Chapter 4. Database Security

4.1. Restricting Host Access to the Database

Strengthening the host-based authentication (HBA) settings on a database appliance helps prevent unauthorized access from external hosts. The HBA settings restrict access to an IP address range so that only hosts within that range have access.

Restricting access to the database requires modifications to the /var/opt/rh/rh-postgresql94/lib/pgsql/data/pg_hba.conf file. This file contains a text-based table with some initial settings:

# TYPE    DATABASE USER  ADDRESS       METHOD
local     all      all                 peer map=usermap
host      all      all   all           md5
#hostssl  all      all   all           md5

The format for this table uses the following header columns:

TYPE
This defines the access type, either local access from the database host (local), remote access from an external host regardless of encryption (host), external access with encryption (hostssl), or external access without encryption (hostnossl).
DATABASE
The name of the database the host can access. Use all for all databases.
USER
The name of the user the host can use to access the database. Use all for all users.
ADDRESS

The IP address of the host or address range of hosts with access to the database. This can either be:

  • A single address:

    host    all      all   192.168.1.10           md5
  • An address range using a CIDR mask:

    host    all      all   192.168.1.0/24           md5
  • An address range using a separate subnet mask value:

    host    all      all   192.168.1.0  255.255.255.0            md5
    Note

    ADDRESS is not required for local connections.

METHOD

The authentication method, which includes:

  • trust - Allow the connection unconditionally. This method allows anyone that can connect to the PostgreSQL database server to login as any PostgreSQL user they wish, without the need for a password or any other authentication.
  • reject - Reject the connection unconditionally. This is useful for "filtering out" certain hosts from a group, for example a reject line could block a specific host from connecting, while a later line allows the remaining hosts in a specific network to connect.
  • md5 - Require the client to supply an MD5-hashed password for authentication.
  • password - Require the client to supply an unencrypted password for authentication. Since the password is sent in clear text over the network, this should not be used on untrusted networks.
  • ident - Obtain the operating system user name of the client by contacting the ident server on the client and check if it matches the requested database user name. Ident authentication can only be used on TCP/IP connections. When specified for local connections, peer authentication will be used instead.
  • peer - Obtain the client’s operating system user name from the operating system and check if it matches the requested database user name. This is only available for local connections.

Using a combination of these options, you create a series of rules that govern which hosts can access your database and which hosts are denied. For example, you might change the default HBA rules to only allow remote access to the Red Hat CloudForms database (vmdb_production) from hosts in a certain subnet. The modified HBA table would look like this:

# TYPE  DATABASE          USER  ADDRESS         METHOD
local   all               all                   peer map=usermap
host    vmdb_production   all   192.168.1.0/24  md5
#hostssl all              all   all             md5

These restrictions help when structuring your Red Hat CloudForms appliances in relationships. For example, use these database restrictions to grant access only between a master database appliance in one region and appliances connecting from a separate region.
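
The following is an added example, not part of the original guide or of PostgreSQL itself. It parses rules in the format described above and returns the method of the first rule that matches a connection, which is why a reject line must come before the broader line it carves an exception from. The sample rules, function names and the simplified matching (no quoted values, comma-separated lists or host names) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample rules in pg_hba.conf format (illustrative, not from a real appliance).
SAMPLE_HBA = """\
# TYPE   DATABASE         USER  ADDRESS                     METHOD
local    all              all                               peer map=usermap
host     vmdb_production  all   192.168.1.99                reject
hostssl  vmdb_production  all   192.168.1.0/24              md5
host     vmdb_production  all   192.168.2.0  255.255.255.0  md5
"""

def parse_hba(text):
    """Return the active rules in file order (simplified: no quoting, lists or host names)."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue                              # comment or blank line
        rule = {"type": fields[0], "db": fields[1], "user": fields[2], "net": None}
        rest = fields[3:]
        if rule["type"] != "local":               # local rules have no ADDRESS column
            addr = rest.pop(0)
            if "/" not in addr and rest and rest[0][0].isdigit():
                addr += "/" + rest.pop(0)         # separate subnet mask column
            if addr != "all":
                rule["net"] = ipaddress.ip_network(addr, strict=False)
        rule["method"] = rest[0]
        rules.append(rule)
    return rules

def first_match(rules, db, user, ip=None, ssl=False):
    """Return the METHOD of the first matching rule; None means no rule matched (refused)."""
    for r in rules:
        if (ip is None) != (r["type"] == "local"):
            continue                              # socket rule vs TCP/IP rule
        if (r["type"] == "hostssl" and not ssl) or (r["type"] == "hostnossl" and ssl):
            continue                              # encryption requirement not met
        if r["net"] is not None and ipaddress.ip_address(ip) not in r["net"]:
            continue                              # client outside ADDRESS
        if r["db"] in ("all", db) and r["user"] in ("all", user):
            return r["method"]
    return None

RULES = parse_hba(SAMPLE_HBA)
```

With these sample rules, an unencrypted connection from 192.168.1.20 matches no rule and is refused, while the same client over SSL is asked for an md5 password.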

4.2. Configuring the Database to use SSL

Red Hat CloudForms initially connects to the database over an unencrypted connection. If multiple appliances connect to a single database appliance, you can set up the database connection to use SSL. An SSL connection encrypts the communication between CloudForms and the database.

The procedures in this section use the SSL certificate and key files listed below. These files can be found on your main CloudForms database appliance.

Note

The appliance image ships with a default SSL certificate and it is recommended to change this certificate. You can use a certificate signed by a trusted CA or, alternatively, generate a self-signed certificate.

See Section 3.2, “Generating SSL Certificates for Your Appliance and Database” for more information on generating an SSL certificate.

  • /var/www/miq/vmdb/certs/server.cer - Signed or self-signed certificate for the database appliance.
  • /var/www/miq/vmdb/certs/server.cer.key - Private key for server certificate.
  • /var/www/miq/vmdb/certs/root.crt - The root CA certificate used to sign the CA certificate for the CloudForms database. You can either use a self-signed certificate or a certificate signed by a trusted CA to generate your root certificate.

It is also recommended to stop all CloudForms services before configuring the database to use SSL.

To configure SSL on the database appliance:

  1. Log in as root to the appliance where the database resides.
  2. Stop the evmserverd and rh-postgresql94-postgresql services:

    [root@appliance2 ~]# systemctl stop evmserverd
    [root@appliance2 ~]# systemctl stop rh-postgresql94-postgresql
  3. Install the server key file in the correct location and set the ownership and permissions for it:

    [root@appliance2 ~]# install -m 600 -o postgres -g postgres \
    /var/www/miq/vmdb/certs/server.cer.key /var/www/miq/vmdb/certs/postgres.key
  4. Install the server certificate file in the correct location and set the ownership and permissions for it:

    [root@appliance2 ~]# install -m 644 -o postgres -g postgres \
    /var/www/miq/vmdb/certs/server.cer /var/www/miq/vmdb/certs/postgres.crt
  5. Install the database appliance certificate file as the root certificate in the correct location and set the ownership and permissions for it.

    If you are using a self-signed certificate, run:

    [root@appliance2 ~]# install -m 644 -o postgres -g postgres /var/www/miq/vmdb/certs/server.cer /var/www/miq/vmdb/certs/root.crt

    If you are using a third-party certificate, edit this command to install your root certificate.

  6. Make sure that the security context is set correctly for the files in /var/www/miq/vmdb/certs:

    [root@cloudforms2 ~]# restorecon -R -v /var/www/miq/vmdb/certs
  7. Open the /var/opt/rh/rh-postgresql94/lib/pgsql/data/postgresql.conf file and uncomment and edit the ssl option:

    ssl=on

    In the same file, locate the options ssl_cert_file, ssl_key_file, and ssl_ca_file that specify the location of SSL certificates and edit them so that they are uncommented and point to the correct certificate files:

    ssl_cert_file = '/var/www/miq/vmdb/certs/postgres.crt'  # (change requires restart)
    ssl_key_file  = '/var/www/miq/vmdb/certs/postgres.key'  # (change requires restart)
    ssl_ca_file   = '/var/www/miq/vmdb/certs/root.crt'      # (change requires restart)
  8. Open the /var/opt/rh/rh-postgresql94/lib/pgsql/data/pg_hba.conf file and locate the two lines that contain the following:

    host      all      all   all           md5
    #hostssl  all      all   all           md5

    Modify the two lines to comment the host entry and uncomment the hostssl entry:

    #host     all      all   all           md5
    hostssl   all      all   all           md5

    This changes the incoming communication protocol to use SSL and refuse any unencrypted PostgreSQL connections.

  9. Start the rh-postgresql94-postgresql and evmserverd services so that the changes take effect:

    [root@cloudforms1 ~]# systemctl start rh-postgresql94-postgresql
    [root@cloudforms1 ~]# systemctl start evmserverd

The database appliance now only accepts connections from connecting appliances using SSL. The following procedure sets up connecting appliances to communicate with the database using SSL. Use this procedure for each connecting appliance:

  1. Log in as root to the connecting appliance.
  2. Create the .postgresql directory in your root user home directory.

    [root@cloudforms2 ~]# mkdir /root/.postgresql

    The PostgreSQL client library, which Red Hat CloudForms also uses, looks to this directory for custom configuration files.

  3. Copy the root certificate file from the database appliance to the /root/.postgresql directory on the connecting appliance:

    [root@cloudforms2 ~]# scp root@[database_appliance_fqdn]:/var/www/miq/vmdb/certs/root.crt /root/.postgresql/root.crt

    Where [database_appliance_fqdn] is the fully qualified domain name of the database appliance.

  4. Test the connection between the connecting appliance and the database appliance using psql:

    [root@localhost ~]# psql -h [database_appliance_fqdn] -d vmdb_production
    Password: ********
    psql (9.2.8)
    SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
    Type "help" for help.
    
    vmdb_production=#

    psql displays information about the SSL connection, which indicates that the configuration succeeded. Enter \q to leave psql.

Complete this procedure for each external appliance. This enhances the security of all database transactions in your Red Hat CloudForms infrastructure.

4.2.1. Hardening TLS Protocol Version

After you configure the database to use SSL, TLS version 1.2 is used by default. Older versions of the protocol (TLS 1.0 and 1.1) remain available for clients to choose. You can disable the older versions by inserting the following lines into /var/opt/rh/rh-postgresql94/lib/pgsql/data/postgresql.conf:

ssl_ciphers = 'TLSv1.2:!aNULL'
ssl_prefer_server_ciphers=true