Configure the database
After installing the database, you are ready to configure it for Deep Security Manager.
First, configure a database instance, a database user, and several other vendor-specific settings. See one of the following sections:
PostgreSQL
Basic configuration
- Connect to the PostgreSQL database server using a client program, such as psql or pgAdmin.
- Create an empty database instance and a database user with the appropriate permissions by executing the following commands:
CREATE DATABASE "<database-name>";
CREATE ROLE "<dsm-username>" WITH PASSWORD '<password>' LOGIN;
GRANT ALL ON DATABASE "<database-name>" TO "<dsm-username>";
GRANT CONNECT ON DATABASE "<database-name>" TO "<dsm-username>";
ALTER DATABASE "<database-name>" OWNER TO "<dsm-username>";
This user will be used by Deep Security Manager to connect to the database instance.
Multi-tenancy configuration
If Deep Security Manager will have multiple tenants:
- Keep the main database name short. It will be easier to read your tenants' database names. (For example, if the main database is "dsm", the first tenant's database name will be "dsm_1", the second tenant's database name will be "dsm_2", and so on.)
- Also grant the right to create new databases and roles for tenants:
ALTER ROLE "<dsm-username>" CREATEDB CREATEROLE;
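To confirm that the role ended up with exactly the rights granted above and nothing broader, the following read-only queries can be run in psql as a superuser. This is an added example, not part of the vendor procedure; `dsm` and `dsm_user` are placeholder names standing in for `<database-name>` and `<dsm-username>`.

```sql
-- Added verification example. 'dsm' and 'dsm_user' are placeholders.

-- 1. Role attributes. Expect rolcanlogin = t and rolsuper = f.
--    rolcreatedb and rolcreaterole should be t only if the
--    multi-tenancy ALTER ROLE statement was run.
SELECT rolname, rolcanlogin, rolsuper, rolcreatedb, rolcreaterole
FROM pg_roles
WHERE rolname = 'dsm_user';

-- 2. Ownership and effective privileges on the main database and on
--    any tenant databases (dsm_1, dsm_2, ...). The backslash escapes
--    the underscore so LIKE treats it literally.
SELECT d.datname,
       pg_get_userbyid(d.datdba)                                  AS owner,
       has_database_privilege('dsm_user', d.datname, 'CONNECT')   AS can_connect,
       has_database_privilege('dsm_user', d.datname, 'CREATE')    AS can_create,
       has_database_privilege('dsm_user', d.datname, 'TEMPORARY') AS can_temp
FROM pg_database AS d
WHERE d.datname = 'dsm'
   OR d.datname LIKE 'dsm\_%'
ORDER BY d.datname;

-- 3. Every grantee listed in the main database's ACL. A grantee OID
--    of 0 is PUBLIC, which PostgreSQL gives CONNECT and TEMPORARY on
--    new databases by default.
SELECT CASE WHEN a.grantee = 0 THEN 'PUBLIC'
            ELSE pg_get_userbyid(a.grantee)
       END              AS grantee,
       a.privilege_type,
       a.is_grantable
FROM pg_database AS d
CROSS JOIN LATERAL aclexplode(d.datacl) AS a
WHERE d.datname = 'dsm'
ORDER BY grantee, a.privilege_type;
```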
Optional PostgreSQL tuning
See Maintain PostgreSQL.
Microsoft SQL Server
Basic configuration
- Connect to Microsoft SQL Server by opening Microsoft SQL Server Management Studio (SSMS).
- Create an empty database instance. This database instance will be used by Deep Security Manager.
- Create a database account with db_owner rights. This account will be used by Deep Security Manager to connect to the database.
- Enable the TCP/IP protocol for the database instance (see https://docs.microsoft.com/en-us/previous-versions/bb909712(v=vs.120)?redirectedfrom=MSDN).
- Disable the named pipes protocol. It is not supported by the Deep Security AMI from AWS Marketplace.
- Configure connection timeouts. Go to SQL Server Management Studio > SQL Server properties > Connections > Remote query timeout and select 0 (No Timeout). This setting prevents the database connection timeouts that can occur during an upgrade when individual database schema migration operations take a long time to complete.
Multi-tenancy configuration
If Deep Security Manager will have multiple tenants:
- Keep the main database name short. It will be easier to read your tenants' database names. (For example, if the main database is "dsm", the first tenant's database name will be "dsm_1", the second tenant's database name will be "dsm_2", and so on.)
- Also grant dbcreator rights to the database account used by the Deep Security Manager.
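The SSMS steps above for the database, the account and the timeout can also be scripted in T-SQL, which makes the resulting role memberships easy to review. This is an added example, not part of the vendor procedure; `dsm` and `dsm_user` are placeholder names, and `GO` is the batch separator used by SSMS and sqlcmd. Enabling TCP/IP and disabling named pipes are not covered by this script.

```sql
-- Added example. 'dsm' and 'dsm_user' are placeholders.

-- Empty database for Deep Security Manager.
CREATE DATABASE [dsm];
GO

-- SQL Authentication login, subject to the Windows password policy.
CREATE LOGIN [dsm_user] WITH PASSWORD = N'<password>', CHECK_POLICY = ON;
GO

-- Map the login into the database and give it db_owner rights there.
USE [dsm];
GO
CREATE USER [dsm_user] FOR LOGIN [dsm_user];
ALTER ROLE db_owner ADD MEMBER [dsm_user];
GO

-- Multi-tenancy only: allow the account to create tenant databases.
ALTER SERVER ROLE dbcreator ADD MEMBER [dsm_user];
GO

-- Remote query timeout of 0 means no timeout (server-wide setting).
EXEC sp_configure 'remote query timeout', 0;
RECONFIGURE;
GO

-- Verify: both columns return 1 when the memberships are in place.
-- is_dbcreator should be 0 on a single-tenant installation.
USE [dsm];
GO
SELECT IS_ROLEMEMBER('db_owner', 'dsm_user')     AS is_db_owner,
       IS_SRVROLEMEMBER('dbcreator', 'dsm_user') AS is_dbcreator;
GO
```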
Oracle
Basic configuration
- Connect to Oracle Database using a client program such as SQL*Plus or SQL Developer.
- Start the "Oracle Listener" service. Verify that it accepts TCP connections.
- Create an empty database instance. This database instance will be used by Deep Security Manager.
- Create a database account that will be used by Deep Security Manager to connect to the database. When creating the account, follow these guidelines:
  - Assign the CONNECT and RESOURCE roles and UNLIMITED TABLESPACE, CREATE SEQUENCE, CREATE TABLE and CREATE TRIGGER permissions.
  - Don't use special characters in Deep Security Manager's database user name. Although Oracle allows special characters when configuring the database user object if they are surrounded by quotes, Deep Security does not support special characters for the database user.
Oracle RAC configuration
If you're using Oracle RAC, disable the Firewall module or customize the Firewall settings according to the instructions in Firewall settings with Oracle RAC.
Multi-tenancy configuration
If Deep Security Manager will have multiple tenants:
- Keep the main database name short. It will be easier to read your tenants' database names. (For example, if the main database is "MAINDB", the first tenant's database name will be "MAINDB_1", the second tenant's database name will be "MAINDB_2", and so on.)
- Also grant CREATE USER, DROP USER, ALTER USER, GRANT ANY PRIVILEGE and GRANT ANY ROLE to the Deep Security Manager's database user.
- Don't use the Oracle container database (CDB) configuration. It is not supported with Deep Security Manager multi-tenancy.
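The account guidelines and the multi-tenancy grants above translate into the following statements, followed by two dictionary queries that list what the account actually holds. This is an added example, not part of the vendor procedure; `DSMUSER` is a placeholder user name, and the queries against the `DBA_` views need a DBA-privileged session.

```sql
-- Added example. DSMUSER is a placeholder; it contains no special
-- characters, as the guidelines above require.

CREATE USER dsmuser IDENTIFIED BY "<password>";

-- Roles and system privileges listed in the basic configuration.
GRANT CONNECT, RESOURCE TO dsmuser;
GRANT UNLIMITED TABLESPACE,
      CREATE SEQUENCE,
      CREATE TABLE,
      CREATE TRIGGER
   TO dsmuser;

-- Multi-tenancy only. GRANT ANY PRIVILEGE and GRANT ANY ROLE let the
-- account hand out any system privilege or role, so omit this
-- statement on a single-tenant installation.
GRANT CREATE USER,
      DROP USER,
      ALTER USER,
      GRANT ANY PRIVILEGE,
      GRANT ANY ROLE
   TO dsmuser;

-- Verify: system privileges held directly by the account.
SELECT privilege, admin_option
FROM dba_sys_privs
WHERE grantee = 'DSMUSER'
ORDER BY privilege;

-- Verify: roles granted to the account (expect CONNECT and RESOURCE).
SELECT granted_role, admin_option, default_role
FROM dba_role_privs
WHERE grantee = 'DSMUSER'
ORDER BY granted_role;
```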
Next, perform the following configurations:
- Synchronize both time and time zone. Use the same time source on both the database and Deep Security Manager servers.
By default, the Deep Security AMI uses Coordinated Universal Time (UTC). You should also use UTC for your database. If you change this setting, be sure your manager and database match.
- Allow network connections between Deep Security Manager and the database server. See Port numbers, URLs, and IP addresses.
- Optionally, configure encryption. See Encrypt communication between the Deep Security Manager and the database.
The Deep Security Manager installation supports both SQL and Windows Authentication. When using Windows Authentication, the Advanced option is not available with the AWS Marketplace version of Deep Security Manager.