You can configure application-managed or container-managed security for MongoDB
connections in Liberty.
About this task
You can secure MongoDB applications by using application-managed security, container-managed
security, SSL-managed security, or certificate authentication. For all types of security, the
MongoDB server must be running with authentication explicitly enabled to secure MongoDB
connections.
Procedure
- Configure application-managed security for MongoDB.
If the mongo configuration element does not specify user and password
attributes, the product assumes that an application is either using application-managed security or
is not using security. To enable application-managed security, the application must authenticate by
using the MongoDB APIs, for example:
<mongo id="mongo1" libraryRef="MongoLib" />
<mongoDB jndiName="mongo/testdb" mongoRef="mongo1" databaseName="db-test-1"/>
{
    ...
    // Java snippet
    @Resource(name = "mongo/testdb")
    protected DB db;

    private void auth() {
        if (!db.isAuthenticated())
            db.authenticate("user", "password".toCharArray());
    }
    ...
}
- Configure container-managed security for MongoDB.
To use container-managed security, the mongo configuration element must specify a user and password. Only one
user is allowed for each mongo configuration. All
MongoDB instances use the specified user and password. For example,
all MongoDB instances that reference mongo1 in the
following example use mongoUserName and pw:
<mongo id="mongo1" libraryRef="MongoLib" user="mongoUserName" password="pw"/>
<mongoDB jndiName="mongo/testdb" mongoRef="mongo1" databaseName="db-test-1"/>
<mongoDB jndiName="mongo/testdb2" mongoRef="mongo1" databaseName="db-test-2"/>
Applications that use container-managed security must not call com.mongodb.DB.authenticate(user, pass).
- Create an SSL connection between Liberty and the MongoDB server.
To create an SSL connection between Liberty and the MongoDB server, add the ssl-1.0
Liberty feature in the server.xml file and specify sslEnabled="true" on the MongoDB
configuration element. SSL must be explicitly enabled on the MongoDB server to ensure that
connections are encrypted.
<featureManager>
<feature>mongodb-2.0</feature>
<feature>ssl-1.0</feature>
</featureManager>
<mongo id="mongo3" libraryRef="MongoLib" user="mongoUserName" password="pw" sslEnabled="true"/>
<mongoDB jndiName="mongo/testdb3" mongoRef="mongo3" databaseName="db-test-3" />
- Use a custom SSL configuration.
To use a custom SSL configuration, which might be used, for example, to specify a truststore, add
the sslRef attribute to the MongoDB configuration element. Use the
sslRef attribute to specify an SSL configuration, which can be set up in the
server.xml file.
<featureManager>
<feature>mongodb-2.0</feature>
<feature>ssl-1.0</feature>
</featureManager>
<keyStore id="myTrustStore" password="truststorepw" location="${server.output.dir}/resources/security/trustStore.jks"></keyStore>
<ssl id="mySSLConfig" keyStoreRef="myTrustStore" />
<mongo id="mongo4" libraryRef="MongoLib" user="mongoUserName" password="mongopw" sslEnabled="true" sslRef="mySSLConfig"/>
<mongoDB jndiName="mongo/testdb4" mongoRef="mongo4" databaseName="db-test-4" />
- Use certificate authentication.
To configure the use of certificate authentication with MongoDB, add the
useCertificateAuthentication attribute and remove the user and password attributes:
<featureManager>
<feature>mongodb-2.0</feature>
<feature>ssl-1.0</feature>
</featureManager>
<keyStore id="myTrustStore" password="truststorepw" location="${server.output.dir}/resources/security/trustStore.jks"></keyStore>
<keyStore id="myKeyStore" password="keystorepw" location="${server.output.dir}/resources/security/keyStore.jks"></keyStore>
<ssl id="mySSLConfigCertAuth" trustStoreRef="myTrustStore" keyStoreRef="myKeyStore" clientKeyAlias="alias_name_of_key" />
<mongo id="mongo5" libraryRef="MongoLib" sslEnabled="true" sslRef="mySSLConfigCertAuth" useCertificateAuthentication="true" />
<mongoDB jndiName="mongo/testdb5" mongoRef="mongo5" databaseName="db-test-5" />
clientKeyAlias is only required if the keystore contains multiple keys. For more
information about configuring the keystore and truststore, see the MongoDB documentation.
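The rules in this procedure can be checked against a server.xml file before it is deployed. The following Python linter is an added example, not part of the product or its documentation; the function name lint_mongo_security, the sample configuration, and the final check (credentials configured without sslEnabled) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the page): three misconfigured <mongo> elements.
SAMPLE = """<server>
  <featureManager>
    <feature>mongodb-2.0</feature>
  </featureManager>
  <ssl id="mySSLConfig" keyStoreRef="myTrustStore"/>
  <mongo id="mongoA" libraryRef="MongoLib" user="u" password="pw" sslEnabled="true" sslRef="missingSSL"/>
  <mongo id="mongoB" libraryRef="MongoLib" user="u"/>
  <mongo id="mongoC" libraryRef="MongoLib" user="u" password="pw" sslEnabled="true"
         sslRef="mySSLConfig" useCertificateAuthentication="true"/>
</server>"""

def is_true(elem, attr):
    return elem.get(attr, "false").strip().lower() == "true"

def lint_mongo_security(server_xml):
    """Return (mongo id, finding) pairs for the rules stated in the procedure."""
    root = ET.fromstring(server_xml)
    features = {f.text.strip().lower() for f in root.iter("feature") if f.text}
    ssl_ids = {s.get("id") for s in root.iter("ssl")}
    findings = []
    for m in root.iter("mongo"):
        mid = m.get("id", "<no id>")
        has_user, has_pw = m.get("user") is not None, m.get("password") is not None
        if has_user != has_pw:
            findings.append((mid, "container-managed security needs both user and password"))
        if is_true(m, "sslEnabled") and "ssl-1.0" not in features:
            findings.append((mid, "sslEnabled is true but the ssl-1.0 feature is not enabled"))
        ref = m.get("sslRef")
        if ref is not None and ref not in ssl_ids:
            findings.append((mid, "sslRef '%s' matches no <ssl> element" % ref))
        if is_true(m, "useCertificateAuthentication") and (has_user or has_pw):
            findings.append((mid, "certificate authentication set together with user/password"))
        # Added hardening check (assumption, not a rule the page makes mandatory).
        if (has_user or has_pw) and not is_true(m, "sslEnabled"):
            findings.append((mid, "credentials configured without sslEnabled"))
    return findings

if __name__ == "__main__":
    for mid, msg in lint_mongo_security(SAMPLE):
        print(mid + ": " + msg)
```

A mongo element with neither user nor password (application-managed security) produces no findings, because the procedure allows that configuration.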
What to do next
Ensure that the MongoDB server is running, and then test
the MongoDB security from your application.