Friday, November 11, 2016

MongoDB: Enabling Internal Authentication using X.509



# Copy the x.509 certificates from the MongoDB course M310 for this lab.
donghua@database:~$ mkdir -p ~/shared/certs/
donghua@database:~$ cp LAB-certs/*  ~/shared/certs/
donghua@database:~$ ls -l ~/shared/certs/
total 12
-rw-r--r-- 1 donghua donghua 1314 Nov 10 22:44 ca.pem
-rw-r--r-- 1 donghua donghua 3104 Nov 10 22:44 client.pem
-rw-r--r-- 1 donghua donghua 3108 Nov 10 22:44 server.pem

# Set up data directories for replica set testing
# hostname: database.LAB.mongodb.university
mkdir -p /home/donghua/LAB002/{r0,r1,r2}

# Set up a replica set with 3 members
mongod --dbpath /home/donghua/LAB002/r0 --logpath /home/donghua/LAB002/r0/mongo.log --port 31130 --replSet TO_BE_SECURED --fork
mongod --dbpath /home/donghua/LAB002/r1 --logpath /home/donghua/LAB002/r1/mongo.log --port 31131 --replSet TO_BE_SECURED --fork
mongod --dbpath /home/donghua/LAB002/r2 --logpath /home/donghua/LAB002/r2/mongo.log --port 31132 --replSet TO_BE_SECURED --fork

mongo --port 31130 --eval "rs.initiate({_id: 'TO_BE_SECURED',members: [{ _id: 1, host: 'database.LAB.mongodb.university:31130' },{ _id: 2, host: 'database.LAB.mongodb.university:31131' },{ _id: 3, host: 'database.LAB.mongodb.university:31132' }]})"
mongo --port 31130 --eval "rs.status()"

MongoDB Enterprise >  use admin;
MongoDB Enterprise >  db.createUser( {user: "donghua", pwd: "webscale", roles:['root']});
MongoDB Enterprise >  db.auth("donghua","webscale")

mongod --dbpath /home/donghua/LAB002/r0 --shutdown
mongod --dbpath /home/donghua/LAB002/r1 --shutdown
mongod --dbpath /home/donghua/LAB002/r2 --shutdown

# Enable x.509 certificate authentication between cluster members (--clusterAuthMode x509) and TLS for all connections (--sslMode requireSSL)
# A keyFile would imply security.authorization, but no keyFile is used here, so client authorization is enabled explicitly with --auth
# The client certificate subject (RFC2253 form, shown below) is the exact user name that must be created in the $external database
donghua@database:~$ openssl x509 -in ~/shared/certs/client.pem -inform PEM -subject  -nameopt RFC2253 -noout
subject= C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=LAB Client

mongod --dbpath /home/donghua/LAB002/r0 --logpath /home/donghua/LAB002/r0/mongo.log --port 31130 --replSet TO_BE_SECURED --fork --clusterAuthMode x509 --sslMode requireSSL --sslPEMKeyFile /home/donghua/shared/certs/server.pem --sslCAFile /home/donghua/shared/certs/ca.pem --auth
mongod --dbpath /home/donghua/LAB002/r1 --logpath /home/donghua/LAB002/r1/mongo.log --port 31131 --replSet TO_BE_SECURED --fork --clusterAuthMode x509 --sslMode requireSSL --sslPEMKeyFile /home/donghua/shared/certs/server.pem --sslCAFile /home/donghua/shared/certs/ca.pem --auth
mongod --dbpath /home/donghua/LAB002/r2 --logpath /home/donghua/LAB002/r2/mongo.log --port 31132 --replSet TO_BE_SECURED --fork --clusterAuthMode x509 --sslMode requireSSL --sslPEMKeyFile /home/donghua/shared/certs/server.pem --sslCAFile /home/donghua/shared/certs/ca.pem --auth

donghua@database:~$ mongo  --host database.LAB.mongodb.university --port 31130 --ssl --sslPEMKeyFile ~/shared/certs/client.pem --sslCAFile ~/shared/certs/ca.pem
MongoDB shell version: 3.2.10
connecting to: database.LAB.mongodb.university:31130/test
MongoDB Enterprise TO_BE_SECURED:PRIMARY> use admin
switched to db admin
MongoDB Enterprise TO_BE_SECURED:PRIMARY> db.auth('donghua','webscale')
1

MongoDB Enterprise TO_BE_SECURED:PRIMARY> db.getSiblingDB("$external").runCommand({createUser: "C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=LAB Client",roles:[{role:'userAdminAnyDatabase',db: 'admin'}]});
{ "ok" : 1 }

MongoDB Enterprise TO_BE_SECURED:PRIMARY> db.getSiblingDB("$external").auth({mechanism: "MONGODB-X509",user: "C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=LAB Client"})

MongoDB Enterprise TO_BE_SECURED:PRIMARY> db.runCommand({getParameter: 1, authenticationMechanisms: 1})
{
        "authenticationMechanisms" : [
                "MONGODB-CR",
                "MONGODB-X509",
                "SCRAM-SHA-1"
        ],
        "ok" : 1
}


# Shut down and clean up
mongod --dbpath /home/donghua/LAB002/r0 --shutdown
mongod --dbpath /home/donghua/LAB002/r1 --shutdown
mongod --dbpath /home/donghua/LAB002/r2 --shutdown
rm -rf /home/donghua/LAB002/