src/practical_settings/DBs.tex

   1 %%\subsection{Database Systems}
   2 % This list is based on : http://en.wikipedia.org/wiki/Relational_database_management_system#Market_share
   3
   4 \subsubsection{Oracle}
   5 \item[Tested with Version:] not tested
   6
   7 \item[References:] (German)
   8 {\small \url{www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si}}
   9
  10 Please read the following pages about SSL and ciphersuites:\\
  11 p. 129 -Req 396 and Req 397 \\
  12
  13
  14 \subsubsection{SQL Server}
  15 \todo{write this}
  16
  17
  18
  19
  20 \subsubsection{MySQL}
  21
  22 \begin{description}
  23 \item[Tested with Version:] Debian 7.0 and MySQL 5.5
  24
  25 \item[Settings:] \mbox{}
  26
  27 \paragraph*{my.cnf}\mbox{}\\
  28
  29 \begin{lstlisting}[breaklines]
  30 [mysqld]
  31 ssl
  32 ssl-ca=/etc/mysql/ssl/ca-cert.pem
  33 ssl-cert=/etc/mysql/ssl/client-cert.pem
  34 ssl-key=/etc/mysql/ssl/client-key.pem
  35 ssl-cipher=EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA
  36 \end{lstlisting}
  37
  38 \item[Additional settings:]
  39
  40
  41 \item[Justification for special settings (if needed):]
  42
  43 % in case you have the need for further justifications why you chose this and that setting or if the settings do not fit into the standard Variant A or Variant B schema, please document this here
  44
  45 \item[References:]
  46
  47 \todo{add references}
  48
  49 % add any further references or best practice documents here
  50
  51 \item[How to test:]
  52
  53 After restarting the server run the following query to see if the ssl settings are correct:
  54 \begin{lstlisting}[breaklines]
  55 show variables like '%ssl%';
  56 \end{lstlisting}
  57
  58
  59 \end{description}
  60
  61
  62 \subsubsection{DB2}
  63 \begin{description}
  64 \item[Tested with Version:] not tested
  65
  66 \item[References:]
  67 {\small \url{http://pic.dhe.ibm.com/infocenter/db2luw/v9r7/index.jsp?topic=%2Fcom.ibm.db2.luw.admin.sec.doc%2Fdoc%2Fc0053544.html}}
  68
  69
  70 \paragraph*{ssl_cipherspecs}\mbox{}\\
  71 In the link above the whole SSL-Configuration is in-depth described. The following command shows only the recommended ciphersuites.
  72 \begin{lstlisting}[breaklines]
  73 % it's out of scope to describe the whole SSL procedure
  74 % # fully qualified path of the key database file
  75 %db2 update dbm cfg using SSL_SVR_KEYDB /home/dba/sqllib/security/keystore/key.kdb
  76 %
  77 %# fully qualified path of the stash file
  78 %db2 update dbm cfg using SSL_SVR_STASH /home/dba/sqllib/security/keystore/mydbserver.sth
  79 %
  80 %# label of the digital certificate of the server
  81 %db2 update dbm cfg using SSL_SVR_LABEL myselfsigned
  82 %
  83 # recommended and supported ciphersuites
  84
  85 db2 update dbm cfg using SSL_CIPHERSPECS
  86 TLS_RSA_WITH_AES_256_CBC_SHA256,
  87 TLS_RSA_WITH_AES_128_GCM_SHA256,
  88 TLS_RSA_WITH_AES_128_CBC_SHA256,
  89 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  90 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
  91 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
  92 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
  93 TLS_RSA_WITH_AES_256_GCM_SHA384,
  94 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
  95 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
  96 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
  97 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
  98 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
  99 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
 100 TLS_RSA_WITH_AES_256_CBC_SHA,
 101 TLS_RSA_WITH_AES_128_CBC_SHA,
 102 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
 103 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
 104
 105 \end{lstlisting}
 106
 107
 108 \subsubsection{Postgresql}
 109
 110 \begin{description}
 111 \item[Tested with Version:] Debian 7.0 and PostgreSQL 9.1
 112
 113 \item[References:]
 114
 115 It's recommended to read
 116
 117 {\small \url{http://www.postgresql.org/docs/X.X/interactive/runtime-config-connection.html\#RUNTIME-CONFIG-CONNECTION-SECURITY}}
 118 (please change X.X with your preferred version e.g. 9.1).
 119
 120 \item[Settings:] \mbox{}
 121
 122
 123 To start in SSL mode the server.crt and server.key must exist in the server's data directory \$PGDATA.
 124
 125 Starting with version 9.2, you have the possibility to set the path.
 126
 127 \begin{lstlisting}[breaklines]
 128 ssl_key_file = '/your/path/server.key'
 129 ssl_cert_file = '/your/path/server.crt'
 130 ssl_ca_file = '/your/path/root.crt'
 131 \end{lstlisting}
 132
 133 \paragraph*{postgresql.conf}\mbox{}\\
 134
 135 \begin{lstlisting}[breaklines]
 136 #>=8.3
 137 ssl = on
 138 ssl_ciphers = 'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA'
 139 \end{lstlisting}
 140
 141
 142
 143 \item[How to test:]
 144 To test your ssl settings, run psql with the sslmode parameter:
 145 \begin{lstlisting}[breaklines]
 146 psql "sslmode=require host=postgres-server dbname=database" your-username
 147 \end{lstlisting}
 148
 149 \end{description}
 150