Summary
It is always a good idea to be mindful of open ports on your hosts, since they can be used by bad actors to gain access to your systems.
For this reason, it is often desirable to block outside connections to a port whenever possible.
For security purposes (and possibly PCI compliance), the Tungsten Connector proxy has the ability to bind to localhost/127.0.0.1 instead of listening on all available IP addresses via 0.0.0.0.
The Question
Recently, a customer asked us:
We were wondering if the Connectors would be able to bind to localhost/127.0.0.1 instead of 0.0.0.0:3306? Since the Connector is installed on the application servers, all of the connections are coming from localhost. We would like to limit this exposure so that the 3306 port is not exposed externally. We ask because we are failing PCI checks that are able to access the database port externally.
The Answer
YES!
/etc/hosts lookups - this improves overall performance, especially when using DNS.
You may set the IP address for the Connector to listen on by using the tpm configuration property:
property=server.listen.address={IP_ADDRESS}
To force the Connector to listen only on the localhost IP address 127.0.0.1, use the following examples.
INI-based Deployment
shell> vi /etc/tungsten/tungsten.ini
[alpha]
...
property=server.listen.address=127.0.0.1
shell> tpm query staging
tungsten@db1:/opt/continuent/software/tungsten-clustering-7.1.2-81
shell> echo The staging DIRECTORY is `tpm query staging| cut -d: -f2`
The staging DIRECTORY is /opt/continuent/software/tungsten-clustering-7.1.2-81
shell> cd {STAGING_DIRECTORY}
shell> tools/tpm update --replace-release
Staging-based Deployment
shell> tpm query staging
tungsten@db1:/opt/continuent/software/tungsten-clustering-7.1.2-81
shell> cd {STAGING_DIRECTORY}
shell> tools/tpm configure alpha --property=server.listen.address=127.0.0.1
shell> tools/tpm update --replace-release
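After the update completes, the bind address can be confirmed from the host's socket table. The script below is an added example, not part of the original post or of Continuent's tooling; the function name `exposed_listeners` and the sample `ss -ltn` lines are constructed for illustration, and port 3306 is taken from the customer's question.

```shell
#!/bin/sh
# Added example, not from the original post. Audits `ss -ltn` output for a port
# that should be reachable on loopback only (3306 for the Connector here).

# exposed_listeners PORT   (reads `ss -ltn` lines on stdin)
# Prints each non-loopback address the port is listening on.
# Exit status: 0 = loopback only, 1 = exposed, 2 = nothing listening on PORT.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, p, ":")            # $4 is Local Address:Port
            if (p[n] != port) next           # exact match, so 33060 is ignored
            addr = substr($4, 1, length($4) - length(p[n]) - 1)
            seen++
            if (addr ~ /^127\./ || addr == "[::1]") next
            print addr                       # 0.0.0.0, *, [::] or a routable IP
            bad++
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }'
}

# Constructed sample output, before and after setting server.listen.address.
sample_before() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      500          0.0.0.0:3306       0.0.0.0:*
EOF
}
sample_after() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      500        127.0.0.1:3306       0.0.0.0:*
EOF
}

for s in sample_before sample_after; do
    if found=$($s | exposed_listeners 3306); then
        echo "$s: port 3306 is bound to loopback only"
    else
        echo "$s: port 3306 exposed on: $found"
    fi
done
# On a live host: ss -ltn | exposed_listeners 3306
```

A non-zero exit status makes the function usable as a gate in a configuration-management run or a pre-scan compliance check.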
Summary
The Wrap-Up
In this blog post we discussed one way to configure the Tungsten Connector for security and PCI Compliance.
Tungsten Clustering is the most flexible, performant global database layer available today - use it underlying your SaaS offering as a strong base upon which to grow your worldwide business!
For more information, please visit https://www.continuent.com/products.
Want to learn more or run a POC? Contact us.