64b6c9261e
Current folder name New folder name Book title ---------------------------------------------------------- basic-install DELETE cli-guide DELETE common common NEW admin-guide-cloud Cloud Administrators Guide docbkx-example DELETE openstack-block-storage-admin DELETE openstack-compute-admin DELETE openstack-config config-reference OpenStack Configuration Reference openstack-ha high-availability-guide OpenStack High Availabilty Guide openstack-image image-guide OpenStack Virtual Machine Image Guide openstack-install install-guide OpenStack Installation Guide openstack-network-connectivity-admin admin-guide-network OpenStack Networking Administration Guide openstack-object-storage-admin DELETE openstack-security security-guide OpenStack Security Guide openstack-training training-guide OpenStack Training Guide openstack-user user-guide OpenStack End User Guide openstack-user-admin user-guide-admin OpenStack Admin User Guide glossary NEW OpenStack Glossary bug: #1220407 Change-Id: Id5ffc774b966ba7b9a591743a877aa10ab3094c7 author: diane fleming
69 lines
4.6 KiB
XML
69 lines
4.6 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
||
<chapter xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://docbook.org/ns/docbook" xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="ch043_database-transport-security"><?dbhtml stop-chunking?>
|
||
<title>Database Transport Security</title>
|
||
<para>This chapter covers issues related to network communications to and from the database server. This includes IP address bindings and encrypting network traffic with SSL.</para>
|
||
<section xml:id="ch043_database-transport-security-idp38176">
|
||
<title>Database Server IP Address Binding</title>
|
||
<para>To isolate sensitive database communications between the services and the database, we strongly recommend that the database server(s) be configured to only allow communications to and from the database over an isolated management network. This is achieved by restricting the interface or IP address on which the database server binds a network socket for incoming client connections.</para>
|
||
<section xml:id="ch043_database-transport-security-idp39696">
|
||
<title>Restricting Bind Address for MySQL</title>
|
||
<para>In my.cnf:</para>
|
||
<screen>
|
||
[mysqld]
|
||
...
|
||
bind-address <ip address or hostname of management network interface></screen>
|
||
</section>
|
||
<section xml:id="ch043_database-transport-security-idp41568">
|
||
<title>Restricting Listen Address for PostgreSQL</title>
|
||
<para>In postgresql.conf:</para>
|
||
<screen>
|
||
listen_addresses = <ip address or hostname of management network interface></screen>
|
||
</section>
|
||
</section>
|
||
<section xml:id="ch043_database-transport-security-idp43520">
|
||
<title>Database Transport</title>
|
||
<para>In addition to restricting database communications to the management network, we also strongly recommend that the cloud administrator configure their database backend to require SSL. Using SSL for the database client connections protects the communications from tampering and eavesdropping. As will be discussed in the next section, using SSL also provides the framework for doing database user authentication via X.509 certificates (commonly referred to as PKI). Below is guidance on how SSL is typically configured for the two popular database backends MySQL and PostgreSQL.</para>
|
||
<note>
|
||
<para>NOTE: When installing the certificate and key files, ensure that the file permissions are restricted, for example <literal>chmod 0600</literal>, and the ownership is restricted to the database daemon user to prevent unauthorized access by other processes and users on the database server.</para>
|
||
</note>
|
||
</section>
|
||
<section xml:id="ch043_database-transport-security-idp47184">
|
||
<title>MySQL SSL Configuration</title>
|
||
<para>The following lines should be added in the system-wide MySQL configuration file:</para>
|
||
<para>In my.cnf:</para>
|
||
<screen>
|
||
[[mysqld]]
|
||
...
|
||
ssl-ca=/path/to/ssl/cacert.pem
|
||
ssl-cert=/path/to/ssl/server-cert.pem
|
||
ssl-key=/path/to/ssl/server-key.pem</screen>
|
||
<para>Optionally, if you wish to restrict the set of SSL ciphers
|
||
used for the encrypted connection. See <link xlink:href="http://www.openssl.org/docs/apps/ciphers.html">http://www.openssl.org/docs/apps/ciphers.html</link> for a list of ciphers and the syntax for specifying the cipher string:</para>
|
||
<screen>
|
||
ssl-cipher='cipher:list'</screen>
|
||
</section>
|
||
<section xml:id="ch043_database-transport-security-idp50288">
|
||
<title>PostgreSQL SSL Configuration</title>
|
||
<para>The following lines should be added in the system-wide PostgreSQL configuration file, <literal>postgresql.conf</literal>.</para>
|
||
<screen>
|
||
ssl = true</screen>
|
||
<para>Optionally, if you wish to restrict the set of SSL ciphers used for the encrypted connection. See <link xlink:href="http://www.openssl.org/docs/apps/ciphers.html">http://www.openssl.org/docs/apps/ciphers.html</link> for a list of ciphers and the syntax for specifying the cipher string:</para>
|
||
<screen>
|
||
ssl-ciphers = 'cipher:list'</screen>
|
||
<para>The server certificate, key, and certificate authority (CA) files should be placed in the $PGDATA directory in the following files:</para>
|
||
<itemizedlist><listitem>
|
||
<para>$PGDATA/server.crt - Server certificate</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>$PGDATA/server.key - Private key corresponding to server.crt</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>$PGDATA/root.crt - Trusted certificate authorities</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>$PGDATA/root.crl - Certificate revocation list</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</section>
|
||
</chapter>
|