Setting up MongoDB with Member x509 auth and SSL + easy-rsa

MongoDB Member with x509 authHi everyone! This is one of the most requested subjects to our support team and I’d like to share the steps as a tutorial blog post. Today, we will set up internal authentication using x.509 certificates as well as enabling TSL/SSL.

If using authentication in MongoDB, there are two ways to configure intra-cluster authentication:

  • Using a Key File
  • Using x509 certs

Key files are very straight forward; just create a random text file and share it with all the members in the replicaset/sharding. However, this is not the most secure way and for this reason, it is very common to use certificates instead.

It is perfectly possible to have self-signed certificates, but in this blog, we will use easy-rsa to make real certificates signed by one certificate authority. By the documentation, easy-rsa is a CLI utility to build and manage a PKI CA. In laymen’s terms, this means to create a root certificate authority, and request and sign certificates, including sub-CAs and certificate revocation lists (CRL). This project is hosted on GitHub on https://github.com/OpenVPN/easy-rsa and we are going to use release 2.x for this tutorial.

We will use Percona Server for MongoDB v3.6 – which is currently one of the most used versions – but this works for any MongoDB version starting at 3.2. The steps as to how to create a user will be omitted in this blog. We are considering the primary is configured with authentication and the first user was already created.

Steps:

  1. Download and configure easy-rsa:
  2. Edit the source files with information about your company:
  3. Load the variables with the source command:
  4.  Edit the openssl-1.0.0.cnf file commenting the keys right after [ usr_cert ]

    More info here on Extended Key Usage
  5. Now everything is prepared to create our CA file. Let’s create the CA and the members’ certificates:
  6. We suggest keeping the default values for the CA and informing the FQN or the hostname in the certificates. (It will be validated by MongoDB.)This is the expected output:
  7. After creating all the certificates, we need to combine the keys and its certificate in order to create the .pem file.

    Repeat this process to all the server keys.
  8. Now that we have the server .pem files prepared we need to edit the mongod.conf, considering the keys were moved to /var/lib/mongodb/ 
  9. Once the changes are made, the services must be started and the members should start normally.
  10. It is now time to configure the clients, as otherwise, no one will be able to log in to this environment. Again we need to edit the openssl-1.0.0.cnf removing the comments. Clients need to have those keys in the certificate.
  11. After editing the file, create the client file, it is as simple as creating a new key:

    There is a caveat here, the Organization Unit must be different than MongoDB. I recommend calling as a MongoDBClient, and once the files are created repeat the process of linking the client_name.crt and the client_name.key file in a single file and using it to log in to the environment.
  12. Connecting to the database is simple; we need to specify the ca file along with the certificate the client is connecting.
    Please be aware you’ll need to connect to the server local IP instead of localhost, and you may need to edit the /etc/hosts in order to force the databases and clients to resolve the hostnames.

With these described steps you should be able to enable SSL + member authentication in your environment. Please feel free to give us feedback here or tweet to @AdamoTonete or @Percona on Twitter!

Share this post

Comment (1)

  • Trangtriquangcao Reply

    Thank you so much for this detailed article. I have installed mongodb + ssl without error

    June 27, 2020 at 2:34 am

Leave a Reply