Today: December 4, 2024 11:49 pm
A collection of Software and Cloud patterns with a focus on the Enterprise

Install SSL Enabled MongoDB Subscriber Build

10gen offers a subscriber build of MongoDB which includes support for SSL communication between nodes in a replicaset and between client and mongod. If the cost of a service subscription is prohibitive, it is possible to build it with SSL enabled.

After download, I followed the process below to get it running. For a permanent solution, more attention should be given to where these are installed and how upgrades are handled.

$ tar xzvf mongodb-linux-x86_64-subscription-rhel62-2.2.3.tgz
$ cp mongodb-linux-x86_64-subscription-rhel62-2.2.3/bin/* /usr/local/bin/

Next, it’s necessary to provide an SSL certificate. For testing, it’s easy to create an SSL certificate.

$ cd /etc/ssl
$ openssl req -new -x509 -days 365 -nodes -out mongodb-cert.pem -keyout mongodb-cert.key -passout pass:mypass
Generating a 2048 bit RSA private key
........................+++
.....................................+++
writing new private key to 'mongodb-cert.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Idaho
Locality Name (eg, city) [Default City]:Boise
Organization Name (eg, company) [Default Company Ltd]:ACME
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:host0123
Email Address []:myemail@mail.com

With the certificate created, make a combined pem file as follows

$ cat mongodb-cert.key mongodb-cert.pem > mongodb.pem
$ ll
total 12
lrwxrwxrwx 1 root root   16 May 10  2012 certs -> ../pki/tls/certs
-rw-r--r-- 1 root sys  1704 Feb 14 19:21 mongodb-cert.key
-rw-r--r-- 1 root sys  1395 Feb 14 19:21 mongodb-cert.pem
-rw-r--r-- 1 root sys  3099 Feb 14 19:21 mongodb.pem

Finally, you can start mongodb as follows

$ mongod -dbpath /opt/webhost/local/mongod -logpath /var/log/mongo/mongod.log -keyFile /home/mongod/mongokey --sslOnNormalPorts --sslPEMKeyFile /etc/ssl/mongodb.pem --sslPEMKeyPassword mypass --replSet wildcatset --rest --logappend &

Accessing over SSL

SSL certificate management can be complicated. It is possible to bypass certificate validation when using a self issued certificate. Python does this by default. Java may require additional work to bypass certificate validation.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.