Monday, 17 September 2018

Configure certificate based authentication for mongodb (MongoDB-X509 authentication)


A . Spawn mongod and mongos with no authentication first

Configure MongoDB cluster, with no authentication, enabled using config files
Please follow my other post for same here


B. Follow below steps for enabling certificate based authentication

 1. We need certificates to be created on every node of the cluster from CA server.
2. Then create certificate user under config server and primary shard server 
3. Once this is done, enable authentication x509 on cluster and login with the user creted in above step.

 Let's see how to create certificates on every node first.
a. Here for testing purpose, we will use config server as CA server and create requests for all other nodes with certificate requests

   On config server, run below command

  openssl genrsa -out mongoCA.key -aes256

   openssl req -x509 -new -extensions v3_ca -key mongoCA.key -days 300 -out mongo-CA-cert.crt

 b. Once this is done, create certificates for all nodes using  above 

 openssl req -new -nodes -newkey rsa:2048 -keyout node1.key -out node1.csr 

 on node2 openssl req -new -nodes -newkey rsa:2048 -keyout node2.key -out node2.csr 

 one node 3 openssl req -new -nodes -newkey rsa:2048 -keyout node3.key -out node3.csr 

In this example, node1 is config server and node2 and node3 are part of the first shard


c. Now, using above .key and  .csr files, create crt files for all nodes
on CA
openssl x509 -CA mongo-CA-cert.crt -CAkey mongoCA.key -CAcreateserial -req -days 1000 -in node1.csr -out node1.crt

openssl x509 -CA mongo-CA-cert.crt -CAkey mongoCA.key -CAcreateserial -req -days 1000 -in node2.csr -out node2.crt

openssl x509 -CA mongo-CA-cert.crt -CAkey mongoCA.key -CAcreateserial -req -days 1000 -in node3.csr -out node3.crt



d. We need to generate .pem files for all nodes on CA server now suing .crt created above. Please follow below command to generate

on node1
cat node1.key node1.crt > node1.pem
on node2
cat node2.key node2.crt > node2.pem
on node3
cat node3.key node3.crt > node3.pem


e. We need one user to be created under cluster which will enable access to shells (mongod and mongos) once we enable the authentication.

   i. We first need user certificate to be created for x509 access
      Run below command on config server which is CA server for our environment.

 - openssl req -new -nodes -newkey rsa:2048 -keyout user1.key -out user1.csr


- openssl x509 -CA mongo-CA-cert.crt -CAkey mongoCA.key -CAcreateserial -req -days 2000 -in user1.csr -out user1.crt

   Now create .pem file for this user

  cat user1.key user1.crt > user1.pem



ii. Before we create a certificate for this user, we need CN used for this user under the certificate. This CN can be extracted from certificate using below command


openssl x509 -in user1.pem -inform PEM -subject -nameopt RFC2253
 e.g. Below is CN that we will use for certificate creation of user1



Once we have CN for user1, we will create the certificate for this user under external database with below command.

Run below command under mongod shell from
- Config server
- Primary shard server

db.getSiblingDB("$external").runCommand({ createUser:"CN=user1,OU=UNT,O=COM,L=AU,ST=NW,C=US", roles: [{role: "root", db: "admin"}] })


With this our config files are ready and we can spawn mongod/mongos using above files.




C. Now spawn mongod and mongos using these certificates and mentioning config files as below under conf files
Note- Copy above cretead certificates to all nodes

1. On config server, kill currently running mongod process with 
     pkill mongod
    pkill mongos

    Ensure that both of these are killed
2. Now, respawn both of these using below config files.
    mongod --config /etc/mongod.conf 
mongod on config server-

net:
   port: 26050
   bindIp: 0.0.0.0 
   ssl:       
    mode: requireSSL       
    PEMKeyFile: /root/node1.pem        
    CAFile: /root/m-CA-cert.crt
   
     
storage:
   dbPath: /data
   directoryPerDB: true   
systemLog:
   destination: file
   path: "/data/log.cfg0"
   logAppend: true
storage:
   journal:
     enabled: true
sharding:
    clusterRole: configsvr
replication:
    replSetName: endu151rset
processManagement:
   fork: true
security:
   clusterAuthMode:  x509

mongos on config server--   

mongos --config /etc/mongos.conf 

net:
   port: 26051
   bindIp: 0.0.0.0 
   ssl:       
    mode: requireSSL       
    PEMKeyFile: /root/node1.pem        
    CAFile: /root/m-CA-cert.crt      
systemLog:
  destination: file
  path: '/data/log.mongos0'
  logAppend: true
processManagement:
  fork: true
  pidFilePath: '/data/mongos.pid'
sharding:
   configDB: endu151rset/endu151:26050
security:
   clusterAuthMode:  x509




Here we specify to enable x509 authentication using certificates and also enable ssl communication on all nodes using requireSSL mode



3. Similarly, kill mongod on shard server on both primary and secondary servers
     pkill mongod

Also copy all certificates to node1 and node2 and provide same path for ccertificates under conf file to spwan mongod process as below
4. Now, respawn mongod on  shard serverse using below conf file.
    mongod --config /etc/mongod.conf 

mongod on shard server- (node2)

net:
   port: 28002
   bindIp: 0.0.0.0 
   ssl:       
    mode: requireSSL       
    PEMKeyFile: /root/node2.pem        
    CAFile: /root/m-CA-cert.crt 
  
storage:
   dbPath: /data
   directoryPerDB: true
   
systemLog:
   destination: file
   path: "/data/log.cfg0"
   logAppend: true
storage:
   journal:
     enabled: true
sharding:
    clusterRole: shardsvr
replication:
    replSetName: endu152rset
processManagement:
   fork: true
security:
   clusterAuthMode:  x509

5. Ensure that all mongod and mongos processes are started successfully without any error on all nodes using above switches for enabling authentication and SSL



IS YOUR CLUSTER IS READY WITH CERTIFICATES, YES/NO ???/

YES, ITS PARTIALLY ENABLED. 

D. Now, we need to login to mongod or mongos shell using these certificates.

mongo --ssl --sslPEMKeyFile user1.pem --sslCAFile m-CA-cert.crt --host hostname admin --port 26050


Above will login us to mongod on onfig server.
Similarly, we can log in to shard using configured port and hostnames


You should login to mongod shell with above and allow/authorize this user for accessing config. This can be done using below command..

db.getSiblingDB("$external").auth({mechanism: "MONGODB-X509", user: "CN=user1,OU=nbu,O=vrts,L=pune,ST=mh,C=in"})

The ourput should be seen here as 1,else this user will always get 'not authorized error' for every action.




======
Say Thanks if this post helps you...  :) 




at No comments:
Labels: , , , ,

Monday, 10 September 2018

MongoDB installation and configuration with non-root user


MongoDB can be installed with root or non root. for root its always easy to install and configure MongoDB.
But for non-root, there are some steps you need to follow for configuring the environment.

Important notes

 a.  All below steps need to be executed on all nodes of MongoDB cluster
b.  non-root user should be logged in before executing any CLI command
c.  non-root user should be added under sudoers list (vi /etc/sudoers) on Linux platforms


MongoDB installation and configuration with non-root user
Yum repository way-

1. Launch https://docs.mongodb.com/manual/installation/  to see the steps for different platforms
2. For non-root, you need to execute all commands with sudo
3. Once it's installed, you need to spawn the mongod and mongos processes .
    Ensure that you non root user you are logged in with has ownership to below

    - Data paths/folder used for config
   - mongod.conf file (is used)
   - mongos.conf file (is used)
   - Security key used for enabling authentication (if used)
   - mongodb installation paths

      [use chwon command to own the environment for linux]



 Tar Ball installation


1. Launch https://docs.mongodb.com/manual/installation/  to see the steps for different platforms with tarball installation
2. Untar the mongdb.tar to the folder
3. Set the path to bin folder under bashrc of this user so that you can execute the mongod/mongos from anywhere else you will see "command not error" as the system doesn't know where the h*** is mongod extracted.

  e.g. if you are logged in with the admin user, navigate to /home/admin/.bashrc and set below value

 



  4. Once this is set, save the file and execute below
        source /bashrc_path

   5. Now you won't see command not found error as it will be executed from bin directory by system 

   6. Ensure that you non root user you are logged in with has ownership to below

   - Data paths/folder used for config/data 
   - mongod.conf file (is used)
   - mongos.conf file (is used)
   - Security key used for enabling authentication (if used)
   - mongodb installation/extracted folder

      [use chwon command to own the environment for linux]
 7. Once this is spawned using conf or CLI , you can access it like root user

  8. For spawning mongod or mongos using config files or CLI methos, please read by other post


















  
at No comments:
Labels: , , ,

mongodb installation types



MongoDB can be installed in two ways.

a. Using tarball installation for different versions available.
    Download tar for different platforms from https://www.mongodb.com/download-center?  jmp=tutorials#enterprise
    Old releases-
    https://www.mongodb.com/download-center/enterprise/releases/archive

  - If you select tarball install, you need to edit the bashrc file for setting the environment variables and path for MongoDB with bin directory path.
  - you can install this using non-root user or root user





b. Using yum install way and configure yum repos for your hosts in below way.

e.g.

         vi /etc/yum.repos.d/mongodb-enterprise.repo

Add below text in this file for installing Mongo 3.6 version
[mongodb-enterprise]
name=MongoDB Enterprise Repository
baseurl=https://repo.mongodb.com/yum/redhat/$releasever/mongodb-enterprise/3.6/$basearch/
gpgcheck=1
enabled=1

gpgkey=https://www.mongodb.org/static/pgp/server-3.6.asc


Follow MongoDB official page for this.
https://docs.mongodb.com/manual/tutorial/install-mongodb-enterprise-on-red-hat/


Ensure that you have pre-requisites ready before you install MongoDB on selected platform.
         -Using yum repo installation  will configure all Linux paths for you and set environment within bashrc
   - You can install this using non-root user or root user where non root is recommended


at No comments:
Labels: ,

Warnings for MongoDB


When we login to mongdb shell, there are different warnings seen as below, what do they mean, will it affect functioanlity?? See inline...



1. WARNING: Access control is not enabled for the database. Read and write access to data and configuration is unrestricted.
     Well, this means that you have not enabled authentication to mongodb shell.
      You can configure either simple auth with username and password else you can configure
      cert based auth.
      Follow this  to enable auth


2. ** WARNING: You are running this process as the root user, which is not recommended.

     Well, we tend to configure MongoDB using root credentials, we need to configure this using user other than root. Please follow my other post to configure non root user for MongoDB 


3.  WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine  See http://dochub.mongodb.org/core/prodnotes-filesystem



   Well, this means that you are running MongoDB processes and file system on  ext3/4. MongoDB recommends it to be xfs as its a scale-out architecture and xfs do support it.
When you run mongodb processes on xfs partition, this warning will go away


at No comments:
Labels: ,

Friday, 7 September 2018

mongo config files



There are 2 ways, we can spawn mongodb processes

a. CLI way

User can use below mongodb CLIs to spawn processes for auth
mongod-
mongod --configsvr --replSet setname --dbpath /data --port 26050 --fork --logpath /data/log.cfg0 --logappend --oplogSize 50 --directoryperdb --auth --keyFile /home/key

mongos-
mongos --configdb setname/host1.pne.ven.veritas.com:26050 --fork --logappend --logpath /data/log.mongos0 --port 26051 --keyFile /home/key

Note- Just remove --auth switch and key file if you don't wish to enable auth for testing purpose

b. Using conf files

Let's see how to spawn it using conf files.
Below is the typical example for mongodb.conf file

Here, I have enabled auth using key file and placed same under /home/key with 400 permission








Available mongod.conf options are as below, you can edit and enable required options as per required environment to be set.


net:
      port: 27017
      bindIp: 0.0.0.0
     ssl:
          mode: requireSSL
          PEMKeyFile: /home/mongodb/host2.pem
          CAFile: /home/mongodb/mongo-CA-cert.crt
storage:
      dbPath: /data
systemLog:
      destination: file
      path: "/data/log.cfg0"
      logAppend: true
storage:
      journal:
          enabled: true
sharding:
     clusterRole: configsvr
replication:
     replSetName: cert2set
#security: authorization: enabled
#clusterFile:/home/mongodb/host1.pem
security:
clusterAuthMode: x509
processManagement:
fork: true



A typical example of mongos.conf will be like below





at No comments:
Labels: , , ,
Subscribe to: Comments (Atom)

Configure certificate based authentication for mongodb (MongoDB-X509 authentication)

A . Spawn mongod and mongos with no authentication first Configure MongoDB cluster, with no authentication, enabled using config files ...