In the previous recipe, we saw how authentication can be enforced for user to be logged in before allowing any operations on Mongo. In this recipe, we will look at interprocess security. By the term interprocess security, we don't mean to encrypt the communication but only to ensure that the node being added to a replica set is authenticated before being added to the replica set.
In this recipe, we will start multiple mongo instances as part of a replica set and thus you might have to refer to the recipe Starting multiple instances as part of a replica set from Chapter 1, Installing and Starting the Server if you are not aware of how to start a replica set. Apart from that, in this recipe, all we would be looking at how to generate key file to be used and the behavior when an unauthenticated node is added to the replica set.
To set the ground, we would be starting three instances, each listening to port 27000
, 27001
, and 27002
, respectively. The first two would be started by providing it a path to the key file and the third wouldn't be. Later, we will try to add these three instances to the same replica set.
base64
character set. On Linux filesystem, you may choose to generate pseudo random bytes using openssl
and encode them to base64
. The following command will generate 500 random bytes and those bytes will then be base64
encoded and written to the file keyfile
:$ openssl rand –base64 500 > keyfile
$ chmod 400 keyfile
openssl
doesn't come out of the box and thus you have to download it, the archive extracted, and the bin
folder added to the OS path variable. For Windows, we can download it from the following URL: http://gnuwin32.sourceforge.net/packages/openssl.htm.openssl
) and can take an easy way out by just typing in plain text in the key file from any text editor or your choice. However, note that the characters
,
, and spaces are stripped off by mongo and the remainder text is considered as the key. For example, we may create a file with the following content added to the key file. Again, the file will be named keyfile
with the following content:somecontentaddedtothekeyfilefromtheeditorwithoutspaces
keyfile
in place that would be used for next steps of the recipe.keyfile
and is placed on c:MongoDB
. The data path is c:MongoDBdatac1, c:MongoDBdatac2
, and c:MongoDBdatac3
for the three instances, respectively.27000
as follows:C:>mongod --dbpath c:MongoDBdatac1 --port 27000 --auth --keyFile c:MongoDBkeyfile --replSet secureSet --smallfiles --oplogSize 100
27001
as follows:C:>mongod --dbpath c:MongoDBdatac2 --port 27001 --auth --keyFile c:MongoDBkeyfile --replSet secureSet --smallfiles --oplogSize 100
--auth
and the --keyFile
option listening to port 27002
as follows:C:>mongod --dbpath c:MongoDBdatac3 --port 27002 --replSet secureSet --smallfiles --oplogSize 100
27000
, which is the first instance started. From the mongo shell, we type:> rs.initiate()
27001
as follows (you will need to add the appropriate hostname, Amol-PC
is the hostname in my case):> rs.add({_id:1, host:'Amol-PC:27001'})
rs.status()
command to see the status of our replica set. In the command's output, we should see our newly added instance.--auth
and the --keyFile
option as follows:> rs.add({_id:2, host:'Amol-PC:27002'})
This should add the instance to the replica set, but using rs.status()
will show the status of the instance as UNKNOWN. The server logs for the instance running on 27002
too should show some authentication errors.
--auth
and the --keyFile
option as follows:C:>mongod --dbpath c:MongoDBdatac3 --port 27002 --replSet secureSet --smallfiles --oplogSize 100 --auth --keyFile c:MongoDBkeyfile
rs.status()
in few moments, it should come up as a secondary instance.In this recipe, we saw interprocess security for preventing unauthenticated nodes from being added to the mongo replica set. We still haven't secured the transport by encrypting the data that is being sent over the wire. In the Appendix, we will show how to build the mongo server from the source and how to enable encryption of the contents over the wire.