Skip to content
/ x509-driver-snippets Public

Connection code snippets for all mongodb drivers using x.509 authentication

0 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

ccho-mongodb/x509-driver-snippets

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

41 Commits
c
c
 
 
certs
certs
 
 
csharp
csharp
 
 
cxx
cxx
 
 
go
go
 
 
java
java
 
 
node
node
 
 
perl
perl
 
 
php
php
 
 
python
python
 
 
ruby
ruby
 
 
scala
scala
 
 
swift
swift
 
 
README.md
README.md
 
 

Repository files navigation

x509-driver-snippets

Connection code snippets for MongoDB drivers using x.509 authentication

Setup

Start mongod without TLS

https://www.mongodb.com/docs/manual/tutorial/manage-mongodb-processes/#start-mongod-processes

Add an admin user

https://docs.mongodb.com/manual/tutorial/configure-x509-client-authentication/

db.getSiblingDB("$external").runCommand(
  {
    createUser: "CN=ChrisChoClient,OU=TestClientCertificateOrgUnit,O=TestClientCertificateOrg,L=TestClientCertificateLocality,ST=TestClientCertificateState,C=US",
    roles: [
         { role: "readWrite", db: "test" },
         { role: "userAdminAnyDatabase", db: "admin" }
    ],
    writeConcern: { w: "majority" , wtimeout: 5000 }
  }
)

Record your user values since your client certificate will need to match them.

Stop mongod

https://www.mongodb.com/docs/manual/tutorial/manage-mongodb-processes/#stop-mongod-processes

Add a local hostname for the certificate

Create hostnames in /etc/hosts. e.g. 127.0.0.1 localmongo1

Create certificates for CA, Server, and Client:

Start mongo server with TLS, allowing invalid certificates

mongod --dbpath=/Users/chris.cho/dev/mongo_data/6.0.0 --replSet \"myRS\" --tlsMode requireTLS --tlsCertificateKeyFile test-server1.pem  --tlsCAFile test-ca.pem --bind_ip localmongo1 --tlsAllowInvalidCertificates

Test auth of admin user with mongosh

mongosh --tls --host localmongo1 --tlsCertificateKeyFile test-client.pem  --tlsCAFile test-ca.pem --authenticationMechanism MONGODB-X509 --authenticationDatabase='$external' --tlsAllowInvalidCertificates

Additional setup for specific Drivers

On building keystore and truststore

Required for specific drivers.

Bundle the client and intermediate authority certs

$ cat mongodb-test-client.crt mongodb-test-ia.crt > client-bundle.crt

Convert to pfx

$ openssl pkcs12 -export -out client-certificate.pfx -inkey mongodb-test-client.key -in client-bundle.crt

<choose a password>

Convert pfx to pkcs12

$ keytool -importkeystore -destkeystore client.keystore -srckeystore client-certificate.pfx -srcstoretype pkcs12 -alias client-cert

confirm it:

$ keytool -list -keystore client.keystore

Add server and client certs to truststore

$ keytool -import -alias server-cert -file test-server1.pem -keystore client.truststore

$ keytool -import -alias client-cert -file test-client.pem -keystore client.truststore

About

Connection code snippets for all mongodb drivers using x.509 authentication

Resources

Readme
Activity

Stars

0 stars

Watchers

2 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages