/
configure-x509-client-authentication.txt
215 lines (151 loc) · 6.8 KB
/
configure-x509-client-authentication.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
==============================================
Use x.509 Certificates to Authenticate Clients
==============================================
.. default-domain:: mongodb
.. contents:: On this page
:local:
:backlinks: none
:depth: 1
:class: singlecol
.. versionadded:: 2.6
MongoDB supports x.509 certificate authentication for use with a secure
:doc:`TLS/SSL connection </tutorial/configure-ssl>`. The x.509 client
authentication allows :ref:`clients to authenticate to servers with
certificates <x509-client-authentication>` rather than with a username and
password.
To use x.509 authentication for the internal authentication of replica
set/sharded cluster members, see
:doc:`configure-x509-member-authentication`.
.. _`default distribution of MongoDB`: http://www.mongodb.org/downloads
.. _`MongoDB Enterprise`: http://www.mongodb.com/products/mongodb-enterprise
Prerequisites
-------------
.. important::
.. include:: /includes/extracts/security-prereq-configure-x509-client-authentication.rst
Certificate Authority
~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/fact-ssl-certificate-authorities.rst
.. _x509-client-authentication:
Client x.509 Certificate
~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/extracts/x509-certificate-client.rst
Procedures
----------
Configure Replica Set/Sharded Cluster
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Outside of rolling upgrade procedures, every component of a :term:`replica
set` or :term:`sharded cluster` should use the same
``--clusterAuthMode`` setting to ensure it can securely connect to all
other components in the deployment.
For :term:`replica set` deployments, this includes all :binary:`~bin.mongod`
members of the replica set.
For :term:`sharded cluster` deployments, this includes all :binary:`~bin.mongod`
and :binary:`~bin.mongos` instances.
.. note::
If you are configuring a standalone :binary:`~bin.mongod`, omit the
``--clusterAuthMode`` option.
Use Command-line Options
````````````````````````
You can configure the MongoDB server from the command line, e.g.:
.. code-block:: sh
mongod --clusterAuthMode x509 --sslMode requireSSL --sslPEMKeyFile <path to SSL certificate and key PEM file> --sslCAFile <path to root CA PEM file>
.. include:: /includes/warning-x509-requires-sslCAfile.rst
Use Configuration File
``````````````````````
You may also specify these options in the :doc:`configuration file
</reference/configuration-options>`.
Starting in MongoDB 2.6, you can specify the configuration for MongoDB
in :doc:`YAML format </reference/configuration-options>`, e.g.:
.. code-block:: yaml
security:
clusterAuthMode: x509
net:
ssl:
mode: requireSSL
PEMKeyFile: <path to TLS/SSL certificate and key PEM file>
CAFile: <path to root CA PEM file>
For backwards compatibility, you can also specify the configuration
using the :v2.4:`older configuration file format </reference/configuration-options>`,
e.g.:
.. code-block:: none
clusterAuthMode = x509
sslMode = requireSSL
sslPEMKeyFile = <path to TLS/SSL certificate and key PEM file>
sslCAFile = <path to the root CA PEM file>
Include any additional options, TLS/SSL or otherwise, that are required for
your specific configuration.
.. _addX509SubjectUser:
Add x.509 Certificate ``subject`` as a User
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To authenticate with a client certificate, you must first add the value
of the ``subject`` from the client certificate as a MongoDB user. Each
unique x.509 client certificate corresponds to a single MongoDB user;
i.e. you cannot use a single client certificate to authenticate more
than one MongoDB user.
.. note::
The RDNs in the ``subject`` string must be compatible with the
`RFC2253 <https://www.ietf.org/rfc/rfc2253.txt>`_ standard.
#. You can retrieve the ``RFC2253`` formatted ``subject`` from the client
certificate with the following command:
.. code-block:: sh
openssl x509 -in <pathToClient PEM> -inform PEM -subject -nameopt RFC2253
The command returns the ``subject`` string as well as certificate:
.. code-block:: sh
subject= CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry
-----BEGIN CERTIFICATE-----
# ...
-----END CERTIFICATE-----
#. Add the ``RFC2253`` compliant value of the ``subject`` as a user.
Omit spaces as needed.
For example, in the :binary:`~bin.mongo` shell, to add the user with
both the ``readWrite`` role in the ``test`` database and the
``userAdminAnyDatabase`` role which is defined only in the ``admin``
database:
.. code-block:: javascript
db.getSiblingDB("$external").runCommand(
{
createUser: "CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry",
roles: [
{ role: 'readWrite', db: 'test' },
{ role: 'userAdminAnyDatabase', db: 'admin' }
],
writeConcern: { w: "majority" , wtimeout: 5000 }
}
)
In the above example, to add the user with the ``readWrite`` role in
the ``test`` database, the role specification document specified
``'test'`` in the ``db`` field. To add ``userAdminAnyDatabase``
role for the user, the above example specified ``'admin'`` in the
``db`` field.
.. note::
Some roles are defined only in the ``admin`` database, including:
``clusterAdmin``, ``readAnyDatabase``, ``readWriteAnyDatabase``,
``dbAdminAnyDatabase``, and ``userAdminAnyDatabase``. To add a
user with these roles, specify ``'admin'`` in the ``db``.
See :doc:`/tutorial/manage-users-and-roles` for details on adding a user
with roles.
Authenticate with a x.509 Certificate
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To authenticate with a client certificate, you must first add a MongoDB
user that corresponds to the client certificate. See
:ref:`addX509SubjectUser`.
To authenticate, use the :method:`db.auth()` method in the
``$external`` database, specifying ``"MONGODB-X509"`` for the
``mechanism`` field, and the :ref:`user that corresponds to the client
certificate <addX509SubjectUser>` for the ``user`` field.
For example, if using the :binary:`~bin.mongo` shell,
1. Connect :binary:`~bin.mongo` shell to the :binary:`~bin.mongod` set up for
SSL:
.. code-block:: sh
mongo --ssl --sslPEMKeyFile <path to CA signed client PEM file> --sslCAFile <path to root CA PEM file>
#. To perform the authentication, use the :method:`db.auth()` method in
the ``$external`` database. For the ``mechanism`` field, specify
``"MONGODB-X509"``, and for the ``user`` field, specify the user, or
the ``subject``, that corresponds to the client certificate.
.. code-block:: javascript
db.getSiblingDB("$external").auth(
{
mechanism: "MONGODB-X509",
user: "CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry"
}
)