RaaS Database Security and Connectivity common questions
search cancel

RaaS Database Security and Connectivity common questions

book

Article ID: 407508

calendar_today

Updated On:

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

This article addresses common questions regarding RaaS database credential security, required permissions, and connectivity.

Environment

Aria Config - all versions

Tanzu Salt - all versions

Automation Config - all versions

Resolution

How are RaaS database credentials secured?

RaaS stores database credentials in an encrypted file. For detailed information on this process, refer to the RaaS installation and configuration documentation: RaaS installation and configuration documentation

What database permissions are required for the RaaS application to operate correctly?

The RaaS daemon requires the following capabilities for the assigned user role:
Create and drop tables
Create and drop sequences
Create and drop extensions
Create and drop functions
Create and drop triggers
Create and drop stored procedures
Create and drop indexes
Create and drop database
Note: Creating databases may require additional special access to template0 or template1 in PostgreSQL, depending on your specific setup.

Does anyone have direct access to the database instances to log in?

There is a database user created with a password, intended solely for application use. These credentials are securely stored within the application configuration. While the credentials are required to be entered during installation and setup, there is usually a clean-up process to remove any credential data from the installation process.

What technical control prevents direct access to the database (if applicable)?

The primary technical control preventing direct access to the database, apart from the RaaS application, is the lack of credentials for the application user.

Does the database have open network ports outside the host? Which ones?

Yes, Port 5432 is open and allows remote connections from specific IP addresses.

What are the connections to the database? Are there any outside the host?

The RaaS daemon connects to the database over TCP/IP to port 5432. The credentials used for this connection are provided during installation and setup and are stored in an encrypted file that can only be decrypted by the RaaS daemon itself.

How does the application access the database? Over a network port?

Yes, the application connects to PostgreSQL via a network connection on port 5432. Access to the database is restricted to specific IP addresses through the pg_hba.conf file configuration in PostgreSQL.

 

Powered by Wolken Software