add certificate authentication to mongod

[jalogisch]

Context

You should be able to secure your Mongo Cluster with SSL certificates and certificate validation. If you run a Cluster with certificate validation, activated with the following configuration:

net:
   ssl:
      mode: requireSSL
      PEMKeyFile: /etc/ssl/mongodb.pem
      CAFile: /etc/ssl/ca.pem

The Cluster/Server expect that every client provide a client certificate. With the given configuration options in Graylog ( http://api.mongodb.com/java/current/com/mongodb/MongoClientURI.html ) providing this configuration is not possible.

Graylog is only able to connect to a Mongo Cluster/Server that has SSL enabled with the given string.

mongodb_uri = mongodb://localhost/graylog?ssl=true

This works only if you have added your (internal) CA to the java keystore that is used by Graylog.

feature request

Add the configuration (and client) option to include certificates for authentication

Additional information

• https://stackoverflow.com/questions/26837113/configuring-java-mongoclient-to-use-x-509-certificate-for-the-authentication
• Add CA.der to the keystore

Your Environment

• Graylog Version: 2.4
• Mongo Version: 3.6

[joschi]

With the given configuration options in Graylog […] providing this configuration is not possible.

Why not? IMHO all necessary parts are there (although not too user-friendly and as always under-documented):

• Enable TLS/SSL by adding ssl=true to the MongoDB Client URI and optionally disable hostname verification via sslInvalidHostNameAllowed=true (not recommended). ➡️ https://mongodb.github.io/mongo-java-driver/3.5/javadoc/com/mongodb/MongoClientURI.html
• Add the client certificate (and all required intermediate certificates) to the JVM key store. ➡️ https://mongodb.github.io/mongo-java-driver/3.5/driver/tutorials/ssl/#jvm-system-properties-for-tls-ssl
• Use the subject name of the X.509 certificate as "user" part in the MongoDB Client URI and set authMechanism to MONGODB-X509, i. e. mongodb://subjectName@host1/?authMechanism=MONGODB-X509&ssl=true. ➡️ https://mongodb.github.io/mongo-java-driver/3.5/driver/tutorials/authentication/#x-509
• Optionally add the CA certificate to the JVM trust store if it's not from a well-known CA which already is in the trust store.

[isodude]

In most software one can specify which certificate to use, this could be one of many reasons to most obvious being security.

I want to use LoadCredential= in systemd where the certificate, which is rotated quite often. The certificate is copied to a path only readable by the user running the service.

This works great with graylog-server with the listening side of things. It thus make sense that this should be the case for the client side as well.

If there's a need to create a keystore, why can't graylog-server handle that on startup?

The endgame here is to allow a simple restart on the service to refresh the client certificates. Sure it's possible to generate keystores etc, but it does not make sense that it should be that much extra effort to make it work. TLS should be very easy to set up so that more people use it.

[vikshith-s]

Overcame same issue by defining trust store and cacert. Would be nice to have an option to directly define certificate paths within configs.

[isodude]

This is actually a limit with the mongod driver. Reading the "docs" in the driver test reveals this nugget:

openssl pkcs12 -CAfile ${DRIVERS_TOOLS}/.evergreen/x509gen/ca.pem -export -in ${DRIVERS_TOOLS}/.evergreen/x509gen/client.pem -out client.pkc -password pass:bithere

If you specify that file (client.pkc) as keyStore to graylog-server, it actually connects to mongodb with and presents a client certificate. This should at least be well documented.

[isodude]

What would make things simpler here, given that you would need to write a hook for e.g. letsencrypt, is to add certificates to the keystore via the configuration.

certificates:
  keyStore:
  - /etc/ssl/mongod.pem
  trustStore:
  - /etc/ssl/ca.pem

And internally just add them to the store as you see fit.

For what it's worth, here's a small write up. The mongosh part was especially troublesome since the tool did not provide any info that I needed --tlsAllowInvalidHostnames and that you should escape / with %2F to be able to connect to a socket.

Would that suffice to document @jalogisch?

net:
   tls:
      mode: requireTLS
      PEMKeyFile: /etc/ssl/mongodb.pem
      CAFile: /etc/ssl/ca.pem
security:
  clusterAuthMode: x509

Add to graylog config

mongodb_uri = mongodb://localhost/graylog?ssl=true

I ended up adding &authMechanism=MONGODB-X509 to the mongodb_uri, but it should suffice as above as the client chooses the best auth mechanism by itself.

Add to /etc/default/graylog-server

GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Djavax.net.ssl.keyStore=/etc/graylog/graylog.keystore -Djavax.net.ssl.keyStorePassword=changeme"

Generate the password store

openssl pkcs12 -CAfile /etc/ssl/ca.pem -export -in /etc/ssl/mongodb.pem -out /etc/graylog/graylog.keystore -password pass:changeme

Create the user with mongosh

use $external
db.createUser({
    user: 'CN=<hostname>',
    roles: [
      { role: 'readWrite', db: 'graylog' },
      { role: 'userAdminAnyDatabase', db: 'admin' }
    ]
  })

A simple way to connect to mongodb through the socket

mongosh --shell --tls --tlsAllowInvalidHostnames --tlsCAFile /etc/ssl/ca.pem  --tlsCertificateKeyFile /etc/ssl/mongodb.pem mongodb://admin:pass@%2Ftmp%2Fmongodb-27017.sock