Encrypt communication between the Deep Security Manager and the database

Communication between the Deep Security Manager and the database is not encrypted by default. This is for performance reasons and because the channel between the manager and the database may already be secure (either they are running on the same computer or they are connected by crossover cable, a private network segment, or tunneling via IPSec).

However, if the communication channel between the Deep Security Manager and the database is not secure, you should encrypt the communications between them. In the current design, Deep Security Manager attempts to build an encrypted connection with the database server. If it fails, Deep Security Manager uses an unencrypted connection with the database server instead.

The related mechanisms are built into the database library that Deep Security Manager is based on, therefore the server certificate does not need to be imported nor the configuration file updated.

The instructions vary depending on the database you are using:

If you are running the Deep Security Manager in multi-node mode, these changes must be made on each node.

This section also provides information on Running an agent on the database serverhow to Disable encryption between the manager and database, and how to Upgrade from an old Deep Security Manager version.

Encrypt communication between the manager and database

Microsoft SQL Server database

If you have not already installed Deep Security Manager 20:

  1. Follow the instructions in Enable encrypted connections to the Database Engine on the Microsoft MSDN site and enable encrypted connection options on Microsoft SQL Server.

By default, the communication between Deep Security Manager 20 and Microsoft SQL Server is encrypted.

If you have already installed Deep Security Manager 20 and you haven't enabled encryption options on your Microsoft SQL Server:

  1. Stop Deep Security Manager 20.
  2. Follow the instructions in Enable encrypted connections to the Database Engine on the Microsoft MSDN site and enable encrypted connection options on Microsoft SQL Server.
  3. Restart the Deep Security Manager.

By default, the communication between Deep Security Manager 20 and Microsoft SQL Server is encrypted.

You can use SQL Server Manager Studio to connect your Microsoft SQL Server. Use the command select client_net_address,connect_time,net_transport,protocol_type,encrypt_option from sys.dm_exec_connections to see if your Deep Security Manager encrypted connection is working or not.

Oracle database

If you have not already installed Deep Security Manager 20:

  1. Follow the instructions How To Configure Data Encryption and Integrity on the Oracle Help Center, and enable encrypted connection options on Oracle Database Server side.

By default, the communication between Deep Security Manager 20 and Oracle Database Server is encrypted.

If you have already installed Deep Security Manager 20 and you haven't enabled encryption options on your Oracle Database Server:

  1. Stop Deep Security Manager 20.
  2. Follow the instructions How To Configure Data Encryption and Integrity  on the Oracle Help Center, and enable encrypted connection options on Oracle Database Server side.
  3. Restart the Deep Security Manager.

By default, the communication between Deep Security Manager 20 and Oracle Database Server is encrypted.

Follow the Oracle blog article Verifying the use of Native Encryption and Integrity to see if the encrypted connection is working or not.

PostgreSQL

If you have not already installed Deep Security Manager 20:

  1. Turn on SSL in PostgreSQL. For on-premises PostgreSQL database, see Secure TCP/IP Connections with SSL for more information. For an Amazon RDS for PostgreSQL, see Using SSL with a PostgreSQL DB Instance for more information.

By default, the communication between Deep Security Manager 20 and PostgreSQL Database Server is encrypted.

If you have already installed Deep Security Manager 20 and you haven't enabled encryption options on your PostgreSQL Database Server:

  1. Stop Deep Security Manager 20.
  2. Turn on SSL in PostgreSQL. For on-premises PostgreSQL database, see Secure TCP/IP Connections with SSL for more information. For an Amazon RDS for PostgreSQL, see Using SSL with a PostgreSQL DB Instance for more information.
  3. Restart the Deep Security Manager.

By default, the communication between Deep Security Manager 20 and PostgreSQL Database Server is encrypted.

To check that the manager is connected using TLS, use the following query and check the SSL column: select a.client_addr, a.application_name, a.usename, s.* from pg_stat_ssl s join pg_stat_activity a using (pid) where a.datname='<Deep Security database name>';

Running an agent on the database server

Encryption should be enabled if you are using an agent to protect the database. When you perform a security update, the Deep Security Manager stores new Intrusion Prevention rules in the database. The rule names themselves will almost certainly generate false positives as they get parsed by the agent if the data is not encrypted.

Disable encryption between the manager and database

In rare cases, you may need to disable encryption between Deep Security Manager and the database. For example, if you're using an older version of SQL Server, you may need to disable encryption to avoid connection errors. For details, see Error: The installer could not establish a secure connection to the database server.

Follow the instructions for your database type to disable encryption.

Microsoft SQL Server

  1. Stop the Deep Security Manager service.
  2. In the SQL Server, disable the "Force Encryption" option that was enabled in Enable encrypted connections to the Database Engine.
  3. (Optional) If your Deep Security Manager 20 was upgraded from Deep Security Manager 12.5 or older, remove all encryption related configurations in dsm.properties:
  4. database.SqlServer.encrypt=true

    database.SqlServer.trustServerCertificate=true

    If you upgraded from Deep Security 10.1 or a previous version, and your connection to the database uses named pipes as the transport, remove the following line instead: database.SqlServer.ssl=require

  5. Restart Microsoft SQL Server if necessary.
  6. Start Deep Security Manager.

Oracle Database

  1. Stop the Deep Security Manager service.
  2. Follow How To Configure Data Encryption and Integrity to disable the connection encryption in the Oracle server.
  3. (Optional) If your Deep Security Manager 20 was upgraded from Deep Security Manager 12.5 or older, remove all encryption related configurations in dsm.properties:
  4. database.Oracle.oracle.net.encryption_types_client=(AES256)

    database.Oracle.oracle.net.encryption_client=REQUIRED

    database.Oracle.oracle.net.crypto_checksum_types_client=(SHA1)

    database.Oracle.oracle.net.crypto_checksum_client=REQUIRED

  5. Restart the Oracle listener.
  6. Start the Deep Security Manager service.

PostgreSQL

  1. Stop the Deep Security Manager service.
  2. Follow Secure TCP/IP Connections with SSL to remove ssl=on in postgresql.conf and disable the connection encryption in the PostgrSQL database.
  3. (Optional) If your Deep Security Manager 20 was upgraded from Deep Security Manager 12.5 or older, remove all encryption related configurations in dsm.properties:
  4. database.PostgreSQL.connectionParameters=ssl=true

  5. Restart the PostgreSQL service.
  6. Start the Deep Security Manager service.

Upgrade from an old Deep Security Manager version

If you're currently using Deep Security Manager 12.5 or older and meet the following criteria:

  • Encrypted connection is enabled.
  • Uses PostgreSQL database server.

Please follow the instructions below before upgrading.

If either of the above criteria is not satisfied, you can ignore the following section and upgrade straight to Deep Security Manager 20.0.

Upgrade Deep Security Manager

Since PostgreSQL JDBC driver has different behaviors in different versions, you need to complete the following steps before upgrading.

  1. Export the certificate from your PostgreSQL database server. (This should already be completed because the old Deep Security Manager requires the certificate to enable connection encryption).
  2. Rename the certificate file as root.crt .
  3. Put it in the predefined Deep Security Manager 20 path:
  4. In Linux, put root.crt in  ~/.postgresql/

    In Windows, put root.crt in c:\Users\{USERNAME}\AppData\Roaming\postgresql\.

  5. Run the upgrade flow. Deep Security Manager 20 will continue to use an encrypted connection with PostgreSQL server after upgrade.