MongoDB SSL encryption and Spring's Driver

mongodb ssl springframework

There is very limited information regarding MongoDB and SSL encryption for the transport between replica sets and drivers (java clients). Anyone have any experience setting this up? Looking to have traffic (queries and replica information) between nodes encrypted without having to use stunnel or some other SSL proxy method.


Solution 1:

First, let me say that the MongoDB SSL docs are being worked on, most of the information here will be included there eventually, but until then.....

The Java driver, which I believe spring uses, does support SSL. In terms of getting mongoDB running with SSL, there are currently two options. First, you can become a subscriber and use the subscriber edition - that has SSL (and SNMP) support built in:

https://www.10gen.com/mongodb-subscriber-edition-download

As of writing this, it is very much a new offering and is only available for Amazon Linux and Ubuntu.

The second option, thanks to the fact that MongoDB is open source, is to build yourself a copy of mongoDB with SSL support. To do so, first I would recommend following the general build instructions until you succeed with a non-SSL build:

http://www.mongodb.org/display/DOCS/Building+for+Linux

Then build with the --ssl flag passed to scons to enable SSL. You will also likely have to install the required openssl libraries or the configure will fail dependencies check (generally libssl and libssl-dev).

Once you complete that step, you should be good to go. When running MongoDB with SSL enabled bear in mind that you have to connect with SSL for everything. All clients, the shell, the driver and MMS will all have to connect via SSL or fail. In order to start mongod with SSL you will need a cert, a key, the password and something like these options (in addition to any other options you want to pass):

mongod --sslOnNormalPorts --sslPEMKeyFile <pem> --sslPEMKeyPassword <pass>

You may also specify these option in a config file (usually /etc/mongodb.conf) like so:

sslOnNormalPorts = true
sslPEMKeyFile = /etc/ssl/mongodb.pem
sslPEMKeyPassword = pass

For the shell simply use

mongo --ssl --host <hostname> --port <port>

Finally, you mentioned using Java, here is an example "sslApp.java" class file: 

import com.mongodb.*;
import javax.net.ssl.SSLContext;
public class sslApp {
public static void main(String args[])
throws Exception {
         MongoOptions o = new MongoOptions();
         o.socketFactory = SSLSocketFactory.getDefault();
         Mongo m = new Mongo( "localhost" , o );
         DB db = m.getDB( "test" );
         DBCollection c = db.getCollection( "foo" );
         System.out.println( c.findOne() );
} }

Related

ERROR: Message not sent. Server replied: 354
WipeDrive Utility?
Rsync command to synchronize two NTFS drives?
OS X 10.8: redirecting locally initiated ssh connections to localhost:22
How can I run a process as "NT Authority\NetworkService"?
Defining a persistent static route on Mac OS X
Incrond running but not executing commands CentOS 6.4
Configure proper DNS records for separate web host and e-mail server
SMTP-AUTH required for local domains?
Basic auth only if a certain header is present in the request?
ssh fails to execute remote command when run from cron bash script - works from CLI
Postifx header_checks not working