gaussdb database user and security management [Secure TCP/IP connection using SSL] [04]

1. Use SSL for secure TCP/IP connection

GaussDB supports SSL encryption of the communication between the client and the server, and between the host and the standby machine, which protects sensitive data while it is transmitted over the network.

Background information
GaussDB supports the SSL 3.0 protocol standard. SSL 3.0 is a more secure protocol standard: it adds digital signatures and digital certificates to achieve two-way authentication between the client and the server, ensuring more secure data transmission for both parties.

  • If the certificates are only needed for testing, you can use OpenSSL to generate them.
  • The SSL-related parameters control not only the SSL communication between the client and the host, but also the SSL communication between the host and the standby machine.

Turn on the SSL authentication mode.

gs_guc set -c ssl=on

Configure the client access authentication parameters (in a dual-machine deployment, this only needs to be configured on the host).

cd /opt/gaussdb/data
vi pg_hba.conf

For example, adding a line similar to the following allows clients on the 10.0.0.2/24 network segment to connect to the GaussDB service through SSL authentication:

hostssl  all   all 10.0.0.2/24      sha256

For detailed configuration methods and parameter descriptions, see Configuring Client Access Authentication.
https://blog.csdn.net/qq_42226855/article/details/109563367

Configure the digital certificate parameters related to SSL authentication. For the requirements of each authentication method, see Table 1.

These are server-side parameters, set with gs_guc as shown below. For the parameter descriptions, see Table 2.

gaussdba@gauss21:/opt/gaussdb/data> gs_guc set -c "ssl_cert_file='server.crt'"
gs_guc set: ssl_cert_file='server.crt'
gaussdba@gauss21:/opt/gaussdb/data> gs_guc set -c "ssl_key_file='server.key'"
gs_guc set: ssl_key_file='server.key'
gaussdba@gauss21:/opt/gaussdb/data> gs_guc set -c "ssl_ca_file='cacert.pem'"
gs_guc set: ssl_ca_file='cacert.pem'
gaussdba@gauss21:/opt/gaussdb/data> gs_guc set -c "ssl_crl_file=' '"
gs_guc set: ssl_crl_file=' '

Configure the client parameters (environment variables). For the variable descriptions, see Table 3.

export PGSSLCERT="/opt/gaussdb/data/client.crt"
export PGSSLKEY="/opt/gaussdb/data/client.key"
export PGSSLMODE="prefer"
export PGSSLROOTCERT=" "
export PGSSLCRL=" "

Table 1 Authentication methods

Two-way authentication (recommended)
  Meaning: The client verifies the validity of the server certificate, and the server also verifies the validity of the client certificate. The connection is established only when both verifications succeed.
  Server-side parameters (for dual machines, configure on both the host and the standby): copy the server certificate, the server private key, the certificate revocation list, and the root certificate to $GAUSSDATA, and set ssl_cert_file, ssl_key_file, ssl_ca_file, ssl_crl_file, and ssl_ciphers. For the parameter values, see Table 2 and Table 4.
  Client environment variables: set PGSSLCERT, PGSSLKEY, PGSSLROOTCERT, PGSSLCRL, and PGSSLMODE. For the values, see Table 3.

Server authentication
  Meaning: The client verifies the validity of the server certificate only; the server does not verify the validity of the client certificate. The server loads its certificate and sends it to the client, and the client uses the root certificate to verify the validity of the server certificate.
  Server-side parameters: copy the server certificate and the server private key file to $GAUSSDATA, and set ssl_cert_file, ssl_key_file, and ssl_ciphers. For the parameter values, see Table 2 and Table 4.
  Client environment variables: set PGSSLROOTCERT, PGSSLCRL, and PGSSLMODE. For the values, see Table 3.

Client authentication
  Meaning: The server verifies the validity of the client certificate only; the client does not verify the validity of the server certificate. During the handshake, the client loads its certificate and sends it to the server, and the server uses the root certificate to verify the validity of the client certificate.
  Server-side parameters: copy the root certificate and the certificate revocation list of the server to $GAUSSDATA, and set ssl_ca_file, ssl_crl_file, and ssl_ciphers. For the parameter values, see Table 2 and Table 4.
  Client environment variables: set PGSSLROOTCERT, PGSSLCRL, and PGSSLMODE. For the values, see Table 3.

Set the permissions of the server private key. Assume that the file is named server.key and is in the /opt/gaussdb/data directory.

The permission must be 600, the owner must be gaussdba, and the group must be dbgrp. If the permissions do not meet these requirements, GaussDB cannot be started. Use the following commands to set them:

cd /opt/gaussdb/data
chown gaussdba:dbgrp server.key
chmod og-rwx server.key
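The following script is an added example and is not code from the original post: it audits the server-side settings configured in the steps above before GaussDB is restarted. It checks that ssl is on in postgresql.conf, that the certificate parameters use paths relative to the data directory and point to existing files, that the private key is mode 600, and that pg_hba.conf contains no plain host rule (which would also accept unencrypted TCP connections). The data directory defaults to /opt/gaussdb/data as in the post; make_sample_datadir builds constructed sample files so the audit can be tried without a GaussDB installation.

```shell
#!/bin/sh
# Added example, not code from the original post: an offline audit of the
# server-side SSL settings configured above. The data directory defaults to
# /opt/gaussdb/data as in the post; make_sample_datadir builds constructed
# sample files so the audit can be exercised without a GaussDB installation.

# Symbolic permission string of a file, e.g. "-rw-------".
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Value of a parameter in postgresql.conf: the last uncommented assignment
# wins; trailing comments, surrounding quotes and whitespace are stripped.
conf_value() {   # $1 = conf file, $2 = parameter name
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null | tail -n 1 \
        | sed -e 's/[[:space:]]*#.*$//' -e 's/^[^=]*=[[:space:]]*//' \
              -e "s/^'//" -e "s/'[[:space:]]*$//" \
              -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Audit one data directory. Prints each finding and returns the number of
# findings, so a return value of 0 means the directory passed.
audit_gaussdb_ssl() {
    datadir=${1:-/opt/gaussdb/data}
    conf="$datadir/postgresql.conf"
    hba="$datadir/pg_hba.conf"
    findings=0

    # 1. ssl must be on ("gs_guc set -c ssl=on" writes this into postgresql.conf).
    if [ "$(conf_value "$conf" ssl)" != on ]; then
        echo "FINDING: ssl is not 'on' in $conf"
        findings=$((findings + 1))
    fi

    # 2. Certificate and key paths must be relative to the data directory
    #    (Table 2) and the files must exist; an empty value means the
    #    optional parameter is not set.
    for p in ssl_cert_file ssl_key_file ssl_ca_file ssl_crl_file; do
        v=$(conf_value "$conf" "$p")
        [ -n "$v" ] || continue
        case "$v" in
            /*) echo "FINDING: $p='$v' is absolute; a path relative to the data directory is required"
                findings=$((findings + 1))
                continue ;;
        esac
        if [ ! -f "$datadir/$v" ]; then
            echo "FINDING: $p refers to a missing file: $datadir/$v"
            findings=$((findings + 1))
        fi
    done

    # 3. The private key must be readable by its owner only (chmod og-rwx),
    #    otherwise GaussDB refuses to start.
    key="$datadir/$(conf_value "$conf" ssl_key_file)"
    if [ -f "$key" ] && [ "$(file_mode "$key")" != "-rw-------" ]; then
        echo "FINDING: $key has mode $(file_mode "$key"); expected -rw------- (600)"
        findings=$((findings + 1))
    fi

    # 4. Non-local rules in pg_hba.conf should be hostssl; a plain "host"
    #    rule also accepts unencrypted TCP connections.
    if grep -E '^[[:space:]]*host[[:space:]]' "$hba" >/dev/null 2>&1; then
        echo "FINDING: plain 'host' rule(s) in $hba accept non-SSL connections:"
        grep -E '^[[:space:]]*host[[:space:]]' "$hba" | sed 's/^/    /'
        findings=$((findings + 1))
    fi

    return $findings
}

# Constructed sample data directories for trying the audit offline.
# $1 = directory to create, $2 = "good" (follows the post) or "bad".
make_sample_datadir() {
    dir=$1
    mkdir -p "$dir"
    : > "$dir/server.crt"; : > "$dir/server.key"; : > "$dir/cacert.pem"
    if [ "$2" = good ]; then
        printf "ssl = on\nssl_cert_file = 'server.crt'\nssl_key_file = 'server.key'\n" > "$dir/postgresql.conf"
        printf "ssl_ca_file = 'cacert.pem'\nssl_crl_file = ' '\n" >> "$dir/postgresql.conf"
        printf 'hostssl  all   all 10.0.0.2/24      sha256\n' > "$dir/pg_hba.conf"
        chmod 600 "$dir/server.key"
    else
        # ssl off, absolute certificate path, world-readable key, plain host rule
        printf "ssl = off\nssl_cert_file = '/etc/ssl/server.crt'\nssl_key_file = 'server.key'\n" > "$dir/postgresql.conf"
        printf "ssl_ca_file = 'cacert.pem'\nssl_crl_file = ' '\n" >> "$dir/postgresql.conf"
        printf 'host     all   all 10.0.0.2/24      sha256\n' > "$dir/pg_hba.conf"
        chmod 644 "$dir/server.key"
    fi
}

# Usage: sh audit_ssl.sh [DATADIR]
if [ "$#" -gt 0 ]; then
    audit_gaussdb_ssl "$1"
fi
```

The audit reads the parameters from postgresql.conf, which is where gs_guc set writes them, so it can be run as the gaussdba user against the real data directory right after the chmod step; a non-zero exit status is the count of findings.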

On the standby machine and on the cascaded standby machine, the following configuration is also required so that the host and the standby, and the standby and the cascaded standby, can communicate normally (in this relationship the standby machine acts as a client of the host, and the cascaded standby machine acts as a client of the standby machine):

  • Set the environment variables PGSSLCERT, PGSSLKEY, PGSSLROOTCERT, and PGSSLCRL. For the values of these environment variables, see Table 3.
  • Configure the ssl_ciphers parameter (it is recommended to keep the default value ALL). For the encryption algorithms supported by GaussDB, see Table 4.

Restart GaussDB for the configuration to take effect.

gs_ctl restart

Table 2 Server parameters

ssl
  Description: whether to enable the SSL function.
  Range: on (enable SSL); off (disable SSL).
  Default value: off

ssl_cert_file
  Description: the server certificate file, which contains the server's public key. The server certificate proves the legitimacy of the server's identity, and the public key is sent to the peer to encrypt data. Use the actual certificate name.
  Range: a relative path, relative to the data directory.
  Default value: server.crt

ssl_key_file
  Description: the server private key file, used for digital signatures and for decrypting data encrypted with the public key. Use the actual private key name.
  Range: a relative path, relative to the data directory.
  Default value: server.key

ssl_ca_file
  Description: the root certificate of the CA server. This parameter is optional; it is needed only when the validity of the client certificate is to be verified. Use the actual CA root certificate name.
  Default value: empty, which means that the identity of the client is not verified.

ssl_crl_file
  Description: the certificate revocation list. If the client certificate is in this list, it is regarded as an invalid certificate. Use the actual revocation list name.
  Default value: empty, which means there is no revocation list.

ssl_ciphers
  Description: the encryption algorithms used for SSL communication. For the encryption algorithms supported by GaussDB, see Table 4.
  Default value: ALL, which means that the peer may use any of the encryption algorithms supported by GaussDB.

Table 3 Client parameters

PGSSLCERT
  Description: the client certificate file, which contains the client's public key. The client certificate proves the legitimacy of the client's identity, and the public key is sent to the peer to encrypt data.
  Range: the absolute path of the file, for example:
  export PGSSLCERT="/home/gaussdb/data/client.crt"
  Default value: empty

PGSSLKEY
  Description: the client private key file, used for digital signatures and for decrypting data encrypted with the public key.
  Range: the absolute path of the file, for example:
  export PGSSLKEY="/home/gaussdb/data/client.key"
  Default value: empty

PGSSLMODE
  Description: whether to negotiate an SSL connection with the server, and with what priority.
  Range:
    disable: only try a non-SSL connection.
    allow: try a non-SSL connection first; if that fails, try an SSL connection.
    prefer: try an SSL connection first; if that fails, try a non-SSL connection.
    require: only try an SSL connection. If a CA file is present, verify the server certificate in the same way as verify-ca.
    verify-ca: only try an SSL connection, and verify that the server certificate is issued by a trusted certificate authority.
    verify-full: only try an SSL connection, verify that the server certificate is issued by a trusted certificate authority, and verify that the server host name matches the certificate.
  Default value: prefer

PGSSLROOTCERT
  Description: the root certificate file used to issue the client certificate. The root certificate is used to verify the validity of the server certificate.
  Range: the absolute path of the file, for example:
  export PGSSLROOTCERT="/home/gaussdb/data/root.crt"
  Default value: empty

PGSSLCRL
  Description: a certificate revocation list file, used to check whether the server certificate is in the list of revoked certificates. If it is, the server certificate is regarded as an invalid certificate.
  Range: the absolute path of the file, for example:
  export PGSSLCRL="/home/gaussdb/data/root.crl"
  Default value: empty
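The script below is an added example, not code from the original post: it checks the Table 3 environment variables (the same ones that must be set on a standby machine) before a client is started. Table 3 is the basis for its rules: every certificate variable must be an absolute path to an existing file, only verify-ca, verify-full, and require with a root certificate actually verify the server certificate, and only verify-full also checks the server host name. It reads PGSSLCERT, PGSSLKEY, PGSSLMODE, PGSSLROOTCERT and PGSSLCRL from the current environment, so it can be run directly after the export lines above.

```shell
#!/bin/sh
# Added example, not code from the original post: checks the client-side SSL
# environment variables of Table 3 (also set on standby machines) before a
# client or standby is started. It reads PGSSLCERT, PGSSLKEY, PGSSLMODE,
# PGSSLROOTCERT and PGSSLCRL from the current environment.

trim() {   # strip leading/trailing whitespace, so " " counts as unset
    printf '%s' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# 0 if the value of variable $1 (passed as $2) is an absolute path to a
# readable file, which is what Table 3 requires for every certificate variable.
abs_file() {
    case "$2" in
        /*) [ -r "$2" ] && return 0 ;;
    esac
    echo "FINDING: $1='$2' must be the absolute path of an existing file"
    return 1
}

# 0 if PGSSLMODE ($1) verifies the server certificate given PGSSLROOTCERT
# ($2). Per Table 3: verify-ca and verify-full always do; require does only
# when a root certificate is present; disable, allow and prefer never do.
mode_verifies_server() {
    case "$1" in
        verify-ca|verify-full) return 0 ;;
        require) [ -n "$(trim "$2")" ] && return 0 ;;
    esac
    return 1
}

# Print findings and return their count (0 = the settings pass).
check_client_ssl_env() {
    findings=0
    mode=$(trim "${PGSSLMODE:-prefer}")
    case "$mode" in
        disable|allow|prefer|require|verify-ca|verify-full) ;;
        *) echo "FINDING: PGSSLMODE='$mode' is not a valid value"
           findings=$((findings + 1)) ;;
    esac
    if ! mode_verifies_server "$mode" "${PGSSLROOTCERT:-}"; then
        echo "FINDING: PGSSLMODE=$mode with PGSSLROOTCERT='${PGSSLROOTCERT:-}' does not verify the server certificate"
        findings=$((findings + 1))
    elif [ "$mode" != verify-full ]; then
        echo "NOTE: only verify-full also checks that the server host name matches the certificate"
    fi

    # Client certificate and key (two-way or client authentication): when one
    # is set both must be set, and both must be absolute paths.
    cert=$(trim "${PGSSLCERT:-}")
    key=$(trim "${PGSSLKEY:-}")
    if [ -n "$cert$key" ]; then
        abs_file PGSSLCERT "$cert" || findings=$((findings + 1))
        abs_file PGSSLKEY "$key" || findings=$((findings + 1))
    fi

    # Root certificate and revocation list are optional, but when set they
    # must also be absolute paths to existing files.
    root=$(trim "${PGSSLROOTCERT:-}")
    crl=$(trim "${PGSSLCRL:-}")
    [ -z "$root" ] || abs_file PGSSLROOTCERT "$root" || findings=$((findings + 1))
    [ -z "$crl" ] || abs_file PGSSLCRL "$crl" || findings=$((findings + 1))
    return $findings
}

# Usage: source the export lines, then run `check_client_ssl_env`.
if [ "${1:-}" = --check ]; then
    check_client_ssl_env
fi
```

With the export lines shown earlier (PGSSLMODE=prefer and an empty PGSSLROOTCERT) the check reports one finding, because prefer encrypts the connection but accepts any server certificate; setting PGSSLMODE=verify-full together with an absolute PGSSLROOTCERT path makes it pass.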

The encryption algorithms used by the database server are specified by setting ssl_ciphers in postgresql.conf. The encryption algorithms currently supported by GaussDB SSL are listed in Table 4.

Table 4 Encryption algorithms

Encryption strength   Encryption speed   Encryption algorithm
strong                fast               AES256-SHA
strong                fast               DES-CBC3-SHA
strong                fast               AES128-SHA
strong                fast               RC4-SHA
strong                fast               RC4-MD5
strong                slow               DHE-RSA-AES256-SHA
strong                slow               DHE-DSS-AES256-SHA
strong                slow               EDH-RSA-DES-CBC3-SHA
strong                slow               EDH-DSS-DES-CBC3-SHA
strong                slow               DHE-RSA-AES128-SHA
strong                slow               DHE-DSS-AES128-SHA
medium                fast               DES-CBC-SHA
medium                slow               EDH-RSA-DES-CBC-SHA
medium                slow               EDH-DSS-DES-CBC-SHA

2. Use SSH tunnel for secure TCP/IP connection

To secure the communication between the GaussDB server and the client, an SSH tunnel can be built between them. SSH is a reliable protocol designed to provide security for remote login sessions and other network services.

Background information
From the perspective of the SSH client, SSH provides two levels of security verification:

  • Password-based security verification: log in to the remote host with an account and password. All transmitted data is encrypted, but there is no guarantee that the server you are connecting to is the server you intend to connect to; another server may impersonate the real one, which is a "man in the middle" attack.
  • Key-based security verification: the user creates a key pair and places the public key on the server to be accessed. This second level not only encrypts all transmitted data but also prevents "man in the middle" attacks. However, the entire login process may take 10 seconds.

Prerequisite: the SSH service and GaussDB run on the same server.

Establish an SSH tunnel from the local host to the GaussDB server.

ssh -L 63333:localhost:5432 username@hostIP

Description:

  • The first number (63333) in the -L argument is the port number of the local end of the tunnel and can be chosen freely.
  • The second number (5432) is the remote port of the tunnel, which is the port number used by the server.
  • localhost is the local IP address, username is the user name on the GaussDB server to be connected, and hostIP is the IP address of the GaussDB host to be connected.
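The following script is an added example and not code from the original post: it assembles the tunnel command described above from validated port numbers, and prints the environment a libpq-style client (an assumption; the post names no client) needs to connect through the tunnel. The user name, host and ports are the post's own placeholders. It adds two ssh options the post does not use: -N, so that no remote shell is opened, and -o ExitOnForwardFailure=yes, so that ssh exits instead of running silently without the forward when the local port is already in use.

```shell
#!/bin/sh
# Added example, not code from the original post: builds and checks the SSH
# tunnel command described above. The user, host and ports are the post's
# placeholders; the client settings assume a libpq-style client that honours
# PGHOST and PGPORT.

# 0 if $1 is an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ssh command for the tunnel: $1 local port, $2 remote port,
# $3 user on the GaussDB server, $4 its IP address. -N opens no remote
# shell, -f backgrounds ssh once the forward is established, and
# ExitOnForwardFailure makes ssh exit instead of silently running without
# the forward when the local port is already taken.
tunnel_cmd() {
    valid_port "$1" || { echo "invalid local port: $1" >&2; return 1; }
    valid_port "$2" || { echo "invalid remote port: $2" >&2; return 1; }
    printf 'ssh -N -f -o ExitOnForwardFailure=yes -L %s:localhost:%s %s@%s\n' "$1" "$2" "$3" "$4"
}

# Print the environment a libpq-style client needs to use the tunnel:
# it connects to the local end of the tunnel, not to the GaussDB host.
tunnel_client_env() {   # $1 = local port
    valid_port "$1" || return 1
    printf 'export PGHOST=localhost PGPORT=%s\n' "$1"
}

# Usage: sh tunnel.sh LOCALPORT REMOTEPORT USER HOSTIP
if [ "$#" -eq 4 ]; then
    tunnel_cmd "$1" "$2" "$3" "$4" && tunnel_client_env "$1"
fi
```

Because the tunnel ends at the local port, the client is pointed at localhost and the chosen local port rather than at hostIP and 5432.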

Related references

gaussdb database parameter description [postgresql.conf, pg_hba.conf, pg_ident.conf] [01]
https://blog.csdn.net/qq_42226855/article/details/108646659

gaussdb database parameter description [connection, connection pool, security and authentication] [02]
https://blog.csdn.net/qq_42226855/article/details/108748031

gaussdb database user and security management [Process of generating SSL certificate with openssl] [05]
https://blog.csdn.net/qq_42226855/article/details/109578424


Origin blog.csdn.net/qq_42226855/article/details/109565179