
Securing MongoDB


For security reasons, we strongly recommend configuring TLS encryption:

and, for SEAL Print Client, also changing the token used for encrypting the credentials:

To further enhance security, also activate user authentication for MongoDB:


Configuring the TLS Encryption

... in a PLOSSYS 5 System

To secure the connection to MongoDB, you need a combined PEM file that contains both the TLS certificate and the private key.

  1. Combine the file containing the certificate:

    C:\ProgramData\SEAL Systems\config\tls\cert.pem
    

    and the file containing the private key:

    C:\ProgramData\SEAL Systems\config\tls\key.pem
    
  2. Save the combined file as:

    C:\ProgramData\SEAL Systems\config\tls\cert-key-combined.pem
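
One way to carry out steps 1 and 2 in PowerShell, as an added example that is not SEAL Systems' own tooling. It checks that each input holds the expected PEM block, writes the certificate first and the key second (an assumed order; the steps above do not prescribe one), and lists who can read the result, since that file contains the private key.

```powershell
# Added example, not part of the product. Paths are the ones named in the steps above.
$tlsDir   = 'C:\ProgramData\SEAL Systems\config\tls'
$certPath = Join-Path $tlsDir 'cert.pem'
$keyPath  = Join-Path $tlsDir 'key.pem'
$outPath  = Join-Path $tlsDir 'cert-key-combined.pem'

# -Raw reads the whole file as one string; the cast turns an empty file into ''.
$cert = ([string](Get-Content -LiteralPath $certPath -Raw)).Trim()
$key  = ([string](Get-Content -LiteralPath $keyPath  -Raw)).Trim()

# Refuse to build the combined file if the inputs are not what their names claim.
if ($cert -notmatch '-----BEGIN CERTIFICATE-----') {
    throw "$certPath does not contain a PEM certificate block."
}
if ($key -notmatch '-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----') {
    throw "$keyPath does not contain a PEM private key block."
}
if ($cert -match 'PRIVATE KEY-----') {
    throw "$certPath already contains a private key; check which file is which."
}

# Each PEM block must start on its own line, so join with an explicit newline.
# Write plain ASCII without a BOM: the '>' redirect in Windows PowerShell 5.1
# produces UTF-16, which is not a valid PEM file.
$combined = $cert + "`n" + $key + "`n"
[System.IO.File]::WriteAllText($outPath, $combined, [System.Text.Encoding]::ASCII)

# The combined file holds the private key: review which accounts can read it.
(Get-Acl -LiteralPath $outPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```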
    

... in a PLOSSYS 5 Cluster

If you run PLOSSYS 5 in a cluster, execute the above configuration steps on each PLOSSYS 5 server.


Changing the Token for Encrypting the Credentials

In the standard installation, MongoDB is used as the credential store. For security reasons, change the pre-configured token used for encrypting the credentials. The token may be any string.

  1. In the configuration of SEAL Print Client, specify the token with MONGO_TOKEN, see SEAL Print Client.

  2. Stop all SEAL Print Client services.

  3. Delete the complete data directory of MongoDB:

    C:\ProgramData\SEAL Systems\data\seal-mongodb
    
  4. Restart MongoDB:

    seal-mongodb

  5. Start the complete SEAL Print Client System, see SEAL Print Client.


Activating the User Authentication

... in a Single System

After installation, user authentication for MongoDB is disabled by default. Activate user authentication to enhance security.

  1. Open a PowerShell (Administrator) and change to the following directory:

    C:\Program Files\SEAL Systems\seal-mongodb
    
  2. Execute the following script:

    .\secure-mongo.ps1
    

... in a Cluster

If you run PLOSSYS 5 in a cluster, execute the above steps on the first cluster server. Then execute the following steps on every other cluster server:

  1. Copy the key file created by secure-mongo.ps1 on the first cluster server

    C:\ProgramData\SEAL Systems\config\mongod.keyfile
    

    into the following directory on your current cluster server:

    C:\ProgramData\SEAL Systems\config\
    
  2. Add the following lines to the C:\ProgramData\SEAL Systems\config\mongod.conf file:

    security:
      authorization: enabled
      keyFile: C:\ProgramData\SEAL Systems\config\mongod.keyfile
    
  3. Restart MongoDB:

    seal-mongodb
    
  4. Proceed with step 1 on the next cluster server.


Specifying a CA Certificate

This is only necessary if a CA certificate has been specified.

In this case, MongoDB requires a client certificate from each client, i.e. from all PLOSSYS 5 services that access MongoDB. The certificate must have the corresponding properties.

This is how you configure a CA certificate with MongoDB:

  1. On the PLOSSYS 5 server, edit the configuration file of MongoDB:

    C:\ProgramData\SEAL Systems\config\mongod.conf
    
  2. Replace the following line:

    allowInvalidCertificates: true
    

    by this line:

    CAFile: C:\ProgramData\SEAL Systems\config\tls\ca.pem
    
  3. Save the configuration file.

  4. Restart MongoDB:

    seal-mongodb
    
