I am trying to set up mongoid to connect to a mongodb server using ssl with client certificates for authentication. However, I cannot find a comprehensive reference for the options in mongoid.yml .
For example, I found this: How to enable SSL/TLS in Mongoid 3 client? - which references a ssl: true option (which seems to work), but that mongoid.yml option does not appear to be documented anywhere I can find.
I am able to connect using the client certificate using the mongo shell. If I leave out the ssl: true option in mongoid.yml, at the server I get "AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections"
If I do use the ssl: true option, I get "ERROR: no SSL certificate provided by peer; connection rejected" suggesting that the ssl: true option is working.
So, is there a way to provide the client cert/key and ca cert to mongoid using mongoid.yml? Or is there another way to make the connection to the mongod and provide the connection to mongoid? Or is it simply not possible to use ssl client certificates for authentication with mongoid?
This question was posted several years ago, before the Mongoid gem was taken over by the MongoDB team. Mongoid 5 is a significant upgrade, and the documentation has also been dramatically improved.
I updated my applications to use Mongoid 5; the biggest change was that I had been using the lower level driver (Moped) for some operations, for better efficiency. However, with Mongoid 5, the standard ruby MongoDB driver is used, so I had to rewrite the code that used the lower level driver.
However, it was well worth it. Among the improvements in Mongoid 5 is documentation that clearly explains how to provide the client cert/key and ca cert to the Mongoid driver at https://docs.mongodb.com/ecosystem/tutorial/mongoid-installation/
You will also want to provide the matching configuration for the mongod server, which is explained at https://docs.mongodb.com/manual/tutorial/configure-ssl/
Also, as indicated on that latter page, as of MongoDB distributions now include support for SSL.
Related
After reviewing several MongoDB official documents (see list at the bottom) I understand that MongoDB security in communications (as in community version 4.2) works as follows:
For internal communication authentication (i.e. between the members of a replica set or between mongos and the replica sets which implement the different shards) there are two mechanisms available:
shared keyfile (--keyFile)
x.509 certificates
For internal communication encryption, SSL/TLS is the only possibility. In other words, shared keyfile (--keyFile) provides only authentication, but if you want encryption you need to use SSL/TLS alternative. Using SSL/TLS requires to use x.509 certificates also (so, we can say that encryption also provides authentication)
For client to MongoDB communications (either standalone, replica set or mongos in a shard cluster):
there isn't keyfile option
the only way to secure communication (which provides both authentication and encryption) is SSL/TLS with x.509 certificates
I'd like just to confirm my understanding, as the documentation I have browsed is a little "disperse" and I'm not sure if I have got the point. Any feedback, comment, extra info or documentation pointers is really welcome!
PD: the statement which I'm most unsure is this one: "shared keyfile (--keyFile) provides only authentication, but if you want encryption you need to use SSL/TLS alternative"
References checked:
https://docs.mongodb.com/manual/tutorial/configure-ssl
https://docs.mongodb.com/manual/tutorial/configure-ssl-clients/
https://docs.mongodb.com/manual/core/security-internal-authentication
For client to MongoDB communications (either standalone, replica set or mongos in a shard cluster) there are several authentication methods:
No authentication
Internal authentication with username/password
Kerberos Authentication
LDAP Proxy Authentication
LDAP Authentication
Note, you can always connect to MongoDB database, even without an account. However, you are not permitted to execute any command unless you are authenticated.
Mongo C++ driver has two compilation option. From driver documentation:
--ssl Enables SSL support. You will need a compatible version of the SSL libraries available.The default authorization mechanism since MongoDB version 3.0 is SCRAM-SHA-1. If you want to use standard MongoDB authentication, you should compile with –ssl option for SCRAM-SHA-1 mechanism support.
--use-sasl-client Enables SASL, which MongoDB uses for the Kerberos authentication available on MongoDB Enterprise. You will need a compatible version of the SASL implementation libraries available. The Cyrus SASL libraries are what we test with, and are recommended.
I wonder about clients not using authentication (which is a typical scenario in which the CB-MongoDB connection is secured using other means, e.g. level 3 firewalling, or simply the user doesn't want it, for whatever reason) from the point of view of performance. I mean, it is fine that users wanting authentication pay a price for it (in terms of performance penalty of the SSL CB-MongoDB communication needed to authentication) but users not wanting authentication shouldn't be affected .
Is the driver clever enough so even having being compiled using --ssl and --use-sasl-client clients not using authentication gets the same performance than if the driver would have been compiled without these options?
Note: I know this is question about Mongo C++ legacy driver which is a legacy piece of software. However, maybe a similar one applies also to the new driver (assuming it has a similar option-based compilation configurability) so I understand that the question is meaningfull anyway.
In the beginning of the year, lots of MongoDB databases were hacked. This also included my database. Yesterday I noticed my brand new database with authorization enabled was hacked as well. The username and password is very secure (16+ characters password with random characters and symbols).
I've now decided to fully secure it, but I honestly don't know where to proceed. I already have:
security:
authorization: enabled
and that should be enough (after sudo service mongod restart). I only have 1 database and no admin user, but anonymous access from a remote connection is still allowed. I keep reading many places, that I should run mongod like mongod --auth, but that it's the same as enabling authorization as I've done above.
At this point I'm struggling to disable anonymous authentication on the server. What did I miss? Why can I authenticate without an account?
To enable security you'll want to follow the Security Checklist on the MongoDB Website.
Here you are provided with role based authorization and authentication instructions. It's also advised you disable listening to all ethernet interfaces and bind your MongoDB ports to the interfaces you'd like exposed.
For a guide to network hardening, you will want to review these instructions, but the most important aspect is to avoid unwanted network exposure. Consider using a firewall or security groups (if in cloud).
I'm trying to run a blockchain explorer which requires connection to MongoDb. I decided to use DocumentDB, since it's supposed to be compatible with apps written for mongo. I used my DocumentDb credentials and found out that it won't work, because DocumentDB requires /ssl=true at the end of a connection string, enforcing SSL connection. This explorer cannot connect via SSL. So, I need to disable SSL for DocumentDB. How can I do that?
DocumentDB does not support disabling SSL (it's secure by default).
As blockchain explorer is written in nodejs, it should be pretty easy to modify it to connect using SSL.
Just append "/?ssl=true" at the end of connection string (i.e. dbString variable) generated .js files listed in
https://github.com/iquidus/explorer/search?utf8=%E2%9C%93&q=dbsettings (excluding settings.js which holds the actual values)
We have a mondogDB deployment currently in our test environment. We have a 7 member Replica Set and no Arbiter.
We want to configure the data replication between the replica set members secure.
We don't want to configure SSL for the clients to our MongoDB cluster as the communication from the client to this MongoDB cluster is via Stunnel. So the client doesn't need to use SSL to connect.
Just curious to see if this possible i.e configure only the data being replicated between replica set members Secure but not the actual communication from the Client to this MongoDB cluster
_THanks much
I've not tried this personally but I do believe you can do this. In addition to compiling mongodb with ssl, or purchasing one of the MongoDb subscriptions that support SSL you will need to run with the following option:
--sslMode
set to preferSSL. This will use SSL for inter-server communications but allow both SSL and non-SSL for other connections:
http://docs.mongodb.org/manual/reference/program/mongod/
That of course is all in addition to the other configuration settings required for running with SSL:
http://docs.mongodb.org/manual/tutorial/configure-ssl/
Note that this is new for version 2.6. I don't have a version of mongodb compiled with ssl support so it's not been tested by me.
#DurgaDeep in MongoDB v2.6 you can run the MongoDB instance in mixed mode SSL while also specifying the x509 certificates for the cluster members to authenticate each other. Please note that SSL is not part of the default community build and you may need to build the binary on your own if you are using community build. x509 certificates is only available on subscription builds so that will not work for you if you are using a community build.
The easiest option to achieve what you want to do irrespective of the MongoDB version would be to setup stunnel between the replica-set nodes and let it take care of encrypted channel independently. This is the usual route a lot of applications take which do not have SSL embedded as an option.