Chapter 4. Database Security
4.1. Restricting Hosts Access to the Database
Strengthening the host-based authentication (HBA) settings on a database appliance helps with preventing unauthorized access from external hosts. The HBA settings restrict access to an IP address range so that only hosts within that range have access.
Restricting access to the database requires modifications to the
/var/opt/rh/rh-postgresql94/lib/pgsql/data/pg_hba.conf file. This file contains a text-based table with some initial settings:
# TYPE DATABASE USER ADDRESS METHOD local all all peer map=usermap host all all all md5 #hostssl all all all md5
This format for this table uses the following header columns:
This defines the access type, either local access from the database host (
local), remote access from an external host regardless of encryption (
host), external access with encryption (
hostssl), or external access without encryption (
The name of the database the host can access. Use
allfor all databases.
The name of the user the host can use to access the database. Use
allfor all users.
The IP address of the host or address range of hosts with access to the database. This can either be:
A single address:
host all all 192.168.1.10 md5
An address range using a CIDR mask:
host all all 192.168.1.0/24 md5
An address range using a separate subnet mask value
host all all 192.168.1.0 255.255.255.0 md5Note
ADDRESSis not required for
The authentication method, which includes:
trust- Allow the connection unconditionally. This method allows anyone that can connect to the PostgreSQL database server to login as any PostgreSQL user they wish, without the need for a password or any other authentication.
reject- Reject the connection unconditionally. This is useful for "filtering out" certain hosts from a group, for example a
rejectline could block a specific host from connecting, while a later line allows the remaining hosts in a specific network to connect.
md5- Require the client to supply an MD5-encrypted password for authentication.
password- Require the client to supply an unencrypted password for authentication. Since the password is sent in clear text over the network, this should not be used on untrusted networks.
ident- Obtain the operating system user name of the client by contacting the ident server on the client and check if it matches the requested database user name. Ident authentication can only be used on TCP/IP connections. When specified for local connections, peer authentication will be used instead.
peer- Obtain the client’s operating system user name from the operating system and check if it matches the requested database user name. This is only available for local connections.
Using a combination of these options, you create a series of rules that govern which hosts can access your database and which hosts are denied. For example, you might change the default HBA rules to only allow remote access to the Red Hat CloudForms database (
vmdb_production) from hosts in a certain subnet. The modified HBA table would looks like this:
# TYPE DATABASE USER ADDRESS METHOD local all all peer map=usermap host vmdb_production all 192.168.1.0/24 md5 #hostssl all all all md5
These restrictions help when structuring your Red Hat CloudForms appliances in relationships. For example, use these database restrictions to grant access only between a master database appliance in one region and appliances connecting from a separate region.
4.2. Configuring the Database to use SSL
Red Hat CloudForms initially connects to the database through an unencrypted communication. If using multiple appliances connecting to a single database appliance, you can set up the database connection to use SSL. An SSL connection encrypts the communication between the CloudForms and the database.
The procedures in this section use the SSL certificate and key files listed below. These files can be found on your main CloudForms database appliance.
The appliance image ships with a default SSL certificate and it is recommended to change this certificate. You can use a certificate signed by a trusted CA or, alternatively, generate a self-signed certificate.
See Section 3.2, “Generating SSL Certificates for Your Appliance and Database” for more information on generating an SSL certificate.
/var/www/miq/vmdb/certs/server.cer- Signed or self-signed certificate for the database appliance.
/var/www/miq/vmdb/certs/server.cer.key- Private key for server certificate.
/var/www/miq/vmdb/certs/root.crt- The root CA certificate used to sign the CA certificate for the CloudForms database. You can either use a self-signed certificate or a certificate signed by a trusted CA to generate your root certificate.
It is also recommended to stop all CloudForms services before configuring the database to use SSL.
To configure SSL on the database appliance:
Log in as
rootto the appliance where the database resides.
[root@appliance2 ~]# systemctl stop evmserverd [root@appliance2 ~]# systemctl stop rh-postgresql95-postgresql
Install the server key file in the correct location and set the ownership and permissions for it:
[root@appliance2 ~]# install -m 600 -o postgres -g postgres \ /var/www/miq/vmdb/certs/server.cer.key /var/www/miq/vmdb/certs/postgres.key
Install the server certificate file in the correct location and set the ownership and permissions for it:
[root@appliance2 ~]# install -m 644 -o postgres -g postgres \ /var/www/miq/vmdb/certs/server.cer /var/www/miq/vmdb/certs/postgres.crt
Install the database appliance certificate file as the root certificate in the correct location and set the ownership and permissions for it.
If you are using a self-signed certificate, run:
[root@appliance2 ~]# install -m 644 -o postgres -g postgres /var/www/miq/vmdb/certs/server.cer /var/www/miq/vmdb/certs/root.crt
If you are using a third-party certificate, edit this command to install your root certificate.
Make sure that the security context is set correctly for the files in
[root@cloudforms2 ~]# restorecon -R -v /var/www/miq/vmdb/certs
/var/opt/rh/rh-postgresql94/lib/pgsql/data/postgresql.conffile and uncomment and edit the
In the same file, locate the options
ssl_ca_filethat specify the location of SSL certificates and edit them so that they are uncommented and point to the correct certificate files:
ssl_cert_file = '/var/www/miq/vmdb/certs/postgres.crt' # (change requires restart) ssl_key_file = '/var/www/miq/vmdb/certs/postgres.key' # (change requires restart) ssl_ca_file = '/var/www/miq/vmdb/certs/root.crt' # (change requires restart)
/var/opt/rh/rh-postgresql94/lib/pgsql/data/pg_hba.conffile and locate the two lines that contain the following:
host all all all md5 #hostssl all all all md5
Modify the two lines to comment the
hostentry and uncomment the
#host all all all md5 hostssl all all all md5
This changes the incoming communication protocol to use SSL and refuse any unencrypted PostgreSQL connections.
evmserverdservices so that the changes take effect:
[root@cloudforms1 ~]# systemctl start rh-postgresql94-postgresql [root@cloudforms1 ~]# systemctl start evmserverd
The database appliance now only accepts connections from connecting appliances using SSL. The following procedure sets up connecting appliances to communicate to the database using SSL. Use this procedure for each connecting appliance:
Log in as
rootto the connecting appliance.
.postgresqldirectory in your
rootuser home directory.
[root@cloudforms2 ~]# mkdir /root/.postgresql
The PostgreSQL client library, which Red Hat CloudForms also uses, looks to this directory for custom configuration files.
Copy the root certificate file from the database appliance to the
/root/.postgresqldirectory on the connecting appliance:
[root@cloudforms2 ~]# scp root@[database_appliance_fqdn]:/var/www/miq/vmdb/certs/root.crt /root/.postgresql/root.crt
[database_appliance_fqdn]is the fully qualified domain name of the database appliance.
Test the connection between the connecting appliance and the database appliance using the
[root@localhost ~]# psql -h [database_appliance_fqdn] -d vmdb_production Password: ******** psql (9.2.8) SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256) Type "help" for help. vmdb_production=#
psqldisplays information about the SSL connection, which indicates that the configuration succeeded. Enter
Complete this procedure for each external appliance. This enhances the security of all database transactions in your Red Hat CloudForms infrastructure.
4.2.1. Hardening TLS Protocol Version
After configuring the database to use SSL, protocol TLS version 1.2 is used as default. The older versions of this protocol (TLS 1.0 and 1.1) are still available for clients to choose. You can disable older versions by inserting the following lines into
ssl_ciphers = 'TLSv1.2:!aNULL' ssl_prefer_server_ciphers=true