TLS/SSL (Transport Encryption) in MongoDB

When establishing a TLS/SSL connection, the mongod/mongos presents a certificate key file (containing a public key certificate and its associated private key) to its clients to establish its identity.

MongoDB can use any valid TLS/SSL certificate issued by a certificate authority, or a self-signed certificate. If you use a self-signed certificate, although the communications channel will be encrypted to prevent eavesdropping on the connection, there will be no validation of server identity. This leaves you vulnerable to a man-in-the-middle attack. Using a certificate signed by a trusted certificate authority will permit MongoDB drivers to verify the server’s identity.

Generating a certificate

OpenSSL

OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end. It is widely used by Internet servers, including the majority of HTTPS websites.

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mongodb.key -out mongodb.crt

Result

After filling in all the information we get two files: mongodb.crt and mongodb.key.

Generating a 2048 bit RSA private key
.................................+++++
.................................................+++++
writing new private key to 'mongodb.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:

The common name in this case will be localhost because we are working on our local machine, but for production you should use your domain name and also get a certificate issued by a certificate authority.

Generating mongodb.pem

cat mongodb.key mongodb.crt > mongodb.pem
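The two generation steps above, as an added example script that is not code from the original post: it runs the OpenSSL request non-interactively, builds mongodb.pem, and then checks that the key and certificate in the PEM actually belong together before the file is handed to mongod. The function names, the hostname argument and the output directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: run the certificate steps
# above non-interactively, build mongodb.pem, and verify the result.
# Assumes OpenSSL 1.1.1 or newer; hostname and output dir are arguments.
set -e

# gen_mongodb_pem <hostname> <outdir>: writes mongodb.key/.crt/.pem
gen_mongodb_pem() {
    host="$1"; dir="$2"
    mkdir -p "$dir"
    # Same request as in the post, plus -subj/-addext so no prompts appear.
    # The SAN is added because drivers match the host against it, not the CN.
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$dir/mongodb.key" -out "$dir/mongodb.crt" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
    # mongod expects key and certificate in a single PEM file.
    cat "$dir/mongodb.key" "$dir/mongodb.crt" > "$dir/mongodb.pem"
    chmod 600 "$dir/mongodb.key" "$dir/mongodb.pem"   # private key inside
}

# check_mongodb_pem <pemfile>: 0 if the file holds exactly one private key
# and one certificate and they belong together, 1 otherwise.
check_mongodb_pem() {
    pem="$1"
    keys=$(grep -c 'BEGIN .*PRIVATE KEY' "$pem" || true)
    certs=$(grep -c 'BEGIN CERTIFICATE' "$pem" || true)
    [ "$keys" -eq 1 ] && [ "$certs" -eq 1 ] || return 1
    # Public key derived from the private key must equal the one in the cert.
    from_key=$(openssl pkey -in "$pem" -pubout 2>/dev/null || true)
    from_crt=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null || true)
    [ -n "$from_key" ] && [ "$from_key" = "$from_crt" ]
}

# pem_san <certfile>: prints the subjectAltName, e.g. "DNS:localhost"
pem_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tail -n 1 | tr -d ' '
}

# Usage: sh this_script.sh localhost /tmp/mongotls
if [ $# -eq 2 ]; then
    gen_mongodb_pem "$1" "$2"
    check_mongodb_pem "$2/mongodb.pem" \
        && echo "mongodb.pem OK, SAN=$(pem_san "$2/mongodb.crt")"
fi
```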

Set Up mongod and mongos with Client Certificate Validation (TLS/SSL)

In this part we will configure our mongod/mongos to use TLS/SSL connections and perform client certificate validation, but first we'll list some options you need to know:

  • tlsMode: (disabled | allowTLS | preferTLS | requireTLS) enables TLS for network connections; for example, requireTLS accepts only TLS-encrypted connections.
  • tlsCertificateKeyFile: Certificate and key file for TLS
  • tlsCertificateKeyFilePassword: Password to unlock the key in the TLS certificate key file
  • tlsCAFile: Certificate Authority file for TLS (for man-in-the-middle protection)

Set up mongod and mongos at launch time

mongod --tlsMode requireTLS --tlsCertificateKeyFile mongodb.pem

Set up mongod and mongos from the MongoDB configuration file

net:
    tls:
        mode: requireTLS
        certificateKeyFile: /etc/ssl/mongodb.pem
        CAFile: /etc/ssl/caToValidateClientCertificates.pem

Connecting with mongo using a TLS/SSL certificate

Before working with mongo, here is a list of parameters you should know about:

  • tls: use TLS for all connections
  • tlsCertificateKeyFile: PEM certificate/key file for TLS
  • tlsCertificateKeyFilePassword: Password for key in PEM file for TLS
  • tlsCAFile: Certificate Authority file for TLS

Because we set up the mongod with requireTLS, a mongo command without any certificate information will fail with an error while connecting.

Connecting to mongo using a TLS/SSL certificate

mongo --tls --tlsCAFile mongodb.crt --host localhost