Deployment Task

This article explains how to add AWS certificates to the Aqua server deployment.


Note: Whilst this article refers to AWS/RDS, this configuration is known to work with Microsoft Azure's PostgreSQL DBaaS as well.

If you are using Azure DBaaS PostgreSQL, please refer to Microsoft's article (linked here) on obtaining the Azure certificate bundle, and use that bundle in place of the AWS one in the steps below.


Deployment Steps

In order to add AWS certificates to the Aqua server deployment, as described here, create a new image for the Aqua server as follows:

1. Download rds-combined-ca-bundle.pem from AWS. (AWS rotates its RDS CAs from time to time; if that file is no longer offered, download the current bundle AWS publishes for your region, for example global-bundle.pem, and adjust the file names below accordingly.)


2. Give the bundle a .crt extension. update-ca-certificates only picks up files in /usr/local/share/ca-certificates/ that end in .crt, and it expects them to remain PEM-encoded, so a plain copy is all that is needed:


cp rds-combined-ca-bundle.pem rds-combined-ca-bundle.crt


Do not convert the bundle to DER with openssl x509 -outform der: openssl x509 only reads the first certificate in the file (the RDS bundle contains several), and the binary output cannot be concatenated into /etc/ssl/certs/ca-certificates.crt by update-ca-certificates.


3. Create a Dockerfile that copies the CRT file into the system trust store and registers it (if your base image runs as a non-root user by default, add USER root before the RUN line and switch back to the image's original user afterwards):


# Dockerfile
FROM aquasec/server:<version>
COPY rds-combined-ca-bundle.crt /usr/local/share/ca-certificates/rds-combined-ca-bundle.crt
RUN update-ca-certificates


4. Build the image:


docker build -t aquasec_server .
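The four steps above, put together as a script. This is an added example, not Aqua's own tooling: it assumes a Debian- or Alpine-style base image that ships update-ca-certificates and a shell, and it uses the file and image names from this article (the base image tag is whichever Aqua version you run). check_bundle enforces the PEM requirement and counts the certificates, so a bundle that was accidentally reduced to a single certificate is caught before the build; verify_endpoint uses openssl s_client's PostgreSQL STARTTLS support to confirm that the chain and host name validate against the bundle, which is the same check sslmode=verify-full will perform.

```shell
#!/bin/sh
# Added example (not Aqua's tooling): stage an RDS/Azure CA bundle for
# update-ca-certificates, write the Dockerfile, build the image, and
# verify the endpoint's chain. Assumes a Debian/Alpine-style base image
# that ships update-ca-certificates and a shell.
set -e

# Count PEM certificate blocks in a bundle; the RDS bundle holds several.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Accept only a non-empty PEM bundle. update-ca-certificates concatenates
# *.crt files verbatim into /etc/ssl/certs/ca-certificates.crt, so a DER
# file (as produced by "openssl x509 -outform der") would corrupt it, and
# that command keeps only the first certificate anyway. Prints the count.
check_bundle() {
    bundle="$1"
    [ -s "$bundle" ] || { echo "check_bundle: $bundle is missing or empty" >&2; return 1; }
    n=$(count_pem_certs "$bundle")
    [ "$n" -gt 0 ] || { echo "check_bundle: $bundle is not PEM; keep the .pem download as-is" >&2; return 1; }
    echo "$n"
}

# Copy the bundle into the build context with the .crt extension that
# update-ca-certificates requires, without changing its encoding.
stage_bundle() {
    bundle="$1"; ctx="$2"
    check_bundle "$bundle" >/dev/null || return 1
    mkdir -p "$ctx"
    cp "$bundle" "$ctx/rds-combined-ca-bundle.crt"
}

# Write the Dockerfile from the article into the build context.
write_dockerfile() {
    ctx="$1"; base="$2"
    printf 'FROM %s\nCOPY rds-combined-ca-bundle.crt /usr/local/share/ca-certificates/rds-combined-ca-bundle.crt\nRUN update-ca-certificates\n' \
        "$base" > "$ctx/Dockerfile"
}

# Prove the chain is trusted end to end: open a TLS session on the
# PostgreSQL port using PostgreSQL's STARTTLS-style handshake and let
# OpenSSL verify both the chain and the host name, exactly what
# sslmode=verify-full checks. Needs network access; not run by the test.
verify_endpoint() {
    host="$1"; bundle="$2"
    openssl s_client -starttls postgres -connect "$host:5432" \
        -CAfile "$bundle" -verify_hostname "$host" -verify_return_error \
        </dev/null >/dev/null
}

main() {
    bundle="$1"; base="$2"; ctx="${3:-./aqua-server-ctx}"
    n=$(check_bundle "$bundle")
    echo "bundle contains $n certificate(s)"
    stage_bundle "$bundle" "$ctx"
    write_dockerfile "$ctx" "$base"
    docker build -t aquasec_server "$ctx"
    # Confirm the certificates reached the image's system trust store: the
    # count printed must be at least $n (assumes the image has a shell and
    # the usual /etc/ssl/certs layout).
    docker run --rm --entrypoint sh aquasec_server -c \
        'grep -c "BEGIN CERTIFICATE" /etc/ssl/certs/ca-certificates.crt'
}

# Runs only when invoked with arguments, e.g.:
#   sh add-rds-ca.sh rds-combined-ca-bundle.pem aquasec/server:<version>
#   verify_endpoint <rds host> rds-combined-ca-bundle.pem
[ $# -eq 0 ] || main "$@"
```

Run verify_endpoint from the same shell before deploying: if it exits non-zero with a verification error, the bundle does not cover your endpoint (or the host name you plan to put in SCALOCK_DBHOST does not match the certificate) and verify-full will fail the same way inside the container.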


Now you can deploy the server using the usual deployment method. Set the PostgreSQL SSL mode for both databases with the SCALOCK_DBSSL (configuration database) and SCALOCK_AUDIT_DBSSL (audit database) environment variables; the two are applied independently, so set both.


SSL Mode Descriptions (from the PostgreSQL libpq documentation):


sslmode      Eavesdropping protection   MITM protection            Statement
disable      No                         No                         I don't care about security and I don't want to pay for the encryption overhead.
allow        Maybe                      No                         I don't care about security, but I will pay the encryption overhead if the server insists on it.
prefer       Maybe                      No                         I don't care about encryption, but I will pay the encryption overhead if the server supports it.
require      Yes                        No                         I want my data to be encrypted, and I accept the overhead. I trust that the network will make sure I always connect to the server I want.
verify-ca    Yes                        Depends on the CA policy   I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server that I trust.
verify-full  Yes                        Yes                        I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server I trust, and that it is the one that I specify.


Only verify-ca and verify-full make use of the CA bundle installed above; require encrypts the connection but, as the table says, gives no protection against a man-in-the-middle. verify-ca checks that the server certificate chains to an installed CA but not whose name is on it, so with a CA shared by every instance of the service, such as the AWS or Azure one, a certificate issued to any other instance by that CA would also be accepted. verify-full additionally checks the certificate's name against the host you configure in SCALOCK_DBHOST / SCALOCK_AUDIT_DBHOST; the AWS and Azure certificates carry the endpoint name, so prefer verify-full unless you connect through a proxy or an address that differs from that name.


For example (password and <rds host> are placeholders):


docker run -d -p 8080:8080 -p 443:8443 \
    --name aqua-web --user=root \
    -e SCALOCK_DBSSL=verify-ca \
    -e SCALOCK_DBUSER=postgres \
    -e SCALOCK_DBPASSWORD=password \
    -e SCALOCK_DBNAME=scalock \
    -e SCALOCK_DBHOST=<rds host> \
    -e SCALOCK_AUDIT_DBSSL=verify-ca \
    -e SCALOCK_AUDIT_DBUSER=postgres \
    -e SCALOCK_AUDIT_DBPASSWORD=password \
    -e SCALOCK_AUDIT_DBNAME=slk_audit \
    -e SCALOCK_AUDIT_DBHOST=<rds host> \
    -v /var/run/docker.sock:/var/run/docker.sock \
    aquasec_server


Connection logging between Aqua components and the PostgreSQL DB


When your Aqua console/gateway component connects to the PostgreSQL DB you get two sets of connection logging:


1. Azure's PostgreSQL DB log

2. Aqua's connection log


Microsoft Azure's DBaaS PostgreSQL logs do not record the TLS connection mode (sslmode) used by the Aqua console/gateway when it connects, only that SSL was enabled and the TLS protocol version and cipher that were negotiated.


It just shows this:


2020-06-09 11:00:26 UTC-5edf6bca.3b0-LOG:  connection received: host=xx.105.240.174 port=3714 pid=944
2020-06-09 11:00:26 UTC-5edf6bca.3bc-LOG:  connection received: host=xx.105.240.174 port=24833 pid=956
2020-06-09 11:00:26 UTC-5edf6bca.3b4-LOG:  connection received: host=xx.105.240.174 port=14722 pid=948
2020-06-09 11:00:26 UTC-5edf6bca.3b0-LOG:  connection authorized: user=postgres database=scalock SSL enabled (protocol=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, compression=off)
2020-06-09 11:00:26 UTC-5edf6bca.3bc-LOG:  connection authorized: user=postgres database=scalock SSL enabled (protocol=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, compression=off)
2020-06-09 11:00:26 UTC-5edf6bca.3b4-LOG:  connection authorized: user=postgres database=scalock SSL enabled (protocol=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, compression=off)
2020-06-09 11:00:26 UTC-5edf6bca.3b4-LOG:  could not receive data from client: An existing connection was forcibly closed by the remote host.


2020-06-09 11:00:36 UTC-5edf6bd4.3c0-LOG:  connection received: host=127.0.0.1 port=47250 pid=960
2020-06-09 11:00:37 UTC-5edf6bd4.3c0-LOG:  connection authorized: user=azure_superuser database=azure_sys SSL enabled (protocol=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, compression=off)


Aqua's console log (from 4.6 Update 10, the May 5th release) records the connection as well.


When the console connects, it writes the SSL mode used for each database to its log file:


2020-06-09 10:55:19.282    INFO    logger/logger.go:135    Host [azuredb-we-95-1.postgres.database.azure.com] database [scalock] connection established successfully with SSL mode [verify-ca]

and


Host [azuredb-we-95-1.postgres.database.azure.com] database [slk_audit] connection established successfully with SSL mode [require]

(In this deployment the two databases were configured with different modes, which shows that SCALOCK_DBSSL and SCALOCK_AUDIT_DBSSL are applied independently. This console line is the only place the negotiated sslmode is visible; the server-side log above never records it.)

The same line appears among the database start-up messages in the console log:

2020-06-09 11:10:34.727    INFO    logger/logger.go:135    Host [azuredb-we-95-1.postgres.database.azure.com] database [scalock] connection established successfully with SSL mode [verify-full]
2020-06-09 11:10:34.727    INFO    logger/logger.go:135    Checking if database scalock exists
2020-06-09 11:10:35.063    INFO    logger/logger.go:135    Connecting to DB instance "scalock"
2020-06-09 11:10:35.746    INFO    logger/logger.go:135    Database "scalock" maximum connections: 21
2020-06-09 11:10:35.746    INFO    logger/logger.go:135    Database "scalock" maximum connection lifetime: 900 min
2020-06-09 11:10:35.746    INFO    logger/logger.go:135    Database "scalock" current schema: public
2020-06-09 11:10:36.140    INFO    logger/logger.go:135    Trying to connect to Postgres DB Host [azuredb-we-95-1.postgres.database.azure.com]
2020-06-09 11:10:36.726    INFO    logger/logger.go:135    Host [azuredb-we-95-1.postgres.database.azure.com] database [slk_audit] connection established successfully with SSL mode [verify-full]
2020-06-09 11:10:36.726    INFO    logger/logger.go:135    Checking if database slk_audit exists
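A small audit of the two log sources described in this section, as an added example (not Aqua's or Microsoft's tooling). It reads log text on stdin; the sample lines in the test are constructed from the formats shown above. aqua_weak_modes pulls the sslmode out of the console's "connection established" lines and reports any database not using verify-full, and pg_tls_summary / pg_weak_tls read the PostgreSQL server log, which carries only the protocol and cipher, to catch the things the sslmode cannot tell you: a login that was not TLS at all, a protocol older than TLS 1.2, or a cipher suite without forward secrecy.

```shell
#!/bin/sh
# Added example (not Aqua's or Microsoft's tooling): audit the Aqua console
# log and the PostgreSQL server log for the TLS posture of DB connections.
# Each function reads log text on stdin.
set -e

# Aqua console log: every successful DB connection reports its sslmode in
# brackets. Emit "host database mode" for connections below verify-full,
# i.e. anything that does not check the server's name against the chain.
aqua_weak_modes() {
    sed -n 's/.*Host \[\([^]]*\)\] database \[\([^]]*\)\] connection established successfully with SSL mode \[\([^]]*\)\].*/\1 \2 \3/p' \
        | awk '$3 != "verify-full"'
}

# PostgreSQL server log: "connection authorized" lines carry only the
# protocol and cipher, never the client's sslmode. Emit
# "user database protocol cipher", with "-" where the connection was not
# TLS at all, so a plaintext login is visible instead of silently absent.
pg_tls_summary() {
    awk '/connection authorized:/ {
        user = "-"; db = "-"; proto = "-"; cipher = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^user=/)       user = substr($i, 6)
            if ($i ~ /^database=/)   db = substr($i, 10)
            if ($i ~ /^\(protocol=/) { proto = substr($i, 11); sub(/,$/, "", proto) }
            if ($i ~ /^cipher=/)     { cipher = substr($i, 8); sub(/,$/, "", cipher) }
        }
        print user, db, proto, cipher
    }'
}

# Flag server-side weaknesses the sslmode alone cannot reveal: no TLS, a
# protocol older than TLS 1.2, or a cipher without forward secrecy (TLS 1.3
# suites are named TLS_*; TLS 1.2 suites need an ECDHE or DHE key exchange).
pg_weak_tls() {
    pg_tls_summary \
        | awk '$3 == "-" || $3 ~ /^(SSLv3|TLSv1|TLSv1\.1)$/ || $4 !~ /^(ECDHE|DHE|TLS_)/'
}
```

Typical use is `aqua_weak_modes < aqua-console.log` after a deployment, and `pg_weak_tls < postgresql.log` on the server side; an empty result from both means every Aqua database connection is using verify-full over TLS 1.2 or later with a forward-secret cipher.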