Mongo Authentication - Replica Set

Client Authentication: X.509
Internal Authentication: X.509
Operating System: Linux
In this procedure, you configure a three-member MongoDB replica set to use X.509 certificates for both client authentication and internal (member-to-member) authentication. X.509 is the strongest authentication mechanism available in the Community Edition of MongoDB; Kerberos and LDAP authentication require the Enterprise edition. You need the following before you begin:
•A .PEM file for each client containing the client's private key and certificate.
•A .PEM file for each server containing that server's private key and certificate. (A single file shared by all servers works, but it is not the best approach: a compromise of one host then exposes the key every member uses.) Member certificates must share the same O, OU and DC values and differ in CN, and each must contain its server's hostname in the CN or in a subject alternative name.
•The certificate of the certificate authority (CA) that signed the server and client certificates.
•The subject of the client certificate. In this example, the subject is:
DC=com,DC=waysysweb,C=US,ST=North Carolina,O=Waysys LLC,OU=MongoDBUser,CN=sadam
The client subject must differ from the member certificates in at least one of O, OU or DC (here OU=MongoDBUser); a client certificate with the same O, OU and DC combination as the members is treated as a cluster member and receives full cluster privileges.
•The replica set has been configured and a user with the root role has been added.
1.Place the three certificate files on their respective servers in a directory named certs below the directory from which you will run the MongoDB commands.
2.Create three configuration files with the appropriate settings for X.509 authentication. (See the example below.)
3.Start each member of the replica set with this command, where conf1.yaml is the configuration file for that member (conf2.yaml and conf3.yaml on the other two):
mongod --auth -f conf1.yaml
mongod --auth -f conf2.yaml
mongod --auth -f conf3.yaml
4.Log in to the first replica set member with this command, run on the same server as that member:
mongo --port 31210 --host mongodb.waysysweb.us.com --ssl --sslPEMKeyFile certs/client.pem --sslCAFile certs/ca.pem
5.Authenticate with these commands as the existing password-based user:
use admin
db.auth('userAdmin', 'badges')
6.Create a user administrator in the $external database whose user name is the subject of the client certificate, exactly as it appears in the certificate:
db.getSiblingDB('$external').runCommand(
{
createUser: "DC=com,DC=waysysweb,C=US,ST=North Carolina,O=Waysys LLC,OU=MongoDBUser,CN=sadam",
roles: [{role: 'userAdminAnyDatabase', db:'admin'}],
})
7.Authenticate with this command using the subject in the client certificate:
var user = {user: 'DC=com,DC=waysysweb,C=US,ST=North Carolina,O=Waysys LLC,OU=MongoDBUser,CN=sadam',
mechanism: 'MONGODB-X509'}
db.getSiblingDB('$external').auth(user)
Example configuration file for the first member (conf1.yaml):
systemLog:
  destination: file
  path: /home/vagrant/data/r0/mongodb.log
storage:
  dbPath: /home/vagrant/data/r0
processManagement:
  fork: true
security:
  clusterAuthMode: x509
net:
  bindIp: mongodb.waysysweb.us.com
  port: 31210
  ssl:
    mode: requireSSL
    CAFile: /home/vagrant/shared/certs/ca.pem
    PEMKeyFile: /home/vagrant/shared/certs/server.pem
replication:
  replSetName: repl
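The following is an added example, not code from the original page. It builds throwaway certificates laid out like the ones this page expects (a CA, one member certificate and one client certificate, each .pem holding key and certificate) and then runs the checks worth doing before steps 6 and 7: it reads the client subject in the RFC2253 form that mongod matches the user name against, refuses a client certificate whose O, OU and DC equal the member certificate's (mongod would treat it as a cluster member), and confirms both certificates chain to the CA that will be given to mongod as CAFile. It assumes the openssl command line tool is on PATH; the CA subject and the member OU value MongoDBServer are invented for the demo, and attribute values containing commas are not handled.

```shell
#!/bin/sh
# Added example, not from the original page. Builds throwaway certificates shaped
# like the page's (CA, member cert, client cert; each .pem = key + cert) and runs
# the checks worth doing before steps 6 and 7.
# Assumptions: openssl CLI on PATH; the CA subject and OU=MongoDBServer are invented;
# attribute values containing commas are not handled.
set -eu

CA_SUBJ="/DC=com/DC=waysysweb/O=Waysys LLC/CN=Waysys MongoDB demo CA"
MEMBER_SUBJ="/DC=com/DC=waysysweb/C=US/ST=North Carolina/O=Waysys LLC/OU=MongoDBServer/CN=mongodb.waysysweb.us.com"
CLIENT_SUBJ="/DC=com/DC=waysysweb/C=US/ST=North Carolina/O=Waysys LLC/OU=MongoDBUser/CN=sadam"

# issue DIR NAME SUBJ EXT... : CA-signed key + certificate for SUBJ in DIR/NAME.pem
issue() {
  dir=$1; name=$2; subj=$3; shift 3
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  printf '%s\n' "$@" >"$dir/$name.ext"
  openssl x509 -req -days 1 -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
  cat "$dir/$name.key" "$dir/$name.crt" >"$dir/$name.pem"
}

# make_demo_certs DIR : self-signed CA plus a member cert and a client cert under DIR
make_demo_certs() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$CA_SUBJ" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  # Member cert: hostname in the SAN; its EKU must include clientAuth because
  # members also connect to each other as clients.
  issue "$1" server "$MEMBER_SUBJ" \
    "subjectAltName=DNS:mongodb.waysysweb.us.com" "extendedKeyUsage=serverAuth,clientAuth"
  issue "$1" client "$CLIENT_SUBJ" "extendedKeyUsage=clientAuth"
}

# subject_of PEM : the subject in the RFC2253 form MongoDB expects for createUser
# and auth. Note this lists CN first, the reverse of the -subj order used above.
subject_of() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# org_part SUBJ : the O, OU and DC attributes of an RFC2253 subject, sorted
org_part() {
  printf '%s\n' "$1" | tr ',' '\n' | grep -E '^(O|OU|DC)=' | sort | tr '\n' ';'
}

# looks_like_member CLIENT_SUBJ MEMBER_SUBJ : true when the O/OU/DC sets are equal,
# i.e. mongod would treat the client as a cluster member with full privileges
looks_like_member() {
  [ "$(org_part "$1")" = "$(org_part "$2")" ]
}

# chains_to_ca CA_PEM CERT_PEM : true when the certificate verifies against the CA
chains_to_ca() {
  openssl x509 -in "$2" | openssl verify -CAfile "$1" >/dev/null 2>&1
}

# createuser_js SUBJ : the step-6 shell command with the subject filled in verbatim
createuser_js() {
  printf 'db.getSiblingDB("$external").runCommand({createUser: "%s", roles: [{role: "userAdminAnyDatabase", db: "admin"}]})\n' "$1"
}

DEMO_DIR=$(mktemp -d)
make_demo_certs "$DEMO_DIR"
CLIENT_DN=$(subject_of "$DEMO_DIR/client.pem")
MEMBER_DN=$(subject_of "$DEMO_DIR/server.pem")

if looks_like_member "$CLIENT_DN" "$MEMBER_DN"; then
  echo "refusing: client subject differs from the member subject only in CN" >&2
  exit 1
fi
chains_to_ca "$DEMO_DIR/ca.pem" "$DEMO_DIR/client.pem" || { echo "client.pem does not chain to ca.pem" >&2; exit 1; }
chains_to_ca "$DEMO_DIR/ca.pem" "$DEMO_DIR/server.pem" || { echo "server.pem does not chain to ca.pem" >&2; exit 1; }

echo "client subject (use verbatim in steps 6 and 7): $CLIENT_DN"
createuser_js "$CLIENT_DN"
```

Whatever openssl prints with -nameopt RFC2253 is the string to use as the user name in steps 6 and 7; it is the form mongod compares against, and it typically reverses the attribute order that was used when the certificate was created. The O/OU/DC comparison is the same rule mongod applies to decide whether a presented certificate belongs to a cluster member, so a client certificate that passes it cannot silently gain member privileges.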
•When setting the CAFile and PEMKeyFile values, use full paths, not relative paths.
•The net.ssl settings shown above, and the mongo shell's --ssl options, are the names used before MongoDB 4.2. MongoDB 4.2 renamed them to net.tls.mode: requireTLS, net.tls.CAFile and net.tls.certificateKeyFile (and --tls, --tlsCAFile, --tlsCertificateKeyFile on the shell) and deprecated the ssl names.
•MongoDB considers X.509 certificates an external authentication source. Therefore, X.509 users are created in and authenticate against the $external database, not the admin database.
•Creating Certificates for MongoDB
•Determining the Subject of a Certificate