I am trying to deploy a MongoDB instance in my environment. I have set up an SSL connection so it is possible to authenticate clients (using a certificate they present and a root CA agreed upon by both the server and the client). Is there a way to authenticate the server identity too? (I could not find any reference to this issue.)
I would like to use the mongo shell (without any side programming)
Thank you
As per the MongoDB documentation here, MongoDB supports the following authentication mechanisms:
- SCRAM (Default)
- MongoDB Challenge and Response (MONGODB-CR) (Deprecated as of MongoDB 3.6)
- x.509 Certificate Authentication.
New in version 2.6.
MongoDB supports x.509 certificate authentication for client authentication and internal authentication of the members of replica sets and sharded clusters.
x.509 certificate authentication requires a secure TLS/SSL connection.
Certificate Authority
For production use, your MongoDB deployment should use valid certificates generated and signed by a single certificate authority. You or your organization can generate and maintain an independent certificate authority, or use certificates generated by a third-party TLS/SSL vendor.
Client x.509 Certificates
To authenticate to servers, clients can use x.509 certificates instead of usernames and passwords.
Client Certificate Requirements
The client certificate must have the following properties:
- A single Certificate Authority (CA) must issue the certificates for both the client and the server.
- Client certificates must contain the following fields:
  keyUsage = digitalSignature
  extendedKeyUsage = clientAuth
- Each unique MongoDB user must have a unique certificate.
- A client x.509 certificate's subject, which contains the Distinguished Name (DN), must differ from that of a Member x.509 Certificate. Specifically, the subjects must differ with regards to at least one of the following attributes: Organization (O), the Organizational Unit (OU) or the Domain Component (DC).
WARNING
If a client x.509 certificate’s subject has the same O, OU, and DC combination as the Member x.509 Certificate, the client will be identified as a cluster member and granted full permission on the system.
For further reference, see here.
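The requirements quoted in the answer above (same CA as the member certificate, keyUsage with digitalSignature, extendedKeyUsage with clientAuth, and a subject whose O/OU/DC differs from the member certificate's so the client is not silently treated as a cluster member) are easy to get wrong when certificates are issued by hand. The script below is an added example, not code from the answer or from MongoDB: it reads the text that `openssl x509 -noout -text` prints for a client certificate and for one cluster-member certificate and reports which of the quoted requirements the client certificate violates. All certificate dumps, organisation names and host names in it are constructed for illustration.

```python
"""Check a MongoDB client x.509 certificate against the requirements quoted
above, using `openssl x509 -noout -text` output as input. Added example, not
code from the original post or from MongoDB; all sample dumps are constructed."""
import re

# Constructed, abbreviated `openssl x509 -noout -text` dump of a cluster-member
# certificate (hypothetical names).
MEMBER_CERT_TEXT = """\
        Issuer: C = US, O = Example Corp, OU = MongoDB CA, CN = Example Root CA
        Subject: C = US, O = Example Corp, OU = MongoDB Cluster, CN = mongo1.example.com
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
"""

# Constructed client certificate that meets every requirement: same CA,
# digitalSignature, clientAuth, and an OU that differs from the member cert.
GOOD_CLIENT_CERT_TEXT = """\
        Issuer: C = US, O = Example Corp, OU = MongoDB CA, CN = Example Root CA
        Subject: C = US, O = Example Corp, OU = MongoDB Clients, CN = alice
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
"""

# Constructed client certificate with the same O and OU as the member cert and
# only a different CN: the case the WARNING describes, where MongoDB would
# identify "bob" as a cluster member.
MEMBER_LOOKALIKE_CLIENT_CERT_TEXT = """\
        Issuer: C = US, O = Example Corp, OU = MongoDB CA, CN = Example Root CA
        Subject: C = US, O = Example Corp, OU = MongoDB Cluster, CN = bob
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
"""

# Constructed client certificate issued by a different CA and missing the
# extendedKeyUsage extension entirely.
WRONG_CA_NO_EKU_CLIENT_CERT_TEXT = """\
        Issuer: C = US, O = Other Corp, CN = Other CA
        Subject: C = US, O = Example Corp, OU = MongoDB Clients, CN = carol
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
"""


def parse_dn(cert_text, label):
    """Return the 'Subject:' or 'Issuer:' DN as {attribute: [values in order]}.

    openssl prints one RDN per comma-separated item ("OU = MongoDB Clients");
    a comma inside a value is escaped as '\\,', so split only on unescaped
    commas. Repeated attributes such as DC=example, DC=com keep their order.
    """
    m = re.search(rf"^\s*{label}:\s*(.*)$", cert_text, re.M)
    if not m:
        raise ValueError(f"no {label} line found in certificate text")
    attrs = {}
    for rdn in re.split(r"(?<!\\),", m.group(1)):
        name, _, value = rdn.partition("=")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def parse_extension(cert_text, ext_name):
    """Return the values listed under 'X509v3 <ext_name>:' (empty set if absent)."""
    m = re.search(rf"^\s*X509v3 {re.escape(ext_name)}:.*\n\s*(.+)$", cert_text, re.M)
    if not m:
        return set()
    return {v.strip() for v in m.group(1).split(",")}


def check_client_certificate(client_text, member_text):
    """Return the list of violated requirements; an empty list means the cert passes."""
    problems = []
    # Requirement: one CA issues both the client and the member certificates.
    if parse_dn(client_text, "Issuer") != parse_dn(member_text, "Issuer"):
        problems.append("client and member certificates must be issued by the same CA")
    # Requirement: keyUsage = digitalSignature, extendedKeyUsage = clientAuth.
    if "Digital Signature" not in parse_extension(client_text, "Key Usage"):
        problems.append("keyUsage must include digitalSignature")
    if "TLS Web Client Authentication" not in parse_extension(client_text, "Extended Key Usage"):
        problems.append("extendedKeyUsage must include clientAuth")
    # Requirement: subject differs from the member cert in at least one of O, OU, DC.
    client_subject = parse_dn(client_text, "Subject")
    member_subject = parse_dn(member_text, "Subject")
    if all(client_subject.get(a, []) == member_subject.get(a, []) for a in ("O", "OU", "DC")):
        problems.append("subject O/OU/DC equals the member certificate's: "
                        "MongoDB would treat this client as a cluster member")
    return problems


if __name__ == "__main__":
    for user, text in [("alice", GOOD_CLIENT_CERT_TEXT),
                       ("bob", MEMBER_LOOKALIKE_CLIENT_CERT_TEXT),
                       ("carol", WRONG_CA_NO_EKU_CLIENT_CERT_TEXT)]:
        print(user, check_client_certificate(text, MEMBER_CERT_TEXT) or "OK")
```

Run it against real certificates by pasting the output of `openssl x509 -in client.pem -noout -text` and `openssl x509 -in member.pem -noout -text` in place of the constructed samples. The member-lookalike check is the one worth keeping in a CI pipeline: a certificate that merely copies the member certificate's subject and changes the CN passes every other check and still ends up with cluster-member privileges.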