In the previous recipe, we saw how authentication can be enforced for user to be logged in before allowing any operations on Mongo. In this recipe, we will look at interprocess security. By the term interprocess security, we don't mean to encrypt the communication but only to ensure that the node being added to a replica set is authenticated before being added to the replica set.
In this recipe, we will start multiple mongo instances as part of a replica set and thus you might have to refer to the recipe Starting multiple instances as part of a replica set from Chapter 1, Installing and Starting the Server if you are not aware of how to start a replica set. Apart from that, in this recipe, all we would be looking at how to generate key file to be used and the behavior when an unauthenticated node is added to the replica set.
To set the ground, we would be starting three instances, each listening to port 27000, 27001, and 27002, respectively. The first two would be started by providing it a path to the key file and the third wouldn't be. Later, we will try to add these three instances to the same replica set.
- Let's generate key the key file first. There is nothing spectacular about generating the key file. This is as simple as having a file with 6 to 1024 characters from the
base64character set. On Linux filesystem, you may choose to generate pseudo random bytes usingopenssland encode them tobase64. The following command will generate 500 random bytes and those bytes will then bebase64encoded and written to the filekeyfile:$ openssl rand –base64 500 > keyfile - On a Unix filesystem, the key file should not have permissions for world and group. Thus, we should do the following after it is created:
$ chmod 400 keyfile - Not giving write permission to the creator ensures that we don't overwrite the contents accidently. On Windows platform, however,
openssldoesn't come out of the box and thus you have to download it, the archive extracted, and thebinfolder added to the OS path variable. For Windows, we can download it from the following URL: http://gnuwin32.sourceforge.net/packages/openssl.htm. - You may even choose not to generate the key file using the approach mentioned here (using
openssl) and can take an easy way out by just typing in plain text in the key file from any text editor or your choice. However, note that the characterskeyfilewith the following content:somecontentaddedtothekeyfilefromtheeditorwithoutspaces
- Using any approach mentioned here, we must not have a
keyfilein place that would be used for next steps of the recipe. - We will now secure the mongo processes by starting the mongo instance as follows. I will start the following on windows, and my key file ID is named
keyfileand is placed onc:MongoDB. The data path isc:MongoDBdatac1, c:MongoDBdatac2, andc:MongoDBdatac3for the three instances, respectively. - Start the first instance listening to port
27000as follows:C:>mongod --dbpath c:MongoDBdatac1 --port 27000 --auth --keyFile c:MongoDBkeyfile --replSet secureSet --smallfiles --oplogSize 100 - Similarly, start the second server listening to port
27001as follows:C:>mongod --dbpath c:MongoDBdatac2 --port 27001 --auth --keyFile c:MongoDBkeyfile --replSet secureSet --smallfiles --oplogSize 100 - The third instance would be started but without the
--authand the--keyFileoption listening to port27002as follows:C:>mongod --dbpath c:MongoDBdatac3 --port 27002 --replSet secureSet --smallfiles --oplogSize 100 - We then start a mongo shell and connect it to port
27000, which is the first instance started. From the mongo shell, we type:> rs.initiate() - In few seconds, the replica set would be initiated with just one instance in it. We will now try to add two new instances to this replica set. First, add the one listening on port
27001as follows (you will need to add the appropriate hostname,Amol-PCis the hostname in my case):> rs.add({_id:1, host:'Amol-PC:27001'}) - We will execute
rs.status()command to see the status of our replica set. In the command's output, we should see our newly added instance. - We will now finally try and add an instance that was started without the
--authand the--keyFileoption as follows:> rs.add({_id:2, host:'Amol-PC:27002'})This should add the instance to the replica set, but using
rs.status()will show the status of the instance as UNKNOWN. The server logs for the instance running on27002too should show some authentication errors. - We would finally have to restart this instance; however, this time we provide the
--authand the--keyFileoption as follows:C:>mongod --dbpath c:MongoDBdatac3 --port 27002 --replSet secureSet --smallfiles --oplogSize 100 --auth --keyFile c:MongoDBkeyfile - Once the server is started, connect to it from the shell again and type in
rs.status()in few moments, it should come up as a secondary instance.
In this recipe, we saw interprocess security for preventing unauthenticated nodes from being added to the mongo replica set. We still haven't secured the transport by encrypting the data that is being sent over the wire. In the Appendix, we will show how to build the mongo server from the source and how to enable encryption of the contents over the wire.