Use compact lists of mdwlist, save space
1 %%\subsection{Database Systems}
2 % This list is based on : http://en.wikipedia.org/wiki/Relational_database_management_system#Market_share
3
4 %% ---------------------------------------------------------------------- 
5 \subsection{Oracle}
6 \subsubsection{Tested with Versions}
7 \todo{not tested yet}
8
9
10 \subsubsection{References}
11 \begin{itemize*}
12   \item Technical safety requirements by \emph{Deutsche Telekom AG} (German). Please read section 17.12 or pages 129 and following (Req 396 and Req 397) about SSL and ciphersuites \url{http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si}
13 \end{itemize*}
14
15
16
17 %% ---------------------------------------------------------------------- 
18 %%\subsection{SQL Server}
19 %%\todo{write this}
20
21
22
23 %% ---------------------------------------------------------------------- 
24 \subsection{MySQL}
25
26
27 \subsubsection{Tested with Versions}
28 \begin{itemize*}
29   \item Debian Wheezy and MySQL 5.5
30 \end{itemize*}
31
32
33 \subsubsection{Settings}
34 \paragraph*{my.cnf}
35 \begin{lstlisting}
36 [mysqld]
37 ssl
38 ssl-ca=/etc/mysql/ssl/ca-cert.pem
39 ssl-cert=/etc/mysql/ssl/server-cert.pem
40 ssl-key=/etc/mysql/ssl/server-key.pem
41 ssl-cipher=%*\cipherStringB*)
42 \end{lstlisting}
43
44
45 %\subsubsection{Additional settings}
46
47
48 %\subsubsection{Justification for special settings (if needed)}
49 % in case you have the need for further justifications why you chose this and that setting or if the settings do not fit into the standard Variant A or Variant B schema, please document this here
50
51
52 \subsubsection{References}
53 \begin{itemize*}
54   \item MySQL Documentation on SSL Connections: \url{https://dev.mysql.com/doc/refman/5.5/en/ssl-connections.html}
55 \end{itemize*}
56
57
58 \subsubsection{How to test}
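59 After restarting the server, run the following query to check that the SSL settings are correct: \texttt{have\_ssl} should report \texttt{YES}, and \texttt{ssl\_ca}, \texttt{ssl\_cert}, \texttt{ssl\_key} and \texttt{ssl\_cipher} should show the configured values. This only confirms that the server offers SSL; clients are not forced to use it unless their accounts are granted with \texttt{REQUIRE SSL}.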
60 \begin{lstlisting}
61 show variables like '%ssl%';
62 \end{lstlisting}
63
64
65 %% ---------------------------------------------------------------------- 
66 \subsection{DB2}
67 \subsubsection{Tested with Version}
68 \todo{not tested}
69
70
71 \subsubsection{References}
72 \begin{itemize*}
73   \item IBM Db2 Documentation on \emph{Supported cipher suites}: \url{http://pic.dhe.ibm.com/infocenter/db2luw/v9r7/index.jsp?topic=\%2Fcom.ibm.db2.luw.admin.sec.doc\%2Fdoc\%2Fc0053544.html}
74 \end{itemize*}
75
76
77 \subsubsection{Settings}
78 \paragraph*{ssl\_cipherspecs}
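79 The link above describes the whole SSL configuration in depth. The following command only shows how to set the recommended cipher suites. The list is wrapped here for readability; it has to be passed to \texttt{db2} as a single comma-separated value without line breaks.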
80 \begin{lstlisting}
81 # recommended and supported ciphersuites 
82
83 db2 update dbm cfg using SSL_CIPHERSPECS 
84 TLS_RSA_WITH_AES_256_CBC_SHA256,
85 TLS_RSA_WITH_AES_128_GCM_SHA256,
86 TLS_RSA_WITH_AES_128_CBC_SHA256,
87 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
88 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
89 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
90 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
91 TLS_RSA_WITH_AES_256_GCM_SHA384,
92 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
93 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
94 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
95 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
96 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
97 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
98 TLS_RSA_WITH_AES_256_CBC_SHA,
99 TLS_RSA_WITH_AES_128_CBC_SHA,
100 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
101 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
102 \end{lstlisting}
103
104
105 %% ---------------------------------------------------------------------- 
106
107 \subsection{PostgreSQL}
108 \subsubsection{Tested with Versions}
109 \begin{itemize*}
110   \item Debian Wheezy and PostgreSQL 9.1
111   \item Linux Mint 14 nadia / Ubuntu 12.10 quantal with PostgreSQL 9.1+136 and OpenSSL 1.0.1c
112 \end{itemize*}
113
114
115 \subsubsection{References}
116 \begin{itemize*}
117   \item It is recommended to read \url{http://www.postgresql.org/docs/9.1/interactive/runtime-config-connection.html\#RUNTIME-CONFIG-CONNECTION-SECURITY} (replace the version in the URL with the one you are running).
118   \item PostgreSQL Documentation on \emph{Secure TCP/IP Connections with SSL}: \url{http://www.postgresql.org/docs/9.1/static/ssl-tcp.html}
119   \item PostgreSQL Documentation on \emph{host-based authentication}: \url{http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html}
120 \end{itemize*}
121
122
123 \subsubsection{Settings}
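124 To start in SSL mode, the files \texttt{server.crt} and \texttt{server.key} must exist in the server's data directory \$PGDATA. The private key file \texttt{server.key} must not be readable by group or others.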
125
126 Starting with version 9.2, the paths can be set explicitly in \texttt{postgresql.conf}:
127
128 \begin{lstlisting}
129 ssl_key_file = '/your/path/server.key'
130 ssl_cert_file = '/your/path/server.crt'
131 ssl_ca_file = '/your/path/root.crt'
132 \end{lstlisting}
133
134 \paragraphDiamond{postgresql.conf}
135 \begin{lstlisting}
136 #>=8.3
137 ssl = on 
138 ssl_ciphers = '%*\cipherStringB*)'
139 \end{lstlisting}
140
141
142 \subsubsection{How to test}
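143 To test your SSL settings, run psql with the \texttt{sslmode} parameter as shown below. Note that \texttt{sslmode=require} only ensures that the connection is encrypted; to also verify the server certificate and host name, clients should use \texttt{sslmode=verify-full} with the CA certificate configured.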
144 \begin{lstlisting}
145 psql "sslmode=require host=postgres-server dbname=database" your-username
146 \end{lstlisting}
147