What is Percona Server for MongoDB?
We all know that MongoDB is a popular document database that is used everywhere in the market, and that it comes in multiple editions. MongoDB Community Edition is the core of Percona Server for MongoDB, which offers the same features as MongoDB Community Edition but does not stop there: the following additional features are also available.
- In-Memory Engine
- Audit Logging
- Hot backups
- Data-at-rest encryption
- LDAP Authentication
We launched Ubuntu 16.04.7 LTS with a minimal configuration in AWS to test all of our scenarios.
First, change the hostname according to your requirements and reboot the system for the hostname change to take effect:
vi /etc/hostname and vi /etc/hosts
As per the Percona documentation, we decided to install the latest version of Percona Server for MongoDB.
Installing Percona Server for MongoDB:
1. Fetch the percona-release package from the Percona website
wget https://repo.percona.com/apt/percona-release_latest.$(lsb_release -sc)_all.deb
2. Install the downloaded package with dpkg
sudo dpkg -i percona-release_latest.$(lsb_release -sc)_all.deb
3. Enable the repository
sudo percona-release enable psmdb-50 release
4. Update the local package cache
sudo apt update
5. Install the latest version of Percona Server for MongoDB
sudo apt install percona-server-mongodb
Once installed, the MongoDB configuration file is located at /etc/mongod.conf.
Start the mongod service and log in to the server:
sudo systemctl start mongod
Configure RBAC (Role-Based Access Control)
It is mandatory to configure RBAC for encryption. With RBAC, we can create MongoDB users and restrict their privileges on collections and databases, as well as administrative operations on MongoDB.
1. Create an admin user on mongoprimary
rs01:PRIMARY> use admin
switched to db admin
rs01:PRIMARY> db.createUser({user: 'mongoadmin', pwd: 'zU2iU9pF7mO7rZ4z', roles: ['root']});
Successfully added user: { "user" : "mongoadmin", "roles" : [ "root" ] }
rs01:PRIMARY>
2. Modify the configuration file to enable authentication and restart the MongoDB server
3. Connect with the MongoDB credentials and test the connectivity
mongo -u mongoadmin -p zU2iU9pF7mO7rZ4z --authenticationDatabase 'admin'
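The post grants the admin user the root role; for application accounts the same RBAC mechanism should grant only what the application needs. The following added example (not from the original post) generates a mongo shell script that creates a custom role limited to one collection and a user holding only that role; the database, collection and user names are hypothetical placeholders.

```shell
# Emit mongo shell JS that creates a least-privilege role and user.
# $1 = database, $2 = collection, $3 = user name (all placeholders).
rbac_js() {
  for v in "$1" "$2" "$3"; do
    # Only plain identifiers are accepted, so a caller cannot smuggle
    # quotes or JS into the generated script.
    case "$v" in ''|*[!A-Za-z0-9_]*) return 1 ;; esac
  done
  cat <<EOF
var appdb = db.getSiblingDB("$1");
appdb.createRole({
  role: "${2}Writer",
  privileges: [
    { resource: { db: "$1", collection: "$2" },
      actions: [ "find", "insert", "update" ] }
  ],
  roles: []
});
appdb.createUser({
  user: "$3",
  pwd: passwordPrompt(),
  roles: [ { role: "${2}Writer", db: "$1" } ]
});
EOF
}

# Apply the script as the admin user created in the post. "-p" with no
# value makes the shell prompt for the password, so it is not left in
# argv or shell history the way the post's command line does.
apply_rbac() {
  host="$1"; dbn="$2"; coll="$3"; user="$4"
  tmp=$(mktemp) || return 1
  rbac_js "$dbn" "$coll" "$user" > "$tmp" || { rm -f "$tmp"; return 1; }
  mongo --host "$host" -u mongoadmin -p --authenticationDatabase admin "$tmp"
  rc=$?; rm -f "$tmp"; return $rc
}
```

Usage: `apply_rbac mongoprimary appdb orders app_user` prompts first for the admin password and then, via passwordPrompt(), for the new user's password.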
Create and configure a secure SSL/TLS connection
1. Create a private key using openssl on the mongo primary
MongoDB supports x.509 authentication for use with secure SSL/TLS connections. SSL certificates can be obtained from third parties, but that comes at a cost. Since this is for internal use, we used self-signed certificates created with openssl.
root@mongoprimary:~# openssl genrsa -out mongoCA.key -aes256 8192
Generating RSA private key, 8192 bit long modulus
.....................................++
e is 65537 (0x10001)
Enter pass phrase for mongoCA.key:
Verifying - Enter pass phrase for mongoCA.key:
Use a strong passphrase for the CA private key.
2. Create a local certificate authority using openssl
When creating the certificate authority, fill in the corresponding details. In this scenario we have only one mongo instance, so we did not enter any details.
root@mongoprimary:~# openssl req -x509 -new -extensions v3_ca -key mongoCA.key -days 3650 -out mongoCA.crt
Enter pass phrase for mongoCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
root@mongoprimary:~#
If you have multiple secondaries, enter the primary server's FQDN as the Common Name in the prompt above.
3. Create and sign the certificate for the mongo primary server
root@mongoprimary:~# openssl req -new -nodes -newkey rsa:4096 -keyout mongoprimary.key -out mongoprimary.csr
Generating a 4096 bit RSA private key
.......................................................++
writing new private key to 'mongoprimary.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:mongoprimary
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@mongoprimary:~# openssl x509 -CA mongoCA.crt -CAkey mongoCA.key -CAcreateserial -req -days 365 -in mongoprimary.csr -out mongoprimary.crt
Signature ok
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=mongoprimary
Getting CA Private Key
Enter pass phrase for mongoCA.key:
root@mongoprimary:~# cat mongoprimary.key mongoprimary.crt > mongoprimary.pem
Once the key and certificate files are generated, verify them:
root@mongoprimary:~# openssl verify -CAfile mongoCA.crt mongoprimary.pem
mongoprimary.pem: OK
root@mongoprimary:~#
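The interactive openssl session above is easy to get subtly wrong (a missing FQDN, or a SAN that silently does not survive signing). As an added example that is not part of the original post, here is the same CA and server-certificate flow scripted non-interactively, with a subjectAltName so TLS hostname validation succeeds; the CA key size (4096 instead of the post's 8192) and the CA_PASS variable are assumptions.

```shell
#!/bin/sh
set -eu
CA_PASS="${CA_PASS:-change-me}"   # passphrase for the AES-encrypted CA key (placeholder)

make_mongo_certs() {              # $1 = output dir, $2 = server FQDN (e.g. mongoprimary)
  dir="$1"; fqdn="$2"
  mkdir -p "$dir" && chmod 700 "$dir"
  # 1. Encrypted CA key and self-signed CA certificate, valid 10 years
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$dir/mongoCA.key" 4096
  openssl req -x509 -new -key "$dir/mongoCA.key" -passin "pass:$CA_PASS" \
    -days 3650 -subj "/CN=mongoCA" -out "$dir/mongoCA.crt"
  # 2. Server key and CSR; the CN alone is not enough for modern hostname checks
  openssl req -new -nodes -newkey rsa:4096 -keyout "$dir/$fqdn.key" \
    -subj "/CN=$fqdn" -out "$dir/$fqdn.csr"
  # 3. Sign with the CA. "openssl x509 -req" ignores extensions in the CSR,
  #    so the SAN has to be supplied here through -extfile.
  printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/san.cnf"
  openssl x509 -req -in "$dir/$fqdn.csr" -CA "$dir/mongoCA.crt" \
    -CAkey "$dir/mongoCA.key" -passin "pass:$CA_PASS" -CAcreateserial \
    -days 365 -extfile "$dir/san.cnf" -out "$dir/$fqdn.crt"
  # 4. mongod expects key and certificate in a single PEM; restrict it to the owner
  cat "$dir/$fqdn.key" "$dir/$fqdn.crt" > "$dir/$fqdn.pem"
  chmod 600 "$dir/$fqdn.pem" "$dir/$fqdn.key" "$dir/mongoCA.key"
}

verify_chain() {                  # 0 only if the chain verifies AND the SAN matches
  dir="$1"; fqdn="$2"
  openssl verify -CAfile "$dir/mongoCA.crt" "$dir/$fqdn.crt" >/dev/null &&
  openssl x509 -in "$dir/$fqdn.crt" -noout -text | grep -q "DNS:$fqdn"
}

# Usage: sh make_certs.sh /etc/mongodb/ssl mongoprimary
if [ "$#" -ge 2 ]; then
  make_mongo_certs "$1" "$2" && verify_chain "$1" "$2" && echo "certificates OK in $1"
fi
```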
Once verified, keep the keys in a dedicated folder and give the mongod user ownership:
sudo chmod 700 /etc/mongodb/ssl
sudo chown -R mongod:mongod /etc/mongodb
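The post enables authentication and TLS but does not show the server side of mongod.conf. As an added example (not the post's own configuration), this writes the net and security fragment that pairs with the keys placed above, and checks an existing config for the settings that keep unauthenticated or plaintext connections out; the file paths are the post's, while the bindIp value and the 27017 port are assumptions for a single-node setup.

```shell
# Write the TLS + authorization fragment; merge these keys into the existing
# /etc/mongod.conf (keep its storage and systemLog sections) and restart mongod.
write_mongod_conf() {             # $1 = file to write
  cat > "$1" <<'EOF'
net:
  port: 27017
  bindIp: 127.0.0.1,mongoprimary
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/mongodb/ssl/mongoprimary.pem
    CAFile: /etc/mongodb/ssl/mongoCA.crt
security:
  authorization: enabled
EOF
}

# Return 0 only when every hardening setting is present: RBAC enforced,
# TLS required (allowTLS/preferTLS still accept plaintext clients), and both
# the server certificate and the CA used to validate peers configured.
check_mongod_conf() {
  f="$1"
  grep -Eq '^[[:space:]]*authorization:[[:space:]]*enabled[[:space:]]*$' "$f" &&
  grep -Eq '^[[:space:]]*mode:[[:space:]]*requireTLS[[:space:]]*$' "$f" &&
  grep -Eq '^[[:space:]]*certificateKeyFile:[[:space:]]*\S' "$f" &&
  grep -Eq '^[[:space:]]*CAFile:[[:space:]]*\S' "$f"
}
```

Run `check_mongod_conf /etc/mongod.conf` after editing; a non-zero exit means one of the settings is missing or weakened.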
Initially we faced connectivity issues with other agents, due to the warnings below:
root@mongoprimary:~# mongo admin --ssl --sslCAFile /etc/mongodb/ssl/mongoCA.crt --sslPEMKeyFile /etc/mongodb/ssl/mongoprimary.pem -u mongouser -p zU2iU9pF7mO7rZ4z --host mongoprimary
{"t":{"$date":"2022-01-03T14:36:47.622Z"},"s":"W", "c":"CONTROL", "id":23321, "ctx":"main","msg":"Option: This name is deprecated. Please use the preferred name instead.","attr":{"deprecatedName":"ssl","preferredName":"tls"}}
{"t":{"$date":"2022-01-03T14:36:47.622Z"},"s":"W", "c":"CONTROL", "id":23321, "ctx":"main","msg":"Option: This name is deprecated. Please use the preferred name instead.","attr":{"deprecatedName":"sslPEMKeyFile","preferredName":"tlsCertificateKeyFile"}}
With the SSL option names, mongo shell connections worked fine, but the agents that depend on Percona Server did not connect successfully. So we modified the configuration as below, using the TLS option names, to make the connections succeed:
root@mongoprimary:~# mongo admin --tls --tlsCAFile /etc/mongodb/ssl/mongoCA.crt --tlsCertificateKeyFile /etc/mongodb/ssl/mongoprimary.pem -u mongouser -p zU2iU9pF7mO7rZ4z --host mongoprimary
Percona Server for MongoDB shell version v4.4.9-10
connecting to: mongodb://mongoprimary:27017/admin?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("105dd242-8fc4-496b-bfb6-7bcceb924a43") }
Percona Server for MongoDB server version: v4.4.9-10
---
rs01:PRIMARY>
Now we are able to log in successfully.
Krishnakumar Mani SelvaKumar Kuppusamy — We will see you soon in Percona Backup for MongoDB with SSL/TLS in the next blog