aceec15371
Better follow conventions, especially: * remove Latinism like via and i.e. * use variable lists * Add missing <filename> * wrap long lines Change-Id: I2a537df78ddf4fbeb127b058bf05caaf42441d5f
104 lines
5.2 KiB
XML
104 lines
5.2 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<chapter xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns="http://docbook.org/ns/docbook"
|
|
version="5.0"
|
|
xml:id="ch043_database-transport-security">
|
|
<?dbhtml stop-chunking?>
|
|
<title>Database transport security</title>
|
|
<para>
|
|
This chapter covers issues related to network communications to
|
|
and from the database server. This includes IP address bindings
|
|
and encrypting network traffic with SSL.</para>
|
|
<section xml:id="ch043_database-transport-security-idp38176">
|
|
<title>Database server IP address binding</title>
|
|
<para>
|
|
To isolate sensitive database communications between the
|
|
services and the database, we strongly recommend that the
|
|
database server(s) be configured to only allow communications
|
|
to and from the database over an isolated management
|
|
network. This is achieved by restricting the interface or IP
|
|
address on which the database server binds a network socket
|
|
for incoming client connections.</para>
|
|
<section xml:id="ch043_database-transport-security-idp39696">
|
|
<title>Restricting bind address for MySQL</title>
|
|
<para>In <filename>my.cnf</filename>:</para>
|
|
<programlisting>[mysqld]
|
|
...
|
|
bind-address <ip address or hostname of management network interface></programlisting>
|
|
</section>
|
|
<section xml:id="ch043_database-transport-security-idp41568">
|
|
<title>Restricting listen address for PostgreSQL</title>
|
|
<para>In <filename>postgresql.conf</filename>:</para>
|
|
<programlisting>listen_addresses = <ip address or hostname of management network interface></programlisting>
|
|
</section>
|
|
</section>
|
|
<section xml:id="ch043_database-transport-security-idp43520">
|
|
<title>Database transport</title>
|
|
<para>
|
|
In addition to restricting database communications to the
|
|
management network, we also strongly recommend that the cloud
|
|
administrator configure their database backend to require
|
|
SSL. Using SSL for the database client connections protects
|
|
the communications from tampering and eavesdropping. As will
|
|
be discussed in the next section, using SSL also provides the
|
|
framework for doing database user authentication through X.509
|
|
certificates (commonly referred to as PKI). Below is guidance
|
|
on how SSL is typically configured for the two popular
|
|
database backends MySQL and PostgreSQL.</para>
|
|
<note>
|
|
<para>
|
|
When installing the certificate and key files, ensure that
|
|
the file permissions are restricted, for example
|
|
<command>chmod 0600</command>, and the ownership is
|
|
restricted to the database daemon user to prevent
|
|
unauthorized access by other processes and users on the
|
|
database server.</para>
|
|
</note>
|
|
</section>
|
|
<section xml:id="ch043_database-transport-security-idp47184">
|
|
<title>MySQL SSL configuration</title>
|
|
<para>The following lines should be added in the system-wide
|
|
MySQL configuration file:</para>
|
|
<para>In <filename>my.cnf</filename>:</para>
|
|
<programlisting>[[mysqld]]
|
|
...
|
|
ssl-ca=/path/to/ssl/cacert.pem
|
|
ssl-cert=/path/to/ssl/server-cert.pem
|
|
ssl-key=/path/to/ssl/server-key.pem</programlisting>
|
|
<para>Optionally, if you wish to restrict the set of SSL ciphers
|
|
used for the encrypted connection. See <link xlink:href="http://www.openssl.org/docs/apps/ciphers.html">http://www.openssl.org/docs/apps/ciphers.html</link> for a list of ciphers and the syntax for specifying the cipher string:</para>
|
|
<programlisting>ssl-cipher='cipher:list'</programlisting>
|
|
</section>
|
|
<section xml:id="ch043_database-transport-security-idp50288">
|
|
<title>PostgreSQL SSL configuration</title>
|
|
<para>
|
|
The following lines should be added in the system-wide
|
|
PostgreSQL configuration file,
|
|
<filename>postgresql.conf</filename>.</para>
|
|
<programlisting>ssl = true</programlisting>
|
|
<para>Optionally, if you wish to restrict the set of SSL ciphers used for the encrypted connection. See <link xlink:href="http://www.openssl.org/docs/apps/ciphers.html">http://www.openssl.org/docs/apps/ciphers.html</link> for a list of ciphers and the syntax for specifying the cipher string:</para>
|
|
<programlisting>ssl-ciphers = 'cipher:list'</programlisting>
|
|
<para>The server certificate, key, and certificate authority
|
|
(CA) files should be placed in the $PGDATA directory in the
|
|
following files:</para>
|
|
<itemizedlist><listitem>
|
|
<para><filename>$PGDATA/server.crt</filename> - Server
|
|
certificate</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><filename>$PGDATA/server.key</filename> - Private key
|
|
corresponding to <filename>server.crt</filename></para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><filename>$PGDATA/root.crt</filename> - Trusted
|
|
certificate authorities</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><filename>$PGDATA/root.crl</filename> - Certificate
|
|
revocation list</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
</chapter>
|