Monday, 17 September 2018

Configure certificate based authentication for mongodb (MongoDB-X509 authentication)


A. Spawn mongod and mongos with no authentication first

Configure the MongoDB cluster with no authentication enabled, using config files.
Please follow my other post for the same.


B. Follow the steps below to enable certificate based authentication

1. Certificates need to be created for every node of the cluster from the CA server.
2. Then create the certificate user on the config server and the primary shard server.
3. Once this is done, enable x509 authentication on the cluster and log in with the user created in the step above.

Let's see how to create certificates on every node first.


a. For testing purposes, we will use the config server as the CA server and sign the certificate requests of all other nodes there.

  On config server, run below command

  openssl genrsa -out mongoCA.key -aes256

  openssl req -x509 -new -extensions v3_ca -key mongoCA.key -days 300 -out mongo-CA-cert.crt

b. Once this is done, create a key and certificate request for every node. When prompted for the subject, give all node certificates the same O and OU (and DC, if used) and a distinct CN: MongoDB requires member certificates to match on those attributes.

on node1: openssl req -new -nodes -newkey rsa:2048 -keyout node1.key -out node1.csr

on node2: openssl req -new -nodes -newkey rsa:2048 -keyout node2.key -out node2.csr

on node3: openssl req -new -nodes -newkey rsa:2048 -keyout node3.key -out node3.csr



In this example, node1 is config server and node2 and node3 are part of the first shard


c. Now, using the .csr files above, create the .crt files for all nodes.
On the CA:
openssl x509 -CA mongo-CA-cert.crt -CAkey mongoCA.key -CAcreateserial -req -days 1000 -in node1.csr -out node1.crt

openssl x509 -CA mongo-CA-cert.crt -CAkey mongoCA.key -CAcreateserial -req -days 1000 -in node2.csr -out node2.crt

openssl x509 -CA mongo-CA-cert.crt -CAkey mongoCA.key -CAcreateserial -req -days 1000 -in node3.csr -out node3.crt



d. Now generate the .pem file for each node from its .key and the .crt created above. Use the commands below:

on node1
cat node1.key node1.crt > node1.pem
on node2
cat node2.key node2.crt > node2.pem
on node3
cat node3.key node3.crt > node3.pem


e. We need one user created in the cluster that will have access through the shells (mongod and mongos) once we enable authentication.

   i. First create a user certificate for x509 access.
      Run the commands below on the config server, which is the CA server for our environment. The user certificate must differ from the node certificates in at least one of O, OU or DC, otherwise MongoDB treats it as a cluster member certificate rather than a client certificate.

      openssl req -new -nodes -newkey rsa:2048 -keyout user1.key -out user1.csr

      openssl x509 -CA mongo-CA-cert.crt -CAkey mongoCA.key -CAcreateserial -req -days 2000 -in user1.csr -out user1.crt

      Now create the .pem file for this user:

      cat user1.key user1.crt > user1.pem



   ii. Before we create this user in MongoDB, we need the subject (CN and the other attributes) of the user's certificate: this string becomes the MongoDB user name and must match the certificate exactly. It can be extracted from the certificate with the command below:

      openssl x509 -in user1.pem -inform PEM -noout -subject -nameopt RFC2253

   e.g. below is the subject that we will use when creating user1.



Once we have the subject for user1, we create the user for this certificate in the $external database with the command below.

Run the command below in the mongo shell on:
- Config server
- Primary shard server

db.getSiblingDB("$external").runCommand({ createUser:"CN=user1,OU=UNT,O=COM,L=AU,ST=NW,C=US", roles: [{role: "root", db: "admin"}] })
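As an added example that is not part of the original post, the script below runs steps a through e non-interactively, so the node and user subjects are set explicitly instead of typed at the openssl prompts, and checks each certificate against the CA before it is copied into a mongod config. It assumes openssl is on PATH, leaves the CA key unencrypted (the post's -aes256 prompts for a passphrase), and uses constructed sample subject values.

```shell
#!/bin/sh
# Added example (not from the original post): steps a to e run non-interactively.
# Assumptions: openssl is on PATH; the CA key is left unencrypted here (the post's
# -aes256 prompts for a passphrase); all subject values are constructed samples.
set -eu

# MongoDB requires member (node) certificates to share O, OU and DC and to differ
# in CN; the client (user) certificate must differ from them in O, OU or DC.
MEMBER_BASE="/C=US/ST=NW/L=AU/O=COM/OU=UNT"
CLIENT_BASE="/C=US/ST=NW/L=AU/O=COM/OU=CLIENTS"

# Step a: CA key and self-signed CA certificate, written into directory $1.
make_ca() {
  openssl genrsa -out "$1/mongoCA.key" 2048 2>/dev/null
  openssl req -x509 -new -extensions v3_ca -key "$1/mongoCA.key" -days 300 \
    -subj "$MEMBER_BASE/CN=mongoCA" -out "$1/mongo-CA-cert.crt" 2>/dev/null
}

# Steps b to d (and e.i for the user): key and CSR, CA signature, then .pem.
# $1 = directory, $2 = name (node1, user1, ...), $3 = subject base, $4 = days valid
make_cert() {
  openssl req -new -nodes -newkey rsa:2048 -keyout "$1/$2.key" \
    -subj "$3/CN=$2" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -CA "$1/mongo-CA-cert.crt" -CAkey "$1/mongoCA.key" \
    -CAcreateserial -days "$4" -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
  cat "$1/$2.key" "$1/$2.crt" > "$1/$2.pem"
}

# Step e.ii: the RFC2253 subject string that MongoDB expects as the $external
# user name. The "subject=" prefix is stripped so the result can be pasted as-is.
x509_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Check worth doing before pointing CAFile at the CA: does the CA really sign $2?
# Returns openssl verify's exit status (0 = OK).
verify_against_ca() {
  openssl verify -CAfile "$1/mongo-CA-cert.crt" "$2" >/dev/null 2>&1
}

# Build the whole set used in the post (CA, node1-3, user1) in directory $1 and
# print the user subject to use in createUser and auth.
build_all() {
  make_ca "$1"
  for n in node1 node2 node3; do make_cert "$1" "$n" "$MEMBER_BASE" 1000; done
  make_cert "$1" user1 "$CLIENT_BASE" 2000
  x509_subject "$1/user1.pem"
}
```

Running `build_all /tmp/mongo-x509` prints the exact string to paste into both createUser and the later auth call; a subject typed differently in either place gives the 'not authorized' error the post mentions.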


With this, the certificates are ready and we can spawn mongod/mongos using them with the config files below.




C. Now spawn mongod and mongos using these certificates, referencing them in the conf files as shown below.
Note: copy the certificates created above to all nodes. The conf files below reference the CA certificate as /root/m-CA-cert.crt; CAFile must point at the CA certificate created in step a (mongo-CA-cert.crt), wherever you placed it.

1. On the config server, kill the currently running mongod and mongos processes with
     pkill mongod
     pkill mongos

   Ensure that both of these are killed.
2. Now respawn both of these using the config files below.
     mongod --config /etc/mongod.conf
mongod on config server-

net:
   port: 26050
   bindIp: 0.0.0.0
   ssl:
      mode: requireSSL
      PEMKeyFile: /root/node1.pem
      CAFile: /root/m-CA-cert.crt
storage:
   dbPath: /data
   directoryPerDB: true
   journal:
      enabled: true
systemLog:
   destination: file
   path: "/data/log.cfg0"
   logAppend: true
sharding:
   clusterRole: configsvr
replication:
   replSetName: endu151rset
processManagement:
   fork: true
security:
   clusterAuthMode: x509

mongos on config server--

mongos --config /etc/mongos.conf

net:
   port: 26051
   bindIp: 0.0.0.0
   ssl:
      mode: requireSSL
      PEMKeyFile: /root/node1.pem
      CAFile: /root/m-CA-cert.crt
systemLog:
   destination: file
   path: '/data/log.mongos0'
   logAppend: true
processManagement:
   fork: true
   pidFilePath: '/data/mongos.pid'
sharding:
   configDB: endu151rset/endu151:26050
security:
   clusterAuthMode: x509




Here we enable x509 cluster authentication using the certificates, and require SSL for all communication between nodes and clients using requireSSL mode.



3. Similarly, kill mongod on both the primary and secondary shard servers:
     pkill mongod

   Also copy the certificates to each shard server and use the same certificate paths in the conf file to spawn the mongod process, as below.
4. Now respawn mongod on the shard servers using the conf file below.
     mongod --config /etc/mongod.conf

mongod on shard server- (node2)

net:
   port: 28002
   bindIp: 0.0.0.0
   ssl:
      mode: requireSSL
      PEMKeyFile: /root/node2.pem
      CAFile: /root/m-CA-cert.crt
storage:
   dbPath: /data
   directoryPerDB: true
   journal:
      enabled: true
systemLog:
   destination: file
   path: "/data/log.cfg0"
   logAppend: true
sharding:
   clusterRole: shardsvr
replication:
   replSetName: endu152rset
processManagement:
   fork: true
security:
   clusterAuthMode: x509

5. Ensure that all mongod and mongos processes start successfully without errors on all nodes with the above settings for authentication and SSL.



IS YOUR CLUSTER READY WITH CERTIFICATES, YES/NO???

YES, IT'S PARTIALLY ENABLED.

D. Now we need to log in to the mongod or mongos shell using these certificates.

mongo --ssl --sslPEMKeyFile user1.pem --sslCAFile m-CA-cert.crt --host hostname admin --port 26050


The above logs us in to mongod on the config server.
Similarly, we can log in to a shard using its configured port and hostname.


Once in the mongod shell, authenticate this user so that it is authorized to access the cluster. This is done with the command below; the user string must be exactly the subject that was passed to createUser:

db.getSiblingDB("$external").auth({mechanism: "MONGODB-X509", user: "CN=user1,OU=nbu,O=vrts,L=pune,ST=mh,C=in"})

The output should be 1; otherwise this user will get a 'not authorized' error for every action.




======
Say Thanks if this post helps you...  :) 



