MongoDB Notes

Authentication with X.509 Certificates

Mongo Authentication - Replica Set

Client Authentication: X.509
Internal Authentication: X.509
Operating System: Linux

In this procedure, you will configure a MongoDB replica set with three members to use X.509 certificates for both client and internal authentication. X.509 authentication is the most secure method available in the Community Edition of MongoDB.

 

Prerequisites

 

A .PEM file for each client containing the private key and certificate for the client.

A .PEM file containing the private key and certificate for each server. (One shared file for all servers can be used, but this is not the best approach.)

The certificate for the certificate authority.

The subject of the client certificate.  In this example, the subject is:

 

DC=com,DC=waysysweb,C=US,ST=North Carolina,O=Waysys LLC,OU=MongoDBUser,CN=sadam

 

The replica set has been configured and a user with root role has been added.

 

Procedure

 

1. Place the three certificate files on their respective servers, in a directory named certs below the directory from which you will run the MongoDB commands.

2. Create three configuration files with the appropriate settings for X.509 authentication. (See the example below.)

3. Start each new member of the replica set with this command, where conf1.yaml is the relevant configuration file:

mongod --auth -f conf1.yaml
mongod --auth -f conf2.yaml
mongod --auth -f conf3.yaml

 

4. Connect to the first replica set member with this command, run on the same server as that member:

mongo --port 31210 --host mongodb.waysysweb.us.com --ssl --sslPEMKeyFile certs/client.pem --sslCAFile certs/ca.pem

 

5. Authenticate with these commands:

use admin
db.auth('userAdmin', 'badges')

 

6. Create a user administrator:

db.getSiblingDB('$external').runCommand(
  {
    createUser: "DC=com,DC=waysysweb,C=US,ST=North Carolina,O=Waysys LLC,OU=MongoDBUser,CN=sadam",
    roles: [{role: 'userAdminAnyDatabase', db: 'admin'}]
  })

 

7. Authenticate with this command, using the subject of the client certificate:

var user = {user: 'DC=com,DC=waysysweb,C=US,ST=North Carolina,O=Waysys LLC,OU=MongoDBUser,CN=sadam',
  mechanism: 'MONGODB-X509'}
db.getSiblingDB('$external').auth(user)

 

Example Configuration File

systemLog:
  destination: file
  path: /home/vagrant/data/r0/mongodb.log
storage:
  dbPath: /home/vagrant/data/r0
processManagement:
  fork: true
security:
  clusterAuthMode: x509
net:
  bindIp: mongodb.waysysweb.us.com
  port: 31210
  ssl:
    mode: requireSSL
    CAFile: /home/vagrant/shared/certs/ca.pem
    PEMKeyFile: /home/vagrant/shared/certs/server.pem
replication:
  replSetName: repl

 

Issue

 

When setting the CAFile and PEMKeyFile values, be sure to use full paths, not relative paths.
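As an added check (example code written for these notes, not part of the original page or of MongoDB), the following Python validates a mongod configuration against the settings used above: clusterAuthMode x509, requireSSL, and absolute CAFile and PEMKeyFile paths. The parser covers only the flat key/value subset shown in the example file; GOOD_CONF and WEAK_CONF are constructed samples.

```python
import os
# Constructed sample, not from the page: it mirrors the example configuration file above.
GOOD_CONF = """\
security:
  clusterAuthMode: x509
net:
  bindIp: mongodb.waysysweb.us.com
  port: 31210
  ssl:
    mode: requireSSL
    CAFile: /home/vagrant/shared/certs/ca.pem
    PEMKeyFile: /home/vagrant/shared/certs/server.pem
"""
# Same config with the relative paths the Issue section warns about and a non-enforcing TLS mode.
WEAK_CONF = (GOOD_CONF.replace("requireSSL", "allowSSL")
             .replace("/home/vagrant/shared/certs/", "certs/"))

def parse_conf(text):
    """Parse the 'key: value' indentation subset these mongod configs use (no lists) into nested dicts."""
    stack = [(-1, {})]  # (indent, mapping) pairs; stack[0] holds the root mapping
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while indent <= stack[-1][0]:  # leave mappings that are deeper than, or siblings of, this key
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return stack[0][1]

def check_x509_conf(text):
    """Return findings that would break the X.509 setup on this page; an empty list means it passes."""
    conf = parse_conf(text)
    ssl = conf.get("net", {}).get("ssl", {})
    findings = []
    if conf.get("security", {}).get("clusterAuthMode") != "x509":
        findings.append("security.clusterAuthMode must be x509")
    if ssl.get("mode") != "requireSSL":
        findings.append("net.ssl.mode must be requireSSL")
    for key in ("CAFile", "PEMKeyFile"):
        path = ssl.get(key, "")
        if not os.path.isabs(path):  # relative or missing: mongod will not resolve the file reliably
            findings.append(f"net.ssl.{key} must be an absolute path, got {path!r}")
    return findings
```

Run check_x509_conf on each of the three conf files before starting mongod; any finding for the path keys is the exact mistake described under Issue.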

 

Related Information

 

Creating Certificates for MongoDB

Determining the Subject of a Certificate

MongoDB considers X.509 certificates to be an external source.  Therefore, users authenticate against the $external database, not the admin database.

Setting Up a Replica Set and User