Prepare a database for Deep Security Manager on AWS
Applies to Deep Security AMI from AWS Marketplace only
Before installing Deep Security Manager, you must install a database. You can install your own database or you can use the Amazon RDS Management Console to create a database instance. You can use a Microsoft SQL RDS or an Oracle RDS. Refer to the Amazon RDS Documentation for instructions, but keep the following considerations in mind for integration with Deep Security.
See System requirements for a list of supported databases.
You must configure your database security group so that the Deep Security instance is authorized to access it. The EC2 Security Group created by the AMI is "Deep Security-Deep Security 9-6-AutogenByAWSMP- Security Group".
Install before Deep Security
You must install the database software, create a database instance for Deep Security (if you are not using the default instance), and create a user account for Deep Security before you install Deep Security Manager.
The database should be installed on hardware that is equal to or better than the specifications of the best Deep Security Manager node. For the best performance, the database should have 8-16 GB of RAM and fast access to the local or network attached storage. Whenever possible, a database administrator should be consulted on the best configuration of the database server and a maintenance plan should be put in effect.
The recommended transport protocol is TCP.
Connection settings used during Deep Security Manager installation
During the Deep Security Manager installation, you will be asked for Database connection details. Enter the Database hostname under "Hostname" and the pre-created database for Deep Security under "Database Name".
The installation supports both SQL and Windows Authentication.
The Deep Security database is compatible with database failover protection so long as no alterations are made to the database schema. For example, some database replication technologies add columns to the database tables during replication, which can result in critical failures.
For this reason, database mirroring is recommended over database replication.
System Time Zone
The database time must be synchronized with the time on the Deep Security Manager computer. Ensure that the database and the manager use the same time zone and that they are synchronizing their time to the same time source.
Microsoft SQL Server
- Enable "Remote TCP Connections". (See http://msdn.microsoft.com/en-us/library/bb909712(v=vs.90).aspx)
- The database account used by the Deep Security Manager must have db_owner rights.
- If using Multi-Tenancy, the database account used by the Deep Security Manager must have dbcreator rights. For information on multi-tenancy, see Set up a multi-tenant environment.
- Select the "simple" recovery model property for your database. (See http://technet.microsoft.com/en-us/library/ms189272.aspx)
Oracle Database
- Start the "Oracle Listener" service and make sure it accepts TCP connections.
- The database account used by the Deep Security Manager must be granted the CONNECT and RESOURCE roles and UNLIMITED TABLESPACE, CREATE SEQUENCE, CREATE TABLE and CREATE TRIGGER system privileges.
- If using multi-tenancy, the database account used by the Deep Security Manager must be granted the CREATE USER, DROP USER, ALTER USER, GRANT ANY PRIVILEGE and GRANT ANY ROLE system privileges.
- Avoid special characters in the database user name. Although Oracle allows special characters in the database user object if they are surrounded by quotes, Deep Security does not support special characters for the database user.
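The Oracle account requirements listed above can be applied and then audited with a script like the following. This is an added example, not part of the Deep Security documentation; the account name `dsmuser` and the password placeholder are assumptions, and the audit queries need an account that can read the `DBA_*` views.

```sql
-- Hypothetical account name: letters only and unquoted, so Oracle stores it
-- as DSMUSER and it never needs quoting (no special characters).
CREATE USER dsmuser IDENTIFIED BY "REPLACE_WITH_STRONG_PASSWORD";

-- Roles and system privileges required for every installation.
GRANT CONNECT, RESOURCE TO dsmuser;
GRANT UNLIMITED TABLESPACE, CREATE SEQUENCE, CREATE TABLE, CREATE TRIGGER
  TO dsmuser;

-- Multi-tenancy only. Left commented out so a single-tenant install does not
-- receive these broad privileges by default.
-- GRANT CREATE USER, DROP USER, ALTER USER, GRANT ANY PRIVILEGE, GRANT ANY ROLE
--   TO dsmuser;

-- Audit 1: required system privileges the account is still missing.
-- An empty result means nothing is missing.
SELECT column_value AS missing_privilege
  FROM TABLE(sys.odcivarchar2list(
         'UNLIMITED TABLESPACE', 'CREATE SEQUENCE',
         'CREATE TABLE', 'CREATE TRIGGER'))
MINUS
SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'DSMUSER';

-- Audit 2: system privileges granted directly to the account beyond the
-- single-tenant list. On a multi-tenant install the five multi-tenancy
-- privileges are expected here; anything else should be reviewed.
SELECT privilege AS extra_privilege
  FROM dba_sys_privs
 WHERE grantee = 'DSMUSER'
   AND privilege NOT IN (
         'UNLIMITED TABLESPACE', 'CREATE SEQUENCE',
         'CREATE TABLE', 'CREATE TRIGGER');

-- Audit 3: roles held by the account (expected: CONNECT and RESOURCE).
SELECT granted_role
  FROM dba_role_privs
 WHERE grantee = 'DSMUSER'
 ORDER BY granted_role;
```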
Oracle RAC (Real Application Clusters) support
Deep Security supports:
- SUSE Linux Enterprise Server 11 SP3 with Oracle RAC 12c Release 1 (v184.108.40.206.0)
- Red Hat Linux Enterprise Server 6.6 with Oracle RAC 12c Release 1 (v220.127.116.11.0)
The default Linux Server Deep Security policy is compatible with the Oracle RAC environment, with the exception of Firewall settings. You can disable Firewall or customize the Firewall settings according to the instructions in Firewall settings with Oracle RAC.