EventStoreDB 23.10.0 builds on the security changes introduced in 23.6.0. The security highlights in this version are:
- Allow using a Wildcard for CertificateReservedCommonName
- Default Admin and Ops passwords
- Disable Anonymous Access by default
- FIPS commercial plugin
Allow Using a Wildcard for CertificateReservedCommonName
We’ve added support for using a wildcard in the CertificateReservedCommonName option for the cluster.
Previously, you had to use the same common name for all nodes in the cluster or generate a wildcard certificate.
Now you can have non-wildcard certificates for each node in the cluster (e.g. node3.mydomain.com) and use a wildcard for the CertificateReservedCommonName to match all of them (e.g.
CertificateReservedCommonName now defaults to the common name of the node certificate. So, you now don’t need to specify this option unless you are using the wildcard mentioned above.
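As an added example (not EventStoreDB's own code), the check below models how each node's certificate common name is tested against CertificateReservedCommonName, both with the 23.10 default (each node reserves its own CN) and with a wildcard. It assumes TLS-style wildcard rules (a single '*' as the whole leftmost label, matching exactly one label), which may differ from EventStoreDB's exact matcher.

```python
from typing import Dict, List, Optional, Tuple

# Assumed matching rule (RFC 6125 style, as browsers apply it): '*' is only
# valid as the entire leftmost label, matches exactly one label, and must
# leave at least two fixed labels so that '*.com' is refused.  A pattern
# that breaks these rules matches nothing rather than matching everything.
def reserved_name_matches(reserved: str, cn: str) -> bool:
    reserved = reserved.lower().rstrip(".")
    cn = cn.lower().rstrip(".")
    if "*" not in reserved:
        return reserved == cn          # exact match, e.g. the 23.10 default
    labels = reserved.split(".")
    if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
        return False                   # bare '*', 'node*.x', '*.com', 'a.*.b'
    cn_labels = cn.split(".")
    # Same number of labels (so 'a.b.mydomain.com' is rejected) and the
    # fixed suffix must be identical.
    return len(cn_labels) == len(labels) and cn_labels[1:] == labels[1:]


def audit_cluster(reserved: Optional[str],
                  node_cns: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (validating node, peer) pairs whose peer certificate would be
    rejected.  reserved=None models the 23.10 default: each node reserves
    the CN of its own certificate, so peers must present that same CN."""
    failures = []
    for me, my_cn in node_cns.items():
        expected = reserved if reserved is not None else my_cn
        for peer, peer_cn in node_cns.items():
            if peer != me and not reserved_name_matches(expected, peer_cn):
                failures.append((me, peer))
    return failures


# Constructed sample cluster with one non-wildcard certificate per node.
NODES = {
    "node1": "node1.mydomain.com",
    "node2": "node2.mydomain.com",
    "node3": "node3.mydomain.com",
}

if __name__ == "__main__":
    # Default (own CN reserved): every pair fails because the CNs differ.
    print("default:", audit_cluster(None, NODES))
    # Wildcard reserved name: all per-node certificates are accepted.
    print("wildcard:", audit_cluster("*.mydomain.com", NODES))
```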
Default Admin and Ops passwords
We want to eventually remove the default password changeit because having a known default password can leave EventStore vulnerable if the admin and ops passwords aren’t updated.
As such, we have added new options to set the default admin and ops passwords on the first run of EventStore. You can do this by setting the EVENTSTORE_DEFAULT_OPS_PASSWORD environment variables.
These settings won’t affect a database that has already been created.
In a future version, we will remove the changeit default password and require a default password to be configured at startup.
These new options can only be set by environment variables so that the passwords aren’t saved in plaintext in config files.
Disable Anonymous Access by Default
Historically, anonymous users with network access have been allowed to read and write streams that do not have access control lists. Anonymous access has also been available to the /stats, /info, and other HTTP endpoints.
Anonymous access is now disabled by default, except for the
Gossip is also still anonymous by default while we update our supported clients to use authenticated gossip.
If you need to re-enable anonymous access, you can do this with the new
Check the Anonymous Access to Endpoints documentation for more options.
EventStoreDB Commercial version is now FIPS compliant
There is now a commercial plugin to allow EventStoreDB to run on a FIPS-compliant system. You can find instructions on how to download and use this plugin on the commercial downloads site.
We have also updated our certificate generation tools to create certificates that work on FIPS systems to make testing easier.
The Commercial version of EventStoreDB and the commercial downloads site are available to Event Store Support customers. If you would like to find out more, please get in touch.