Databases & Secure connections
The goal is to protect our customers' personal data while it is transmitted over the Internet and imported into the Bloomreach Engagement application, by using an SSL/TLS connection, an SSH tunnel, or both at once.
Keeping customer data secure is our priority
You must either create and use an SSH tunnel or set up encrypted communication with SSL/TLS.
Enable SSH tunnel or SSL/TLS connection
Open the port
For an SSL/TLS connection, open the TCP port your database listens on (the port you enter in the integration form, e.g. 1433 for MS SQL or 3306 for MySQL) on your firewall; TLS is negotiated on that same port, not on a separate one. For an SSH tunnel, open port 22, or whichever other port your SSH server listens on. Where the table below lists static IPs as supported, restrict the firewall rule to the Bloomreach Engagement addresses instead of opening the port to the whole Internet.
Select a database and a secure connection
Not every secure connection type is available for every database. See the list of databases and supported configurations in the table below.
Database Name | SSL/TLS | SSH tunnel | Static IPs |
---|---|---|---|
Azure SQL, MS SQL | not supported | supported | not supported |
MySQL | supported | supported | supported |
PostgreSQL | supported | supported | supported |
Amazon RedShift | supported | supported | supported |
Create database integration
Every database integration has the same configuration form. For each database, you need to fill in these attributes:
- Hostname (public IP address or hostname of your database, e.g. 203.0.113.22 or db.exponea.com)
- Port (TCP destination port of the database, e.g. 1433)
- Username (name of a database user that is allowed to access your database, e.g. "exponea"; an MS Azure SQL username must be in the format "username@hostname", e.g. "exponea@hostname")
- Password (password of that database user)
- Database name (name of the database you want to read data from)
Create a dedicated account for the integration with read-only access to the tables you import rather than reusing an administrative login; if the credentials ever leak, the damage is then limited to what that account can read.
Configure secure connections
Bloomreach Engagement offers two options for protecting the communication between the customer's server and the Bloomreach Engagement application. You can use either one of them or have both active at once.
SSL/TLS encryption
Click on 'Enable' SSL/TLS connection and upload three files:
- the certificate of the certificate authority (CA) that signed your database server's certificate (load SSL/TLS CA file); Bloomreach Engagement uses it to verify that it is really talking to your server
- the client certificate issued for Bloomreach Engagement by that CA (load SSL/TLS Cert file)
- the private key that belongs to that client certificate (load SSL/TLS Key file)
Upload only the CA certificate, never the CA's private key, and do not upload your database server's own private key: the key file is the one matching the client certificate, and the server keeps its own key.
An example of how to enable SSL/TLS with MySQL:
https://www.digitalocean.com/community/tutorials/how-to-configure-ssl-tls-for-mysql-on-ubuntu-16-04
SSH tunnel
SSH tunnels have their own configuration window, available under Project settings -> SSH tunnels. Only users with the Dev. tools permission can access the SSH tunnel configuration; see roles and permissions in Access management.
- Hostname - hostname of the SSH server and its port, separated by a colon
- Username - the SSH user to log in as
- Host key - the public host key of your SSH server (the fingerprint the ssh client shows on first connection is a short hash of this key); it is used to verify that the connection really reaches your host. You can find it in the known_hosts file on any device that has successfully connected to your server over SSH. You can read more about host keys here.
Importance of Host keys
Host keys play an important role in securing your communication with the remote server: the client compares the key the server presents with the one recorded earlier, which proves it really is the server you think it is. Without that check you could be tricked into connecting to an impostor, for example after DNS spoofing, and handing it your credentials and your data.
Steps to find the host key:
If this is your first time connecting to the SSH server, log in to it once. Skip this step if you have already connected successfully in the past:
- Connect to the SSH server:
ssh user_name@server_ip_address
where user_name is the name of the user you want to log in as and server_ip_address is the IP address of your server (add -p port if the server listens on a port other than 22). On the first connection the client shows the server's key fingerprint and asks whether to trust it; confirm only after comparing it with the fingerprint your hosting admin gives you, because the key you accept here is what gets recorded in known_hosts and pinned for all future connections. Once logged in, terminate the session by typing exit.
Alternatively, if the SSH connection fails because the client and server share no supported key algorithm (see the note below):
- Connect to the server with an SFTP client (e.g. FileZilla or Cyberduck); try both, or another client, if the first one does not record the host key.
- Navigate to the .ssh directory on your local machine: cd ~/.ssh
- Display the content of the known_hosts file. It contains one line for every SSH server you have successfully connected to, in the format: server_hostname_or_ip key_type base64_public_key (a server on a non-default port is listed as [hostname]:port). Copy the host key that belongs to your server and paste it into the "Host key" field. If the first field of the lines starts with |1|, the hostnames are hashed; look your server up with ssh-keygen -F server_ip_address instead of searching the file by eye.
Alternatively, if the known_hosts file does not contain the host key and you have connected with PuTTY:
- Navigate to the '.putty' directory on your local machine ('cd ~/.putty') and display the content of the 'sshhostkeys' file. PuTTY records each key in its own format, one line per server beginning with key_type@port:hostname, which is not the OpenSSH known_hosts format, so a value copied from there may not be accepted. If the host key does not work, contact the hosting admin/support for the key in OpenSSH format (on the server itself it is the content of the public host key file under /etc/ssh/, e.g. ssh_host_ed25519_key.pub). Note also that the SSH client on your machine and the server must share at least one host key algorithm: OpenSSH 8.8 and later refuse SHA-1 ssh-rsa signatures by default, so an old server that offers nothing newer cannot be connected to, and its key cannot be recorded, until the server is updated or the client explicitly re-enables that algorithm.
- Authentication
- SSH key (a new key pair can be generated in the form; then add the public key to the SSH server, typically to the user's ~/.ssh/authorized_keys file. Key authentication is the preferred option; the SSH user only needs to forward connections to the database and needs neither an interactive shell nor administrative rights.)
- Password (enter the password of the SSH user)
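The host key lookup and check described in the steps above, as an added example in Python that is not part of the original page or of Bloomreach Engagement's code. It parses a constructed known_hosts file (a plain entry, a HashKnownHosts-style hashed entry for a server on a non-default port, and an @revoked entry), returns the entry to paste into the Host key field, computes the SHA256 fingerprint that ssh-keygen -lf would print, and rejects a presented key that differs from the pinned one, which is the check that defeats the DNS-spoofing scenario mentioned above. The hostnames, the 32-byte key and the salt are constructed sample values, not a real server's.

```python
"""Added example (not Bloomreach's code): find a pinned SSH host key in known_hosts
and verify a presented key against it, the check that the 'Host key' field enables."""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw_pubkey: bytes) -> bytes:
    """The ssh-ed25519 public key blob that appears base64-encoded in known_hosts."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form printed by `ssh-keygen -lf` (base64, no padding)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def known_hosts_target(host: str, port: int) -> str:
    """known_hosts writes servers on non-default ports as [host]:port."""
    return host if port == 22 else f"[{host}]:{port}"


def host_matches(patterns: str, host: str, port: int) -> bool:
    """Match the host field of one known_hosts line. Handles comma-separated names and
    HashKnownHosts entries (|1|base64(salt)|base64(HMAC-SHA1(salt, host))); the rarely
    used '*' wildcard and '!' negation forms are not handled here."""
    target = known_hosts_target(host, port)
    if patterns.startswith("|1|"):
        _, _, salt_b64, hash_b64 = patterns.split("|")
        salt = base64.b64decode(salt_b64)
        mac = hmac.new(salt, target.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(hash_b64))
    return target in patterns.split(",")


def find_host_key(known_hosts: str, host: str, port: int = 22):
    """Return (key_type, base64_key) for host:port, i.e. the text for the Host key field,
    or None when the file has no usable entry (unknown host or an @revoked key)."""
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = ""
        if fields[0].startswith("@"):            # @cert-authority / @revoked markers
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3 or marker == "@cert-authority":
            continue                              # a CA key is not the host's own key
        patterns, key_type, key_b64 = fields[0], fields[1], fields[2]
        if host_matches(patterns, host, port):
            return None if marker == "@revoked" else (key_type, key_b64)
    return None


def verify_presented_key(known_hosts: str, host: str, port: int, presented: bytes) -> bool:
    """Host key verification: the key the server presents must equal the pinned one.
    A mismatch (or no pinned key) must abort the connection; it may be a spoofed server."""
    pinned = find_host_key(known_hosts, host, port)
    if pinned is None:
        return False
    return hmac.compare_digest(base64.b64decode(pinned[1]), presented)


# --- constructed sample data (not a real server's key) -------------------------
SAMPLE_PUBKEY = bytes(range(32))                  # 32 bytes standing in for an Ed25519 key
SAMPLE_BLOB = make_ed25519_blob(SAMPLE_PUBKEY)
SAMPLE_KEY_B64 = base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_SALT = b"0123456789abcdef0123"            # 20-byte salt, the size OpenSSH uses


def hashed_pattern(host: str, port: int = 22, salt: bytes = SAMPLE_SALT) -> str:
    """Build the hashed host field OpenSSH writes when HashKnownHosts is on."""
    mac = hmac.new(salt, known_hosts_target(host, port).encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts, not a real file",
    f"db.example.com,203.0.113.22 ssh-ed25519 {SAMPLE_KEY_B64}",
    f"{hashed_pattern('ssh.example.com', 2222)} ssh-ed25519 {SAMPLE_KEY_B64}",
    f"@revoked old.example.com ssh-ed25519 {SAMPLE_KEY_B64}",
])


if __name__ == "__main__":
    key_type, key_b64 = find_host_key(SAMPLE_KNOWN_HOSTS, "db.example.com")
    print("Host key field:", key_type, key_b64)
    print("Fingerprint:   ", fingerprint(base64.b64decode(key_b64)))
    print("Hashed entry on port 2222 found:",
          find_host_key(SAMPLE_KNOWN_HOSTS, "ssh.example.com", 2222) is not None)
    print("Different key accepted:",
          verify_presented_key(SAMPLE_KNOWN_HOSTS, "db.example.com", 22, make_ed25519_blob(bytes(32))))
```

Run it as a script to see the lookup and the rejection of a wrong key. The comparison uses hmac.compare_digest rather than == so that a key check never leaks timing information, and a lookup that lands on an @revoked entry deliberately returns nothing, because a revoked key must be treated as untrusted even though it is still present in the file.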
Assign SSH to your database integration
All supported integrations offer an option to route the connection through SSH. When you enable SSH for an integration, choose one of the active SSH tunnels. Because the forwarded connection originates at the SSH server, the database then only needs to be reachable from that server and can stay on a private address instead of being exposed to the Internet.