Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
MongoDB Administrator???s Guide

You're reading from   MongoDB Administrator???s Guide Over 100 practical recipes to efficiently maintain and administer your MongoDB solution

Arrow left icon
Product type Paperback
Published in Oct 2017
Publisher Packt
ISBN-13 9781787126480
Length 226 pages
Edition 1st Edition
Tools
Arrow right icon
Author (1):
Arrow left icon
Cyrus Dasadia Cyrus Dasadia
Author Profile Icon Cyrus Dasadia
Cyrus Dasadia
Arrow right icon
View More author details
Toc

Table of Contents (11) Chapters Close

Preface 1. Installation and Configuration FREE CHAPTER 2. Understanding and Managing Indexes 3. Performance Tuning 4. High Availability with Replication 5. High Scalability with Sharding 6. Managing MongoDB Backups 7. Restoring MongoDB from Backups 8. Monitoring MongoDB 9. Authentication and Security in MongoDB 10. Deploying MongoDB in Production

Enabling SSL for MongodDB

By default, connections to MongoDB server are not encrypted. If one were to intercept this traffic, almost all the data transferred between the client and the server is visible as clear text. If you are curious, I would encourage you to use tcpdump or wireshark to capture packets between a mongod daemon and the client. As a result, it is highly advisable to make sure that you encrypt all connections to your mongod set by enabling Transport Layer Security (TLS) also commonly known as SSL.

Getting ready

Make sure you have MongoDB installed on your system as shown in the previous recipes.

The default MongoDB binaries for OS X are not compiled with SSL, you may need to manually recompile the source code or use Homebrew:
brew install mongodb --with-openssl.

How to do it..

  1. First, let us generate a self-signed certificate using OpenSSL, in the /data directory:
openssl req -x509 -newkey rsa:4096 -nodes -keyout mongo-secure.key -out mongo-secure.crt -days 365
  1. Combine the key and certificate into a single .pem file:
cat mongo-secure.key mongo-secure.crt > mongo-secure.pem
  1. Start the mongod daemon, with SSL enabled and listening on the default socket that is, localhost 27017:
mongod  --dbpath /data/db  --sslMode requireSSL --sslPEMKeyFile /data/mongo-secure.pem
  1. In another window, connect to this server using a mongo client:
mongo localhost:27017
  1. You should see a connect failed error on the client Terminal. Switch to the server's console window and you should see a log message indicating that the connection was rejected, something like this:
2017-05-13T16:51:08.031+0000 I NETWORK  [thread1] connection accepted from 192.168.200.200:43441 #4 (1 connection now open)
2017-05-13T16:51:08.032+0000 I - [conn4] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-05-13T16:51:08.032+0000 I - [conn4] end connection 192.168.200.200:43441 (1 connection now open)
  1. Now, switch back to the other console window and connect to the server again but this time using SSL:
mongo --ssl --sslAllowInvalidCertificates
  1. You should be connected to the server and see the mongo shell.

How it works...

In step 1, we created a self-signed certificate to get us started with SSL enabled connections. One could very well use a certificate signed by a valid Certificate Authority (CA), but for test purposes we are good with a self-signed certificate. In all honesty, if connection security is all you need, a self-signed certificate can also be used in a production environment as long as you keep the keys secure. You might as well take it a step forward by creating your own CA certificate and use it to sign your certificates.

In step 2, we concatenate the key and the certificate file. Next, in step 3, we start the mongod daemon with --sslMode requireSSL followed by providing the path to the concatenated .pem file. At this point, we have a standalone MongoDB server listening to the default port 27017, ready to accept only SSL based clients.

Next, we attempt to connect to the mongod server using the default non-SSL mode, which is immediately rejected by the sever. Finally, in step 5 we explicitly make an SSL connection by providing the --ssl parameter followed by --sslAllowInvalidCertificates. The latter parameter is used because we are using a self-signed certificate on the server. If we were using an certificate signed by a authorized CA or even a self-signed CA, we could very well use the --sslCAFile to provide the CA certificate.

There's more…

MongoDB also supports X.509 certificate-based authentication as an option to username and passwords. We will cover this topic in Chapter 9, Authentication and Security in MongoDB.

You have been reading a chapter from
MongoDB Administrator???s Guide
Published in: Oct 2017
Publisher: Packt
ISBN-13: 9781787126480
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image