Hi everyone! This is one of the most requested subjects to our support team and I’d like to share the steps as a tutorial blog post. Today, we will set up internal authentication using x.509 certificates as well as enabling TLS/SSL.
If using authentication in MongoDB, there are two ways to configure intra-cluster authentication: key files and x.509 certificates.
Key files are very straightforward; just create a random text file and share it with all the members in the replica set/sharded cluster. However, this is not the most secure way, and for this reason it is very common to use certificates instead.
It is perfectly possible to have self-signed certificates, but in this blog we will use easy-rsa to make real certificates signed by one certificate authority. According to its documentation, easy-rsa is a CLI utility to build and manage a PKI CA. In layman’s terms, this means creating a root certificate authority, and requesting and signing certificates, including sub-CAs and certificate revocation lists (CRLs). The project is hosted on GitHub at https://github.com/OpenVPN/easy-rsa and we are going to use release 2.x for this tutorial.
We will use Percona Server for MongoDB v3.6 – which is currently one of the most used versions – but this works for any MongoDB version starting at 3.2. The steps for creating a user are omitted in this blog. We assume the primary is already configured with authentication and the first user has already been created.
```
yum install git -y
mkdir /usr/share/easy-rsa
git clone -b release/2.x https://github.com/OpenVPN/easy-rsa.git
cp easy-rsa/easy-rsa/2.0/* /usr/share/easy-rsa
cd /usr/share/easy-rsa
```
```
cd /usr/share/easy-rsa
nano vars

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.

export KEY_COUNTRY="US"                 # <your data>
export KEY_PROVINCE="NC"                # <your data>
export KEY_CITY="DURHAM"                # <your data>
export KEY_ORG="Percona"                # <your data>
export KEY_EMAIL="[email protected]"    # <your data>
export KEY_OU="MongoDB"                 # <your data>

# You may need to add the following variable:
# Bug: https://bugs.launchpad.net/serverguide/+bug/1504676
export KEY_ALTNAMES=""
```
```
source ./vars
```
```
# leave these two lines commented out while building the CA and the server certificate
#extendedKeyUsage=clientAuth
#keyUsage = digitalSignature
```
```
cd /usr/share/easy-rsa
# this command will clean all the data in the ./keys folder
./clean-all
# It will generate a key for the CA as well as a certificate
./build-ca
# It will generate a key for the server as well as a certificate
./build-key <server_name>
```
```
Generating a 2048 bit RSA private key
......................................................................................+++
............................+++
writing new private key to 'server_name.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [NC]:
Locality Name (eg, city) [Durham]:
Organization Name (eg, company) [Percona]:
Organizational Unit Name (eg, section) [MongoDB]:
Common Name (eg, your name or your server's hostname) [server_name]:
Name [EasyRSA]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
...
Certificate is to be certified until Mar 9 11:29:40 2028 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```
```
cd keys
ls -l
-rw-r--r-- 1 root root 1,7K Mar  9 09:35 ca.crt
-rw------- 1 root root 1,7K Mar  9 09:35 ca.key
-rw-r--r-- 1 root root 4,1K Mar 12 08:29 server_name.crt
-rw-r--r-- 1 root root 1,1K Mar 12 08:29 server_name.csr
-rw------- 1 root root 1,7K Mar 12 08:29 server_name.key

# combining .key and .crt into a single file.

cat server_name.key server_name.crt > server_name.pem
```
```
security:
  clusterAuthMode: x509
  authorization: enabled
net:
  port: 27017
  bindIp: <ip_number>
  ssl:
    mode: requireSSL
    PEMKeyFile: /var/lib/mongodb/server_name.pem
    CAFile: /var/lib/mongodb/ca.crt
```
```
cd /usr/share/easy-rsa
# uncomment these two lines in the OpenSSL config easy-rsa uses (openssl-1.0.0.cnf)
# before building the client certificate
extendedKeyUsage=clientAuth
keyUsage = digitalSignature
```
```
cd /usr/share/easy-rsa
./build-key <client_name>
```
```
./build-key client_name
....
Country Name (2 letter code) [US]:
State or Province Name (full name) [NC]:
Locality Name (eg, city) [DURHAM]:
Organization Name (eg, company) [Percona]:
Organizational Unit Name (eg, section) [MongoDB]:MongoDBClient
Common Name (eg, your name or your server's hostname) [client_name]:

cd keys
cat client_name.key client_name.crt > client_name.pem
```
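The subjects entered at the easy-rsa prompts above are what mongod compares when it decides whether a certificate belongs to a cluster member (O, OU and DC must agree, and the CN must match the host) or to a client (which must differ in at least one of O, OU, DC, which is why the client certificate above gets OU=MongoDBClient). The following checker is an added example, not part of the original post or of easy-rsa; the hostnames and subject strings are constructed to mirror the prompts shown above.

```python
import re

# Subject attributes MongoDB compares to decide whether two x.509 certificates
# belong to the same cluster (member certs must agree on all three).
MEMBER_ATTRS = ("O", "OU", "DC")


def parse_dn(dn):
    """Parse 'C=US,ST=NC,O=Percona,OU=MongoDB,CN=host' (or the '/'-separated
    openssl form) into {attribute: [values]}. Values containing ',' or '/'
    are not supported by this simple splitter."""
    out = {}
    for part in re.split(r"\s*[,/]\s*", dn.strip().strip("/")):
        if part:
            key, _, value = part.partition("=")
            out.setdefault(key.strip().upper(), []).append(value.strip())
    return out


def member_certs_ok(certs):
    """certs: list of (hostname, subject DN) for every replica set member.
    Returns a list of problems; an empty list means the set is consistent."""
    problems = []
    parsed = [(host, parse_dn(dn)) for host, dn in certs]
    ref = parsed[0][1]  # first member is the reference for O/OU/DC
    for host, p in parsed:
        if host not in p.get("CN", []):
            problems.append(f"{host}: CN {p.get('CN')} does not match hostname")
        for a in MEMBER_ATTRS:
            if p.get(a, []) != ref.get(a, []):
                problems.append(f"{host}: {a}={p.get(a)} differs from {ref.get(a)}")
    return problems


def client_cert_ok(client_dn, member_dn):
    """A client certificate must differ from the member certificates in at
    least one of O, OU, DC, otherwise mongod would treat it as a member."""
    c, m = parse_dn(client_dn), parse_dn(member_dn)
    return any(c.get(a, []) != m.get(a, []) for a in MEMBER_ATTRS)


# Constructed sample subjects modelled on the easy-rsa prompts in this post.
MEMBERS = [
    ("mongo1.example.internal", "C=US,ST=NC,L=Durham,O=Percona,OU=MongoDB,CN=mongo1.example.internal"),
    ("mongo2.example.internal", "C=US,ST=NC,L=Durham,O=Percona,OU=MongoDB,CN=mongo2.example.internal"),
    ("mongo3.example.internal", "C=US,ST=NC,L=Durham,O=Percona,OU=Analytics,CN=mongo3.example.internal"),
]
CLIENT = "C=US,ST=NC,L=Durham,O=Percona,OU=MongoDBClient,CN=client_name"
BAD_CLIENT = "C=US,ST=NC,L=Durham,O=Percona,OU=MongoDB,CN=client_name"

if __name__ == "__main__":
    print(member_certs_ok(MEMBERS))                      # mongo3's OU differs
    print(client_cert_ok(CLIENT, MEMBERS[0][1]))         # True
    print(client_cert_ok(BAD_CLIENT, MEMBERS[0][1]))     # False: looks like a member
```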
```
mongo --ssl --host server_name --sslCAFile /usr/share/easy-rsa/keys/ca.crt \
  --sslPEMKeyFile /usr/share/easy-rsa/keys/client_name.pem --port 27017 \
  -u <user> -p --authenticationDatabase admin
```
With the steps described above you should be able to enable SSL + member authentication in your environment. Please feel free to give us feedback here or tweet to @AdamoTonete or @Percona on Twitter!