1 %hack.
2 \gdef\currentsectionname{DBs}
3 %%\subsection{Database Systems}
4 % This list is based on : https://en.wikipedia.org/wiki/Relational_database_management_system#Market_share
5
6 %% ---------------------------------------------------------------------- 
7 \subsection{Oracle}
8 \subsubsection{Tested with Versions}
9 \begin{itemize*}
10 \item We do not test this here, since we only reference other papers for Oracle so far.
11 \end{itemize*}
12
13
14 \subsubsection{References}
15 \begin{itemize*}
16   \item Technical security requirements by \emph{Deutsche Telekom AG} (German). Please read section 17.12, or pages 129 and following (Req 396 and Req 397), about SSL and ciphersuites: \url{http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si}
17 \end{itemize*}
18
19
20
21 %% ---------------------------------------------------------------------- 
22 %%\subsection{SQL Server}
23 %%\todo{write this}
24
25
26
27 %% ---------------------------------------------------------------------- 
28 \subsection{MySQL}
29
30
31 \subsubsection{Tested with Versions}
32 \begin{itemize*}
33   \item Debian Wheezy and MySQL 5.5
34 \end{itemize*}
35
36
37 \subsubsection{Settings}
38 \configfile{my.cnf}{31-31,104-109}{SSL configuration for MySQL}
39
40
41 %\subsubsection{Additional settings}
42
43
44 %\subsubsection{Justification for special settings (if needed)}
45 % in case you have the need for further justifications why you chose this and that setting or if the settings do not fit into the standard Variant A or Variant B schema, please document this here
46
47
48 \subsubsection{References}
49 \begin{itemize*}
50   \item MySQL Documentation on SSL Connections.\\\url{https://dev.mysql.com/doc/refman/5.5/en/ssl-connections.html}
51 \end{itemize*}
52
53
54 \subsubsection{How to test}
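55 After restarting the server, run the following query to see if the SSL settings are correct (this shows the server configuration only; whether a given client session is encrypted is visible in that session's \texttt{Ssl\_cipher} status value, which is empty for unencrypted connections):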
56 \begin{lstlisting}
57 show variables like '%ssl%';
58 \end{lstlisting}
59
60
61 %% ---------------------------------------------------------------------- 
62 \subsection{DB2}
63 \subsubsection{Tested with Versions}
64 \begin{itemize*}
65 \item  We do not test this here, since we only reference other papers for DB2 so far.
66 \end{itemize*}
67
68
69 \subsubsection{Settings}
70 \paragraph{ssl\_cipherspecs:}
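71 The IBM documentation referenced below describes the whole SSL configuration in depth. The following command only shows how to set the recommended ciphersuites; the value is a single comma-separated list, wrapped here for readability. Note that the \texttt{TLS\_RSA\_*} suites in the list do not provide forward secrecy, so the \texttt{ECDHE} suites are preferable where all clients support them.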
72 \begin{lstlisting}
73 # recommended and supported ciphersuites 
74
75 db2 update dbm cfg using SSL_CIPHERSPECS 
76 TLS_RSA_WITH_AES_256_CBC_SHA256,
77 TLS_RSA_WITH_AES_128_GCM_SHA256,
78 TLS_RSA_WITH_AES_128_CBC_SHA256,
79 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
80 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
81 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
82 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
83 TLS_RSA_WITH_AES_256_GCM_SHA384,
84 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
85 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
86 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
87 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
88 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
89 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
90 TLS_RSA_WITH_AES_256_CBC_SHA,
91 TLS_RSA_WITH_AES_128_CBC_SHA,
92 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
93 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
94 \end{lstlisting}
95
96
97 \subsubsection{References}
98 \begin{itemize*}
99   \item IBM Db2 Documentation on \emph{Supported cipher suites}.\\\url{http://pic.dhe.ibm.com/infocenter/db2luw/v9r7/index.jsp?topic=\%2Fcom.ibm.db2.luw.admin.sec.doc\%2Fdoc\%2Fc0053544.html}
100 \end{itemize*}
101
102 %% ---------------------------------------------------------------------- 
103
104 \subsection{PostgreSQL}
105 \subsubsection{Tested with Versions}
106 \begin{itemize*}
107   \item Debian Wheezy and PostgreSQL 9.1
108   \item Linux Mint 14 nadia / Ubuntu 12.10 quantal with PostgreSQL 9.1+136 and OpenSSL 1.0.1c
109 \end{itemize*}
110
111
112 \subsubsection{Settings}
113 \configfile{9.1/postgresql.conf}{80-81}{Enabling SSL in PostgreSQL}
114
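115 To start in SSL mode, the files \texttt{server.crt} and \texttt{server.key} must exist in the server's data directory \$PGDATA. The private key file \texttt{server.key} must not be accessible by group or others (for example, mode 0600).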
116
117 Starting with version 9.2, the locations of these files can be configured explicitly.
118 \configfile{9.3/postgresql.conf}{85-87}{Certificate locations in PostgreSQL \(\geq\) 9.2}
119
120
121
122 \subsubsection{References}
123 \begin{itemize*}
124   \item It's recommended to read ``Security and Authentication'' in the manual\footnote{\url{http://www.postgresql.org/docs/9.1/interactive/runtime-config-connection.html}}.
125   \item PostgreSQL Documentation on \emph{Secure TCP/IP Connections with SSL}: \url{http://www.postgresql.org/docs/9.1/static/ssl-tcp.html}
126   \item PostgreSQL Documentation on \emph{host-based authentication}: \url{http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html}
127 \end{itemize*}
128
129
130 \subsubsection{How to test}
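131 To test your SSL settings, run psql with the sslmode parameter. Note that \texttt{sslmode=require} enforces encryption but does not by itself guarantee that the server certificate is validated; use \texttt{sslmode=verify-full} with a trusted root certificate to also authenticate the server: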
132 \begin{lstlisting}
133 psql "sslmode=require host=postgres-server dbname=database" your-username
134 \end{lstlisting}
135