Enabling ssl in mongodb replicaset without certificates - mongodb

I am trying to set up a mongodb 2.6.8 replicaset using ssl. I compiled mongo manually with ssl support and enabled ssl in my configuration as follows:
sslMode=requireSSL
sslPEMKeyFile=/etc/ssl/mongodb.pem
sslCAFile=/etc/ssl/client.pem
sslWeakCertificateValidation=true
replSet=rs0
I created the mongodb.pem and client.pem files by running openssl as follows on each server:
# openssl req -new -x509 -days 365 -nodes -out mongodb-cert.crt -keyout mongodb-cert.key -subj '/C=US/ST=MA/L=Waltham/CN=<fully qualified domain name>'
# cat mongodb-cert.key mongodb-cert.crt > mongodb.pem
# openssl req -new -x509 -days 365 -nodes -out client-cert.crt -keyout client-cert.key -subj '/C=US/ST=MA/L=Waltham/CN=<fully qualified domain name>'
# cat client-cert.key client-cert.crt > client.pem
On each server I can confirm that the certificates and SSL are working, because on each of my servers I can do the following:
mongo --ssl --sslPEMKeyFile=/etc/ssl/client.pem --sslCAFile=/etc/ssl/mongodb.pem <fully qualified domain name>
drops me into the mongo shell.
On the primary node, I can do rs.initiate() and rs.status() and it looks fine:
> rs.initiate()
{
    "info2" : "no configuration explicitly specified -- making one",
    "me" : "<fqdn node 1>:27017",
    "info" : "Config now saved locally. Should come online in about a minute.",
    "ok" : 1
}
> rs.status()
{
    "set" : "rs0",
    "date" : ISODate("2015-04-02T20:25:27Z"),
    "myState" : 1,
    "members" : [
        {
            "_id" : 0,
            "name" : "<fqdn node 1>:27017",
            "health" : 1,
            "state" : 1,
            "stateStr" : "PRIMARY",
            "uptime" : 23,
            "optime" : Timestamp(1428006318, 1),
            "optimeDate" : ISODate("2015-04-02T20:25:18Z"),
            "electionTime" : Timestamp(1428006318, 2),
            "electionDate" : ISODate("2015-04-02T20:25:18Z"),
            "self" : true
        }
    ],
    "ok" : 1
}
However, when I attempt to add the second member, I get the dreaded 13144 error:
rs0:PRIMARY> rs.add("<fqdn node 2>:27017")
{
    "errmsg" : "exception: need most members up to reconfigure, not ok : <fqdn node 2>:27017",
    "code" : 13144,
    "ok" : 0
}
I should also note that connecting between the two hosts works fine, i.e., while on node 1:
mongo --ssl --host <fqdn node 2>
or while on node 2:
mongo --ssl --host <fqdn node 1>
both work.
How do I pass in the ssl option and/or the certificates to the rs.add() command?
I don't actually care about passing the certificates (which is why I specified sslWeakCertificateValidation=true); I'm more concerned about making sure the communication between the nodes is in ssl.

It's difficult to be certain what was wrong, but I've got a few observations:
You may have got that error if the other mongod process was started without the replSet=rs0 item in its configuration
You may have got that error because the servers cannot communicate on port 27017, e.g. if a firewall is blocking them. It's worth verifying the connectivity by, on each server, connecting the mongo client to the other server.
There is a problem with your mongod.pem file. You have created it by concatenating the server's private key and certificate; but it should not contain the key. It should be just an ascending chain of certificates, starting with the server and ending with the root. If the server is self-certified, then there is no need to concatenate anything else.

Related

MongoDB SSL Replica setup issues - Unsupported Certificate

Trying to set up a 3 node mongodb server replica on Ubuntu 18.04, mongo version 4.0.18
gl1 192.168.1.30
gl2 192.168.1.31
gl3 192.168.1.33
Using an internal CA on the same network to create certs, I have created 2 certs, one for the server mongo is installed on (GL1, GL2, GL3) for PEMKeyFile and one for the clusterFile (mongo1, mongo2, mongo3). Each CAFile is set listing the respective RSA key, PEMKeyFile and RootCA for each server. I have mongo services running (according to systemctl) fine using the individual certs (PEMKey and clusterFILE).
net:
  port: 27017
  bindIp: 0.0.0.0
net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /opt/ssl/MongoDB.pem
    CAFile: /opt/ssl/ca.pem
    clusterFile: /opt/ssl/mongo.pem
    allowConnectionsWithoutCertificates: true
#replication
replication:
  replSetName: rs0
When I try rs.add("192.168.1.31:27017") I get the following error:
"errmsg" : "Quorum check failed because not enough voting nodes responded; required 2 but only the following 1 voting nodes responded: 192.168.1.30:27017; the following nodes did not respond affirmatively: gl2.domain.com:27017 failed with stream truncated",
"code" : 74,
"codeName" : "NodeNotFound",
In the mongod.log on node 192.168.1.31 the following is logged:
2020-05-22T18:20:48.161+0000 E NETWORK [conn4] SSL peer certificate validation failed: unsupported certificate purpose
2020-05-22T18:20:48.161+0000 I NETWORK [conn4] Error receiving request from client: SSLHandshakeFailed: SSL peer certificate validation failed: unsupported certificate purpose. Ending connection from 192.168.1.30:55002 (connection id: 4)
I have read on an old Google groups post: https://groups.google.com/forum/#!msg/mongodb-user/EmESxx5KK9Q/xH6Ul7fTBQAJ that the clusterFile and PEMKeyFile had to be different. However, I did that and it still is throwing errors. I have done a lot of searching on this and I'm seeing much to support that this how it's done, but it is the only place I've found that has a similar error message and it seems logical that it should work. However, I'm not sure how I can verify that my clusterFile is actually being used. It is indeed a separate certificate with a FQDN for each node. All three nodes have host files updated to find each other (gl1, mongo1, etc). I can ping all nodes between themselves, so networking is up. I've also verified the firewall (ufw and iptables) is not blocking 27017 or anything at this point. Previously I tried the self-signed CA and certs but kept running into errors since those were self signed certs, so that is why I went the internal CA route.
The "purpose" is also known as "extended key usage".
Openssl x509v3 Extended Key Usage gives some example code for setting the purposes.
As pointed out by Joe, the documentation states that the certificates must either have no extended key usage at all, or the one in the PEMKeyFile must have server auth, and the one in the cluster file must have client auth.
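Added example, not code from either post above and not MongoDB's own tooling: it builds a throwaway CA, a server PEM whose certificate carries extendedKeyUsage serverAuth and a cluster PEM with clientAuth, each as a key-then-certificate bundle the way the questioner's `cat` step builds mongodb.pem, plus a `check_mongo_pem` function that reports a bundle missing its key, not chaining to the CA, or carrying the wrong purpose for its role, which is the condition behind the "unsupported certificate purpose" log line in the second post. All file names, the hostname and the CA are constructed; the only tool needed is `openssl`.

```shell
#!/bin/sh
# Added example (constructed names, not from either post): a CA, a server PEM with
# EKU serverAuth and a cluster PEM with EKU clientAuth, each laid out key-then-cert as
# mongod's PEMKeyFile/clusterFile expect, plus a check that flags the wrong pairing.
set -e
WORK=$(mktemp -d)
cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
extendedKeyUsage = serverAuth
[cluster_ext]
extendedKeyUsage = clientAuth
EOF
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 365 \
    -subj "/CN=example-internal-ca" -config "$WORK/ext.cnf" -extensions ca_ext 2>/dev/null
# gen_pem NAME SECTION: CA-signed cert carrying the EKU from SECTION, bundled key first
gen_pem() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
        -subj "/CN=gl1.example.internal" -config "$WORK/ext.cnf" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 365 -extfile "$WORK/ext.cnf" -extensions "$2" -out "$WORK/$1.crt" 2>/dev/null
    cat "$WORK/$1.key" "$WORK/$1.crt" > "$WORK/$1.pem"
}
# check_mongo_pem FILE ROLE(server|cluster): 0 when FILE holds exactly one private key plus
# a certificate that chains to the CA and whose EKU is absent or fits ROLE; anything else
# is what the peer logs as "unsupported certificate purpose".
check_mongo_pem() {
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$1" || true)
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    [ "$keys" -eq 1 ] && [ "$certs" -ge 1 ] || { echo "$1: need 1 key + cert, got $keys/$certs"; return 1; }
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1 || { echo "$1: does not chain to CA"; return 1; }
    case "$2" in server) want='TLS Web Server Authentication' ;;
                cluster) want='TLS Web Client Authentication' ;; *) return 2 ;; esac
    eku=$(openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | tail -n 1)
    [ -z "$eku" ] && return 0                  # no EKU at all is accepted for either role
    case "$eku" in *"$want"*) return 0 ;; esac
    echo "$1: EKU is '$eku' but role $2 needs '$want'"; return 1
}
gen_pem server server_ext
gen_pem cluster cluster_ext
check_mongo_pem "$WORK/server.pem" server && echo "server.pem: ok"
check_mongo_pem "$WORK/cluster.pem" cluster && echo "cluster.pem: ok"
```

Swapping the two files in the config (cluster PEM as PEMKeyFile, or vice versa) is exactly the pairing the check rejects.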

NiFi SSO using KNOX: Error when requesting certificate

I was configuring KNOX SSO to secure NiFi following this document and got an error when requesting a certificate: Token does not meet minimum size of 16 bytes.
root@hadoop:/home/knox# /home/hadoop/nifi/config/nifi-toolkit/bin/tls-toolkit.sh client --subjectAlternativeNames "CN=hostname.org, OU=KNOX" -F -f /home/knox/nifi-ca-config.json
2019/09/25 14:14:17 INFO [main] org.apache.nifi.toolkit.tls.service.client.TlsCertificateAuthorityClient: Requesting new certificate from cityhub.bigdatacenter.org:10443
Service client error: java.security.GeneralSecurityException: Token does not meet minimum size of 16 bytes.
Usage: tls-toolkit service [-h] [args]
Services:
standalone: Creates certificates and config files for nifi cluster.
server: Acts as a Certificate Authority that can be used by clients to get Certificates
client: Generates a private key and gets it signed by the certificate authority.
status: Checks the status of an HTTPS endpoint by making a GET request using a supplied keystore and truststore.
This is the content of /home/knox/nifi-ca-config.json
{
    "dn" : "CN=hostname.org, OU=KNOX",
    "domainAlternativeNames" : null,
    "keyStore" : "/home/knox/knox-nifi-keystore.jks",
    "keyStoreType" : "jks",
    "keyStorePassword" : "admin",
    "keyPassword" : "admin",
    "token" : "token",
    "caHostname" : "hostname.org",
    "port" : 10443,
    "dnPrefix" : "CN=",
    "dnSuffix" : ", OU=NIFI",
    "reorderDn" : true,
    "trustStore" : "/home/knox/knox-nifi-truststore.jks",
    "trustStorePassword" : "admin",
    "trustStoreType" : "jks"
}
The error message says "Token does not meet minimum size of 16 bytes." so you probably need to change the token field in your config json to be 16 characters, right now you have just "token".

Authenticate against MongoDB using DelphiMongoDB from Grijjy

I am using DelphiMongoDB from Grijjy (DelphiMongoDB), which is working pretty well so far. But I can't find any functions to authenticate against a MongoDB. Did anybody get this to work or figure out how to do it?
Thanks and best regards
Update: The most up to date version of the Grijjy driver now supports TLS, X.509 client certificate authentication, SCRAM SHA-1 and SHA-256 authentication. We have also tested it against MongoDB Atlas instance at Azure.
Here is a simple example of how to use the authentication.
var
  Settings: TgoMongoClientSettings;
  Client: IgoMongoClient;
  Database: IgoMongoDatabase;
  Collection: IgoMongoCollection;
  Doc: TgoBsonDocument;
begin
  Settings := TgoMongoClientSettings.Create;
  Settings.Secure := True;
  Settings.AuthMechanism := TgoMongoAuthMechanism.SCRAM_SHA_1;
  Settings.AuthDatabase := 'admin';
  Settings.Username := 'username';
  Settings.Password := 'password';
  //Settings.QueryFlags := [TgoMongoQueryFlag.SlaveOk];
  Client := TgoMongoClient.Create('my.mongodb.server.com', 27017, Settings);
  Database := Client.GetDatabase('mydatabase');
  Collection := Database.GetCollection('mycollection');
  for Doc in Collection.Find() do
    Writeln(Doc.ToJson(TgoJsonWriterSettings.Pretty));
end;
Legacy: Yes, the published Grijjy driver does not support authentication, but we have tested it internally and may add this ability in the near future to Github. You are also welcome to make a pull request if you want to adapt the following changes:
MongoDB currently supports 2 types of authentication, SCRAM and x.509 Certificate Authentication. Internally we have tested the x.509 Certificate Authentication, but the current driver on Github does not reflect this ability. We have not experimented with SCRAM yet.
To make it work with the MongoDB driver we published on Github, you may have to make a couple of changes.
You need to create a self-signed CA and certificate for your MongoDB server.
You need to configure your MongoDB server to use certs.
You need to create a self-signed certificate for your MongoDB client or clients. You can use the same cert for all clients.
You need to enable SSL/TLS connections and use your client certificate with the MongoDB driver.
1 To create all the certificates, you need an existing CA or create a self-signed CA. You can use the openssl.exe binary to do most of this:
Create root certificate authority (ca.pem and privkey.pem):
openssl req -out ca.pem -new -x509 -days 3650 -subj "/C=US/ST=California/O=Company/CN=root/emailAddress=root@domain.com"
To create a self-signed certificate for your MongoDB server (server.pem):
openssl genrsa -out server.key 2048
openssl req -key server.key -new -out server.req -subj "/C=US/ST=California/O=Company/CN=db.myserver.com/emailAddress=user@domain.com"
openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAcreateserial -out server.crt -days 3650
type server.key server.crt > server.pem
openssl verify -CAfile ca.pem server.pem
2 To configure MongoDB to use certs on the Windows version (similar on other versions), edit the c:\data\mongod.cfg:
systemLog:
  destination: file
  path: c:\data\log\mongod.log
storage:
  dbPath: c:\data\db
net:
  port: 27017
  bindIp: 127.0.0.1
  ssl:
    mode: requireSSL
    PEMKeyFile: c:\data\server.pem
    CAFile: c:\data\ca.pem
    allowConnectionsWithoutCertificates: true   # optional
    allowInvalidHostnames: true                 # optional
You may need to set allowInvalidHostnames to true if you are using a self-signed certificate.
3 To create a self-signed certificate for your MongoDB client (client1.pem):
openssl genrsa -out client1.key 2048
openssl req -key client1.key -new -out client1.req -subj "/C=US/ST=California/O=Company/CN=client1/emailAddress=user@domain.com"
openssl x509 -req -in client1.req -CA ca.pem -CAkey privkey.pem -CAserial ca.srl -out client1.crt -days 3650
type client1.key client1.crt > client1.pem
openssl verify -CAfile ca.pem client1.pem
Note: You will also need to use the client certificate in whatever tool you are using to admin the MongoDB server.
4 To enable SSL/TLS connections for MongoDB driver you may have to change the source files. Our unit Grijjy.Http shows how to enable the driver for ‘https’. Essentially you need to do 2 things to the Connection inside the Grijjy.MongoDB.Protocol unit probably within the method TgoMongoProtocol.Connect :
Set Connection.SSL := True;
Set the Connection.Certificate to the client1.pem you created.
You will have to do some testing, but I hope it points you in the correct direction to make it work. Would love your contribution to the open source project if you can.
As far as I can understand the sources, https://github.com/grijjy/DelphiMongoDB/ doesn't support authentication.
Also from the source, https://github.com/stijnsanders/TMongoWire doesn't either.
FireDAC Mongo uses the C Mongo client library, which supports authentication.
Our Open Source SynMongoDB.pas supports authentication, FPC and almost all Delphi versions (even pre-Unicode). Using variant late-binding to access the BSON/JSON content, it is pretty easy to work with it. Just check the corresponding documentation pages. You can write for instance:
var doc: variant;
...
  doc := Coll.FindOne(5);
  writeln('Name: ', doc.Name);
  writeln('Number: ', doc.Number);
or
var docs: TVariantDynArray;
...
  Coll.FindDocs(docs);
  for i := 0 to high(docs) do
    writeln('Name: ', docs[i].Name, ' Number: ', docs[i].Number);
The TMongoClient.OpenAuth method supports both old/deprecated MONGODB-CR method, and the new SCRAM-SHA-1 method:
Client := TMongoClient.Create('localhost', 27017);
try
  DB := Client.OpenAuth('mydb', 'mongouser', 'mongopwd');
  ...
Note that even if it is part of the mORMot framework, this unit is stand-alone: you don't need to use the ORM, SOA, or MVC parts of the framework - even if it works very well with the ORM, and is able to convert SQL-like statements into MongoDB pipelines, which is a unique very powerful feature. Another unique feature is proper Decimal128 support.
Over a network, also ensure that you use a TLS connection to the server. SynMongoDB.pas can do that under Windows, with no external OpenSSL library needed (it uses the raw Windows SO API).

Keycloak: Admin-cli Add SMTP server details?

In our Keycloak we have written admin-cli commands to make things smooth after Keycloak boots up. We create some basic realm/user/group and other details with the help of admin-cli.
Now we want to add the SMTP server details through admin-cli. How can we achieve this?
OK, at last, after a lot of trial and error, I found the solution. Here are the details of how to add the SMTP server details via admin-cli.
First step: enable HTTPS (as in our case Keycloak is running on HTTPS)
/opt/keycloak/bin/kcadm.sh config truststore --trustpass keycloak /opt/keycloak/security/ssl/keycloak.jks
Second step: log in with the client admin-cli
/opt/keycloak/bin/kcadm.sh config credentials --server https://{{keycloak_server_IP}}:{{keycloak_port}}/auth --realm master --user admin --password admin --client admin-cli
If the realm is not created yet, create it like this:
/opt/keycloak/bin/kcadm.sh create realms -s realm=SURE -s enabled=true
and then run the command below:
/opt/keycloak/bin/kcadm.sh update realms/CRUE_Realm -x -s 'smtpServer.host=Your Host Name' -s 'smtpServer.from=email@somemail.com' -s 'smtpServer.fromDisplayName=Mail Support' -s 'smtpServer.auth=false' -s 'smtpServer.ssl=false'
You can also use this command:
/opt/keycloak/bin/kcadm.sh update realms/CRUE_Realm -f - << EOF
{
  "smtpServer" : {
    "replyToDisplayName" : "...",
    "starttls" : "",
    "auth" : "true",
    "envelopeFrom" : "...",
    "ssl" : "true",
    "password" : "...",
    "port" : "...",
    "host" : "...",
    "replyTo" : "...",
    "from" : "...",
    "fromDisplayName" : "...",
    "user" : "..."
  }
}
EOF

MongoDB copydatabase error code 18 authentication failed

I have a MongoDB server and I am trying to migrate my data from one server to the other. My host server's port 27017 is open, but when I try the command below I get the following response.
> db.auth("example", "***********")
1
> db.copyDatabase('exampledb', 'exampledb', "15.128.223.33:27017", "username", "password");
{
    "ok" : 0,
    "errmsg" : "Authentication failed.",
    "code" : 18,
    "codeName" : "AuthenticationFailed"
}
Also, when I open the URL 15.128.223.33:27017 I get the response "It looks like you are trying to access MongoDB over HTTP on the native driver port.", so I think the connection to the host server is succeeding.
Can anyone please tell me why this is happening?