In the previous recipe, we saw how authentication can be enforced for a user to be logged in before allowing any operations on Mongo. In this recipe, we will look at interprocess security. By the term interprocess security, we don't mean encrypting the communication but only ensuring that the node, which is added to a replica set, is authenticated before being added to the replica set.
In this recipe, we will be starting multiple Mongo instances as part of a replica set. Thus, you might have to refer to the Starting multiple instances as part of a replica set recipe in Chapter 1, Installing and Starting the MongoDB Server, if you are not aware of how to start a replica set. Apart from that, in this recipe, all we will be looking at is how to generate a key file to be used, and the behavior when an unauthenticated node is added to the replica set.
To set the ground, we will be starting three instances, each listening to ports 27000
, 27001
, and 27002
respectively. The first two will be started by providing them with a path to the key file while the third will not receive this. Later, we will try adding these three instances to the same replica set. Let us take a look at the steps in detail:
base64
character set. On the Linux filesystem, you may choose to generate pseudo random bytes using openssl
, and encode them to base64
. The following command will generate 500 random bytes, and these bytes will then be base64
encoded and written to keyfile
:$ openssl rand –base64 500 > keyfile
$ chmod 400 keyfile
openssl
doesn't come out of the box and thus, you have to download it. The archive is extracted and the bin
folder is added to the operating system's path variable. For Windows, we can download openssl
from http://gnuwin32.sourceforge.net/packages/openssl.htm.openssl
) and can take an easy way out by just typing plain text in the key file from any text editor of your choice. However, note that the characters
,
, and spaces are stripped off by Mongo and the remaining text is considered as the key. For example, we may create a file with the following content added to the key file. Again, the file will be named keyfile
:somecontentaddedtothekeyfilefromtheeditorwithoutspaces
Using any approach mentioned earlier, we would now have a keyfile in place that will be used for the next steps of the recipe
keyfile
is placed on c:MongoDB
, and the data paths are c:MongoDBdatac1
, c:MongoDBdatac2
, and c:MongoDBdatac3
respectively, for the three instances.27000
as follows:C:> mongod --dbpath c:MongoDBdatac1 --port 27000 --auth --keyFile c:MongoDBkeyfile --replSet secureSet --smallfiles --oplogSize 100
27001
as follows:C:> mongod --dbpath c:MongoDBdatac2 --port 27001 --auth --keyFile c:MongoDBkeyfile --replSet secureSet --smallfiles --oplogSize 100
--auth
and --keyFile
options, listening to port 27002
as follows:C:> mongod --dbpath c:MongoDBdatac3 --port 27002 --replSet secureSet --smallfiles --oplogSize 100
27000
, which is the first instance started. From the Mongo shell, we type the following command:> rs.initiate()
27001
, as follows (you will need to add the appropriate hostname; Amol-PC
is the hostname in my case):> rs.add({_id:1, host:'Amol-PC:27001'})
rs.status()
. It should soon come up as a secondary.--auth
and --keyFile
options, as follows:> rs.add({_id:2, host:'Amol-PC:27002'})
rs.status()
will show the status of the instance as UNKNOWN
. The server logs for the instance running on 27002
should show some authentication errors as well.--auth
and --keyFile
options as follows:C:> mongod --dbpath c:MongoDBdatac3 --port 27002 --replSet secureSet --smallfiles --oplogSize 100 --auth --keyFile c:MongoDBkeyfile
rs.status()
. In a few moments, it should come up as a secondary instance.In this recipe, we explored interprocess security to prevent unauthenticated nodes from being added to the mongo replica set. We still haven't encrypted the data that is being sent over the wire to ensure it's delivered securely. In Appendix, Concepts for Reference, we will see how to build the MongoDB server from the source and how to enable encryption of the contents over the wire.