src/practical_settings/DBs.tex

   1 %hack.
   2 \gdef\currentsectionname{DBs}
   3 %%\subsection{Database Systems}
   4 % This list is based on : https://en.wikipedia.org/wiki/Relational_database_management_system#Market_share
   5
   6 %% ----------------------------------------------------------------------
   7 \subsection{Oracle}
   8 \subsubsection{Tested with Versions}
   9 \begin{itemize*}
  10 \item We do not test this here, since we only reference other papers for Oracle so far.
  11 \end{itemize*}
  12
  13
  14 \subsubsection{References}
  15 \begin{itemize*}
  16   \item Technical safety requirements by \emph{Deutsche Telekom AG} (German). Please read section 17.12 or pages 129 and following (Req 396 and Req 397) about SSL and ciphersuites \url{http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si}
  17 \end{itemize*}
  18
  19
  20
  21 %% ----------------------------------------------------------------------
  22 %%\subsection{SQL Server}
  23 %%\todo{write this}
  24
  25
  26
  27 %% ----------------------------------------------------------------------
  28 \subsection{MySQL}
  29
  30
  31 \subsubsection{Tested with Versions}
  32 \begin{itemize*}
  33   \item Debian Wheezy and MySQL 5.5
  34 \end{itemize*}
  35
  36
  37 \subsubsection{Settings}
  38 \configfile{my.cnf}{31-31,104-109}{SSL configuration fo MySQL}
  39
  40
  41 %\subsubsection{Additional settings}
  42
  43
  44 %\subsubsection{Justification for special settings (if needed)}
  45 % in case you have the need for further justifications why you chose this and that setting or if the settings do not fit into the standard Variant A or Variant B schema, please document this here
  46
  47
  48 \subsubsection{References}
  49 \begin{itemize*}
  50   \item MySQL Documentation on SSL Connections.\\\url{https://dev.mysql.com/doc/refman/5.5/en/ssl-connections.html}
  51 \end{itemize*}
  52
  53
  54 \subsubsection{How to test}
  55 After restarting the server run the following query to see if the ssl settings are correct:
  56 \begin{lstlisting}
  57 show variables like '%ssl%';
  58 \end{lstlisting}
  59
  60
  61 %% ----------------------------------------------------------------------
  62 \subsection{DB2}
  63 \subsubsection{Tested with Version}
  64 \begin{itemize*}
  65 \item  We do not test this here, since we only reference other papers for DB2 so far.
  66 \end{itemize*}
  67
  68
  69 \subsubsection{Settings}
  70 \paragraph{ssl\_cipherspecs:}
  71 In the link above the whole SSL-configuration is described in-depth. The following command shows only how to set the recommended ciphersuites.
  72 \begin{lstlisting}
  73 # recommended and supported ciphersuites
  74
  75 db2 update dbm cfg using SSL_CIPHERSPECS
  76 TLS_RSA_WITH_AES_256_CBC_SHA256,
  77 TLS_RSA_WITH_AES_128_GCM_SHA256,
  78 TLS_RSA_WITH_AES_128_CBC_SHA256,
  79 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  80 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
  81 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
  82 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
  83 TLS_RSA_WITH_AES_256_GCM_SHA384,
  84 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
  85 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
  86 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
  87 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
  88 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
  89 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
  90 TLS_RSA_WITH_AES_256_CBC_SHA,
  91 TLS_RSA_WITH_AES_128_CBC_SHA,
  92 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
  93 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  94 \end{lstlisting}
  95
  96
  97 \subsubsection{References}
  98 \begin{itemize*}
  99   \item IBM Db2 Documentation on \emph{Supported cipher suites}.\\\url{http://pic.dhe.ibm.com/infocenter/db2luw/v9r7/index.jsp?topic=\%2Fcom.ibm.db2.luw.admin.sec.doc\%2Fdoc\%2Fc0053544.html}
 100 \end{itemize*}
 101
 102 %% ----------------------------------------------------------------------
 103
 104 \subsection{PostgreSQL}
 105 \subsubsection{Tested with Versions}
 106 \begin{itemize*}
 107   \item Debian Wheezy and PostgreSQL 9.1
 108   \item Linux Mint 14 nadia / Ubuntu 12.10 quantal with PostgreSQL 9.1+136 and OpenSSL 1.0.1c
 109 \end{itemize*}
 110
 111
 112 \subsubsection{Settings}
 113 \configfile{9.1/postgresql.conf}{80-81}{Enabling SSL in PostgreSQL}
 114
 115 To start in SSL mode the server.crt and server.key must exist in the server's data directory \$PGDATA.
 116
 117 Starting with version 9.2, you have the possibility to set the path manually.
 118 \configfile{9.3/postgresql.conf}{85-87}{Certificate locations in PostgreSQL \(\geq\) 9.2}
 119
 120
 121
 122 \subsubsection{References}
 123 \begin{itemize*}
 124   \item It's recommended to read ``Security and Authentication'' in the manual\footnote{\url{http://www.postgresql.org/docs/9.1/interactive/runtime-config-connection.html}}.
 125   \item PostgreSQL Documentation on \emph{Secure TCP/IP Connections with SSL}: \url{http://www.postgresql.org/docs/9.1/static/ssl-tcp.html}
 126   \item PostgreSQL Documentation on \emph{host-based authentication}: \url{http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html}
 127 \end{itemize*}
 128
 129
 130 \subsubsection{How to test}
 131 To test your ssl settings, run psql with the sslmode parameter:
 132 \begin{lstlisting}
 133 psql "sslmode=require host=postgres-server dbname=database" your-username
 134 \end{lstlisting}
 135