
Securing MongoDB


For security reasons, we strongly recommend configuring TLS encryption.

To further enhance security, also activate user authentication for MongoDB.


Configuring the TLS Encryption

... in a PLOSSYS 5 System

To secure the connection to MongoDB, you need a combined PEM file that contains both the TLS certificate and the private key.

  1. Combine the file containing the certificate:

    /opt/seal/etc/tls/cert.pem
    

    and the file containing the private key:

    /opt/seal/etc/tls/key.pem
    
  2. Save the combined file as:

    /opt/seal/etc/tls/cert-key-combined.pem
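
One way to carry out steps 1 and 2, as an added example that is not part of the SEAL documentation (`combine_pem` is a hypothetical helper name). It assumes both inputs are PEM text files, creates the output with owner-only permissions, and guards against a `cert.pem` that lacks a trailing newline:

```shell
#!/bin/sh
# Added example: build the combined PEM file for MongoDB from the
# certificate and private key files named on this page.
# combine_pem is a hypothetical helper, not a SEAL or MongoDB tool.

combine_pem() {
    cert=$1 key=$2 out=$3

    # Refuse inputs that are not what their file names claim,
    # for example when the two arguments were swapped.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" || {
        echo "no certificate block in $cert" >&2; return 1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" || {
        echo "no private key block in $key" >&2; return 1; }

    # Create the temporary output with owner-only permissions from the
    # start, so the private key is never readable by group or others.
    # The umask change stays inside the command substitution.
    tmp=$(umask 077; mktemp "$out.XXXXXX") || return 1

    # awk ends every line it prints with a newline, so a cert.pem without
    # a trailing newline cannot fuse its END line with the key's BEGIN line.
    if awk '{ print }' "$cert" "$key" > "$tmp" &&
       chmod 600 "$tmp" &&
       mv -f "$tmp" "$out"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# When called with three arguments, act as a small command-line tool:
#   sh combine-pem.sh /opt/seal/etc/tls/cert.pem /opt/seal/etc/tls/key.pem \
#       /opt/seal/etc/tls/cert-key-combined.pem
if [ "$#" -eq 3 ]; then
    combine_pem "$1" "$2" "$3"
fi
```

Because the result has mode 600, it must be owned by the account that runs MongoDB.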
    

... in a PLOSSYS 5 Cluster

If you run PLOSSYS 5 in a cluster, execute the above configuration steps on each PLOSSYS 5 server.


Changing the Token for Encrypting the Credentials

In the standard installation, MongoDB is used as the credential store. For security reasons, change the pre-configured token used for encrypting the credentials. The token may be any string.

  1. In the configuration of SEAL Print Client, specify the token with MONGO_TOKEN, see SEAL Print Client.

  2. Stop all SEAL Print Client services.

  3. Delete the complete data directory of MongoDB:

    /opt/seal/data/seal-mongodb
    
  4. Restart MongoDB:

    seal-mongodb

  5. Start the complete SEAL Print Client System, see SEAL Print Client.


Activating the User Authentication

... in a Single System

After installation, MongoDB user authentication is disabled by default. Activate user authentication to enhance security.

  1. Execute the following shell script as administrator:

    /opt/seal/seal-mongodb/secure-mongo.sh
    

... in a Cluster

If you run PLOSSYS 5 in a cluster, execute the above step on the first cluster server. Then execute the following steps on each of the other cluster servers:

  1. Copy the key file created by secure-mongo.sh on the first cluster server

    /opt/seal/etc/mongod.keyfile
    

    into the following directory on your current cluster server:

    /opt/seal/etc
    
  2. Add the following lines to the /opt/seal/etc/mongod.conf file:

    security:
      authorization: enabled
      keyFile: /opt/seal/etc/mongod.keyfile
    
  3. Restart MongoDB:

    seal-mongodb
    
  4. Proceed with step 1 on the next cluster server.


Specifying a CA Certificate

This is only necessary if a CA certificate has been specified.

In this case, MongoDB requires a client certificate from each client, i.e. from all PLOSSYS 5 services that access MongoDB. The certificate must have the corresponding properties.

This is how you configure a CA certificate with MongoDB:

  1. On the PLOSSYS 5 server, edit the configuration file of MongoDB:

    /opt/seal/etc/mongod.conf
    
  2. Replace the following line:

    allowInvalidCertificates: true
    

    by this line:

    CAFile: /opt/seal/etc/tls/ca.pem
    
  3. Save the configuration file.

  4. Restart MongoDB:

    seal-mongodb
    
