Security best practices

Network security is the number one priority for all IT departments.

On the database side:

  • Create a database user that has the least amount of access needed to accomplish database tasks.
  • Work with your IT department to secure (harden) the computer on which the relational database is installed.
  • Change your database configuration to permit connections that use the latest TLS version protocols.
    IMPORTANT: For security reasons, each database connection must support the latest TLS connection protocol. TLS 1.0 and TLS 1.1 connection protocols no longer meet our security standards. Coordinate with your database administrator to make sure that your database supports the latest TLS version.

    The following table gives an overview of the TLS versions supported by different databases and provides information about the client-side setup:

    DB type: MySQL
    Supported TLS versions: TLSv1, TLSv1.1, TLSv1.2
    Connection property (if any): enabledTLSProtocols
    Client-side configuration information:
      For Connector/J 8.0.26 and later: The TLSv1 and TLSv1.1 protocols have been deprecated. While you can still connect to the server using those TLS versions, for any such connection, Connector/J writes to its logger the message “This connection is using TLSv1[.1], which is now deprecated and will be removed in a future release of Connector/J”.
      For more information, see MySQL Connector/J 8.0 Developer Guide > Connector/J Reference > Connecting Securely Using SSL.

    DB type: Oracle
    Supported TLS versions: undetermined | 1.0 | 1.1 | 1.2
    Connection property (if any): oracle.net.ssl_version or SSL_VERSION in sqlnet.ora/listener.ora
    Client-side configuration information:
      For information about how to configure the version of SSL to be used, see Oracle Database Security Guide at https://docs.oracle.com and choose C Kerberos, SSL, and RADIUS Authentication Parameters > Secure Sockets Layer Version Parameters.

    DB type: MS SQL Server
    Supported TLS versions: 1.0 | 1.1 | 1.2
    Connection property (if any): (none listed)
    Client-side configuration information:
      For more information about how to enable TLS 1.2 support for SQL Server 2017 on Windows, SQL Server 2016, SQL Server 2008, SQL Server 2008 R2, SQL Server 2012, and SQL Server 2014, see Microsoft Support at https://support.microsoft.com and choose Knowledge Base Article KB3135244 TLS 1.2 support for Microsoft SQL Server.

    DB type: HSQLDB
    Supported TLS versions: TLSv1, TLSv1.1, TLSv1.2, or TLSv1.3
    Connection property (if any): (none listed)
    Client-side configuration information:
      HSQLDB is used internally only as a file system DB. For external use (a future use case), use the following HSQLDB TLS URL prefixes:

      • jdbc:hsqldb:hsqls://
      • jdbc:hsqldb:https://
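
The following Python check is an added example, not part of the original documentation or of the Niagara software. It audits JDBC connection URLs against the guidance above: it flags TLSv1 and TLSv1.1 in the MySQL enabledTLSProtocols property and HSQLDB network URLs that do not use the TLS prefixes. The host names, database names and the function name audit_jdbc_url are assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# TLS versions the page says no longer meet the security standard.
DEPRECATED = {"TLSv1", "TLSv1.1"}
# HSQLDB network prefixes without TLS (counterparts of hsqls:// and https://).
HSQLDB_PLAINTEXT = ("hsql://", "http://")


def audit_jdbc_url(url):
    """Return a list of findings for one JDBC URL; an empty list means nothing was flagged."""
    findings = []
    if url.startswith("jdbc:hsqldb:"):
        rest = url[len("jdbc:hsqldb:"):]
        if rest.startswith(HSQLDB_PLAINTEXT):
            findings.append("HSQLDB network URL without TLS; use the hsqls:// or https:// prefix")
        return findings  # file/mem URLs open no network connection
    if url.startswith("jdbc:mysql:"):
        # Drop the "jdbc:" prefix so the rest parses like an ordinary URL.
        params = parse_qs(urlsplit(url[len("jdbc:"):]).query)
        values = params.get("enabledTLSProtocols")
        if not values:
            findings.append("enabledTLSProtocols is not set; the driver default decides the TLS version")
            return findings
        for proto in (p.strip() for p in values[-1].split(",")):
            if proto in DEPRECATED:
                findings.append(f"enabledTLSProtocols allows deprecated {proto}")
        return findings
    return ["URL type not covered by this check"]


# Constructed sample URLs (hosts and database names are made up).
SAMPLES = [
    "jdbc:mysql://db.example.internal:3306/niagara?enabledTLSProtocols=TLSv1.2",
    "jdbc:mysql://db.example.internal:3306/niagara?useSSL=true&enabledTLSProtocols=TLSv1,TLSv1.1,TLSv1.2",
    "jdbc:mysql://db.example.internal:3306/niagara",
    "jdbc:hsqldb:hsql://hist.example.internal/store",
    "jdbc:hsqldb:hsqls://hist.example.internal/store",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for finding in audit_jdbc_url(sample) or ["ok"]:
            print(f"{sample}\n    {finding}")
```
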

On the Niagara side:

  • Use encrypted and authenticated connections (refer to the Niagara Station Security Guide).
  • Do not enable the Sql Scheme Enabled property. This property is on the MySQLDatabase Property Sheet (to find it, expand Config > Drivers > RdbmsNetwork, and double-click the MySQLDatabase node).
  • If you are a Niagara Enterprise Security user, define a strong Passkey to protect your network PIN. To configure the Passkey, expand Config > Drivers > RdbmsNetwork, expand your MySql database and double-click Rdb Security Settings.