Configure X.509 certificate as internal authentication for MongoDB server

Steps to make replica set or sharded cluster members authenticate to each other with X.509 certificates (security.clusterAuthMode: x509) instead of a shared keyFile. All openssl work happens on one admin machine; only the CA certificate and each node's own PEM are copied to the nodes.

1. Create the CA private key

openssl genrsa -out ~/ssl/rootCA.key 2048

Passphrase: Agnav2022 (dev only)

Note: as written, genrsa writes the key unencrypted and never asks for a passphrase; add -aes256 to the command if the CA key is meant to be passphrase-protected. rootCA.key never leaves this machine; only rootCA.crt is copied to the nodes in step 4.

2. Create the CA certificate

openssl req -x509 -new -key ~/ssl/rootCA.key -days 7300 -config ./ssl-config.cnf -out ~/ssl/rootCA.crt

ssl-config.cnf must mark the certificate as a CA (basicConstraints = CA:TRUE, keyUsage = keyCertSign); without that, chain validation of the host certificates against rootCA.crt fails. -days 7300 is a 20-year root, acceptable for a dev CA only.

3. Create host certificates

run: ./makeCert.sh <host> for each server/node

Each host certificate must meet the x509 membership rules or the members will refuse each other: it must be issued by the same CA as rootCA.crt; its subject must carry the same O, OU and DC values as every other member (only the CN differs per host); its CN or a subjectAltName DNS entry must match the hostname the other members use to reach it; and if extendedKeyUsage is present it must include clientAuth, plus serverAuth when the same file is also used as certificateKeyFile (as in step 5).

4. Move the host certificate and the CA certificate to each node, with permissions

#create the ssl directory in the mongodb folder

sudo mkdir -p /etc/mongodb/ssl

#move the node's own PEM (named after the host; here localhost.pem) into it and copy rootCA.crt alongside

sudo mv ~/ssl/localhost.pem /etc/mongodb/ssl/

sudo cp ~/ssl/rootCA.crt /etc/mongodb/ssl/

#chmod the directory to 700 and hand the whole tree to the mongodb user

sudo chmod 700 /etc/mongodb/ssl

sudo chown -R mongodb:mongodb /etc/mongodb

The PEM contains the node's private key, so it should be mode 600 as well, not just inside a 700 directory. Check afterwards that rootCA.key is not among the files that were copied; only the node's PEM and rootCA.crt belong on a node.

5. Configure the mongod config file with the certificate on each node

net:
  port: 27017
  bindIp: 0.0.0.0
  tls:
    mode: preferTLS
    certificateKeyFile: /etc/mongodb/ssl/localhost.pem
    CAFile: /etc/mongodb/ssl/rootCA.crt
    clusterFile: /etc/mongodb/ssl/localhost.pem

security:
  clusterAuthMode: x509

Notes on these settings:

clusterAuthMode: x509 makes members authenticate each other with the clusterFile certificate. Enabling internal authentication also enables access control, so the admin user used in the test at the end must already exist.

mode: preferTLS enforces TLS between members only; clients may still connect in cleartext. Once every node is on the new config, change it to requireTLS.

bindIp: 0.0.0.0 listens on every interface; together with preferTLS that exposes an unencrypted listener to the whole network. Restrict it to the addresses the other members and clients actually use.

clusterFile may be the same file as certificateKeyFile, which is why the host certificate needs both serverAuth and clientAuth in its extendedKeyUsage. A separate clusterFile is allowed, but its subject must still have the same O, OU and DC as the other members.

6. Restart the mongod instance on each node. For a replica set, restart the secondaries one at a time first and wait for each to rejoin, then run rs.stepDown() on the primary, and only then apply the config to the former primary and restart it. This keeps a primary available throughout and avoids an unplanned election mid-rollout.

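The following is an added example; it is not the page's makeCert.sh or ssl-config.cnf (neither is shown above). It covers steps 1 to 3 and the certificate rules that step 5's clusterFile and certificateKeyFile depend on: it builds a dev CA, issues certificates for two constructed hostnames (mongo1.example.internal and mongo2.example.internal) with a shared O and OU, a DNS subjectAltName, and an extendedKeyUsage containing both serverAuth and clientAuth, then runs the checks worth doing before a PEM is copied to a node: chain validation against rootCA.crt, hostname match, and presence of clientAuth. The O/OU values, the hostnames, the scratch directory and the unencrypted CA key are assumptions for the example.

```shell
#!/bin/sh
# Added example, not the page's makeCert.sh / ssl-config.cnf: build a dev CA and
# two MongoDB member certificates that meet the x509 cluster-auth rules
# (same O/OU on every member, CN and SAN = hostname, EKU including clientAuth),
# then run the checks worth doing before copying a PEM to a node.
# Needs openssl >= 1.1.1.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch dir (assumed); set WORK=~/ssl for the page's layout
ORG="Agnav"                    # constructed O; must be identical on every member
OU="MongoDB-Cluster"           # constructed OU; must be identical on every member

make_ca() {
  # Unencrypted dev CA key; add -aes256 to genrsa for a passphrase-protected key.
  openssl genrsa -out "$WORK/rootCA.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/rootCA.key" \
    -subj "/O=$ORG/OU=$OU/CN=Agnav Dev Root CA" -out "$WORK/rootCA.csr"
  # These two extensions are what make the cert usable as CAFile.
  cat > "$WORK/rootCA.ext" <<EOF
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
  openssl x509 -req -sha256 -days 7300 -in "$WORK/rootCA.csr" \
    -signkey "$WORK/rootCA.key" -extfile "$WORK/rootCA.ext" \
    -out "$WORK/rootCA.crt" 2>/dev/null
}

make_member_cert() {
  # $1 = hostname. Produces $WORK/<host>.pem (key + cert) that can serve as both
  # certificateKeyFile and clusterFile: the EKU lists serverAuth and clientAuth.
  host="$1"
  openssl genrsa -out "$WORK/$host.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/$host.key" \
    -subj "/O=$ORG/OU=$OU/CN=$host" -out "$WORK/$host.csr"
  cat > "$WORK/$host.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:$host
EOF
  openssl x509 -req -sha256 -days 825 -in "$WORK/$host.csr" \
    -CA "$WORK/rootCA.crt" -CAkey "$WORK/rootCA.key" -CAcreateserial \
    -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
  cat "$WORK/$host.key" "$WORK/$host.crt" > "$WORK/$host.pem"
  chmod 600 "$WORK/$host.pem"   # it contains the private key
}

# check_member_cert <hostname> [certfile]: 0 = ok, 1 = does not chain to rootCA.crt,
# 2 = hostname mismatch, 3 = EKU lacks clientAuth (unusable as clusterFile).
check_member_cert() {
  host="$1"; crt="${2:-$WORK/$1.crt}"
  openssl verify -CAfile "$WORK/rootCA.crt" "$crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$crt" -noout -checkhost "$host" | grep -q 'does match' || return 2
  openssl x509 -in "$crt" -noout -text | grep -q 'TLS Web Client Authentication' || return 3
  return 0
}

# member_org_fields <hostname>: subject without the CN, for comparing O/OU across members.
member_org_fields() {
  openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 \
    | sed -e 's/^subject=//' -e 's/^ *//' -e 's/CN=[^,]*,\{0,1\}//'
}

main() {
  make_ca
  for h in mongo1.example.internal mongo2.example.internal; do   # constructed hostnames
    make_member_cert "$h"
    if check_member_cert "$h"; then echo "$h: cert OK"; else echo "$h: check failed ($?)"; fi
  done
  if [ "$(member_org_fields mongo1.example.internal)" = "$(member_org_fields mongo2.example.internal)" ]; then
    echo "O/OU identical on both members; x509 cluster auth will treat them as peers"
  fi
  echo "files written to $WORK"
}
main
```

Run it as-is and the files land in a temporary directory; set WORK to ~/ssl to get rootCA.crt and <host>.pem in the layout the steps above expect. A check result of 2 on a real deployment means the hostname in the member list does not match the certificate's CN/SAN; 3 means the certificate was issued without clientAuth and cannot be used as clusterFile.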
Done

Test with the mongo command line:

sudo mongo -u admin -p 'Minad!2019' --authenticationDatabase 'admin' --tls --tlsCAFile '/etc/mongodb/ssl/rootCA.crt' --tlsCertificateKeyFile '/etc/mongodb/ssl/localhost.pem' --host localhost

A shell prompt means the server presented a certificate that chains to rootCA.crt and the admin user authenticated over TLS. --host must match the server certificate's CN or SAN, which is why localhost is used against localhost.pem. Outside a dev box, change two things: pass -p with no value so the shell prompts for the password instead of leaving it in shell history, and give the client its own CA-issued client certificate rather than the server's PEM (sudo is only needed here because that PEM is readable by the mongodb user alone). The same --tls flags work with mongosh.