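# Copy the x.509 certificates from MongoDB course M310 for this lab.
# client.pem and server.pem are later passed to --sslPEMKeyFile, so each file holds a private key as well as a certificate;
# the world-readable mode (-rw-r--r--) shown in the listing below is acceptable only because these are throwaway lab certificates.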
donghua@database:~$ mkdir
-p ~/shared/certs/
donghua@database:~$ cp LAB-certs/* ~/shared/certs/
donghua@database:~$ ls -l
~/shared/certs/
total 12
-rw-r--r-- 1 donghua
donghua 1314 Nov 10 22:44 ca.pem
-rw-r--r-- 1 donghua
donghua 3104 Nov 10 22:44 client.pem
-rw-r--r-- 1 donghua
donghua 3108 Nov 10 22:44 server.pem
# Set up the data directories for replica-set testing
# hostname: database.LAB.mongodb.university
mkdir -p /home/donghua/LAB002/{r0,r1,r2}
# Start a replica set with 3 members (ports 31130-31132), each forked with its own dbpath and log file.
# These first starts pass neither --auth nor any TLS option, so the members accept
# unauthenticated, unencrypted connections until they are restarted with the secured options.
mongod --dbpath
/home/donghua/LAB002/r0 --logpath /home/donghua/LAB002/r0/mongo.log --port
31130 --replSet TO_BE_SECURED --fork
mongod --dbpath
/home/donghua/LAB002/r1 --logpath /home/donghua/LAB002/r1/mongo.log --port
31131 --replSet TO_BE_SECURED --fork
mongod --dbpath
/home/donghua/LAB002/r2 --logpath /home/donghua/LAB002/r2/mongo.log --port
31132 --replSet TO_BE_SECURED --fork
# Initiate the set from the member on port 31130, listing all three members by hostname and port.
mongo --port 31130 --eval
"rs.initiate({_id: 'TO_BE_SECURED',members: [{ _id: 1, host: 'database.LAB.mongodb.university:31130'
},{ _id: 2, host: 'database.LAB.mongodb.university:31131' },{ _id: 3, host:
'database.LAB.mongodb.university:31132' }]})"
# Print the replica-set status to check the result of the initiation.
mongo --port 31130 --eval
"rs.status()"
MongoDB Enterprise
> use admin;
MongoDB Enterprise
> db.createUser( {user: "donghua",
pwd: "webscale", roles:['root']});
MongoDB Enterprise
>
db.auth("donghua","webscale")
# Stop all three members; each is identified by its dbpath.
# They are started again afterwards with the TLS and authentication options.
mongod --dbpath
/home/donghua/LAB002/r0 --shutdown
mongod --dbpath
/home/donghua/LAB002/r1 --shutdown
mongod --dbpath
/home/donghua/LAB002/r2 --shutdown
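# Enable x.509 certificates
# A keyFile implies security.authorization; this lab uses no keyFile. Members authenticate to each other with --clusterAuthMode x509, and --auth is passed explicitly on each mongod command line.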
donghua@database:~$
openssl x509 -in ~/shared/certs/client.pem -inform PEM -subject -nameopt RFC2253 -noout
subject= C=US,ST=New
York,L=New York City,O=MongoDB,OU=University2,CN=LAB Client
# Restart each member with the same dbpath, log file, port and replica-set name as before, adding:
#   --sslMode requireSSL      the member is started in TLS-required mode
#   --sslPEMKeyFile/--sslCAFile  the member's certificate-and-key file and the CA file
#   --clusterAuthMode x509    members authenticate to each other with their certificates
#   --auth                    access control is enabled for clients
# All three members are given the same server.pem and the same ca.pem.
# NOTE(review): sharing one server.pem is presumably fine because every member runs on this
# one lab host; confirm against the course material before reusing the pattern across hosts.
mongod --dbpath
/home/donghua/LAB002/r0 --logpath /home/donghua/LAB002/r0/mongo.log --port
31130 --replSet TO_BE_SECURED --fork --clusterAuthMode x509 --sslMode requireSSL
--sslPEMKeyFile /home/donghua/shared/certs/server.pem --sslCAFile
/home/donghua/shared/certs/ca.pem --auth
mongod --dbpath
/home/donghua/LAB002/r1 --logpath /home/donghua/LAB002/r1/mongo.log --port
31131 --replSet TO_BE_SECURED --fork --clusterAuthMode x509 --sslMode
requireSSL --sslPEMKeyFile /home/donghua/shared/certs/server.pem --sslCAFile
/home/donghua/shared/certs/ca.pem --auth
mongod --dbpath
/home/donghua/LAB002/r2 --logpath /home/donghua/LAB002/r2/mongo.log --port
31132 --replSet TO_BE_SECURED --fork --clusterAuthMode x509 --sslMode
requireSSL --sslPEMKeyFile /home/donghua/shared/certs/server.pem --sslCAFile
/home/donghua/shared/certs/ca.pem --auth
donghua@database:~$
mongo --host database.LAB.mongodb.university
--port 31130 --ssl --sslPEMKeyFile ~/shared/certs/client.pem --sslCAFile
~/shared/certs/ca.pem
MongoDB shell version:
3.2.10
connecting to: database.LAB.mongodb.university:31130/test
MongoDB Enterprise
TO_BE_SECURED:PRIMARY> use admin
switched to db admin
MongoDB Enterprise
TO_BE_SECURED:PRIMARY> db.auth('donghua','webscale')
1
MongoDB Enterprise
TO_BE_SECURED:PRIMARY>
db.getSiblingDB("$external").runCommand({createUser:
"C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=LAB
Client",roles:[{role:'userAdminAnyDatabase',db: 'admin'}]});
{ "ok" : 1 }
MongoDB Enterprise
TO_BE_SECURED:PRIMARY>
db.getSiblingDB("$external").auth({mechanism:
"MONGODB-X509",user: "C=US,ST=New York,L=New York
City,O=MongoDB,OU=University2,CN=LAB Client"})
MongoDB Enterprise
TO_BE_SECURED:PRIMARY> db.runCommand({getParameter: 1,
authenticationMechanisms: 1})
{
"authenticationMechanisms" :
[
"MONGODB-CR",
"MONGODB-X509",
"SCRAM-SHA-1"
],
"ok" : 1
}
# Shut down the three members and clean up
mongod --dbpath
/home/donghua/LAB002/r0 --shutdown
mongod --dbpath
/home/donghua/LAB002/r1 --shutdown
mongod --dbpath
/home/donghua/LAB002/r2 --shutdown
# Remove the data directories and logs of all three members.
# The certificates copied to ~/shared/certs/ are outside this path and are not removed.
rm -rf /home/donghua/LAB002/