL mode the server.crt and server.key must exist in the server's data directory \$PGDATA.
 117
 118 Starting with version 9.2, you have the possibility to set the path manually.
 119
 120 \begin{lstlisting}
 121 ssl_key_file = '/your/path/server.key'
 122 ssl_cert_file = '/your/path/server.crt'
 123 ssl_ca_file = '/your/path/root.crt'
 124 \end{lstlisting}
 125
 126
 127 \paragraph*{postgresql.conf}\mbox{}\\
 128 \begin{lstlisting}
 129 #>=8.3
 130 ssl = on
 131 ssl_ciphers = 'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA'
 132 \end{lstlisting}
 133
 134
 135 \subsubsection{How to test}
 136 To test your ssl settings, run psql with the sslmode parameter:
 137 \begin{lstlisting}
 138 psql "sslmode=require host=postgres-server dbname=database" your-username
 139 \end{lstlisting}
 140