If we want to connect to a MongoDB instance running on one machine from a different machine (over internet), it would be more than advisable to secure the communication using SSL encryption. Fortunately MongoDB has in-built support for SSL and its very straight forward to enable it.
We can setup SSL connection using a certificate issues by a Certificate Authority or by using a self-signed certificate.
In this post we will cover steps for setting up SSL connection using a self-signed certificate on Ubuntu machine.
Follow below steps to setup self-signed SSL secured connection to MongoDB server from a remote machine.
1. Verify that your MongoDB installation supports SSL connection.
Run following command from command line
If you do not see 'OpenSSL' in the output, then your MongoDB installation probably does not support SSL. In this case you will have to install a version that come pre-built with SSL support or manually compile a version of MongoDB by enabling SSL.
2. Generate Self-signed certificate for Server.
To generate a self-signed certificate we would use OpenSSL. Most Ubuntu distributions come pre-installed with OpenSSL.
To install OpenSSL manually type command:
Once you have OpenSSL installed use following command to generate certificate.
Now use below command to concatenate certificate and key file to generate .pem file. MongoDB only supports .pem file.
Copy mongodb.pem file to a preferred directory from where you want MongoDB to read this file. E.g.
Generating certificate for Client is similar to generating certificate for server. Use below commands to generate client certificates.
We can setup SSL connection using a certificate issues by a Certificate Authority or by using a self-signed certificate.
In this post we will cover steps for setting up SSL connection using a self-signed certificate on Ubuntu machine.
Follow below steps to setup self-signed SSL secured connection to MongoDB server from a remote machine.
1. Verify that your MongoDB installation supports SSL connection.
Run following command from command line
mongod --versionIt should give output like:
db version v3.2.8
git version: ed70e33130c977bda0024c125b56d159573dbaf0
OpenSSL version: OpenSSL 1.0.1f 6 Jan 2014
allocator: tcmalloc
modules: none
build environment:
distmod: ubuntu1404
distarch: x86_64
target_arch: x86_64
Notice the 'OpenSSL version' in the output. This suggests that your MongoDB installation supports SSL. If you do not see 'OpenSSL' in the output, then your MongoDB installation probably does not support SSL. In this case you will have to install a version that come pre-built with SSL support or manually compile a version of MongoDB by enabling SSL.
2. Generate Self-signed certificate for Server.
To generate a self-signed certificate we would use OpenSSL. Most Ubuntu distributions come pre-installed with OpenSSL.
To install OpenSSL manually type command:
sudo apt-get install openssl
Once you have OpenSSL installed use following command to generate certificate.
openssl req -newkey rsa:2048 -new -x509 -days 365 -nodes -out mongodb-cert.crt -keyout mongodb-cert.keyYou will be asked series of questions for generating the certificate.
Now use below command to concatenate certificate and key file to generate .pem file. MongoDB only supports .pem file.
cat mongodb-cert.key mongodb-cert.crt > mongodb.pemStore mongodb-cert.key, mongodb-cert.crt and mongodb.pem files securely. You will need these files to connect to your MongoDB using SSL connection.
Copy mongodb.pem file to a preferred directory from where you want MongoDB to read this file. E.g.
/etc/ssl3. Generate Self-signed certificate for Client.
Generating certificate for Client is similar to generating certificate for server. Use below commands to generate client certificates.
openssl req -newkey rsa:2048 -new -x509 -days 365 -nodes -out client-cert.crt -keyout client-cert.key
cat client-cert.key client-cert.crt > client.pem4. Configure MongoDB to enable SSL
Open mongd.conf file
sudo vi /etc/mongod.confand add following lines to enable SSL.
'mode' as 'requireSSL' means that only SSL connects can be established non SSL connection will not work. You can set 'mode' to 'allowSSL' to support both SSL and non-SSL connections.net: ssl: mode: requireSSL PEMKeyFile: /etc/ssl/mongodb.pem CAFile: /etc/ssl/client.pem
Restart mongod service to load new configurations.
sudo service mongod restart
4. Test SSL connection
Use --ssl option while starting MongoDB shell to connect using SSL connection
mongo --ssl --sslCAFile /etc/ssl/mongodb.pem --sslPEMKeyFile /etc/ssl/client.pem --host <host-name>
0 comments:
Post a Comment