Chapter 4. Database Security
4.1. Restricting Hosts Access to the Database
Strengthening the host-based authentication (HBA) settings on a database appliance helps prevent unauthorized access from external hosts. The HBA settings restrict access to an IP address range so that only hosts within that range can connect to the database.
Restricting access to the database requires modifications to the /var/opt/rh/rh-postgresql94/lib/pgsql/data/pg_hba.conf file. This file contains a text-based table with some initial settings:
# TYPE    DATABASE  USER  ADDRESS  METHOD
local     all       all            peer map=usermap
host      all       all   all      md5
#hostssl  all       all   all      md5
The format of this table uses the following header columns:
- TYPE
  The access type: local access from the database host (local), remote access from an external host regardless of encryption (host), remote access with encryption (hostssl), or remote access without encryption (hostnossl).
- DATABASE
  The name of the database the host can access. Use all for all databases.
- USER
  The name of the user the host can use to access the database. Use all for all users.
- ADDRESS
  The IP address of the host or address range of hosts with access to the database. This can be either:
  A single address:
  host all all 192.168.1.10 md5
  An address range using a CIDR mask:
  host all all 192.168.1.0/24 md5
  An address range using a separate subnet mask value:
  host all all 192.168.1.0 255.255.255.0 md5
  Note: ADDRESS is not required for local connections.
- METHOD
  The authentication method, which includes:
  - trust - Allow the connection unconditionally. This method allows anyone that can connect to the PostgreSQL database server to log in as any PostgreSQL user they wish, without the need for a password or any other authentication.
  - reject - Reject the connection unconditionally. This is useful for "filtering out" certain hosts from a group; for example, a reject line could block a specific host from connecting, while a later line allows the remaining hosts in a specific network to connect.
  - md5 - Require the client to supply an MD5-hashed password for authentication.
  - password - Require the client to supply an unencrypted password for authentication. Since the password is sent in clear text over the network, this should not be used on untrusted networks.
  - ident - Obtain the operating system user name of the client by contacting the ident server on the client and check whether it matches the requested database user name. Ident authentication can only be used on TCP/IP connections. When specified for local connections, peer authentication is used instead.
  - peer - Obtain the client's operating system user name from the operating system and check whether it matches the requested database user name. This is only available for local connections.
Using a combination of these options, you create a series of rules that govern which hosts can access your database and which hosts are denied. PostgreSQL evaluates the rules in order and applies the first one that matches the connection; a connection that matches no rule is refused. For example, you might change the default HBA rules to only allow remote access to the Red Hat CloudForms database (vmdb_production) from hosts in a certain subnet. The modified HBA table would look like this:
# TYPE    DATABASE         USER  ADDRESS         METHOD
local     all              all                   peer map=usermap
host      vmdb_production  all   192.168.1.0/24  md5
#hostssl  all              all   all             md5
These restrictions help when structuring your Red Hat CloudForms appliances in relationships. For example, use these database restrictions to grant access only between a master database appliance in one region and appliances connecting from a separate region.
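The following is an added example, not code from the original page or from Red Hat CloudForms: a small Python evaluator that parses a pg_hba.conf table using the three ADDRESS forms described above and answers which METHOD PostgreSQL would apply to a given connection, following the first-match-wins rule. The sample table, the 192.168.1.77 reject entry and the 10.0.0.0/24 hostssl entry are constructed for illustration; hostnames, samehost/samenet, comma-separated lists and +group users are not handled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample pg_hba.conf: the restricted table from the text plus a
# reject rule and the other ADDRESS syntaxes. The extra ranges are assumptions.
SAMPLE_PG_HBA = """\
# TYPE   DATABASE         USER  ADDRESS                   METHOD
local    all              all                             peer map=usermap
host     all              all   192.168.1.77              reject
host     vmdb_production  all   192.168.1.0/24            md5
hostssl  vmdb_production  all   10.0.0.0 255.255.255.0    md5
#hostssl all              all   all                       md5
"""


@dataclass
class HbaRule:
    lineno: int
    conn_type: str      # local, host, hostssl or hostnossl
    database: str
    user: str
    network: object     # None for local, "all", or an ipaddress network
    method: str
    options: str = ""


def _parse_address(fields):
    """Return (network, remaining_fields) for 'all', CIDR, 'addr mask' or single host."""
    addr = fields[0]
    if addr == "all":
        return "all", fields[1:]
    if "/" in addr:                                   # CIDR form
        return ipaddress.ip_network(addr, strict=False), fields[1:]
    try:                                              # separate subnet mask form
        ipaddress.ip_address(fields[1])
        return ipaddress.ip_network(f"{addr}/{fields[1]}", strict=False), fields[2:]
    except (ValueError, IndexError):
        return ipaddress.ip_network(addr), fields[1:]  # single host -> /32 or /128


def parse_pg_hba(text):
    """Parse the text of a pg_hba.conf into HbaRule objects, skipping comments."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        conn_type, database, user = fields[0], fields[1], fields[2]
        if conn_type == "local":
            network, rest = None, fields[3:]
        elif conn_type in ("host", "hostssl", "hostnossl"):
            network, rest = _parse_address(fields[3:])
        else:
            raise ValueError(f"line {lineno}: unsupported TYPE {conn_type!r}")
        rules.append(HbaRule(lineno, conn_type, database, user,
                             network, rest[0], " ".join(rest[1:])))
    return rules


def first_match(rules, client_type, database, user, client_ip=None) -> Optional[HbaRule]:
    """First rule matching the connection (PostgreSQL stops at the first match).
    client_type is "local", "hostssl" (remote over SSL) or "hostnossl" (remote in clear)."""
    if client_type != "local" and client_ip is None:
        raise ValueError("remote connections need a client IP")
    ip = ipaddress.ip_address(client_ip) if client_ip else None
    for rule in rules:
        if rule.conn_type == "local":
            if client_type != "local":
                continue
        else:
            if client_type == "local":
                continue
            # 'host' matches SSL and non-SSL; hostssl/hostnossl match only their kind
            if rule.conn_type in ("hostssl", "hostnossl") and rule.conn_type != client_type:
                continue
            if rule.network != "all" and ip not in rule.network:
                continue
        if rule.database != "all" and rule.database != database:
            continue
        if rule.user != "all" and rule.user != user:
            continue
        return rule
    return None


def decide(rules, client_type, database, user, client_ip=None):
    """METHOD PostgreSQL would apply, or "no match" when the connection is refused."""
    rule = first_match(rules, client_type, database, user, client_ip)
    return rule.method if rule else "no match"


if __name__ == "__main__":
    rules = parse_pg_hba(SAMPLE_PG_HBA)
    for args in [("local", "vmdb_production", "root", None),
                 ("hostnossl", "vmdb_production", "root", "192.168.1.77"),
                 ("hostnossl", "vmdb_production", "root", "192.168.1.20"),
                 ("hostnossl", "vmdb_production", "root", "10.0.0.5"),
                 ("hostssl", "vmdb_production", "root", "10.0.0.5")]:
        print(args, "->", decide(rules, *args))
```

Run it against your own pg_hba.conf to confirm that a reject line placed before a permissive range actually shadows it, and that a hostssl-only rule leaves unencrypted clients with no match.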
4.2. Configuring the Database to use SSL
Red Hat CloudForms initially connects to the database over an unencrypted connection. If multiple appliances connect to a single database appliance, you can set up the database connection to use SSL. An SSL connection encrypts the communication between the Red Hat CloudForms appliances and the database.
The procedures in this section use the SSL certificate and key files listed below. These files can be found on your main Red Hat CloudForms database appliance.
The appliance image ships with a default SSL certificate and it is recommended to change this certificate. You can use a certificate signed by a trusted CA or, alternatively, generate a self-signed certificate.
See Section 3.2, “Generating SSL Certificates for Your Appliance and Database” for more information on generating an SSL certificate.
- /var/www/miq/vmdb/certs/server.cer - Signed or self-signed certificate for the database appliance.
- /var/www/miq/vmdb/certs/server.cer.key - Private key for the server certificate.
- /var/www/miq/vmdb/certs/root.crt - The root certificate for the Red Hat CloudForms database server appliance. You can either use a self-signed certificate or a certificate signed by a trusted CA to generate your root certificate.
It is also recommended to stop all Red Hat CloudForms services before configuring the database to use SSL.
To configure SSL on the database appliance:
- Log in as root to the appliance where the database resides.
- Stop the evmserverd and rh-postgresql94-postgresql services:
  [root@{productname_short_l}2 ~]# systemctl stop evmserverd
  [root@{productname_short_l}2 ~]# systemctl stop rh-postgresql94-postgresql
- Install the server key file in the correct location and set the ownership and permissions for it:
  [root@{productname_short_l}2 ~]# install -m 600 -o postgres -g postgres \
      /var/www/miq/vmdb/certs/server.cer.key /var/www/miq/vmdb/certs/postgres.key
- Install the server certificate file in the correct location and set the ownership and permissions for it:
  [root@{productname_short_l}2 ~]# install -m 644 -o postgres -g postgres \
      /var/www/miq/vmdb/certs/server.cer /var/www/miq/vmdb/certs/postgres.crt
- Install the database appliance certificate file as the root certificate in the correct location and set the ownership and permissions for it:
  [root@{productname_short_l}2 ~]# install -m 644 -o postgres -g postgres /var/www/miq/vmdb/certs/server.cer /var/www/miq/vmdb/certs/root.crt
  This is correct for a self-signed server certificate. If server.cer was signed by a CA, install the signing CA's certificate as root.crt instead, since clients use root.crt to verify the certificate the server presents.
- Make sure that the SELinux security context is set correctly for the files in /var/www/miq/vmdb/certs:
  [root@{productname_short_l}2 ~]# restorecon -R -v /var/www/miq/vmdb/certs
- Open the /var/opt/rh/rh-postgresql94/lib/pgsql/data/postgresql.conf file and uncomment and edit the ssl option:
  ssl = on
- In the same file, locate the options ssl_cert_file, ssl_key_file, and ssl_ca_file that specify the location of the SSL certificates and edit them so that they are uncommented and point to the correct certificate files:
  ssl_cert_file = '/var/www/miq/vmdb/certs/postgres.crt'   # (change requires restart)
  ssl_key_file = '/var/www/miq/vmdb/certs/postgres.key'    # (change requires restart)
  ssl_ca_file = '/var/www/miq/vmdb/certs/root.crt'         # (change requires restart)
- Open the /var/opt/rh/rh-postgresql94/lib/pgsql/data/pg_hba.conf file and locate the two lines that contain the following:
  host all all all md5
  #hostssl all all all md5
- Modify the two lines to comment out the host entry and uncomment the hostssl entry:
  #host all all all md5
  hostssl all all all md5
  This changes the incoming communication protocol to use SSL and refuses any unencrypted PostgreSQL connections, because a hostssl rule never matches a connection that is not using SSL and no other remote rule remains.
- Start the rh-postgresql94-postgresql and evmserverd services so that the changes take effect:
  [root@{productname_short_l}1 ~]# systemctl start rh-postgresql94-postgresql
  [root@{productname_short_l}1 ~]# systemctl start evmserverd
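The following is an added example, not part of the original page or of Red Hat CloudForms: Python helpers that apply the two configuration edits from the steps above as a repeatable text transformation and then verify the result. set_postgresql_conf uncomments or overwrites ssl, ssl_cert_file, ssl_key_file and ssl_ca_file (appending any that are missing), require_ssl_in_pg_hba generalizes the two-line edit by turning every active host or hostnossl rule into a hostssl rule while keeping the original as a comment, and plaintext_remote_rules is the post-edit check that no rule still admits unencrypted remote clients. The certificate paths are those used in the procedure; the sample file contents are constructed.

```python
import re

# Paths from the procedure on this page
CERT_DIR = "/var/www/miq/vmdb/certs"
SSL_SETTINGS = {
    "ssl": "on",
    "ssl_cert_file": f"'{CERT_DIR}/postgres.crt'",
    "ssl_key_file": f"'{CERT_DIR}/postgres.key'",
    "ssl_ca_file": f"'{CERT_DIR}/root.crt'",
}

# Constructed sample fragments resembling the stock files before the edit
SAMPLE_POSTGRESQL_CONF = """\
port = 5432                             # (change requires restart)
#ssl = off                              # (change requires restart)
#ssl_cert_file = 'server.crt'           # (change requires restart)
#ssl_key_file = 'server.key'            # (change requires restart)
#ssl_ca_file = ''                       # (change requires restart)
"""

SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS  METHOD
local   all       all            peer map=usermap
host    all       all   all      md5
#hostssl all      all   all      md5
"""

_SETTING_LINE = re.compile(r"^\s*#?\s*(\w+)\s*=\s*(.*?)(\s*#.*)?$")


def set_postgresql_conf(text, settings=SSL_SETTINGS):
    """Uncomment/overwrite every occurrence of each setting; append those not present.
    Every occurrence is rewritten because PostgreSQL honours the last one in the file."""
    found = set()
    out = []
    for line in text.splitlines():
        m = _SETTING_LINE.match(line)
        if m and m.group(1) in settings:
            key, trailing_comment = m.group(1), m.group(3) or ""
            out.append(f"{key} = {settings[key]}{trailing_comment}")
            found.add(key)
        else:
            out.append(line)
    for key, value in settings.items():
        if key not in found:
            out.append(f"{key} = {value}")
    return "\n".join(out) + "\n"


def active_settings(text):
    """Uncommented key = value pairs from postgresql.conf text, last occurrence wins."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\s*=\s*(.*?)\s*(#.*)?$", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def require_ssl_in_pg_hba(text):
    """Turn each active 'host'/'hostnossl' rule into a 'hostssl' rule with the same
    DATABASE, USER, ADDRESS and METHOD, keeping the original line as a comment."""
    out = []
    for line in text.splitlines():
        m = re.match(r"^(host|hostnossl)(\s.*)$", line.strip())
        if m:
            out.append("#" + line.strip())
            out.append("hostssl" + m.group(2))
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def plaintext_remote_rules(text):
    """Active pg_hba rules that would still accept an unencrypted remote connection."""
    return [l.strip() for l in text.splitlines()
            if re.match(r"^(host|hostnossl)\s", l.strip())]


if __name__ == "__main__":
    print(set_postgresql_conf(SAMPLE_POSTGRESQL_CONF))
    hba = require_ssl_in_pg_hba(SAMPLE_PG_HBA)
    print(hba)
    print("plaintext rules left:", plaintext_remote_rules(hba))
```

Apply the same check to the real pg_hba.conf after editing: an empty result from plaintext_remote_rules is what "refuse any unencrypted PostgreSQL connections" requires, and the server must still be restarted for the postgresql.conf changes to take effect.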
The database appliance now only accepts connections from connecting appliances using SSL. The following procedure sets up connecting appliances to communicate to the database using SSL. Use this procedure for each connecting appliance:
- Log in as root to the connecting appliance.
- Create the .postgresql directory in your root user home directory:
  [root@{productname_short_l}2 ~]# mkdir /root/.postgresql
  The PostgreSQL client library (libpq), which Red Hat CloudForms also uses, looks to this directory for custom configuration files.
- Copy the root certificate file from the database appliance to the /root/.postgresql directory on the connecting appliance:
  [root@{productname_short_l}2 ~]# scp root@[database_appliance_fqdn]:/var/www/miq/vmdb/certs/root.crt /root/.postgresql/root.crt
  Where [database_appliance_fqdn] is the fully qualified domain name of the database appliance. Note that libpq only uses root.crt to verify the server's certificate when the client requests verification (sslmode=verify-ca or verify-full); with the default sslmode of prefer the connection is encrypted but the server certificate is not checked.
- Test the connection between the connecting appliance and the database appliance using psql:
  [root@localhost ~]# psql -h [database_appliance_fqdn] -d vmdb_production
  Password: ********
  psql (9.2.8)
  SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
  Type "help" for help.
  vmdb_production=#
  psql displays information about the SSL connection, which indicates that the configuration succeeded. Enter \q to leave psql.
Complete this procedure for each external appliance. This enhances the security of all database transactions in your Red Hat CloudForms infrastructure.