openstack-manuals/doc/security-guide/ch043_database-transport-security.xml
Andreas Jaeger aceec15371 Edits on Security Guide
Better follow conventions, especially:
* remove Latinism like via and i.e.
* use variable lists
* Add missing <filename>
* wrap long lines

Change-Id: I2a537df78ddf4fbeb127b058bf05caaf42441d5f
2014-05-12 23:22:48 -04:00

104 lines
5.2 KiB
XML

<?xml version="1.0" encoding="UTF-8"?>
<chapter xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns="http://docbook.org/ns/docbook"
version="5.0"
xml:id="ch043_database-transport-security">
<?dbhtml stop-chunking?>
<title>Database transport security</title>
<para>
This chapter covers issues related to network communications to
and from the database server. This includes IP address bindings
and encrypting network traffic with SSL.</para>
<section xml:id="ch043_database-transport-security-idp38176">
<title>Database server IP address binding</title>
<para>
To isolate sensitive database communications between the
services and the database, we strongly recommend that the
database server(s) be configured to only allow communications
to and from the database over an isolated management
network. This is achieved by restricting the interface or IP
address on which the database server binds a network socket
for incoming client connections.</para>
<section xml:id="ch043_database-transport-security-idp39696">
<title>Restricting bind address for MySQL</title>
<para>In <filename>my.cnf</filename>:</para>
<programlisting>[mysqld]
...
bind-address &lt;ip address or hostname of management network interface&gt;</programlisting>
</section>
<section xml:id="ch043_database-transport-security-idp41568">
<title>Restricting listen address for PostgreSQL</title>
<para>In <filename>postgresql.conf</filename>:</para>
<programlisting>listen_addresses = &lt;ip address or hostname of management network interface&gt;</programlisting>
</section>
</section>
<section xml:id="ch043_database-transport-security-idp43520">
<title>Database transport</title>
<para>
In addition to restricting database communications to the
management network, we also strongly recommend that the cloud
administrator configure their database backend to require
SSL. Using SSL for the database client connections protects
the communications from tampering and eavesdropping. As will
be discussed in the next section, using SSL also provides the
framework for doing database user authentication through X.509
certificates (commonly referred to as PKI). Below is guidance
on how SSL is typically configured for the two popular
database backends MySQL and PostgreSQL.</para>
<note>
<para>
When installing the certificate and key files, ensure that
the file permissions are restricted, for example
<command>chmod 0600</command>, and the ownership is
restricted to the database daemon user to prevent
unauthorized access by other processes and users on the
database server.</para>
</note>
</section>
<section xml:id="ch043_database-transport-security-idp47184">
<title>MySQL SSL configuration</title>
<para>The following lines should be added in the system-wide
MySQL configuration file:</para>
<para>In <filename>my.cnf</filename>:</para>
<programlisting>[[mysqld]]
...
ssl-ca=/path/to/ssl/cacert.pem
ssl-cert=/path/to/ssl/server-cert.pem
ssl-key=/path/to/ssl/server-key.pem</programlisting>
<para>Optionally, if you wish to restrict the set of SSL ciphers
used for the encrypted connection. See <link xlink:href="http://www.openssl.org/docs/apps/ciphers.html">http://www.openssl.org/docs/apps/ciphers.html</link> for a list of ciphers and the syntax for specifying the cipher string:</para>
<programlisting>ssl-cipher='cipher:list'</programlisting>
</section>
<section xml:id="ch043_database-transport-security-idp50288">
<title>PostgreSQL SSL configuration</title>
<para>
The following lines should be added in the system-wide
PostgreSQL configuration file,
<filename>postgresql.conf</filename>.</para>
<programlisting>ssl = true</programlisting>
<para>Optionally, if you wish to restrict the set of SSL ciphers used for the encrypted connection. See <link xlink:href="http://www.openssl.org/docs/apps/ciphers.html">http://www.openssl.org/docs/apps/ciphers.html</link> for a list of ciphers and the syntax for specifying the cipher string:</para>
<programlisting>ssl-ciphers = 'cipher:list'</programlisting>
<para>The server certificate, key, and certificate authority
(CA) files should be placed in the $PGDATA directory in the
following files:</para>
<itemizedlist><listitem>
<para><filename>$PGDATA/server.crt</filename> - Server
certificate</para>
</listitem>
<listitem>
<para><filename>$PGDATA/server.key</filename> - Private key
corresponding to <filename>server.crt</filename></para>
</listitem>
<listitem>
<para><filename>$PGDATA/root.crt</filename> - Trusted
certificate authorities</para>
</listitem>
<listitem>
<para><filename>$PGDATA/root.crl</filename> - Certificate
revocation list</para>
</listitem>
</itemizedlist>
</section>
</chapter>