Skip to content

Secure MongoDB


For security reasons, we strongly recommend configuring the TLS encryption. For even more security, activate the user authentication for MongoDB.


Configure the TLS Encryption

In order to secure the connection with MongoDB, you need a combined PEM file containing both the TLS certificate and the private key.

  1. Combine the file containing the certificate:

    C:\ProgramData\SEAL Systems\config\tls\cert.pem
    

    and the file containing the private key:

    C:\ProgramData\SEAL Systems\config\tls\key.pem
    
  2. Save the combined file as:

    C:\ProgramData\SEAL Systems\config\tls\cert-key-combined.pem
    

Configure the TLS Encryption in a Cluster

If you are running PLOSSYS 5 in a cluster, execute the configuration steps above on all PLOSSYS 5 servers.


Enable the User Authentication

After the installation, the user authentication of MongoDB is disabled. In order to make MongoDB more secure, activate the user authentication.

  1. Open a PowerShell (Administrator) and change to the following directory:

    C:\Program Files\SEAL Systems\seal-mongodb
    
  2. Execute the following script:

    .\secure-mongo.ps1
    

Enable the User Authentication in a Cluster

If you are running PLOSSYS 5 in a cluster, execute the steps above on one of the servers and execute the following steps on all other servers belonging to the cluster:

  1. On all cluster servers, copy C:\ProgramData\SEAL Systems\config\mongod.keyfile created by secure-mongo.ps1 on the first server into the following directory:

    C:\ProgramData\SEAL Systems\config\
    
  2. On all cluster servers, add the following lines to C:\ProgramData\SEAL Systems\config\mongod.conf:

    security:
      authorization: enabled
      keyFile: C:\ProgramData\SEAL Systems\config\mongod.keyfile
    
  3. On all cluster servers, restart the following service:

    • seal-mongodb

Specify a CA Certificate (Unnecessary in Most Cases)

If a CA certificate has been specified, MongoDB requires a client certificate from each client, that means from all PLOSSYS 5 services in the case of MongoDB. This would require corresponding properties of the certificate and would be a high effort. A complete explanation of how to use client certificates is beyond the scope of this documentation.

For the rare other cases, this is how you configure a CA certificate with MongoDB:

  1. Open the configuration file of MongoDB on the PLOSSYS 5 server:

    C:\ProgramData\SEAL Systems\config\mongod.conf
    
  2. Replace the following line:

    allowInvalidCertificates: true
    

    by the following line:

    CAFile: C:\ProgramData\SEAL Systems\config\tls\ca.pem
    
  3. Save the configuration file.

  4. Restart the following service:

    • seal-mongodb

Next Step

Continue with: Secure Filebeat


Back to top