feedback from Torge Riedel on mailinglist
1 %hack.
2 \gdef\currentsectionname{DBs}
3 %%\subsection{Database Systems}
4 % This list is based on : https://en.wikipedia.org/wiki/Relational_database_management_system#Market_share
5
6 %% ---------------------------------------------------------------------- 
7 \subsection{Oracle}
8 \subsubsection{Tested with Versions}
9 \begin{itemize*}
10 \item We do not test this here, since we only reference other papers for Oracle so far.
11 \end{itemize*}
12
13
14 \subsubsection{References}
15 \begin{itemize*}
16   \item Technical safety requirements by \emph{Deutsche Telekom AG} (German). Please read section 17.12 or pages 129 and following (Req 396 and Req 397) about SSL and ciphersuites \url{http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si}
17 \end{itemize*}
18
19
20
21 %% ---------------------------------------------------------------------- 
22 %%\subsection{SQL Server}
23 %%\todo{write this}
24
25
26
27 %% ---------------------------------------------------------------------- 
28 \subsection{MySQL}
29
30
31 \subsubsection{Tested with Versions}
32 \begin{itemize*}
33   \item MySQL 5.5 on Debian Wheezy
34   \item MySQL 5.7.20 on Ubuntu 16.04.3
35 \end{itemize*}
36
37
38 \subsubsection{Settings}
39 \configfile{my.cnf}{31-31,104-109}{SSL configuration for MySQL}
40
41
42 %\subsubsection{Additional settings}
43
44
45 %\subsubsection{Justification for special settings (if needed)}
46 % in case you have the need for further justifications why you chose this and that setting or if the settings do not fit into the standard Variant A or Variant B schema, please document this here
47
48
49 \subsubsection{References}
50 \begin{itemize*}
51   \item MySQL Documentation on SSL Connections.\\\url{https://dev.mysql.com/doc/refman/5.7/en/using-encrypted-connections.html}
52 \end{itemize*}
53
54
55 \subsubsection{How to test}
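56 After restarting the server, run the following query to check that the SSL settings are in effect. This shows only the server's configuration; whether a given session is actually encrypted can be seen from the \texttt{Ssl\_cipher} session status variable, which is empty for an unencrypted connection.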
57 \begin{lstlisting}
58 show variables like '%ssl%';
59 \end{lstlisting}
60
61
62 %% ---------------------------------------------------------------------- 
63 \subsection{DB2}
64 \subsubsection{Tested with Version}
65 \begin{itemize*}
66 \item  We do not test this here, since we only reference other papers for DB2 so far.
67 \end{itemize*}
68
69
70 \subsubsection{Settings}
71 \paragraph{ssl\_cipherspecs:}
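72 The IBM documentation listed under References below describes the whole SSL configuration in depth. The following command only shows how to set the recommended ciphersuites. Note that the list also contains suites with static RSA key exchange (\texttt{TLS\_RSA\_*}), which provide no forward secrecy, and CBC-mode suites; where all clients support them, the list can be restricted to the ECDHE suites with GCM.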
73 \begin{lstlisting}
74 # recommended and supported ciphersuites 
75
76 db2 update dbm cfg using SSL_CIPHERSPECS 
77 TLS_RSA_WITH_AES_256_CBC_SHA256,
78 TLS_RSA_WITH_AES_128_GCM_SHA256,
79 TLS_RSA_WITH_AES_128_CBC_SHA256,
80 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
81 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
82 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
83 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
84 TLS_RSA_WITH_AES_256_GCM_SHA384,
85 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
86 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
87 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
88 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
89 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
90 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
91 TLS_RSA_WITH_AES_256_CBC_SHA,
92 TLS_RSA_WITH_AES_128_CBC_SHA,
93 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
94 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
95 \end{lstlisting}
96
97
98 \subsubsection{References}
99 \begin{itemize*}
100   \item IBM Db2 Documentation on \emph{Supported cipher suites}.\\\url{http://pic.dhe.ibm.com/infocenter/db2luw/v9r7/index.jsp?topic=\%2Fcom.ibm.db2.luw.admin.sec.doc\%2Fdoc\%2Fc0053544.html}
101 \end{itemize*}
102
103 %% ---------------------------------------------------------------------- 
104
105 \subsection{PostgreSQL}
106 \subsubsection{Tested with Versions}
107 \begin{itemize*}
108   \item Debian Wheezy and PostgreSQL 9.1
109   \item Linux Mint 14 nadia / Ubuntu 12.10 quantal with PostgreSQL 9.1+136 and OpenSSL 1.0.1c
110 \end{itemize*}
111
112
113 \subsubsection{Settings}
114 \configfile{9.1/postgresql.conf}{80-81}{Enabling SSL in PostgreSQL}
115
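116 To start in SSL mode, the files \texttt{server.crt} and \texttt{server.key} must exist in the server's data directory \$PGDATA. The private key file \texttt{server.key} must not be accessible by group or others (for example mode 0600).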
117
118 Starting with version 9.2, the locations of the certificate and key files can be set explicitly in the configuration.
119 \configfile{9.3/postgresql.conf}{85-87}{Certificate locations in PostgreSQL \(\geq\) 9.2}
120
121
122
123 \subsubsection{References}
124 \begin{itemize*}
125   \item It's recommended to read ``Security and Authentication'' in the manual\footnote{\url{http://www.postgresql.org/docs/9.1/interactive/runtime-config-connection.html}}.
126   \item PostgreSQL Documentation on \emph{Secure TCP/IP Connections with SSL}: \url{http://www.postgresql.org/docs/9.1/static/ssl-tcp.html}
127   \item PostgreSQL Documentation on \emph{host-based authentication}: \url{http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html}
128 \end{itemize*}
129
130
131 \subsubsection{How to test}
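132 To test your SSL settings, run psql with the sslmode parameter as shown below. Note that \texttt{sslmode=require} only enforces encryption and does not verify the server certificate; to also authenticate the server, use \texttt{sslmode=verify-full} together with a trusted root certificate (\texttt{sslrootcert}).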
133 \begin{lstlisting}
134 psql "sslmode=require host=postgres-server dbname=database" your-username
135 \end{lstlisting}
136