TLS/SSL (Transport Encryption) in MongoDB
When establishing a TLS/SSL connection, the mongod/mongos presents a certificate key file (containing a public key certificate and its associated private key) to its clients to establish its identity.
MongoDB can use any valid TLS/SSL certificate issued by a certificate authority, or a self-signed certificate. If you use a self-signed certificate, although the communications channel will be encrypted to prevent eavesdropping on the connection, there will be no validation of server identity. This leaves you vulnerable to a man-in-the-middle attack. Using a certificate signed by a trusted certificate authority will permit MongoDB drivers to verify the server’s identity.
OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end. It is widely used by Internet servers, including the majority of HTTPS websites.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mongodb.key -out mongodb.crt
After filling in all the information we get two files: mongodb.crt and mongodb.key. The prompt looks like this:
Generating a 2048 bit RSA private key
.................................+++++
.................................................+++++
writing new private key to 'mongodb.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) :
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) :
Common Name (e.g. server FQDN or YOUR name) :localhost
Email Address :
The common name in this case is localhost because we are working on our local machine, but for production you should use your domain name and also get a certificate issued by a certificate authority.
cat mongodb.key mongodb.crt > mongodb.pem
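As an added example (not code from the original article), the script below shows the CA-signed setup the text recommends for production: a private CA, a server certificate issued for a hostname, the key+cert PEM assembled in the same order as above, and an openssl verify check that mirrors what a driver given a tlsCAFile does. The file names, the CA name and the "demo" argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: build a private CA, issue a
# server certificate for a hostname, and assemble the key+cert PEM that mongod
# expects. File names and the CA name are demo assumptions.
set -eu

# make_ca DIR: create a private CA (ca.key, ca.crt) in DIR.
make_ca() {
  openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
    -subj "/CN=demo-mongodb-ca" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# make_self_signed DIR HOST: the article's self-signed approach, non-interactive.
make_self_signed() {
  openssl req -x509 -nodes -newkey rsa:2048 -days 365 -subj "/CN=$2" \
    -keyout "$1/selfsigned.key" -out "$1/selfsigned.crt" 2>/dev/null
}

# make_server_pem DIR HOST: issue a certificate for HOST signed by DIR's CA and
# write DIR/mongodb.pem (private key followed by certificate, as in the article).
make_server_pem() {
  dir=$1; host=$2
  openssl req -nodes -newkey rsa:2048 -subj "/CN=$host" \
    -keyout "$dir/mongodb.key" -out "$dir/mongodb.csr" 2>/dev/null
  # subjectAltName is what drivers match the hostname against, not only the CN
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
  openssl x509 -req -days 365 -in "$dir/mongodb.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/san.cnf" -out "$dir/mongodb.crt" 2>/dev/null
  cat "$dir/mongodb.key" "$dir/mongodb.crt" > "$dir/mongodb.pem"
}

# verify_server_cert CAFILE CERT HOST: exit 0 only if CERT chains to CAFILE and
# is valid for HOST, which is the check a driver given tlsCAFile performs.
verify_server_cert() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Demo: the CA-signed cert verifies for localhost; the self-signed one does not.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_ca "$d"; make_server_pem "$d" localhost; make_self_signed "$d" localhost
  verify_server_cert "$d/ca.crt" "$d/mongodb.crt" localhost && echo "CA-signed: ok"
  verify_server_cert "$d/ca.crt" "$d/selfsigned.crt" localhost || echo "self-signed: not trusted"
fi
```

Run it as `sh script.sh demo`; point mongod at the generated mongodb.pem and clients at ca.crt instead of the server certificate itself.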
Set Up mongod and mongos with Client Certificate Validation (TLS/SSL)
In this part we configure mongod/mongos to use TLS/SSL connections and perform client certificate validation. First, the options you need to know:
- tlsMode: (disabled | allowTLS | preferTLS | requireTLS) enables TLS for network connections. For example, requireTLS accepts only TLS-encrypted connections.
- tlsCertificateKeyFile: Certificate and key file for TLS
- tlsCertificateKeyFilePassword: Password to unlock the key in the TLS certificate key file
- tlsCAFile: Certificate Authority file for TLS (for man-in-the-middle protection)
Set Up mongod and mongos at launch time
mongod --tlsMode requireTLS --tlsCertificateKeyFile mongodb.pem
Set Up mongod and mongos from the MongoDB configuration file
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/caToValidateClientCertificates.pem
Connection with mongo using TLS/SSL certificate
Before working with mongo, here is a list of parameters you should know about:
- tls: use TLS for all connections
- tlsCertificateKeyFile: PEM certificate/key file for TLS
- tlsCertificateKeyFilePassword: Password for key in PEM file for TLS
- tlsCAFile: Certificate Authority file for TLS
Because we set up mongod with requireTLS, a mongo command without any TLS options will fail with an error while connecting.
Connecting to mongo using TLS/SSL certificate
mongo --tls --tlsCAFile mongodb.crt --host localhost