www.datasunrise.com
DataSunrise Database Security Suite 3.5
Administration Guide
Contents
General Information ..... 3
1.1 Product Description ..... 3
1.2 Supported databases ..... 3
1.3 DataSunrise Operation Modes ..... 3
1.3.1 Sniffer Mode ..... 4
1.3.2 Proxy Mode ..... 5
1.4 DataSunrise Rules ..... 5
1.4.1 DataSunrise Rules execution order ..... 6
1.5 Useful resources ..... 7
Deployment topologies ..... 8
2.1 Installing DataSunrise on a database server ..... 8
2.2 Installing DataSunrise on a separate server ..... 9
DataSunrise installation and removal ..... 11
3.1 Required components ..... 11
3.2 Program installation ..... 11
3.3 Program removal ..... 12
3.4 DataSunrise installation folder ..... 12
3.5 Updating DataSunrise ..... 13
3.6 Migrating DataSunrise to other server ..... 14
Starting DataSunrise for the first time ..... 15
4.1 Starting DataSunrise ..... 15
4.2 Connecting to DataSunrise web interface ..... 15
4.2.1 Restoring access to GUI if the password is lost ..... 15
4.3 Product registration ..... 16
4.4 Preparing your database ..... 16
4.4.1 Creating an Oracle database user ..... 16
4.4.2 Creating PostgreSQL database user ..... 17
4.4.3 Creating Netezza database user ..... 17
4.4.4 Creating Greenplum user ..... 18
4.4.5 Granting necessary privileges to DB2 user ..... 18
4.4.6 Configuring MS SQL Server connection ..... 18
4.5 Additional proxy configuration ..... 19
4.5.1 Changing PostgreSQL port number ..... 19
4.5.2 Configuring authorization of local users in PostgreSQL ..... 19
4.6 Processing encrypted traffic ..... 19
4.6.1 Configuring SSL encryption for DB2 ..... 19
4.6.2 Configuring SSL for Microsoft SQL Server ..... 20
Known issues and troubleshooting ..... 22
General Information | 3
General Information
1.1 Product Description
DataSunrise Database Security is an application firewall purpose-built to protect relational databases against hacker
attacks and insider-driven threats. DataSunrise is compatible with Windows and Linux operating systems, runs fast
and independently of any applications and doesn't inflict any unnecessary load on the database server.
DataSunrise can complete the following tasks:
• Data Auditing. DataSunrise performs real-time tracking and logging of all user actions and changes made to
target database content. Data auditing results can be exported to an external system, such as a SIEM.
• Data Protection. DataSunrise Data Protection intercepts all user queries to the target database, and detects and blocks
unauthorized queries and SQL injections on the fly.
• Data Masking. DataSunrise prevents sensitive data exposure through its dynamic masking capability. DataSunrise
Data Masking can hide an entire database or just selected tables or columns from an unwanted user by
obfuscating sensitive data in the database output.
1.2 Supported databases
DataSunrise is compatible with the following DBMSs:
• Oracle Database 9.2-12.1 working on Windows, Linux, Solaris (SPARC) or IBM AIX servers
• PostgreSQL 7.4-9.6
• Netezza 6.0-7.2.1
• Greenplum 4.2-4.3
• IBM DB2 9.7-11.1
• MS SQL Server 2005-2016
• Amazon Aurora
• Amazon Redshift
• MariaDB 5.1-10.2
• MySQL 5.0-5.7
• Teradata 13-15
• Hive 1.0-2.1
1.3 DataSunrise Operation Modes
DataSunrise can be deployed in one of the following configurations: Sniffer mode or Proxy mode.
1.3.1 Sniffer Mode
When deployed in Sniffer mode, DataSunrise acts as a traffic analyzer capable of capturing a copy of the database
traffic from a network switch "mirrored" port.
Figure 1: Sniffer mode operation scheme.
In this configuration, DataSunrise can't interfere with database traffic, so it is able to perform data auditing only. But
running DataSunrise in sniffer mode does not require any additional database or client application tweaking.
1.3.2 Proxy Mode
When deployed in this configuration, DataSunrise works as a proxy server that detects and blocks unauthorized and
SQL-injected queries.
Figure 2: Proxy mode operation scheme.
DataSunrise receives the SQL queries that database users send to the protected database, checks whether they are
unauthorized or contain SQL injections, and blocks them if necessary. If the intercepted queries are safe, DataSunrise
redirects them to the protected database.
DataSunrise also intercepts and analyzes all database responses before passing them on, to prevent possible data
leakage.
1.4 DataSunrise Rules
DataSunrise functionality is based on a system of Rules used to control the data auditing, data protection and data
masking capabilities: Data Audit Rules, Data Security Rules and Data Masking Rules respectively. The DataSunrise
self-learning system (Learning Mode) is controlled with its own set of Rules, the Learning Rules.
In fact, a Rule is a set of settings that define when the Rule-related module should be activated and how it should act.
Depending on certain Rule settings, DataSunrise can activate its functionality when the following events occur:
• A user query to any target DB, or to a target DB of a certain type, is intercepted;
• A user query addresses certain target DB elements (schemas, tables, columns);
• A query came from a certain IP address, network interface or socket;
• Queries are issued by certain target DB users or client applications;
• A query matches a certain SQL pattern;
• A query contains signs of SQL injection.
Each Rule's settings entail a certain action the Firewall should execute when the Rule is activated ("matched"). In
particular:
Data Audit. When creating a Data Audit Rule, you can select one of the following actions:
• Skip. DataSunrise skips auditing and proceeds to execution of the Data Security Rules.
• Audit. DataSunrise performs data auditing according to the Rule settings and, when it is completed, proceeds to
execution of the Data Security Rules.
Data Security. When creating a Security Rule, you can select one of the following actions:
• Allow. DataSunrise ignores the Security Rule and proceeds to execution of the Data Masking Rules.
• Block. DataSunrise blocks malicious queries according to the Rule settings and, when done, proceeds to execution
of the Data Masking Rules.
Data Masking.
• Data Masking Rule settings don't offer any alternative to masking. To skip masking you should disable
the Masking Rule itself.
Activation and deactivation of Rules is performed via their settings (refer to subs. 6.1.1, 6.2.1, 6.3.1, 6.1.2.1) or via the
context menu. Right-click the Rule name in the Rules list and select Disable to deactivate the Rule, or Enable to activate it.
Figure 3: Disabling a Rule through context menu.
You can configure Rules to be activated automatically in certain time and weekday (refer to subs. 5.7). You can also
notify concerned parties (subscribers) about activation of some Rule via Email or SNMP (refer to subs. 5.8).
1.4.1 DataSunrise Rules execution order
Important: DataSunrise executes its Rules in the following order: Data Audit Rules -> Data Security Rules ->
Data Masking Rules.
Every SQL query intercepted by DataSunrise undergoes the following processing stages:
1. The query is examined for matching the conditions defined by existing Data Audit Rules. If the query matches a certain
Audit Rule's conditions, it undergoes data auditing.
2. Then the query is examined for matching the conditions defined by existing Data Security Rules. If a certain Rule is
matched, the firewall blocks or ignores the query depending on the Rule's settings.
3. If the query was not blocked at the previous stage, it is examined for matching the conditions defined by existing
Masking Rules. If a Masking Rule is matched, DataSunrise modifies the query's code according to the Rule's settings
and redirects the modified query to the target DB. Having received the modified query, the target DB alters its response and
outputs obfuscated ("masked") values instead of actual DB content.
Figure 4: Changing Rule priority.
If multiple Rules of the same type exist (Audit Rules, for example), DataSunrise executes them according to the priority
level of each Rule. Visually, you can estimate a Rule's priority in the Rules list by how close it is to the top of the
list (the closer to the top of the list, the higher the Rule's priority). To adjust the Rule's location in the list, right-click on it and
change its priority (Priority ↑ to raise the Rule's priority; Priority ↓ to lower it).
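The processing order and priority handling described in 1.4.1, modelled as an added example that is not DataSunrise code: the Query fields, the Rule fields and the sample Rules are assumptions made for the illustration; only the Audit -> Security -> Masking order, the per-type actions and list-position priority come from this guide. It shows that a blocked query is still audited, that masking never runs on a blocked query, and how moving a Security Rule down the list changes the result.

```python
"""Toy model of the Rule pipeline from section 1.4.1: Data Audit -> Data
Security -> Data Masking, with list order as priority. Added example, not
DataSunrise code; Query/Rule fields and the sample Rules are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set


@dataclass
class Query:
    sql: str
    db_user: str
    client_ip: str
    objects: Set[str]          # schema.table names the query addresses


@dataclass
class Rule:
    name: str
    kind: str                  # "audit" | "security" | "masking"
    action: str                # audit: Skip/Audit; security: Allow/Block; masking: Mask
    matches: Callable[[Query], bool]
    mask_columns: Set[str] = field(default_factory=set)
    enabled: bool = True


@dataclass
class Outcome:
    sql: str
    audited_by: List[str] = field(default_factory=list)
    blocked_by: Optional[str] = None
    masked_columns: Set[str] = field(default_factory=set)


def first_match(rules: List[Rule], kind: str, query: Query) -> Optional[Rule]:
    """Rules of one type are tried top-down; the list position is the priority."""
    for rule in rules:
        if rule.kind == kind and rule.enabled and rule.matches(query):
            return rule
    return None


def process(rules: List[Rule], query: Query) -> Outcome:
    out = Outcome(sql=query.sql)
    # Stage 1: Data Audit. "Audit" logs the query, "Skip" does not; either way
    # processing continues with the Security Rules.
    rule = first_match(rules, "audit", query)
    if rule is not None and rule.action == "Audit":
        out.audited_by.append(rule.name)
    # Stage 2: Data Security. "Block" ends processing here, so the attempt is
    # already in the audit trail but never reaches the database. "Allow" continues.
    rule = first_match(rules, "security", query)
    if rule is not None and rule.action == "Block":
        out.blocked_by = rule.name
        return out
    # Stage 3: Data Masking. A matched, enabled Masking Rule has no alternative
    # action: the query is rewritten so the DB returns obfuscated values.
    rule = first_match(rules, "masking", query)
    if rule is not None:
        for col in sorted(rule.mask_columns):
            out.sql = re.sub(rf"\b{re.escape(col)}\b", f"'****' AS {col}", out.sql)
        out.masked_columns = set(rule.mask_columns)
    return out


def touches_hr(q: Query) -> bool:
    return "hr.employees" in q.objects


# Constructed sample Rules, highest priority first within each type.
SAMPLE_RULES = [
    Rule("audit-hr", "audit", "Audit", touches_hr),
    Rule("allow-dba", "security", "Allow", lambda q: q.db_user == "dba"),
    Rule("block-external", "security", "Block",
         lambda q: not q.client_ip.startswith("10.0.")),
    Rule("mask-ssn", "masking", "Mask", touches_hr, mask_columns={"ssn"}),
]


def lower_priority(rules: List[Rule], name: str) -> List[Rule]:
    """Equivalent of 'Priority (down)' in the GUI: move a Rule one position down."""
    rules = list(rules)
    i = next(i for i, r in enumerate(rules) if r.name == name)
    if i + 1 < len(rules):
        rules[i], rules[i + 1] = rules[i + 1], rules[i]
    return rules


if __name__ == "__main__":
    q = Query("SELECT ssn, name FROM hr.employees", "dba", "203.0.113.5", {"hr.employees"})
    print(process(SAMPLE_RULES, q))                                  # allowed, ssn masked
    print(process(lower_priority(SAMPLE_RULES, "allow-dba"), q))     # now blocked
```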
1.5 Useful resources
• DataSunrise official web site: https://www.datasunrise.com/
• DataSunrise latest version download page: https://www.datasunrise.com/download
• DataSunrise Facebook page: https://www.facebook.com/datasunrise/
• DataSunrise administration guide for Linux (DataSunrise Database Security Suite Admin Guide Lin.pdf file located
in the doc subfolder within the program installation folder). Describes installation and post-installation procedures,
deployment schemes, and includes a troubleshooting subsection.
• DataSunrise administration guide for Windows (DataSunrise Database Security Suite Admin Guide Win.pdf file
located in the doc subfolder). Describes installation and post-installation procedures, deployment schemes, and includes
a troubleshooting subsection.
• DataSunrise end user guide (DataSunrise Database Security Suite User Guide.pdf file located in the doc subfolder).
Describes GUI structure, program management etc.
• Command Line Interface (CLI) guide (CLI_guide.pdf file located in the doc subfolder). Contains CLI command
descriptions, usage examples etc.
• Release notes (Release_notes.pdf file in the doc subfolder). Describes changes and enhancements made in the latest
DataSunrise version, known bugs and version history.
• EULA (DataSunrise_EULA.pdf file in the doc subfolder). Contains the End User License Agreement.
Deployment topologies
DataSunrise can be installed either on the database server or on a separate server. In both cases, the firewall can be
used in the sniffer mode and in the proxy mode.
2.1 Installing DataSunrise on a database server
Figure 5: Deployment on a database server
2.1.1 Proxy Mode
To deploy DataSunrise in proxy mode, use one of the following methods:
a) Database settings tweaking
• Reconfigure the database to use some free port on the local interface (localhost). This eliminates the possibility of
connecting to the database directly, bypassing DataSunrise.
• Configure the DataSunrise proxy to use the port formerly used by the database to connect with the client
applications. Thus, any clients trying to connect to the database will connect to DataSunrise instead.
• Configure the DataSunrise connection with the database, taking into account the changes made in the previous steps.
Important: many operating systems reserve port numbers less than 1024 for privileged system processes. So it's
preferable to use port numbers higher than 1024.
b) Reconfiguring of client applications
• Configure the DataSunrise proxy to use any free port
• Configure all the client applications to connect to DataSunrise instead of the database
Tip: you can use this installation option during firewall testing, since some DB clients still retain direct access to the
database. Use another firewall to block direct access to the database.
2.1.2 Sniffer Mode
Configure DataSunrise sniffer. It is not required to tweak any client applications or database settings.
2.2 Installing DataSunrise on a separate server
2.2.1 Proxy mode
Figure 6: Proxy mode deployment scheme
To deploy DataSunrise in proxy mode, perform the following:
• Configure the DataSunrise connection with the database.
• Configure all the client applications to connect to the DataSunrise proxy instead of the database.
Important: many operating systems reserve port numbers less than 1024 for privileged system processes, so it's
preferable to use port numbers higher than 1024.
2.2.2 Sniffer mode
Figure 7: Sniffer mode deployment scheme
To deploy DataSunrise in sniffer mode, configure your network switch for transferring mirrored traffic to DataSunrise
(refer to your network switch user guide for port mirroring procedure description).
DataSunrise installation and removal
Note: Before you begin the DataSunrise installation process, please select an appropriate firewall deployment
option (subsections 2.1 and 2.2) and perform all required preparations. Also make sure that the PC you want to install
DataSunrise on meets the system requirements listed in subsection 1.4.
3.1 Required components
Depending on the RDBMS used, it is necessary to install some additional components.
1. Install WinPcap library:
http://www.winpcap.org/install/default.htm
2. To run DataSunrise with MySQL and PostgreSQL databases, install ODBC driver. You can download it here:
http://www.postgresql.org/ftp/odbc/versions/
3. To run DataSunrise with Oracle databases, install OCI driver. You can download it here:
http://www.oracle.com/technetwork/database/features/instant-client/index.html
4. To run DataSunrise with Netezza database, install dedicated ODBC driver. Download it from IBM Fix Central:
http://www-933.ibm.com/support/fixcentral/
Note: your IBM ID should be associated with your IBM customer ID with active support and maintenance
contract for Netezza appliance
Refer to the following page for more details: https://www-304.ibm.com/support/knowledgecenter/SSULQD_7.0.3/
com.ibm.nz.adm.doc/c_sysadm_client_software_packages.html
5. To run DataSunrise with DB2 databases, install ODBC driver. You can download it here:
https://www-304.ibm.com/support/docview.wss?uid=swg21418043
6. To run DataSunrise with SQL Server, you might need to install ODBC driver. You can download it here:
ODBC driver: https://msdn.microsoft.com/en-us/library/mt654048(v=sql.1).aspx
7. To run DataSunrise with Hive, install Hortonworks ODBC driver. You can download it here:
ODBC driver: https://hortonworks.com/downloads/
3.2 Program installation
To install DataSunrise on your PC, perform the following:
1. Double-click the DataSunrise installer file (DataSunrise Database Security Suite XXX.msi)
2. Follow the steps of the setup wizard
Note: Set the password for the DataSunrise administrator at the Set administrator password tab
3. Optionally, generate a new SSL certificate and replace the appfirewall.pem certificate located in the DataSunrise
installation directory
3.3 Program removal
To uninstall DataSunrise, perform the standard program removal procedure (using Control Panel) or use the method
described below:
1. Double-click the DataSunrise installation file
2. Click the Remove button to initiate program removal
Note: click the Repair button to fix a corrupted DataSunrise installation.
3. Follow the steps of the setup wizard.
3.4 DataSunrise installation folder
This subsection describes DataSunrise files and installation folder structure.
Figure 8: DataSunrise files and folders
1. DataSunrise folders:
cmdline: contains DataSunrise Command Line Interface (CLI) files
doc: contains DataSunrise docs (User guide, CLI guide, Release notes, EULA)
gwt: contains GUI files
logs: log files (back end, core, GUI logs)
2. DataSunrise files (except DLL files):
audit.db: database file to store audit data (Audit Storage)
dictionary.db: contains program settings, firewall objects (such as database entries, user entries etc.), rules, etc.
event.db: system event logs
standart_application_queries.db: contains queries used by Oracle SQL Developer (refer to the Query Groups subsection for more information)
install_firewall_service.bat: this script installs the DATA_SUNRISE_SECURITY_SUITE service (it is run by the setup wizard during program installation)
remove_firewall_service.bat: this script removes the DATA_SUNRISE_SECURITY_SUITE service (it is run by the setup wizard during program installation)
start_firewall_service.bat: this script starts the DATA_SUNRISE_SECURITY_SUITE service
stop_firewall_service.bat: this script stops the DATA_SUNRISE_SECURITY_SUITE service
AppBackendService.exe: system process required for GUI operation and AppFirewallCore.exe control
AppFirewallCore.exe: core process; performs all fundamental DataSunrise functions
appfirewall.pem: SSL certificate for the GUI
cacert.pem: SSL certificate required for online update
proxy.pem: OpenSSL keys and certificate used by the proxy by default
appfirewall.reg: contains the DataSunrise license key
3.5 Updating DataSunrise
To update DataSunrise, perform the following:
1. Go to the System Settings -> About subsection
2. Click Update button
3. Wait for update to complete and reload the GUI page.
Note: You can also update the program in another way. Download the newest version of DataSunrise from the
official web site and run the installation file. Follow the steps of the setup wizard to update the program.
3.6 Migrating DataSunrise to other server
To export DataSunrise settings to another instance installed on another server, perform the following:
1. Stop the DataSunrise system service (DATA_SUNRISE_SECURITY_SUITE) using Windows Task Manager
2. Copy the dictionary.db, event.db and audit.db files from the source DataSunrise installation folder
3. Install a new DataSunrise instance on the other server. Stop its DataSunrise system service
4. Paste the dictionary.db, event.db and audit.db files into the new DataSunrise instance's installation folder
5. Start the new DataSunrise system service
6. Check the imported settings.
Starting DataSunrise for the first time
4.1 Starting DataSunrise
1. The firewall needs the DATA_SUNRISE_SECURITY_SUITE service running to operate. This service starts the DataSunrise
back end and core on Windows startup.
• If you've stopped the DataSunrise process, or it has stopped because of a problem of some kind, you can start the
process manually by double-clicking the AppBackendService.exe file located in the program installation folder.
2. Enter the DataSunrise web interface (refer to subs. 4.2).
4.2 Connecting to DataSunrise web interface
DataSunrise is provided with a comprehensive web-based interface used to control all the firewall's actions.
1. To enter the web interface, perform the following:
• To connect to the GUI using the HTTPS protocol (the default), open the following address in your web browser:
https://DataSunrise_ip_address:11000
• If you want to connect to DataSunrise using the HTTP protocol, you should activate HTTP in the system settings
(System Settings → General → Ports). Then open the following address in your web browser:
http://DataSunrise_ip_address:11000
Note: DataSunrise_ip_address is DataSunrise's IP address or host name, 11000 is the firewall's port number.
2. Your browser will display an "Unsecure connection" prompt because of the untrusted SSL certificate. That's normal.
Follow your browser's prompts to confirm a security exception for the DataSunrise GUI.
3. Enter your credentials (you set the password while installing the program) and click the Login button to enter the
web interface
Important: on first startup, use the admin username.
4.2.1 Restoring access to GUI if the password is lost
You can't restore the DataSunrise administrator password if you've lost it, but you can set a new one. To change the admin
user's password, perform the following:
1. Start Windows Command Prompt as an administrator.
2. Use the cd command to go to the DataSunrise installation folder (C:\Program Files\DataSunrise Database Security
Suite by default)
3. Run the AppBackendService.exe file with the set_admin_password parameter. Specify the new password as the parameter's
value:
AppBackendService.exe set_admin_password=new_password
4. Restart the DataSunrise service for the changes to take effect.
4.3 Product registration
The first time you start DataSunrise, you will be prompted to register it.
1. Paste the license key you got from the firewall developers into the dedicated text field
Note: You can also paste the license key into appfirewall.reg within the program installation folder.
2. Click Save button
4.4 Preparing your database
DataSunrise interacts with the target DB and receives all information required for operation via a target DB user account.
By default, the firewall uses the DB's administrator account, but it is possible to use any other account with sufficient
privileges.
This section describes the actions required to establish a connection between DataSunrise and various databases.
4.4.1 Creating an Oracle database user
1. Connect to the Oracle target database using the SYS user account.
2. To create a new user, perform the following:
• For Oracle 11g Release 2 or earlier. Run the following command:
CREATE USER DataSunrise_user IDENTIFIED BY DataSunrise_password;
• For Oracle 12c. Create a global user (for all Oracle containers). Connect to CDB$ROOT and run the following
command:
CREATE USER c##DataSunrise_user IDENTIFIED BY DataSunrise_password;
You can also create a local user (for one container). To do this, run the following commands:
ALTER SESSION SET CONTAINER = pdborcl;
CREATE USER DataSunrise_user IDENTIFIED BY DataSunrise_password;
Warning: in most cases it is preferable to use a global user for establishing the connection with target databases,
because if you use a local user (created for one container) DataSunrise would not be able to work with other
containers.
3. Grant all required privileges to new user if necessary. To do this, run the following commands:
• For Oracle 11g Release 2 or earlier:
GRANT CONNECT TO DataSunrise_user;
GRANT SELECT ON "SYS"."DBA_OBJECTS" TO DataSunrise_user;
GRANT SELECT ON "SYS"."DBA_TAB_COLUMNS" TO DataSunrise_user;
GRANT SELECT ON "SYS"."DBA_SYNONYMS" TO DataSunrise_user;
GRANT SELECT ON "SYS"."DBA_NESTED_TABLES" TO DataSunrise_user;
GRANT SELECT ON "SYS"."V_$SERVICES" TO DataSunrise_user;
GRANT SELECT ON "SYS"."V_$INSTANCE" TO DataSunrise_user;
GRANT SELECT ON "SYS"."DBA_USERS" TO DataSunrise_user;
GRANT SELECT ON "SYS"."DBA_PROCEDURES" TO DataSunrise_user;
• For Oracle 12c. For a local user:
GRANT SELECT ON "SYS"."V_$SERVICES" TO DataSunrise_user;
GRANT SELECT ON "SYS"."CDB_USERS" TO DataSunrise_user;
GRANT SELECT ON "SYS"."CDB_OBJECTS" TO DataSunrise_user;
GRANT SELECT ON "SYS"."CDB_TAB_COLUMNS" TO DataSunrise_user;
GRANT SELECT ON "SYS"."CDB_SYNONYMS" TO DataSunrise_user;
GRANT SELECT ON "SYS"."CDB_NESTED_TABLES" TO DataSunrise_user;
GRANT SELECT ON "SYS"."V_$INSTANCE" TO DataSunrise_user;
GRANT SELECT ON "SYS"."CDB_PROCEDURES" TO DataSunrise_user;
GRANT CREATE TABLE TO DataSunrise_user;
Tip: you can create the required table manually instead of giving the CREATE TABLE privilege to the new user:
CREATE GLOBAL TEMPORARY TABLE DAF_OBJECTS ON COMMIT DELETE ROWS AS SELECT *
FROM CDB_OBJECTS WHERE 1 != 1;
To grant required privileges to a global user, run the following commands:
GRANT CONNECT TO c##DataSunrise_user CONTAINER=ALL;
GRANT SYSDBA TO c##DataSunrise_user;
4.4.2 Creating PostgreSQL database user
To create a PostgreSQL user, run the following command:
CREATE USER DataSunrise_user WITH PASSWORD 'DataSunrise_password';
Note: you don't need to grant any additional privileges to new user.
4.4.3 Creating Netezza database user
To create a new Netezza user, run the following command:
CREATE USER DataSunrise_user WITH PASSWORD 'DataSunrise_password';
Note: grant all required privileges to the new user. Connect to the SYSTEM database and send it the appropriate
SQL query:
• For Netezza 6.X:
GRANT LIST ON AGGREGATE, DATABASE, EXTERNAL TABLE, FUNCTION, GROUP, MANAGEMENT
TABLE, MANAGEMENT VIEW, PROCEDURE, SEQUENCE, SYNONYM, SYSTEM TABLE, SYSTEM
VIEW, TABLE, USER, VIEW to DataSunrise_user;
• For Netezza 7.X:
GRANT LIST ON AGGREGATE, DATABASE, EXTERNAL TABLE, FUNCTION, GROUP, MANAGEMENT
TABLE, MANAGEMENT VIEW, PROCEDURE, SCHEMA, SEQUENCE, SYNONYM, SYSTEM TABLE,
SYSTEM VIEW, TABLE, USER, VIEW to DataSunrise_user;
4.4.4 Creating Greenplum user
To create a Greenplum user, run the following command:
CREATE USER DataSunrise_user WITH PASSWORD 'DataSunrise_password';
4.4.5 Granting necessary privileges to DB2 user
To make DataSunrise work correctly with a DB2 database it's necessary to grant the database user the right to select data
from the following system views:
• syscat.schemata
• syscat.procedures
• syscat.functions
• syscat.tables
• syscat.columns
• syscat.sequences
• syscat.packages
To grant the necessary user privileges, run the following script:
GRANT SELECT ON SYSCAT.COLUMNS TO USER DataSunrise_user;
GRANT SELECT ON SYSCAT.FUNCTIONS TO USER DataSunrise_user;
GRANT SELECT ON SYSCAT.PACKAGES TO USER DataSunrise_user;
GRANT SELECT ON SYSCAT.PROCEDURES TO USER DataSunrise_user;
GRANT SELECT ON SYSCAT.SCHEMATA TO USER DataSunrise_user;
GRANT SELECT ON SYSCAT.SEQUENCES TO USER DataSunrise_user;
GRANT SELECT ON SYSCAT.TABLES TO USER DataSunrise_user;
COMMIT;
4.4.6 Configuring MS SQL Server connection
To establish a connection between DataSunrise and a SQL Server database, perform the following:
1. Run the SQL Server Configuration Manager utility (it is included in the SQL Server pack). Open SQL Server Network
Configuration -> Protocols for (DB instance name)
2. Right-click on the TCP/IP protocol name and select Properties in the context menu
3. In the TCP/IP Properties window, in the Protocol tab, set the Enabled parameter to Yes. Then open the IP Addresses
tab, IPAll subsection, and set the TCP Port parameter value to 1433. Click OK to close the window
4. Open the SQL Server Services subsection, right-click on the SQL Server (DB instance name) entry to open its context
menu, and click Restart
5. If you're using a firewall application (including Windows Firewall), you should allow the following inbound
connections: TCP/IP, port 1433 and UDP, port 1434
6. When configuration is done, it is recommended to restart your PC.
7. Connect to the database server with SQL Server Management Studio (SSMS)
Important: SSMS's Encrypt connection option forces encryption and a server certificate check on the client's side.
Thus when this option is enabled, the client would not be able to connect to the DataSunrise proxy if the certificate
included in proxy.pem or dictionary.db does not include the proxy's host name. In the case when encryption is
forced (for example, when connecting to an Azure SQL database), it's necessary to disable Encrypt connection as
well.
4.5 Additional proxy configuration
4.5.1 Changing PostgreSQL port number
When configuring the DataSunrise proxy it may be necessary to change the database port number. This is necessary if
the DataSunrise proxy is configured to use the port number originally assigned to the database. To do this, perform the
following:
1. Open the postgresql.conf file, which is located in the data subfolder of the PostgreSQL installation folder.
2. In the CONNECTIONS AND AUTHENTICATION section, change the port parameter value (5432 by default) to the
new port number.
3. Restart PostgreSQL for the changes to take effect.
4.5.2 Configuring authorization of local users in PostgreSQL
If the DataSunrise proxy is deployed on the same host as the database, remote users that connect to the database
through the proxy are treated by the database as local users, and may therefore get privileges such as
password-free or simplified authentication. It is therefore necessary to disable password-free authentication for local users
in the database settings, if it is enabled. To do this, perform the following:
1. Open the pg_hba.conf file, located in the data subfolder of the PostgreSQL installation folder.
2. Edit the pg_hba.conf file in the following way:
# TYPE DATABASE USER ADDRESS METHOD
# IPv4 local connections:
host all all 127.0.0.1/32 md5
host all all all md5
# IPv6 local connections:
host all all ::1/128 md5
3. As a result, the MD5 or Password authentication method is assigned to all database connections.
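A small checker for the same-host risk described above, added here as an example and not part of the DataSunrise guide: it applies the first-match rule of pg_hba.conf to the loopback addresses a same-host proxy connects from and reports any password-free method. Both pg_hba.conf samples are constructed inline; the checker handles CIDR-form addresses only.

```python
import ipaddress

# Constructed sample (not from the guide): a "trust" rule for loopback comes first,
# so any connection arriving through a same-host proxy would skip the password check.
RISKY_HBA = """\
# TYPE  DATABASE  USER  ADDRESS       METHOD
host    all       all   127.0.0.1/32  trust
host    all       all   all           md5
host    all       all   ::1/128       md5
"""

# The configuration recommended in section 4.5.2 above.
HARDENED_HBA = """\
# TYPE DATABASE USER ADDRESS METHOD
host all all 127.0.0.1/32 md5
host all all all md5
host all all ::1/128 md5
"""

# Methods that admit a client without a database password.
PASSWORDLESS_METHODS = {"trust", "ident", "peer"}

def parse_host_rules(text):
    """Yield (network or 'all', method) for host rules, in file order (CIDR form only)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("host", "hostssl", "hostnossl"):
            continue                                 # 'local' rules are Unix-socket only
        address, method = fields[3], fields[4]
        yield ("all" if address == "all"
               else ipaddress.ip_network(address, strict=False)), method

def effective_method(text, client_ip):
    """pg_hba.conf is first-match: return the METHOD of the first rule matching client_ip."""
    ip = ipaddress.ip_address(client_ip)
    for network, method in parse_host_rules(text):
        if network == "all" or (network.version == ip.version and ip in network):
            return method
    return None                                      # no rule matches: connection refused

def loopback_findings(text):
    """Loopback addresses (what a same-host proxy connects from) that get password-free auth."""
    findings = []
    for ip in ("127.0.0.1", "::1"):
        method = effective_method(text, ip)
        if method in PASSWORDLESS_METHODS:
            findings.append((ip, method))
    return findings
```

Run the checker against the live pg_hba.conf after the edit in step 2: an empty result means every TCP connection from loopback, and therefore every connection relayed by a same-host proxy, must present a password.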
4.6 Processing encrypted traffic
This subsection describes how to configure encrypted traffic processing.
4.6.1 Configuring SSL encryption for DB2
To configure DataSunrise to process SSL-encrypted DB2 traffic, perform the following:
1. Prepare the DB2 server for working with SSL. You need to obtain the certificate the server delivers to the client during the SSL
handshake (hereafter db2_server.crt). Refer to the following page for an example: http://www.ibm.com/support/
knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/t0025241.html
2. Install the GSKit package on the DataSunrise server. Create a trusted certificate storage and a withdrawn (revoked) certificates storage.
Place the server certificate (db2_server.crt) into the trusted certificate storage. Refer to the following page for an example:
http://www.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/t0053518.html
3. Specify the full paths to the certificate storages in the Db2KeyStoragePath and Db2KeyStashPath parameters (refer to subs. 6.1.3)
4. Configure the client workstation to pass DB2 traffic through DataSunrise. The trusted DB2
server certificate must be installed on the client's side. Refer to the following page for an example: http://www.ibm.com/support/
knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/t0053518.html
4.6.2 Configuring SSL for Microsoft SQL Server
4.6.2.1 Enabling SSL encryption for MS SQL Server
To configure DataSunrise to process SSL-encrypted SQL Server traffic, perform the following:
1. Install the MakeCert utility (it is included in the Windows SDK). You can download the Windows SDK from this page: https://
www.microsoft.com/en-us/download/details.aspx?id=8279
2. Run the following command to create a new certificate:
makecert -r -pe -n "CN=SERVER_HOST" -b 01/01/2016 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
Replace SERVER_HOST with the actual SQL Server host name and set the required certificate lifetime (the -b and -e dates).
3. Run the SQL Server Configuration Manager utility and select SQL Server Network Configuration -> Protocols for (DB
instance name)
4. Right-click on Protocols for... and select Properties
5. In the Certificate tab, select the certificate generated in step 2 of this instruction.
6. In the Flags tab, you may set the Force Encryption parameter to Yes to encrypt all TDS traffic, or set it to No to encrypt
the client authorization packet only.
7. Restart SQL Server. To do this, select SQL Server Services -> SQL Server (DB instance name) and click Restart
Service.
Important: Refer to this page for more information: https://thesqldude.com/tag/makecert/
4.6.2.2 Generating SSL certificate with OpenSSL
To create an SSL certificate for SQL Server using OpenSSL, perform the following:
1. Create a configuration file (named cfg in the script below):
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
# countryName must be a two-letter ISO country code, otherwise openssl req rejects the field
countryName = US
stateOrProvinceName = Washington
localityName = Seattle
organizationName = DataSunrise
organizationalUnitName = IT
commonName = SERVER_HOST
emailAddress = support@myemail.local
[ext]
# 1.3.6.1.5.5.7.3.1 is the serverAuth extended key usage
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
Note: replace SERVER_HOST with the actual SQL Server host name.
2. Run the following script:
openssl genrsa -des3 -out key.pem 2048
openssl rsa -in key.pem -out key.pem
openssl req -config cfg -new -key key.pem -out req
openssl req -x509 -config cfg -extensions ext -days 365 -key key.pem -in req -out certificate.cer
openssl pkcs12 -export -in certificate.cer -inkey key.pem -out certificate.pfx
Note: when executing the first command you will need to enter a password twice. The second command
removes the password from the key file, but you will need to enter it once more. The third command creates a certificate request
in the req file. The fourth command generates a self-signed certificate in the certificate.cer file. The last command
packs the key and the certificate into the certificate.pfx file, protecting it with a password (enter the password twice). Then
import certificate.pfx via the MMC console into the Personal container.
3. Install the certificate for the proxy (refer to subs. 4.6.2.3, step 4)
4.6.2.3 Installing SSL certificate for MS SQL Server proxy
To install the SSL certificate for the SQL Server proxy, perform the following:
1. Run certmgr.msc (or add it via the Microsoft Management Console)
2. Locate the SSL certificate (refer to subs. 4.6.2.1, step 2) in the Personal / Certificates folder.
3. Export the certificate together with its private key to a *.pfx file
4. Retrieve the private key from the *.pfx file by executing the following command:
openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes
Note: replace certname.pfx with the name of the exported *.pfx file.
5. Pass the key.pem file path to the MsSqlPrivateKeyPath proxy parameter.
Known issues and troubleshooting
This section describes the most common issues DataSunrise users face.
1. I installed the database server, the database client and the firewall on one host. I'm trying to run DataSunrise in Sniffer
mode, but it is not listening for the traffic.
• In this case DataSunrise can't capture traffic sent from the host machine to that same host machine. Use
DataSunrise in Proxy mode only, or install the database server and the database client on separate hosts.
2. I'm trying to add a new Oracle database via the Configuration menu, but the connection is failing because of a "Couldn't
load oci.dll" error.
• Probably you installed the 32-bit version of Oracle Database Instant Client or did not set the system variables
correctly. You need to install the 64-bit version of Oracle Database Instant Client and add its home directory path
to the %ORACLE_HOME% system variable. Then add the same directory path to the %PATH% system
variable.
3. DataSunrise running on a host can't capture data packets between a database client running on the same host and
a database server running on an Oracle VirtualBox virtual machine.
• If you're using VirtualBox 5.0.2, for instance, DataSunrise will likely fail to capture data packets between a
database client running on the host and a database server running on the guest OS. This problem can occur
under various network connection settings such as NAT, bridged and host-only. However, if you run the DB
client on the guest OS and the DB server on the host, DataSunrise will be able to capture network packets.
This issue is caused by the VirtualBox 5.0.X virtual network adapter (VirtualBox NDIS Bridged Network Driver). Try
installing an older version of VirtualBox and check whether DataSunrise captures data packets between the host and
the guest OS.
4. I'm trying to enter the web interface after a program update, but it displays an "Internal System Error" message.
• Most likely, you kept the web interface tab open in your browser while updating the firewall. Log out of the web
interface if necessary and press Ctrl + F5 to reload the page.
5. When I'm trying to run DataSunrise in sniffer mode, it displays the message: "Can't to parsing SSL connection in
sniffer mode".
• In order to run the firewall in sniffer mode, you should disable SSL support in your client application settings
(SSL Mode -> Disable). You can also switch the application's SSL Mode to "Allow" or "Prefer", but disable SSL
support in the database server settings first.
6. When connecting to Aurora DB, the MySQL ODBC driver stops responding.
• Most probably, you're using ODBC driver version 5.3.6, which is known to cause freezes from time to time.
Install MySQL ODBC driver version 5.3.4.
7. I forgot the password to the GUI.
• You can set a new administrator password. Use the Windows command line to run DataSunrise's appbackendService.exe
with the set_admin_password parameter. For example:
>appbackendService.exe set_admin_password=new_password
To apply the new password, restart the DATA_SUNRISE_SECURITY_SUITE system
service.