Merged
18 changes: 14 additions & 4 deletions source/fundamentals/authentication.txt
Expand Up @@ -282,12 +282,22 @@ The ``MONGODB-X509`` authentication mechanism uses Transport Level Security (TLS
with X.509 certificates to authenticate your user, which is identified
by the relative distinguished names (RDNs) of your client certificate.

When you specify this authentication mechanism, the server authenticates
the connection by reading the following files:
When specifying this authentication mechanism, you must provide the
following files:

- A certificate authority (CA) file, which contains one or more
certificate authorities to trust when making a TLS connection
- A certificate key file, which references the client certificate private key
certificate authorities to trust when making a TLS connection.
Before connecting to the server, the driver uses this file to verify that the
server's certificate is from one of the specified certificate authorities.

- A certificate key file, which contains the client certificate
and private key. The driver presents this file to the server to
verify the client.

.. tip::

To learn more about X.509 certificates, see
:manual:`x.509 </core/security-x.509/>` in the {+server+} manual.

To specify the ``MONGODB-X509`` authentication mechanism, set the
``mechanism`` field of your ``Credential`` struct to
6 changes: 4 additions & 2 deletions source/includes/fundamentals/code-snippets/auth.rs
Expand Up @@ -74,13 +74,15 @@ async fn main() -> mongodb::error::Result<()> {

// start-x509
let uri = format!(
"mongodb://<hostname>:<port>/?tlsCAFile={tlsCAFile}&tlsCertificateKeyFile={tlsCertificateKeyFile}",
"mongodb://<hostname>:<port>/?tlsCAFile={tlsCAFile}\
&tlsCertificateKeyFile={tlsCertificateKeyFile}\
&tlsCertificateKeyFilePassword={tlsCertificateKeyFilePassword}",
tlsCAFile = "<path to CA certificate>",
tlsCertificateKeyFile = "<path to private client key>",
tlsCertificateKeyFilePassword = "<password for client key>"
);
let mut client_options = ClientOptions::parse(uri).await?;
let x509_cred = Credential::builder().mechanism(AuthMechanism::MongoDbAws).build();
let x509_cred = Credential::builder().mechanism(AuthMechanism::MongoDbX509).build();

client_options.credential = Some(x509_cred);
let client = Client::with_options(client_options)?;
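Review bot: The new `tlsCertificateKeyFilePassword` value in the `format!` call is interpolated into the URI as-is, so a key password containing reserved characters such as `&`, `%` or `#` will be misparsed unless it is percent-encoded, and the password also ends up wherever the connection string is logged or stored. Add a comment saying the value must be percent-encoded and that the parameter is only needed when the key file is encrypted; the prose in authentication.txt does not mention the password at all, so readers have no signal that it is optional. Also, the placeholder `<path to private client key>` no longer matches the updated text in authentication.txt, which says the file contains the client certificate and private key; suggest `<path to client certificate and private key>`.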