Jasinski Technical Wiki

Navigation

Home Page
Index
All Pages

Quick Search
»
Advanced Search »

Contributor Links

Create a new Page
Administration
File Management
Login/Logout
Your Profile

Other Wiki Sections

Software

PoweredBy

Page History: Configuring Encryption in Transit - Mongo DB

Compare Page Revisions



« Older Revision - Back to Page History - Newer Revision »


Page Revision: Thu, Jul 14, 2016, 1:27 PM


Overview

This article provides the steps to take to configure encryption in transit for Mongo DB.

Assumptions

  • The client machines are assumed to be web servers.
  • The Mongo DB instances are assumed to be running on Linux server(s).
  • All servers are running as EC2 server instances under Amazon Web Services.

Procedure

Create the Root Certificate Authority Certificate

This part of the procedure should be done on a PROTECTED machine -- i.e., NOT the Mongo DB or web server.

1. Create a folder to hold the Root CA Files

mkdir MyRootCA

2. Generate an RSA key pair

openssl genrsa -out MyRootCA.key 2048

3. Generate the Root CA Certificate

openssl req -x509 -new -key MyRootCA.key -days 365 -out MyRootCA.crt

4. Concatenate the CRT and KEY files into a PEM file

Windows
type MyRootCA.crt MyRootCA.key > MyRootCA.pem

Linux
cat MyRootCA.crt MyRootCA.key > MyRootCA.pem

Generate SSL Certificate for Each Server

This part of the procedure should be done on a PROTECTED machine on behalf of each Mongo DB server, as well as each web server.

1. Create a folder for each server's files as a sibling to the MyRootCA folder created above.

mkdir PublicDnsOfServer

2. Set HOSTNAME environment variable

Windows
SET HOSTNAME=PublicDnsOfServer
SET ROOTCA=MyRootCA

Linux
HOSTNAME='PublicDnsOfServer'
ROOTCA='MyRootCA'
export HOSTNAME
export ROOTCA

Notice

All the commands for the rest of this part of the procedure are the versions for Windows. The equivalent Linux command is found by replacing %HOSTNAME% with $HOSTNAME and %ROOTCA% with $ROOTCA.


3. Generate Key Pair for the Server

openssl genrsa -out %$HOSTNAME%.key 2048

4. Create CSR (Certificate Signing Request)

openssl req -new -key %$HOSTNAME%.key -out %$HOSTNAME%.csr

  • Fill in fields manually
  • When prompted for the Common Name for the CSR, specify the Public DNS Name of the server

5. Fulfill the CSR

openssl x509 -req -in %$HOSTNAME%.csr -CA ..\%ROOTCA%\%ROOTCA%.crt -CAkey ..\%ROOTCA%\%ROOTCA%.key -CAcreateserial -out %$HOSTNAME%.crt -days 500

6. Validate the certificate against the CA file

openssl verify -CAfile ..\%ROOTCA%\%ROOTCA%.crt $HOSTNAME.crt

Should get the following.

HOSTNAME.crt: OK

7. Concatenate CRT and KEY files into PEM file

cat %HOSTNAME%.crt %HOSTNAME%.key > %HOSTNAME%.pem

Install Certificate Files on Mongo DB Servers

1. Upload files to each Mongo DB server to a /tmp folder

  • MyRootCA.crt
  • MyMongoServer.com.pem

2. Move the files to the proper folder

cd /etc/ssl
mv MyRootCA.crt .
. . .

3. Adjust security on uploaded files

chown root:root MyRootCA.crt

=Install Certificate Files on Web Servers





ScrewTurn Wiki version 3.0.1.400. Some of the icons created by FamFamFam. Except where noted, all contents Copyright © 1999-2024, Patrick Jasinski.