From a115940e9ea39d436a35006cc9b182a8b9883bc8 Mon Sep 17 00:00:00 2001
From: norareidy
Date: Wed, 19 Feb 2025 14:37:34 -0500
Subject: [PATCH 1/6] DOCSP-44856: x509 authentication fixes
---
source/fundamentals/authentication.txt | 14 ++++++++++++--
source/includes/fundamentals/code-snippets/auth.rs | 2 +-
2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/source/fundamentals/authentication.txt b/source/fundamentals/authentication.txt
index fdcbb4a1..ab95acd7 100644
--- a/source/fundamentals/authentication.txt
+++ b/source/fundamentals/authentication.txt
@@ -286,8 +286,18 @@ When you specify this authentication mechanism, the server authenticates the connection by reading the following files: - A certificate authority (CA) file, which contains one or more - certificate authorities to trust when making a TLS connection -- A certificate key file, which references the client certificate private key + certificate authorities to trust when making a TLS connection. + Before connecting to the server, the driver uses this file to verify that the + server's certificate is from the specified certificate authorities. + +- A certificate key file, which contains the client certificate + and private key. The driver presents this file to the server to + verify the client. + +.. tip:: + + To learn more about X.509 certificates, see + :manual:`x.509 ` in the {+server+} manual. To specify the ``MONGODB-X509`` authentication mechanism, set the ``mechanism`` field of your ``Credential`` struct to
diff --git a/source/includes/fundamentals/code-snippets/auth.rs b/source/includes/fundamentals/code-snippets/auth.rs
index da701da9..34c45939 100644
--- a/source/includes/fundamentals/code-snippets/auth.rs
+++ b/source/includes/fundamentals/code-snippets/auth.rs
@@ -80,7 +80,7 @@ async fn main() -> mongodb::error::Result<()> { tlsCertificateKeyFilePassword = "" ); let mut client_options = ClientOptions::parse(uri).await?; - let x509_cred = Credential::builder().mechanism(AuthMechanism::MongoDbAws).build(); + let x509_cred = Credential::builder().mechanism(AuthMechanism::MongoDbX509).build(); client_options.credential = Some(x509_cred); let client = Client::with_options(client_options)?;
From 1dabf384b9a10a2f73869525f6ee5d7a12bfd344 Mon Sep 17 00:00:00 2001
From: norareidy
Date: Wed, 19 Feb 2025 14:39:19 -0500
Subject: [PATCH 2/6] fix
---
source/fundamentals/authentication.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source/fundamentals/authentication.txt b/source/fundamentals/authentication.txt
index ab95acd7..b069c762 100644
--- a/source/fundamentals/authentication.txt
+++ b/source/fundamentals/authentication.txt
@@ -297,7 +297,7 @@ the connection by reading the following files: .. tip:: To learn more about X.509 certificates, see - :manual:`x.509 ` in the {+server+} manual. + :manual:`X.509 ` in the {+server+} manual. To specify the ``MONGODB-X509`` authentication mechanism, set the ``mechanism`` field of your ``Credential`` struct to
From d6357bfb357c1eeeaf6d1be783da6590e5ac827b Mon Sep 17 00:00:00 2001
From: norareidy
Date: Wed, 19 Feb 2025 14:46:34 -0500
Subject: [PATCH 3/6] fix code
---
source/fundamentals/authentication.txt | 2 +-
source/includes/fundamentals/code-snippets/auth.rs | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/source/fundamentals/authentication.txt b/source/fundamentals/authentication.txt
index b069c762..bd55f608 100644
--- a/source/fundamentals/authentication.txt
+++ b/source/fundamentals/authentication.txt
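Review bot: The credential on the added line is built from the mechanism alone, and nothing in the snippet tells a reader why no username or password is set for MONGODB-X509; the page's prose states that the user is identified by the RDNs of the client certificate, so a comment on that line would close the gap, e.g. `// No username/password: the server identifies the user from the client certificate named by tlsCertificateKeyFile.` The switch from MongoDbAws to MongoDbX509 itself is correct for the certificate-based URI configured just above, so only the documentation is missing. The enclosing `main` starts before this hunk and continues after it.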
@@ -288,7 +288,7 @@ the connection by reading the following files: - A certificate authority (CA) file, which contains one or more certificate authorities to trust when making a TLS connection. Before connecting to the server, the driver uses this file to verify that the - server's certificate is from the specified certificate authorities. + server's certificate is from one of the specified certificate authorities. - A certificate key file, which contains the client certificate and private key. The driver presents this file to the server to
diff --git a/source/includes/fundamentals/code-snippets/auth.rs b/source/includes/fundamentals/code-snippets/auth.rs
index 34c45939..08759356 100644
--- a/source/includes/fundamentals/code-snippets/auth.rs
+++ b/source/includes/fundamentals/code-snippets/auth.rs
@@ -74,7 +74,7 @@ async fn main() -> mongodb::error::Result<()> { // start-x509 let uri = format!( - "mongodb://:/?tlsCAFile={tlsCAFile}&tlsCertificateKeyFile={tlsCertificateKeyFile}", + "mongodb://:/?tlsCAFile={tlsCAFile}&tlsCertificateKeyFile={tlsCertificateKeyFile}&tlsCertificateKeyFilePassword={tlsCertificateKeyFilePassword}", tlsCAFile = "", tlsCertificateKeyFile = "", tlsCertificateKeyFilePassword = ""
From 9960020d1cda13cfe7de4ea472623c400082646e Mon Sep 17 00:00:00 2001
From: norareidy
Date: Wed, 19 Feb 2025 14:54:20 -0500
Subject: [PATCH 4/6] wording
---
source/fundamentals/authentication.txt | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/source/fundamentals/authentication.txt b/source/fundamentals/authentication.txt
index bd55f608..f0d87cde 100644
--- a/source/fundamentals/authentication.txt
+++ b/source/fundamentals/authentication.txt
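Review bot: The added URI line now carries the private-key password as a query parameter, so the snippet should tell readers not to keep it in source: the `tlsCertificateKeyFilePassword = ""` argument should come from an environment variable or secret store, and the assembled URI must itself be treated as a secret because it would expose the password if it were ever logged or included in an error message. A comment such as `// The URI embeds the key password: load it from a secret store and never log the URI.` above the `let uri = format!(` line would be enough. The empty-string arguments appear to be angle-bracket placeholders lost in rendering rather than literal values, which is worth confirming in the rendered page. The same string is reflowed in patch 6 (the hunk on line 5), where the note applies equally. The enclosing `main` starts before this hunk and continues after it.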
@@ -282,8 +282,8 @@ The ``MONGODB-X509`` authentication mechanism uses Transport Level Security (TLS with X.509 certificates to authenticate your user, which is identified by the relative distinguished names (RDNs) of your client certificate. -When you specify this authentication mechanism, the server authenticates -the connection by reading the following files: +When specifying this authentication mechanism, you must provide the +following files: - A certificate authority (CA) file, which contains one or more certificate authorities to trust when making a TLS connection.
From 139ac535aa2b87aaed064f83735d0c7a0abeeef0 Mon Sep 17 00:00:00 2001
From: norareidy
Date: Wed, 19 Feb 2025 15:24:49 -0500
Subject: [PATCH 5/6] JS feedback
---
source/fundamentals/authentication.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source/fundamentals/authentication.txt b/source/fundamentals/authentication.txt
index f0d87cde..9ebabc38 100644
--- a/source/fundamentals/authentication.txt
+++ b/source/fundamentals/authentication.txt
@@ -297,7 +297,7 @@ following files: .. tip:: To learn more about X.509 certificates, see - :manual:`X.509 ` in the {+server+} manual. + :manual:`x.509 ` in the {+server+} manual. To specify the ``MONGODB-X509`` authentication mechanism, set the ``mechanism`` field of your ``Credential`` struct to
From c347eb4486c7507b5b374c3ffec2598828c78fa4 Mon Sep 17 00:00:00 2001
From: norareidy
Date: Wed, 19 Feb 2025 16:35:15 -0500
Subject: [PATCH 6/6] IA feedback
---
source/includes/fundamentals/code-snippets/auth.rs | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/source/includes/fundamentals/code-snippets/auth.rs b/source/includes/fundamentals/code-snippets/auth.rs
index 08759356..824fdfc5 100644
--- a/source/includes/fundamentals/code-snippets/auth.rs
+++ b/source/includes/fundamentals/code-snippets/auth.rs
@@ -74,7 +74,9 @@ async fn main() -> mongodb::error::Result<()> { // start-x509 let uri = format!( - "mongodb://:/?tlsCAFile={tlsCAFile}&tlsCertificateKeyFile={tlsCertificateKeyFile}&tlsCertificateKeyFilePassword={tlsCertificateKeyFilePassword}", + "mongodb://:/?tlsCAFile={tlsCAFile}\ + &tlsCertificateKeyFile={tlsCertificateKeyFile}\ + &tlsCertificateKeyFilePassword={tlsCertificateKeyFilePassword}", tlsCAFile = "", tlsCertificateKeyFile = "", tlsCertificateKeyFilePassword = ""