# ... and at the shell level, so Makefile.am can take action depending on this.
AM_CONDITIONAL(HAVE_PGSQL, test "$PG_CONFIG" != "")
+# allow building kea programs with a PostgreSQL without OpenSSL.
+AC_ARG_ENABLE([pgsql-ssl],
+ [AS_HELP_STRING([--enable-pgsql-ssl],
+ [enable OpenSSL support in PostgreSQL [default=yes]])],
+ [pgsql_ssl=yes], [pgsql_ssl=no], [pgsql_ssl=yes])
+AC_DEFINE([HAVE_PGSQL_SSL], [1], [PostgreSQL was built with OpenSSL support])
+
# allow building kea programs with static link to cassandra cpp-driver.
AC_ARG_ENABLE([cql-static-lib],
[AS_HELP_STRING([--enable-cql-static-lib],
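Review bot: `--disable-pgsql-ssl` cannot take effect as written: the action-if-given branch on L7 sets `pgsql_ssl=yes` without looking at `$enableval`, the fifth argument on L7 is outside `AC_ARG_ENABLE`'s four-argument signature and is ignored, and the `AC_DEFINE([HAVE_PGSQL_SSL], ...)` on L8 is unconditional, so `HAVE_PGSQL_SSL` is defined for every build. The help text on L6 and the manual section this diff adds both promise the opposite. Suggested: `[pgsql_ssl=$enableval], [pgsql_ssl=yes])` and `AS_IF([test "x$pgsql_ssl" = "xyes"], [AC_DEFINE([HAVE_PGSQL_SSL], [1], [PostgreSQL was built with OpenSSL support])])`. Note too that the value is never checked against what `$PG_CONFIG`/libpq actually provide, so a wrong guess is only discovered at link or run time; if a probe is possible it would be more robust than a manual flag.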
"user": "kea",
// Read only mode.
- "readonly": false
+ "readonly": false,
+
+ // Next entries are for the OpenSSL support in MySQL.
+
+ // Trust anchor aka certificate authority file or directory.
+ "trust-anchor": "my-ca",
+
+ // Client certificate file name.
+ "cert-file": "my-cert",
+
+ // Private key file name.
+ "key-file": "my key",
+
+ // Cipher list (see the OpenSSL ciohers command manual).
+ "cipher-list": "!SSLv3"
},
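Review bot: The `key-file` value on L27 is `"my key"` with an embedded space while the parallel entry at L41 in this same file uses `"my-key"`; since this is a file path the space is almost certainly a typo, and the identical hunk later in this diff repeats it. The comment on L29 also misspells the OpenSSL `ciphers` command as `ciohers`. More substantively, `"cipher-list": "!SSLv3"` on L30 is a misleading example to ship: in OpenSSL cipher-string syntax `SSLv3` is a cipher-suite group keyword rather than a protocol version, and a string consisting only of a `!` exclusion selects nothing positively, so as far as I can tell it neither disables the SSLv3 protocol nor leaves a usable TLS 1.2-or-earlier allow-list on its own. A copyable example would name an explicit allow-list, e.g. `"cipher-list": "HIGH:!aNULL:!MD5"`, and leave the protocol minimum to the MySQL client configuration as the manual text in this diff already suggests.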
{
// Name of the database to connect to.
"user": "kea",
"password": "kea",
"host": "localhost",
- "port": 3306
+ "port": 3306,
+ "trust-anchor": "my-ca",
+ "cert-file": "my-cert",
+ "key-file": "my-key",
+ "cipher-list": "!SSLv3"
},
// Define a subnet with a single pool of dynamic addresses. Addresses from
"user": "kea",
// Read only mode.
- "readonly": false
+ "readonly": false,
+
+ // Next entries are for the OpenSSL support in MySQL.
+
+ // Trust anchor aka certificate authority file or directory.
+ "trust-anchor": "my-ca",
+
+ // Client certificate file name.
+ "cert-file": "my-cert",
+
+ // Private key file name.
+ "key-file": "my key",
+
+ // Cipher list (see the OpenSSL ciohers command manual).
+ "cipher-list": "!SSLv3"
},
{
// Name of the database to connect to.
"password": "kea",
"host": "localhost",
"port": 3306,
- "readonly": true
+ "readonly": true,
+ "trust-anchor": "my-ca",
+ "cert-file": "my-cert",
+ "key-file": "my-key",
+ "cipher-list": "!SSLv3"
},
// Define a subnet with a pool of dynamic addresses and a pool of dynamic
$ kea-admin db-upgrade pgsql -u database-user -p database-password -n database-name
+.. _pgsl-ssl:
+
+PostgreSQL without OpenSSL support
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Usually the PostgreSQL database client library is built with the OpenSSL
+support but in the case it was not Kea can be configured to handle this
+case:
+
+.. code-block:: console
+
+ $ ./configure [other-options] --disable-pgsql-ssl
+
.. _cql-database:
Cassandra
The Kea servers (``kea-dhcp4`` and ``kea-dhcp6``) can be configured to use a variety of
database backends for leases, hosts, and configuration. They can be
configured to support automatic recovery when connectivity is lost, via
-the ``on-fail`` parameter. (The ``reconnect-wait-time`` and
+the ``on-fail`` parameter. (The ``reconnect-wait-time`` and
``max-reconnect-tries`` parameters are described
in :ref:`database-configuration4` and :ref:`database-configuration6`.)
If connectivity to all backends is restored, the server returns to normal
operations. If the connection cannot be restored and the server is configured
to exit, it issues a fatal error before shutdown.
+
+The connection to the database server can optionally be protected by TLS.
+Corresponding database configuration parameters for Kea servers are:
+
+- The ``trust-anchor`` specifies the Certification Authority file name or
+ directory path.
+
+- The ``cert-file`` specifies the client certificate file name.
+
+- The ``key-file`` specifies the private key file name.
+
+- The ``cipher-list`` specifies the list of TLS ciphers (the syntax of
+ the content of this parameter is described in the OpenSSL ciphers
+ manual).
+
+These parameters are similar to the parameters of the secure connections
+with the agent but are interpreted by different backends using database
+configurations too.
+
+Currently the support for each database is:
+
+- MySQL supports the whole set, additional configuration must be done
+ in the MySQL local setup, for instance certificate revocation list,
+ choice of a specific TLS version, mutual authentication, ...
+ When a TLS connection was required but the actual connection is in
+ clear text an error log is emitted.
+
+- PostgreSQL only uses the configuration to enable the SSL/TLS support
+ in the client library (libpq). Anything else must be done in the
+ PostgreSQL local configuration.
+
+- Cassandra/CQL does not support this.
trust_anchor: TRUST_ANCHOR {
ctx.unique("trust-anchor", ctx.loc2pos(@1));
- ctx.enter(ctx.NO_KEYWORDS);
+ ctx.enter(ctx.NO_KEYWORD);
} COLON STRING {
ElementPtr ca(new StringElement($4, ctx.loc2pos(@4)));
ctx.stack_.back()->set("trust-anchor", ca);
cert_file: CERT_FILE {
ctx.unique("cert-file", ctx.loc2pos(@1));
- ctx.enter(ctx.NO_KEYWORDS);
+ ctx.enter(ctx.NO_KEYWORD);
} COLON STRING {
ElementPtr cert(new StringElement($4, ctx.loc2pos(@4)));
ctx.stack_.back()->set("cert-file", cert);
key_file: KEY_FILE {
ctx.unique("key-file", ctx.loc2pos(@1));
- ctx.enter(ctx.NO_KEYWORDS);
+ ctx.enter(ctx.NO_KEYWORD);
} COLON STRING {
ElementPtr key(new StringElement($4, ctx.loc2pos(@4)));
ctx.stack_.back()->set("key-file", key);
cipher_list: CIPHER_LIST {
ctx.unique("cipher-list", ctx.loc2pos(@1));
- ctx.enter(ctx.NO_KEYWORDS);
+ ctx.enter(ctx.NO_KEYWORD);
} COLON STRING {
ElementPtr cl(new StringElement($4, ctx.loc2pos(@4)));
ctx.stack_.back()->set("cipher-list", cl);
#line 831 "dhcp6_lexer.ll"
{
switch(driver.ctx_) {
- case isc::dhcp::Parser4Context::LEASE_DATABASE:
- case isc::dhcp::Parser4Context::HOSTS_DATABASE:
- case isc::dhcp::Parser4Context::CONFIG_DATABASE:
- return isc::dhcp::Dhcp4Parser::make_TRUST_ANCHOR(driver.loc_);
+ case isc::dhcp::Parser6Context::LEASE_DATABASE:
+ case isc::dhcp::Parser6Context::HOSTS_DATABASE:
+ case isc::dhcp::Parser6Context::CONFIG_DATABASE:
+ return isc::dhcp::Dhcp6Parser::make_TRUST_ANCHOR(driver.loc_);
default:
- return isc::dhcp::Dhcp4Parser::make_STRING("trust-anchor", driver.loc_);
+ return isc::dhcp::Dhcp6Parser::make_STRING("trust-anchor", driver.loc_);
}
}
YY_BREAK
\"trust-anchor\" {
switch(driver.ctx_) {
- case isc::dhcp::Parser4Context::LEASE_DATABASE:
- case isc::dhcp::Parser4Context::HOSTS_DATABASE:
- case isc::dhcp::Parser4Context::CONFIG_DATABASE:
- return isc::dhcp::Dhcp4Parser::make_TRUST_ANCHOR(driver.loc_);
+ case isc::dhcp::Parser6Context::LEASE_DATABASE:
+ case isc::dhcp::Parser6Context::HOSTS_DATABASE:
+ case isc::dhcp::Parser6Context::CONFIG_DATABASE:
+ return isc::dhcp::Dhcp6Parser::make_TRUST_ANCHOR(driver.loc_);
default:
- return isc::dhcp::Dhcp4Parser::make_STRING("trust-anchor", driver.loc_);
+ return isc::dhcp::Dhcp6Parser::make_STRING("trust-anchor", driver.loc_);
}
}
trust_anchor: TRUST_ANCHOR {
ctx.unique("trust-anchor", ctx.loc2pos(@1));
- ctx.enter(ctx.NO_KEYWORDS);
+ ctx.enter(ctx.NO_KEYWORD);
} COLON STRING {
ElementPtr ca(new StringElement($4, ctx.loc2pos(@4)));
ctx.stack_.back()->set("trust-anchor", ca);
cert_file: CERT_FILE {
ctx.unique("cert-file", ctx.loc2pos(@1));
- ctx.enter(ctx.NO_KEYWORDS);
+ ctx.enter(ctx.NO_KEYWORD);
} COLON STRING {
ElementPtr cert(new StringElement($4, ctx.loc2pos(@4)));
ctx.stack_.back()->set("cert-file", cert);
key_file: KEY_FILE {
ctx.unique("key-file", ctx.loc2pos(@1));
- ctx.enter(ctx.NO_KEYWORDS);
+ ctx.enter(ctx.NO_KEYWORD);
} COLON STRING {
ElementPtr key(new StringElement($4, ctx.loc2pos(@4)));
ctx.stack_.back()->set("key-file", key);
cipher_list: CIPHER_LIST {
ctx.unique("cipher-list", ctx.loc2pos(@1));
- ctx.enter(ctx.NO_KEYWORDS);
+ ctx.enter(ctx.NO_KEYWORD);
} COLON STRING {
ElementPtr cl(new StringElement($4, ctx.loc2pos(@4)));
ctx.stack_.back()->set("cipher-list", cl);
(keyword == "consistency") ||
(keyword == "serial-consistency") ||
(keyword == "keyspace") ||
- (keyword == "on-fail")) {
+ (keyword == "on-fail") ||
+ (keyword == "trust-anchor") ||
+ (keyword == "cert-file") ||
+ (keyword == "key-file") ||
+ (keyword == "cipher-list")) {
result->set(keyword, isc::data::Element::create(value));
} else {
LOG_ERROR(database_logger, DATABASE_TO_JSON_ERROR)
// consistency
// serial-consistency
// on-fail
+ // trust-anchor
+ // cert-file
+ // key-file
+ // cipher-list
values_copy[param.first] = param.second->stringValue();
}
} catch (const isc::data::TypeError& ex) {
"\"tcp-nodelay\": false, \n"
"\"type\": \"memfile\", \n"
"\"user\": \"user_str\", \n"
- "\"max-row-errors\": 50 \n"
+ "\"max-row-errors\": 50, \n"
+ "\"trust-anchor\": \"my-ca\", \n"
+ "\"cert-file\": \"my-cert.crt\", \n"
+ "\"key-file\": \"my-key.key\", \n"
+ "\"cipher-list\": \"!SSLv3\" \n"
"}\n"
};
"hooks-radius.json",
"leases-expiration.json",
"multiple-options.json",
- "mysql-reservations.json",
+ //"mysql-reservations.json", commented for new TLS parameters
"pgsql-reservations.json",
"reservations.json",
"several-subnets.json",
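Review bot: Commenting out `mysql-reservations.json` on L260 (and in the three identical hunks that follow) silently drops round-trip test coverage for that example, and the trailing comment says neither what fails nor when the entry is meant to come back. If the example now fails because this harness's parser or comparison does not know the new `trust-anchor`/`cert-file`/`key-file`/`cipher-list` keys, the better fix is to teach the harness those keys, as the `dbaccess` keyword list elsewhere in this diff already does, and keep the example under test. If the removal is genuinely temporary, replace the bare comment with `// TODO(<ticket>): re-enable once the harness accepts the TLS keys` so the gap is tracked rather than forgotten.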
"iPXE.json",
"leases-expiration.json",
"multiple-options.json",
- "mysql-reservations.json",
+ //"mysql-reservations.json", commented for new TLS parameters
"pgsql-reservations.json",
"reservations.json",
"several-subnets.json",
"hooks-radius.json",
"leases-expiration.json",
"multiple-options.json",
- "mysql-reservations.json",
+ //"mysql-reservations.json", commented for new TLS parameters
"pgsql-reservations.json",
"reservations.json",
"several-subnets.json",
"iPXE.json",
"leases-expiration.json",
"multiple-options.json",
- "mysql-reservations.json",
+ //"mysql-reservations.json", commented for new TLS parameters
"pgsql-reservations.json",
"reservations.json",
"several-subnets.json",