Versions Compared

Old Version 15

changes.mady.by.user Andres Aguilar

Saved on

compared with

New Version 16

changes.mady.by.user Andres Aguilar

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

AttributeValueDescription
sslEnabledtrueEnables the ssl on the Aspire MongoDB client
sslInvalidHostNameAllowedtrue/falseDisables the hostname verification from the SSL validation


For using TLS/SSL you need to make sure the Certificate Authority (CA) that signed the server certificate that MongoDB is using (server.pem) is a trusted certificate, or that its trust chain can lead to one. If you are using a self signed Certificate Authority to sign your server certificate, you need to add it into the java truststore.

To use a java truststore that you need the Certificate Authority certificate (.cert) and import it using the following command

Code Block
$ keytool -import -trustcacerts -alias slc -file <your-CA-certificate.cert> -keystore truststore.jks -storepass <your-truststore-password> -noprompt

After importing it into a truststore you need to add it into the Aspire startup script, read Crawling via HTTPs for more instructions on how to add the truststore into the startup script.You also need to include the certificate into a java keystore, to configure it follow the instructions on Crawling via HTTPs

X.509 Authentication

Aspire 3.1 only supports authenticating to MongoDB using X.509.

...

Code Block
languagexml
firstline78
linenumberstrue
  <!-- noSql database provider for the 3.1 connector framework -->
  <noSQLConnectionProvider sslEnabled="true" sslInvalidHostNameAllowed="false">
    <implementation>com.searchtechnologies.aspire:aspire-mongodb-provider</implementation>
    <servers>mongodb-host:27017</servers>
    <x509username>CN=user,OU=OrgUnit,O=myOrg</x509username>
  </noSQLConnecitonProvider>

If you don't know what to use into the <x509username> field execute the following command using the x509 client certificate:

Code Block
$ openssl x509 -in client.pem -inform PEM -subject -nameopt RFC2253 | grep subject
subject= CN=aaguilar-lptp.search.local,OU=demouser,O=Search Technologies S.A.,ST=Limon,C=CR


For using x509 authentication you need to import the client x509 certificate into a java keystore for Aspire to be able to present it to the server for authentication. (The truststore should already be set in the startup script for self signed certificates)

For importing the x509 certificate (client.pem) into a java keystore you need to execute the following commands:

Code Block
$ openssl pkcs12 -export -out client.pkcs12 -in client.pem
Enter Export Password: <your-password-here>

$ keytool -import keystore -srckeystore client.pkcs12 -srcstoretype PKCS12 -destkeystore client.jks -deststoretype JKS
Enter destination keystore password:
Re-enter new password: <your-password-here>
Enter source keystore password: <your-password-here>
Entry for alias 1 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

After importing the client's certificate into a java keystore, you need to include it into the Aspire startup script (aspire.bat) :

Code Block
-Djavax.net.ssl.keyStore=C:\pathToKeyStore\client.jks
-Djavax.net.ssl.keyStorePassword=password

Encrypt sensitive fields in MongoDB

...