Odoo Help


0

PCI Compliance Help

By
Aiden Andrews-McDermott
on 3/2/15, 7:19 PM 815 views

Hey all,

In order to be PCI compliant my database server needs to be separate from my instance of Odoo.

Now I am running 3 servers:

1x Nginx server proxying to Odoo,

1x Odoo server with plenty of excess resources,

1x PostgreSQL server.

My problem is that, due to the level of security, I can't SSH tunnel, so I need to connect Odoo to Postgres over SSL. I have a wildcard certificate signed by StartSSL which is valid.

What setting would I need in my Odoo configuration to force it to use SSL whilst communicating with the database, as the first step to making Odoo PCI compliant?

Secondly, I am running 2 separate databases on one master code base install. When I use xmlrpcs it doesn't load in. Can anybody post a sample working config, as I also need to have the connection from the Nginx server to the Odoo server speak securely to finalise Odoo being able to be signed off on as PCI compliant.

Any help would be appreciated :)

0
Jordan Vrtanoski
On 3/3/15, 1:25 AM

Odoo server doesn't support SSL communication with the database. To achieve this you will need to modify the way database connections are handled by the server.

As a workaround, you can set up a TLS/SSL tunnel between the database server and the Odoo server which will be transparent for the applications. The simplest way is to use ssh port forwarding, where you map the local port to a remote port over SSH; the generic form of the command is

ssh -L <local port>:<remote host name/ip>:<remote port> <host>

0

Hey Jordan, I decided to see if the configuration option db_ssl = True was valid, and the server booted. I used tcpdump on the PostgreSQL server with nothing connecting but Odoo. I ran this test multiple times, each time with SSL being toggled on and off. Reading the dump file with Wireshark v1.10.6, it shows that database connection encryption does work on the remote server.

For those interested in replicating or implementing:

In your Odoo config file add db_ssl = True

On the PostgreSQL server ensure ssl is set to true in your postgresql.conf (encrypted and non-encrypted seem to run on the same port).

On the PostgreSQL server edit pg_hba.conf from host to hostssl on the correct line to force SSL, or leave it as host to default to unencrypted if there is an issue.

I have decided to stick a copy of nginx on the Odoo server; that way I don't have to worry about XMLRPCS, as from what I am reading it is now deprecated. This also allows me to have fail2ban prevent DDoS a little bit better.

There is no db_ssl configuration switch recognised in Odoo. The only db_ switches that are recognised are 'db_host', 'db_port', 'db_user', 'db_password'. You can check this in config.py and sql_db.py. You should use packet inspection (like pcap, tcpdump, etc.) to verify that your traffic is indeed encrypted.

Jordan Vrtanoski
on 3/3/15, 5:35 AM
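The two comments above are consistent once you know where the encryption actually comes from. Odoo talks to PostgreSQL through psycopg2, which is a libpq client, and libpq's default sslmode is 'prefer': it negotiates SSL on the normal port whenever the server offers it (which is why the traffic looked encrypted with or without the unrecognised db_ssl key, and why encrypted and cleartext sessions share port 5432) and silently falls back to cleartext when it does not. What forces encryption is therefore the server-side pg_hba.conf, where a 'hostssl' record only matches SSL connections, plus, on the client, a PGSSLMODE of require or stronger in the environment of the Odoo process (since, as Jordan notes, Odoo passes only host, port, user and password in its DSN). The catch with pg_hba.conf is that it is evaluated first-match, so a leftover catch-all 'host' line below the 'hostssl' line still admits cleartext. The script below is an added example, not Odoo or PostgreSQL code; it applies PostgreSQL's first-match rule to two constructed pg_hba.conf files and reports whether a non-SSL connection from the Odoo host would still get through. The host 10.0.0.20 and the role 'odoo' are assumptions made for the sample.

```python
"""pg_hba.conf check, added as an example and not Odoo or PostgreSQL code.
Applies PostgreSQL's first-match rule for pg_hba.conf records to constructed
sample files and asks whether a cleartext (non-SSL) connection from the Odoo
host would still be accepted. Handles 'local', 'host', 'hostssl' and
'hostnossl' records with 'all', CIDR or address+netmask ADDRESS fields;
other record types and hostname/samehost/samenet addresses are skipped.
Host 10.0.0.20 and role 'odoo' are assumptions for the sample only."""
import ipaddress

# Constructed sample: the 'hostssl' line the thread recommends, followed by a
# leftover catch-all 'host' line that still admits cleartext connections.
LEAKY_PG_HBA = """\
# TYPE    DATABASE  USER  ADDRESS        METHOD
local     all       all                  peer
hostssl   all       odoo  10.0.0.20/32   md5
host      all       all   0.0.0.0/0      md5
"""
# Constructed hardened sample: SSL only for the Odoo host, plus an explicit
# 'hostnossl ... reject' so a cleartext attempt fails at the server.
STRICT_PG_HBA = """\
# TYPE    DATABASE  USER  ADDRESS        METHOD
local     all       all                  peer
hostssl   all       odoo  10.0.0.20/32   md5
hostnossl all       all   0.0.0.0/0      reject
"""

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_pg_hba(text):
    """Return the handled records of a pg_hba.conf, in file order."""
    records = []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local":
            records.append({"type": "local", "databases": f[1].split(","),
                            "users": f[2].split(","), "network": None,
                            "method": f[3]})
            continue
        if f[0] not in ("host", "hostssl", "hostnossl"):
            continue
        address, rest = f[3], f[4:]
        if address == "all":
            network, method = None, rest[0]
        elif "/" in address:
            network, method = ipaddress.ip_network(address, strict=False), rest[0]
        elif _is_ip(rest[0]):  # ADDRESS NETMASK METHOD form
            network = ipaddress.ip_network(address + "/" + rest[0], strict=False)
            method = rest[1]
        else:  # hostname, samehost or samenet: not handled, skipped
            continue
        records.append({"type": f[0], "databases": f[1].split(","),
                        "users": f[2].split(","), "network": network,
                        "method": method})
    return records

def matches(rec, client_ip, ssl, database, user):
    """One record either matches the connection or is skipped entirely."""
    if rec["type"] == "local":  # Unix-socket records never match TCP
        return False
    if rec["type"] == "hostssl" and not ssl:
        return False
    if rec["type"] == "hostnossl" and ssl:
        return False
    if "all" not in rec["databases"] and database not in rec["databases"]:
        return False
    if "all" not in rec["users"] and user not in rec["users"]:
        return False
    if rec["network"] is not None and \
            ipaddress.ip_address(client_ip) not in rec["network"]:
        return False
    return True

def first_match(records, client_ip, ssl, database="odoo", user="odoo"):
    """The record PostgreSQL would apply; None means the connection is rejected."""
    for rec in records:
        if matches(rec, client_ip, ssl, database, user):
            return rec
    return None

def cleartext_allowed(text, client_ip, database="odoo", user="odoo"):
    """True if a non-SSL connection from client_ip would reach authentication."""
    rec = first_match(parse_pg_hba(text), client_ip, False, database, user)
    return rec is not None and rec["method"] != "reject"

# Client side: the Odoo build discussed here passes no sslmode in its DSN, so
# libpq uses PGSSLMODE from the Odoo process environment or its default
# 'prefer', which silently downgrades to cleartext if the server offers no SSL.
def libpq_enforces_tls(environ):
    """Whether the effective libpq sslmode refuses a cleartext connection."""
    return environ.get("PGSSLMODE", "prefer") in ("require", "verify-ca", "verify-full")

if __name__ == "__main__":
    for name, conf in (("leaky", LEAKY_PG_HBA), ("strict", STRICT_PG_HBA)):
        print(name, "cleartext from 10.0.0.20 allowed:", cleartext_allowed(conf, "10.0.0.20"))
```

Run as a script it reports True for the leaky file and False for the strict one. To close the client side as well, set PGSSLMODE=verify-full (with PGSSLROOTCERT pointing at the CA that signed the database certificate) in the environment of the Odoo service, then confirm with tcpdump on the database host, as Jordan suggests, that no cleartext StartupMessage reaches port 5432.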



Stats

Asked: 3/2/15, 7:19 PM
Seen: 815 times
Last updated: 3/16/15, 8:10 AM