Configuring Encryption in Transit - Mongo DB

Modified on Mon, Jul 18, 2016, 7:40 AM by Administrator. Categorized as Mongo DB.

Overview

This article describes the steps to configure encryption in transit (TLS/SSL) for Mongo DB.

Assumptions

  • The client machines are assumed to be web servers.
  • The Mongo DB instances are assumed to be running on Linux server(s).
  • All servers are running as EC2 server instances under Amazon Web Services.

Procedure

Create the Root Certificate Authority Certificate

This part of the procedure should be done on a PROTECTED machine — i.e., NOT the Mongo DB or web server.

1. Set the ROOTCA environment variable.

Windows
SET ROOTCA=MyRootCA

Linux
ROOTCA='MyRootCA'
export ROOTCA

2. Create a folder to hold the Root CA files.

Windows
mkdir %ROOTCA%
cd %ROOTCA%

Linux
mkdir $ROOTCA
cd $ROOTCA

3. Generate an RSA key pair

Windows
openssl genrsa -out %ROOTCA%.key 2048

Linux
openssl genrsa -out $ROOTCA.key 2048

4. Generate the Root CA Certificate

Windows
openssl req -x509 -new -key %ROOTCA%.key -days 365 -out %ROOTCA%.crt

Linux
openssl req -x509 -new -key $ROOTCA.key -days 365 -out $ROOTCA.crt

  • Fill in the fields manually when prompted.
  • When prompted for the Common Name, enter the name of your Root CA literally (the openssl prompt does not expand variables, so do NOT type %ROOTCA% or $ROOTCA).

5. Concatenate the CRT and KEY files into a PEM file

Windows
type %ROOTCA%.crt %ROOTCA%.key > %ROOTCA%.pem

Linux
cat $ROOTCA.crt $ROOTCA.key > $ROOTCA.pem

Generate SSL Certificate for Each Server

This part of the procedure should be done on a PROTECTED machine on behalf of each Mongo DB server, as well as each web server.

1. Set the HOSTNAME environment variable.

Windows
SET HOSTNAME=PublicDnsOfServer

Linux
HOSTNAME='PublicDnsOfServer'
export HOSTNAME

2. Create a folder for each server's files as a sibling to the MyRootCA folder created above.

Windows
mkdir %HOSTNAME%
CD %HOSTNAME%

Linux
mkdir $HOSTNAME
cd $HOSTNAME

3. Generate Key Pair for the Server

Windows
openssl genrsa -out %HOSTNAME%.key 2048

Linux
openssl genrsa -out $HOSTNAME.key 2048

4. Create CSR (Certificate Signing Request)

Windows
openssl req -new -key %HOSTNAME%.key -out %HOSTNAME%.csr

Linux
openssl req -new -key $HOSTNAME.key -out $HOSTNAME.csr

  • Fill in the fields manually when prompted.
  • When prompted for the Common Name for the CSR, enter the Public DNS Name of the server literally (the openssl prompt does not expand variables, so do NOT type %HOSTNAME% or $HOSTNAME).

5. Fulfill the CSR, i.e. sign it with the Root CA key

Windows
openssl x509 -req -in %HOSTNAME%.csr -CA ..\%ROOTCA%\%ROOTCA%.crt -CAkey ..\%ROOTCA%\%ROOTCA%.key -CAcreateserial -out %HOSTNAME%.crt -days 365

Linux
openssl x509 -req -in $HOSTNAME.csr -CA ../$ROOTCA/$ROOTCA.crt -CAkey ../$ROOTCA/$ROOTCA.key -CAcreateserial -out $HOSTNAME.crt -days 365

6. Validate the certificate against the CA file

Windows
openssl verify -CAfile ..\%ROOTCA%\%ROOTCA%.crt %HOSTNAME%.crt

Linux
openssl verify -CAfile ../$ROOTCA/$ROOTCA.crt $HOSTNAME.crt

You should get the following, with the value of HOSTNAME in place of HOSTNAME.

HOSTNAME.crt: OK

7. Concatenate CRT and KEY files into PEM file

Windows
type %HOSTNAME%.crt %HOSTNAME%.key > %HOSTNAME%.pem

Linux
cat $HOSTNAME.crt $HOSTNAME.key > $HOSTNAME.pem
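The two procedures above (root CA, then one certificate per server) as a single non-interactive script. This is an added example, not part of the wiki page: it writes the same files the manual steps produce (KEY, CRT, CSR and the concatenated PEM, each server in its own folder next to the MyRootCA folder) but supplies the Common Name through a private openssl config instead of the interactive prompt, so the "do NOT type $ROOTCA" mistake cannot happen. It also goes one step beyond the page by adding a subjectAltName that carries the hostname, because current TLS clients match the hostname against the SAN rather than the Common Name. Assumed: openssl in PATH, a scratch directory in WORKDIR, and the placeholder names MyRootCA and db1.example.internal.

```shell
#!/bin/sh
# Added example (not from the wiki page): non-interactive Root CA and per-server certificates.
# Assumptions: openssl in PATH; WORKDIR is a scratch directory; "MyRootCA" and the hostnames
# passed on the command line are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
ROOTCA="${ROOTCA:-MyRootCA}"

# "Create the Root Certificate Authority Certificate": key pair, self-signed CA certificate,
# and the CRT+KEY concatenation the page calls the PEM file.
make_root_ca() {
    ca_dir="$WORKDIR/$ROOTCA"
    mkdir -p "$ca_dir"
    # A private openssl config so nothing depends on the system openssl.cnf.
    cat > "$ca_dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = $ROOTCA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$ca_dir/$ROOTCA.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$ca_dir/$ROOTCA.key" -days 365 \
        -config "$ca_dir/ca.cnf" -out "$ca_dir/$ROOTCA.crt"
    cat "$ca_dir/$ROOTCA.crt" "$ca_dir/$ROOTCA.key" > "$ca_dir/$ROOTCA.pem"
}

# "Generate SSL Certificate for Each Server": key, CSR, CA-signed certificate, PEM.
make_server_cert() {
    host="$1"
    srv_dir="$WORKDIR/$host"
    ca_dir="$WORKDIR/$ROOTCA"
    mkdir -p "$srv_dir"
    cat > "$srv_dir/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
EOF
    # Extensions applied when the CA signs: leaf certificate, hostname as SAN.
    cat > "$srv_dir/ext.cnf" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:$host
EOF
    openssl genrsa -out "$srv_dir/$host.key" 2048 2>/dev/null
    openssl req -new -key "$srv_dir/$host.key" -config "$srv_dir/req.cnf" \
        -out "$srv_dir/$host.csr"
    openssl x509 -req -in "$srv_dir/$host.csr" \
        -CA "$ca_dir/$ROOTCA.crt" -CAkey "$ca_dir/$ROOTCA.key" -CAcreateserial \
        -days 365 -extfile "$srv_dir/ext.cnf" -out "$srv_dir/$host.crt" 2>/dev/null
    cat "$srv_dir/$host.crt" "$srv_dir/$host.key" > "$srv_dir/$host.pem"
}

# The page's validation step: prints "<path>: OK" and returns non-zero if the chain fails.
verify_server_cert() {
    openssl verify -CAfile "$WORKDIR/$ROOTCA/$ROOTCA.crt" "$WORKDIR/$1/$1.crt"
}

# 'openssl verify' does not check the name, so confirm the SAN really is in the certificate.
cert_has_san() {
    openssl x509 -in "$WORKDIR/$1/$1.crt" -noout -text | grep -q "DNS:$1"
}

# Usage: sh mongo_pki.sh db1.example.internal web1.example.internal
if [ $# -gt 0 ]; then
    make_root_ca
    for h in "$@"; do
        make_server_cert "$h"
        verify_server_cert "$h"
    done
    echo "Certificates written under $WORKDIR"
fi
```

Run it on the protected machine with one argument per Mongo DB or web server; the resulting folder layout is the one the manual steps describe, so the install sections below apply unchanged.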

Install Certificate Files on Mongo DB Servers

1. Set environment variables

HOSTNAME='PublicDnsOfServer'
ROOTCA='MyRootCA'
export HOSTNAME
export ROOTCA

2. Upload the following files to the /home/ec2-user folder on each Mongo DB server (MyMongoServer.com stands for the server's Public DNS name, i.e. the value of HOSTNAME)

  • MyRootCA.crt
  • MyMongoServer.com.pem

3. Move the files to the proper folder

cd /etc/ssl
mv /home/ec2-user/$ROOTCA.crt .
mv /home/ec2-user/$HOSTNAME.pem .

4. Adjust ownership of the uploaded files

chown root:root $ROOTCA.crt
chown root:root $HOSTNAME.pem

5. Adjust the Mongo DB configuration: edit /etc/mongod.conf, adding the following lines to the net: section (the file names are the ones uploaded in step 2, i.e. $HOSTNAME.pem and $ROOTCA.crt)

   ssl:
      mode: requireSSL
      PEMKeyFile: /etc/ssl/MyMongoServer.com.pem
      CAFile: /etc/ssl/MyRootCA.crt

6. Validate the above change

grep ssl /etc/mongod.conf

7. Restart the Mongo DB service

service mongod status
service mongod stop
service mongod status
service mongod start
service mongod status

8. Verify you can log into Mongo locally

mongo --ssl --sslCAFile "/etc/ssl/$ROOTCA.crt" --sslPEMKeyFile "/etc/ssl/$HOSTNAME.pem" --host $HOSTNAME -u root admin -p
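A pre-restart check for the install steps above, added here as an example and not part of the original page. Instead of grepping for the word ssl, it reads the ssl: block out of mongod.conf and confirms that the mode is requireSSL, that both referenced files exist (this catches a path typo such as MyRootCA.com.crt when the uploaded file is MyRootCA.crt), that the PEM holds both a certificate and a private key, and it warns when the key-bearing PEM is readable by every user, since chown root:root on its own leaves the file mode as it was. Assumed: a YAML config with one key per line as in the fragment above; the paths and file names used in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the wiki page): consistency checks for the ssl: block in mongod.conf
# and the files it references. Assumes one key per line, as in the fragment above.
set -eu

# Print the value of one key (mode, PEMKeyFile, CAFile) from the config; first match wins.
conf_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# PEMKeyFile only works if the file carries both a certificate and a private key block.
pem_has_cert_and_key() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && grep -q -- 'PRIVATE KEY-----' "$1"
}

# True when "others" have no permission bits on the file (the PEM contains a private key).
not_world_readable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ $((mode % 10)) -eq 0 ]
}

# Run every check against a mongod.conf. Prints one line per finding and returns the number
# of hard failures (warnings do not count), so 0 means the service can be restarted.
check_mongod_tls() {
    conf="$1"
    failures=0

    mode_value=$(conf_value "$conf" mode)
    [ "$mode_value" = "requireSSL" ] || {
        echo "FAIL: mode is '${mode_value:-unset}', expected requireSSL"
        failures=$((failures + 1))
    }

    for key in PEMKeyFile CAFile; do
        f=$(conf_value "$conf" "$key")
        if [ -z "$f" ]; then
            echo "FAIL: $key is missing from the ssl: block"
            failures=$((failures + 1))
        elif [ ! -r "$f" ]; then
            # Typical cause: the path in the config does not match the uploaded file name.
            echo "FAIL: $key points to $f, which does not exist or is not readable"
            failures=$((failures + 1))
        fi
    done

    pem=$(conf_value "$conf" PEMKeyFile)
    if [ -n "$pem" ] && [ -r "$pem" ]; then
        pem_has_cert_and_key "$pem" || {
            echo "FAIL: $pem lacks a CERTIFICATE or PRIVATE KEY block"
            failures=$((failures + 1))
        }
        not_world_readable "$pem" ||
            echo "WARN: $pem is readable by all users and contains the private key"
    fi

    echo "$failures failure(s) in $conf"
    return "$failures"
}

# Usage: sh check_mongod_tls.sh /etc/mongod.conf
if [ $# -gt 0 ]; then
    check_mongod_tls "$1"
fi
```

Run it as root on the Mongo DB server after editing the config and before the service restart; a non-zero exit means mongod would fail to start or start without the files it needs.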

Install Certificate Files on Web Servers





Except where noted, all contents Copyright © 1999-2018, Patrick Jasinski.