Page History: Configuring Encryption in Transit - Mongo DB

Page Revision: Fri, Jul 15, 2016, 8:39 AM


Overview

This article provides the steps to configure encryption in transit (TLS/SSL) for Mongo DB, using a private root CA whose certificates are installed on the Mongo DB servers and on the web servers that connect to them.

Assumptions

  • The client machines are assumed to be web servers.
  • The Mongo DB instances are assumed to be running on Linux server(s).
  • All servers are running as EC2 server instances under Amazon Web Services.

Procedure

Prep Work

1. Set HOSTNAME and ROOTCA environment variables.

Windows
SET HOSTNAME=PublicDnsOfServer
SET ROOTCA=MyRootCA

Linux
HOSTNAME='PublicDnsOfServer'
ROOTCA='MyRootCA'
export HOSTNAME
export ROOTCA

Notice

All the commands for the rest of this procedure are the versions for Windows. The equivalent Linux command is found by replacing %HOSTNAME% with $HOSTNAME and %ROOTCA% with $ROOTCA.


Create the Root Certificate Authority Certificate

This part of the procedure should be done on a PROTECTED machine — i.e., NOT the Mongo DB or web server.

1. Create a folder to hold the Root CA Files

mkdir %ROOTCA%
cd %ROOTCA%

2. Generate an RSA key pair

openssl genrsa -out %ROOTCA%.key 2048
openssl rsa -in %ROOTCA%.key -out %ROOTCA%.key

3. Generate the Root CA Certificate

openssl req -x509 -new -key %ROOTCA%.key -days 365 -out %ROOTCA%.crt

4. Concatenate the CRT and KEY files into a PEM file

type %ROOTCA%.crt %ROOTCA%.key > %ROOTCA%.pem

On Linux, use the cat command instead of type.

Generate SSL Certificate for Each Server

This part of the procedure should be done on a PROTECTED machine on behalf of each Mongo DB server, as well as each web server.

1. Create a folder for each server's files as a sibling to the MyRootCA folder created above. The previous part left you inside the %ROOTCA% folder, so move up one level first; the relative paths in step 4 (..\%ROOTCA%\...) depend on the two folders being siblings.

cd ..
mkdir %HOSTNAME%
cd %HOSTNAME%

2. Generate Key Pair for the Server

openssl genrsa -out %HOSTNAME%.key 2048
openssl rsa -in %HOSTNAME%.key -out %HOSTNAME%.key

3. Create CSR (Certificate Signing Request)

openssl req -new -key %HOSTNAME%.key -out %HOSTNAME%.csr

  • Fill in the fields manually when prompted.
  • When prompted for the Common Name for the CSR, type the server's actual Public DNS Name. Do NOT type %HOSTNAME%: the openssl prompt does not expand environment variables, and the Common Name must match the name clients will connect to or they will reject the certificate.

4. Fulfill the CSR

openssl x509 -req -in %HOSTNAME%.csr -CA ..\%ROOTCA%\%ROOTCA%.crt -CAkey ..\%ROOTCA%\%ROOTCA%.key -CAcreateserial -out %HOSTNAME%.crt -days 365

5. Validate the certificate against the CA file

openssl verify -CAfile ..\%ROOTCA%\%ROOTCA%.crt %HOSTNAME%.crt

You should get the following output (with your server's name in place of HOSTNAME):

HOSTNAME.crt: OK

6. Concatenate CRT and KEY files into PEM file

type %HOSTNAME%.crt %HOSTNAME%.key > %HOSTNAME%.pem

On Linux, use the cat command instead of type.
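Added check, not part of the original procedure: a POSIX shell function that validates a server PEM from step 6 before it is uploaded. Step 5 only checks the chain; this also confirms that the certificate's name matches the server's Public DNS Name, that the certificate and private key in the PEM belong together, and that the file is not readable by other users. It assumes the openssl command-line tool is installed and the file names used in this procedure.

```shell
# Added check (not part of the original procedure): validate a server PEM
# produced above before uploading it. Assumes the openssl CLI is installed.
# Usage: check_server_pem ../MyRootCA/MyRootCA.crt PublicDnsOfServer.pem PublicDnsOfServer
check_server_pem() {
  cafile=$1
  pem=$2
  host=$3

  # 1. Chain to our root CA AND name match. This procedure creates no SAN, so
  #    openssl falls back to the Common Name, which must equal the public DNS
  #    name clients connect to; otherwise clients reject the handshake.
  if ! openssl x509 -in "$pem" 2>/dev/null \
       | openssl verify -CAfile "$cafile" -verify_hostname "$host" >/dev/null 2>&1; then
    echo "FAIL: $pem does not verify against $cafile for host $host"
    return 1
  fi

  # 2. The certificate and the private key concatenated into the PEM must
  #    belong together: the public key derived from each half must be identical.
  certpub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
  keypub=$(openssl pkey -in "$pem" -pubout 2>/dev/null)
  if [ -z "$certpub" ] || [ "$certpub" != "$keypub" ]; then
    echo "FAIL: certificate and private key in $pem do not match"
    return 1
  fi

  # 3. The PEM contains the private key: refuse a file that other users can
  #    read (GNU stat first, BSD stat as fallback).
  perms=$(stat -c '%a' "$pem" 2>/dev/null || stat -f '%Lp' "$pem" 2>/dev/null)
  case "$perms" in
    *[1-7])
      echo "FAIL: $pem is readable by other users (mode $perms); run chmod 600"
      return 1 ;;
  esac

  echo "OK: $pem is valid for $host and signed by $cafile"
  return 0
}

# Run directly with three arguments; when sourced, only the function is defined.
if [ "$#" -eq 3 ]; then
  check_server_pem "$@"
fi
```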

Install Certificate Files on Mongo DB Servers

1. Set environment variables

HOSTNAME='PublicDnsOfServer'
ROOTCA='MyRootCA'
export HOSTNAME
export ROOTCA

2. Upload the following files to the /home/ec2-user folder on each Mongo DB server (MyMongoServer.com stands for that server's Public DNS Name):

  • MyRootCA.crt
  • MyMongoServer.com.pem

3. Move the files to the proper folder

cd /etc/ssl
mv /home/ec2-user/$ROOTCA.crt .
mv /home/ec2-user/$HOSTNAME.pem .

4. Adjust security on the uploaded files. The .pem file contains the server's private key, so it must be readable by the account the mongod service runs under and by no one else.

chown root:root $ROOTCA.crt
chown root:root $HOSTNAME.pem

5. Adjust Mongo DB configuration: edit /etc/mongod.conf, adding the following ssl: block under the net: section. CAFile must point at the root CA certificate uploaded in step 2 (MyRootCA.crt), not at the server's own certificate, because it is used to validate the certificates presented by connecting clients.

net:
   ssl:
      mode: requireSSL
      PEMKeyFile: /etc/ssl/MyMongoServer.com.pem
      CAFile: /etc/ssl/MyRootCA.crt

6. Validate the above change

grep -i ssl /etc/mongod.conf

7. Restart the Mongo DB service

service mongod status
service mongod stop
service mongod status
service mongod start
service mongod status

8. Verify you can log into Mongo locally over SSL

mongo --ssl --sslCAFile "/etc/ssl/$ROOTCA.crt" --sslPEMKeyFile "/etc/ssl/$HOSTNAME.pem" --host $HOSTNAME -u root admin -p



Install Certificate Files on Web Servers





Except where noted, all contents Copyright © 1999-2024, Patrick Jasinski.