Secure MongoDB
For security reasons, we strongly recommend configuring TLS encryption. For even more security, activate user authentication for MongoDB.
Configure the TLS Encryption
In order to secure the connection with MongoDB, you need a combined PEM file containing both the TLS certificate and the private key.
- Combine the file containing the certificate:
  /opt/seal/etc/tls/cert.pem
  and the file containing the private key:
  /opt/seal/etc/tls/key.pem
- Save the combined file as:
  /opt/seal/etc/tls/cert-key-combined.pem
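The combine step above, as an added shell example that is not part of the original documentation: it checks that the private key belongs to the certificate, then writes the combined file with owner-only permissions. The function names are hypothetical, the paths in the usage comment are the ones given on this page, and the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example (not SEAL's own script): build the combined PEM file safely.
# Function names are hypothetical; paths in the usage comment are from this page.

# Succeeds only if the certificate's public key equals the private key's.
pem_pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# combine_pem CERT KEY OUT: write certificate, then key, to OUT with mode 600.
combine_pem() {
    cert=$1; key=$2; out=$3
    # Catch swapped or wrong input files before writing anything.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" ||
        { echo "no certificate in $cert" >&2; return 1; }
    grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$key" ||
        { echo "no private key in $key" >&2; return 1; }
    (
        umask 077            # output holds the private key: owner-only from creation
        rm -f "$out.tmp"     # a stale temp file would keep its old permissions
        {
            cat "$cert"
            # A certificate file without a final newline would otherwise fuse
            # its END line with the key's BEGIN line and break PEM parsing.
            [ -z "$(tail -c 1 "$cert")" ] || echo
            cat "$key"
        } > "$out.tmp"
    ) || { rm -f "$out.tmp"; return 1; }
    mv -f "$out.tmp" "$out"  # replace any existing file in one step
}

# Usage: sh combine.sh /opt/seal/etc/tls/cert.pem /opt/seal/etc/tls/key.pem \
#            /opt/seal/etc/tls/cert-key-combined.pem
if [ "$#" -eq 3 ]; then
    pem_pair_matches "$1" "$2" ||
        { echo "certificate and key do not match" >&2; exit 1; }
    combine_pem "$1" "$2" "$3"
fi
```

The combined file must stay readable by the account that runs the seal-mongodb service, which this page does not name, so adjust ownership accordingly.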
Configure the TLS Encryption in a Cluster
If you are running PLOSSYS 5 in a cluster, execute the configuration steps above on all PLOSSYS 5 servers.
Enable the User Authentication
After the installation, the user authentication of MongoDB is disabled. In order to make MongoDB more secure, activate the user authentication.
- Execute the following shell script as administrator:
  /opt/seal/seal-mongodb/secure-mongo.sh
Enable the User Authentication in a Cluster
If you are running PLOSSYS 5 in a cluster, execute the steps above on one of the servers and execute the following steps on all other servers belonging to the cluster:
- On all cluster servers, copy /opt/seal/etc/mongod.keyfile created by secure-mongo.sh on the first server into the following directory:
  /opt/seal/etc
- On all cluster servers, add the following lines to /opt/seal/etc/mongod.conf:
    security:
      authorization: enabled
      keyFile: /opt/seal/etc/mongod.keyfile
- On all cluster servers, restart the following service:
  seal-mongodb
Specify a CA Certificate (Unnecessary in Most Cases)
If a CA certificate has been specified, MongoDB requires a client certificate from each client, which in this case means from all PLOSSYS 5 services. The certificates would need the corresponding properties, which would involve considerable effort. A complete explanation of how to use client certificates is beyond the scope of this documentation.
For the rare other cases, this is how you configure a CA certificate with MongoDB:
- Open the configuration file of MongoDB on the PLOSSYS 5 server:
  /opt/seal/etc/mongod.conf
- Replace the following line:
  allowInvalidCertificates: true
  by the following line:
  CAFile: /opt/seal/etc/tls/ca.pem
- Save the configuration file.
- Restart the following service:
  seal-mongodb
Next Step
Continue with: Secure Filebeat