Обсуждение: streaming rep setup in PCI compliance environment
Hello Everyone:
I am trying to setup streaming rep between master ( which is in PCI tier1 zone) to slave ( PCI tier 2 zone). However, I am told that PCI tier1 can only initiate connection to lower security zone, in our case slave environment ( PCI tier 2). However, for streaming rep to work, slave needs to connect to Master. Does this violate PCI requirement. Anyone has experience setting up master-salve in PCI compliance environment?
Please let me know.
Please let me know.
Thanks
Dinesh
I spoke with my PCI compliance officer here, and provided you've documented what you're doing here and why, you should be compliant. We had a fairly long discussion about this and I had to explain to him that I was referring to the slave as being a hot standby, ready to take over in the event of an issue with the primary. If you're doing this for some other reason, so long as it's explained, you could still be OK.
--
Jay
On Fri, Oct 9, 2015 at 11:48 AM, dinesh bhandary <dbhandary@gmail.com> wrote:
Hello Everyone:I am trying to setup streaming rep between master ( which is in PCI tier1 zone) to slave ( PCI tier 2 zone). However, I am told that PCI tier1 can only initiate connection to lower security zone, in our case slave environment ( PCI tier 2). However, for streaming rep to work, slave needs to connect to Master. Does this violate PCI requirement. Anyone has experience setting up master-salve in PCI compliance environment?
Please let me know.ThanksDinesh
Thank you, John.
I am also trying to find from our PCI representative as well. In our case slave will be used for reporting purpose not for failover.
I guess the biggest dilemma from PCI perspective is tier 2 initiating connection to tier1, but it is just a db user with replication role, which is a pretty controlled role.
Dinesh
On Fri, Oct 9, 2015 at 10:50 AM, John Scalia <jayknowsunix@gmail.com> wrote:
I spoke with my PCI compliance officer here, and provided you've documented what you're doing here and why, you should be compliant. We had a fairly long discussion about this and I had to explain to him that I was referring to the slave as being a hot standby, ready to take over in the event of an issue with the primary. If you're doing this for some other reason, so long as it's explained, you could still be OK.--JayOn Fri, Oct 9, 2015 at 11:48 AM, dinesh bhandary <dbhandary@gmail.com> wrote:Hello Everyone:I am trying to setup streaming rep between master ( which is in PCI tier1 zone) to slave ( PCI tier 2 zone). However, I am told that PCI tier1 can only initiate connection to lower security zone, in our case slave environment ( PCI tier 2). However, for streaming rep to work, slave needs to connect to Master. Does this violate PCI requirement. Anyone has experience setting up master-salve in PCI compliance environment?
Please let me know.ThanksDinesh
On Oct 9, 2015, at 10:48 AM, dinesh bhandary <dbhandary@gmail.com> wrote: > > I am trying to setup streaming rep between master ( which is in PCI tier1 zone) to slave ( PCI tier 2 zone). However, Iam told that PCI tier1 can only initiate connection to lower security zone, in our case slave environment ( PCI tier 2).However, for streaming rep to work, slave needs to connect to Master. Does this violate PCI requirement. Anyone has experiencesetting up master-salve in PCI compliance environment? I have a simliar situation in which I do not want anything in my replica's zone to be able to initiate connections into thedata center where the primary is. I have the master set up an SSH reverse tunnel to the slave, and then the slave connectsto that tunnel end locally. -- Scott Ribe scott_ribe@elevated-dev.com http://www.elevated-dev.com/ https://www.linkedin.com/in/scottribe/ (303) 722-0567 voice
On 10/09/2015 05:49 PM, Scott Ribe wrote: > On Oct 9, 2015, at 10:48 AM, dinesh bhandary <dbhandary@gmail.com> wrote: >> >> I am trying to setup streaming rep between master ( which is in PCI tier1 zone) to slave ( PCI tier 2 zone). However,I am told that PCI tier1 can only initiate connection to lower security zone, in our case slave environment ( PCItier 2). However, for streaming rep to work, slave needs to connect to Master. Does this violate PCI requirement. Anyonehas experience setting up master-salve in PCI compliance environment? > > > I have a simliar situation in which I do not want anything in my replica's zone to be able to initiate connections intothe data center where the primary is. I have the master set up an SSH reverse tunnel to the slave, and then the slaveconnects to that tunnel end locally. > You could also just use archiving, hot_standby still works when you do that. JD -- Command Prompt, Inc. - http://www.commandprompt.com/ 503-667-4564 PostgreSQL Centered full stack support, consulting and development. New rule for social situations: "If you think to yourself not even JD would say this..." Stop and shut your mouth. It's going to be bad.