
Implementing Transport Layer Security (TLS) for MongoDB Replica Set

  • Post category: RedHat

This guide gives step-by-step instructions for setting up TLS (Transport Layer Security) for a MongoDB replica set. With the configuration file and commands below you can establish encrypted communication between MongoDB clients and servers, and between the replica set members themselves. TLS protects the confidentiality and integrity of the data transmitted between the two endpoints.

Most of the articles on the web were signing the TLS certificate using a CA on the Linux server itself. My requirement was to sign the CSR using the existing Windows Certificate Authority.

Requirements

  • MongoDB installed on each replica set member
  • The following requirements need to be considered for MongoDB certificate subjects:
    • Issuing Authority: Both client and server certificates should be issued by the same Certificate Authority (CA).
    • Organization, Organizational Unit, and Domain Components: The values for Organization (O), Organizational Unit (OU), and Domain Components (DC) must match those of the certificates used by other members in the cluster.
    • Client Certificate Subjects: The subjects of client certificates must differ from the cluster members’ certificates in at least one of the following: Organization (O), Organizational Unit (OU), or Domain Component (DC).
    • Common Name (CN) or Subject Alternative Name (SAN): Either the Common Name (CN) or one of the entries in the Subject Alternative Name (SAN) must match the hostname of the server. Starting from MongoDB 4.2, MongoDB supports comparison of DNS names or IP addresses when performing SAN comparison. In previous versions, MongoDB only supported DNS name comparisons.

By ensuring these requirements are met, you can establish proper certificate configuration for MongoDB and maintain consistency within the cluster.

Step 1: Create a Configuration File

Create a file named openssl-san.cnf and paste the following configuration into it:

[req]
default_bits = 2048
# Take the subject values below literally instead of treating them as prompt
# labels (the -subj argument passed in Step 2 overrides them either way).
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext

[req_distinguished_name]
countryName = US
stateOrProvinceName = VA
localityName = woodbridge
organizationName = bomzan
organizationalUnitName = IT
commonName = mongo-db1.bomzan.net

[req_ext]
subjectAltName = @alt_names

# The SAN is specific to one member: before generating the CSR for mongo-db2 or
# mongo-db3, change the DNS and IP entries to that member's name and address.
# Addresses must be IP entries; an address placed in a DNS entry is not matched
# as an IP address.
[alt_names]
DNS.1 = mongo-db1.bomzan.net
IP.1 = 192.168.10.145
IP.2 = 127.0.0.1

Save the file.

Step 2: Create Key and CSR for Members of Replica Set

Run the following commands to generate a key and certificate signing request (CSR) for each member of the replica set:

openssl req -newkey rsa:2048 -nodes -out mongo-db1.csr -keyout mongo-db1.key -subj '/CN=mongo-db1.bomzan.net/OU=IT/O=bomzan/L=woodbridge/ST=VA/C=US' -config openssl-san.cnf

openssl req -newkey rsa:2048 -nodes -out mongo-db2.csr -keyout mongo-db2.key -subj '/CN=mongo-db2.bomzan.net/OU=IT/O=bomzan/L=woodbridge/ST=VA/C=US' -config openssl-san.cnf

openssl req -newkey rsa:2048 -nodes -out mongo-db3.csr -keyout mongo-db3.key -subj '/CN=mongo-db3.bomzan.net/OU=IT/O=bomzan/L=woodbridge/ST=VA/C=US' -config openssl-san.cnf
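Because the same openssl-san.cnf is passed for all three members, every CSR generated this way would carry mongo-db1's SAN. As an added example (not part of the original post), the script below renders a per-member copy of the config and generates that member's key and CSR with the DN the post uses; the 192.168.10.146 address in the usage comment is constructed.

```shell
# Print an openssl req config whose SAN names only this member (host, ip).
render_san_cnf() {
  host=$1
  ip=$2
  cat <<EOF
[req]
default_bits = 2048
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext

[req_distinguished_name]
countryName = US
stateOrProvinceName = VA
localityName = woodbridge
organizationName = bomzan
organizationalUnitName = IT
commonName = $host

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = $host
IP.1 = $ip
IP.2 = 127.0.0.1
EOF
}

# Write the config and produce <shortname>.key / <shortname>.csr for one member,
# then print the SAN actually embedded so a mix-up is caught before signing.
make_member_csr() {
  host=$1; ip=$2
  short=${host%%.*}
  render_san_cnf "$host" "$ip" > "openssl-san-$short.cnf"
  openssl req -newkey rsa:2048 -nodes -keyout "$short.key" -out "$short.csr" \
    -subj "/CN=$host/OU=IT/O=bomzan/L=woodbridge/ST=VA/C=US" \
    -config "openssl-san-$short.cnf"
  openssl req -in "$short.csr" -noout -text | grep -A1 'Subject Alternative Name'
}

# Example usage (the .146 address is constructed; the post gives only .145):
# make_member_csr mongo-db1.bomzan.net 192.168.10.145
# make_member_csr mongo-db2.bomzan.net 192.168.10.146
```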

Step 3: Sign the Certificate Signing Requests with Windows CA

Submit the CSR files to a Windows Certificate Authority (CA) through its certificate web enrollment page (http://caserver/certsrv), following the CA's instructions for signing CSRs. Use the Server-Client certificate template and obtain a signed certificate for each member of the replica set.

Step 4: Create PEM file for Each Replica Set Member

After receiving the signed certificates, create a PEM file for each member of the replica set by combining the certificate and private key. Run the following commands:

cat mongo-db1.cer > mongo-db1.pem
cat mongo-db1.key >> mongo-db1.pem

Repeat these commands for each replica set member, replacing the appropriate file names (e.g., mongo-db2.cer, mongo-db2.key for the second member, and so on).
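Before mongod loads the PEM files from Step 4 it is worth checking them against the Requirements list at the top of the post. These shell functions are an added example, not part of the original post: they confirm the private key belongs to the certificate, that the member's hostname appears in the SAN (or CN), and that a client subject differs from a member subject in O, OU or DC. File names follow the post and the openssl CLI is assumed.

```shell
# Succeeds when the private key in PEM is the one the certificate was issued for.
pem_key_matches_cert() {
  pem=$1
  cert_pub=$(openssl x509 -in "$pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$pem" -pubout)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when HOST appears as a DNS or IP SAN entry, or as the CN if the
# certificate carries no SAN at all (the rule in the Requirements list).
pem_names_host() {
  pem=$1; host=$2
  san=$(openssl x509 -in "$pem" -noout -ext subjectAltName 2>/dev/null)
  if [ -n "$san" ]; then
    printf '%s\n' "$san" | tr ',' '\n' | grep -Eq "^ *(DNS|IP Address):$host\$"
  else
    openssl x509 -in "$pem" -noout -subject | grep -q "CN *= *$host"
  fi
}

# Subject of a certificate in RFC 2253 form, e.g.
# CN=mongo-db1.bomzan.net,OU=IT,O=bomzan,L=woodbridge,ST=VA,C=US
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# All values of one attribute (O, OU or DC) in an RFC 2253 subject, ';'-joined.
subject_attr() {
  printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | tr '\n' ';'
}

# Succeeds when the client subject ($2) differs from the member subject ($1)
# in at least one of O, OU or DC, as MongoDB requires for client certificates.
client_subject_distinct() {
  for a in O OU DC; do
    if [ "$(subject_attr "$1" "$a")" != "$(subject_attr "$2" "$a")" ]; then
      return 0
    fi
  done
  return 1
}

# Example usage with the post's file names:
# pem_key_matches_cert mongo-db1.pem && pem_names_host mongo-db1.pem mongo-db1.bomzan.net
# client_subject_distinct "$(cert_subject mongo-db1.pem)" "$(cert_subject client.pem)"
```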

Step 5: Create Key and CSR for Clients of Replica Set

Similar to Step 2, generate a key and CSR file for the clients of the MongoDB replica set. Run the following command:

openssl req -newkey rsa:2048 -nodes -out client.csr -keyout client.key -subj '/CN=admin/OU=MONGO_CLIENTS/O=bomzan/L=woodbridge/ST=VA/C=US'


Step 6: Create PEM file for the client

After the client CSR has been signed by the CA, create a PEM file for the client by combining the certificate and private key:

cat client.cer client.key > client.pem

Step 7: Download the Root CA certificate as DER and convert it to .crt

openssl x509 -inform DER -in bomzan-ca.cer -out bomzan_ca.crt

Copy the file to the location given for CAFile in the mongod.conf file (Step 8).


Step 8: Update mongod.conf File

Open the mongod.conf file on each replica set member and add the following configuration under the net section:

net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/mongodb/mongo-db1.pem
    CAFile: /etc/ssl/bomzan_ca.crt

Make sure to adjust the certificateKeyFile path to the appropriate location of the PEM file for each replica set member.

Step 9: Connect to MongoDB with TLS

To connect to the MongoDB replica set using TLS, use the following command:

mongosh --tls --host mongo-db1.bomzan.net --tlsCertificateKeyFile client.pem --tlsCAFile /etc/bomzan_ca.crt -u test -p --authenticationDatabase admin

Note: the tlsCertificateKeyFile option (the client certificate) alone does not authenticate you to the MongoDB instance. It only provides the client with a certificate and key that are used to establish the TLS/SSL connection to the server. To authenticate to the MongoDB instance, you need to provide the username and password of a user that has the appropriate privileges.