Deploy Percona for MongoDB with SSL/TLS

What is Percona for MongoDB ?

We all know that MongoDB is popular document database and its used everywhere in the market . Its having multiple edition . In which MongoDB community edition is the core for Percona Server for MongoDB . Which is having same features available in MongoDB Community edition but it doesn't stop in there including that below are additional features are available to use ,

  1. In-Memory Engine
  2. Audit Logging
  3. Hot backups
  4. Data-at-rest encryption
  5. LDAP Authentication

Launched Ubuntu 16.04.7 LTS with minimal configuration in AWS to test all of our scenarios

First level , Modify the hostname changes according to the requirements and reboot the system to affect the hostname changes

vi /etc/hostname and vi /etc/hosts

As per percona documentation, decided to install latest version of the percona server for mongoDB ,

Installing the Percona server for MongoDB ,

1.Fetch percona-release packages from Percona web

wget https://repo.percona.com/apt/percona-release_latest.$(lsb_release -sc)_all.deb

2. Install the downloaded package with dpkg

sudo dpkg -i percona-release_latest.$(lsb_release -sc)_all.deb

3. Enable the repository

sudo percona-release enable psmdb-50 release

4. To update the local cache

sudo apt update

5. To install the latest version of Percona Server for MongoDB

sudo apt install percona-server-mongodb

Once installed , we can locate mongoDB Configuration files in /etc/mongod.cnf

Start the mongodb service and login into the server ,

sudo systemctl start mongod

Configure RBAC ( Role-based Access Control )

Its mandatory , to configure RBAC for encryption . With RBAC, We can create restrict mongodb users and restrict privileges for collections and databases as well administrator operation on MongoDB

  1. Create admin user in mongoprimary

rs01:PRIMARY> use admin
switched to db admin
rs01:PRIMARY> db.createUser({user: ‘mongoadmin’, pwd: ‘zU2iU9pF7mO7rZ4z’, roles:[‘root’]});
Successfully added user: { “user” : “mongoadmin”, “roles” : [ “root” ] }
rs01:PRIMARY>

2.Modify the configuration file to enable authentication and restart the mongoDB Server

3.Connect with MongoDB Credentials and Test the connectivity

mongo -u mongoadmin -p zU2iU9pF7mO7rZ4z -authenticationDatabase ‘admin’

Create and configure secure SSL/TLS Connection

1.Create private key using openssl in mongo primary

MongoDB supports x.509 authentication for use with a secure SSL/TLS connections . We can create SSL certificates using third parties and its come with cost. We are going to use for internal purpose so we have used self signed certificates with help of openssl

root@mongoprimary:~# openssl genrsa -out mongoCA.key -aes256 8192
Generating RSA private key, 8192 bit long modulus
…………………………………………………++
e is 65537 (0x10001)
Enter pass phrase for mongoCA.key:
Verifying — Enter pass phrase for mongoCA.key:

Create a strong password for private key

2.Using openssl create local certification authority

While creating certificate authority , add correspondence details . In this scenario we are having only one mongo instance so not entered any details for it

root@mongoprimary:~# openssl req -x509 -new -extensions v3_ca -key mongoCA.key -days 3650 -out mongoCA.crt
Enter pass phrase for mongoCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
— — -
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
root@mongoprimary:~#

In this case if you have multiple secondary add primary server FQDN on above highlighted line

3.Self signed certificate for mongo primary server

root@mongoprimary:~# openssl req -new -nodes -newkey rsa:4096 -keyout mongoprimary.key -out mongoprimary.csr
Generating a 4096 bit RSA private key
………………………………………………………………………………………
………++
writing new private key to ‘mongoprimary.key’
— — -
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
— — -
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:mongoprimary
Email Address []:

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@mongoprimary:~#

root@mongoprimary:~# openssl x509 -CA mongoCA.crt -CAkey mongoCA.key -CAcreateserial -req -days 365 -in mongoprimary.csr -out mongoprimary.crt
Signature ok
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=mongoprimary
Getting CA Private Key
Enter pass phrase for mongoCA.key:
root@mongoprimary:~#

root@mongoprimary:~# cat mongoprimary.key mongoprimary.crt > mongoprimary.pem

Once we generated keys and certificate file , needs to verify

root@mongoprimary:~#
root@mongoprimary:~# openssl verify -CAfile mongoCA.crt mongoprimary.pem
mongoprimary.pem: OK
root@mongoprimary:~#

Once verified keep the keys in specific folder and assign mongod permissions

sudo chmod 700 /etc/mongodb/ssl

sudo chown -R mongod:mongod /etc/mongodb

Initially we have faced connectivity issues with other agents , due to below warnings ,

root@mongoprimary:# mongo admin — ssl — sslCAFile /etc/mongodb/ssl/mongoCA.crt — sslPEMKeyFile /etc/mongodb/ssl/mongoprimary.pem -u mongouser -p zU2iU9pF7mO7rZ4z — host mongoprimary
{“t”:{“$date”:”2022–01–03T14:36:47.622Z”},”s”:”W”, “c”:”CONTROL”, “id”:23321, “ctx”:”main”,”msg”:”Option: This name is deprecated. Please use the preferred name instead.”,”attr”:{“deprecatedName”:”ssl”,”preferredName”:”tls”}}
{“t”:{“$date”:”2022–01–03T14:36:47.622Z”},”s”:”W”, “c”:”CONTROL”, “id”:23321, “ctx”:”main”,”msg”:”Option: This name is deprecated. Please use the preferred name instead.”,”attr”:{“deprecatedName”:”sslPEMKeyFile”,”preferredName”:”tlsCertificateKeyFile”}

With SSL configuration mongo connections working fine , but percona server dependent agents not connected successfully . So we have modified configuration file as below , to make successful connections

root@mongoprimary:~# mongo admin — tls — tlsCAFile /etc/mongodb/ssl/mongoCA.crt — tlsCertificateKeyFile /etc/mongodb/ssl/mongoprimary.pem -u mongouser -p zU2iU9pF7mO7rZ4z — host mongoprimary
Percona Server for MongoDB shell version v4.4.9–10
connecting to: mongodb://mongoprimary:27017/admin?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { “id” : UUID(“105dd242–8fc4–496b-bfb6–7bcceb924a43”) }
Percona Server for MongoDB server version: v4.4.9–10
— -
rs01:PRIMARY>

Now , able to login successfully

Krishnakumar Mani SelvaKumar Kuppusamy — We will see you soon in Percona Backup for MongoDB with SSL/TLS in the next blog

8+ years of experience in IT with enhanced skills in Database Administration, Business Intelligence tools well worked with Cloud Technologies like AWS, AZURE