2.3 Ensure authentication is enabled in the sharded cluster - CAFile

Information

Authentication is enabled in a sharded cluster when the certificate or key files are created and configured for all components. This ensures that every client that accesses the cluster must provide credentials, including the MongoDB instances (mongod and mongos) that access each other within the cluster.

With keyfile authentication, each mongod or mongos instance in the sharded cluster uses the contents of the keyfile as the shared password for authenticating other members in the deployment. Only mongod or mongos instances with the correct keyfile can join the sharded cluster.

For production environments: x.509 certificate authentication over a TLS/SSL connection must be used.

For development purposes: a keyfile can be used as the authentication mechanism between the members of the sharded cluster. Keyfiles are the bare-minimum form of internal authentication and are suited only to testing or development environments.

Rationale:

Enforcing a key or certificate on a sharded cluster prevents unauthorized access to the MongoDB database and provides traceability of database activities to a specific user or component. A MongoDB sharded cluster can enforce user authentication as well as internal authentication of its components to secure against unauthorized access.

Solution

To authenticate to servers, clients can use x.509 certificates instead of usernames and passwords. MongoDB supports x.509 certificate authentication only over a TLS/SSL connection; the same mechanism, selected with clusterAuthMode x509, lets the members of the cluster authenticate each other with certificates instead of a shared keyfile.
Edit the configuration file /etc/mongod.conf on each host (and the corresponding configuration file of each mongos), adding the following lines:

net:
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/mongodb/ssl/server1.pem
    CAFile: /etc/mongodb/ssl/mongoCA.crt
    clusterFile: /etc/mongodb/ssl/server1.pem
security:
  authorization: enabled
  clusterAuthMode: x509

The indentation is significant: tls is nested under net, and the option names above are those of the net.tls section (MongoDB 4.2 and later). The older net.ssl section uses PEMKeyFile and requireSSL instead; the two must not be mixed (for example PEMKeyFile under net.tls), because mongod refuses to start on an unrecognized option. clusterFile is optional: when it is omitted, members present the certificateKeyFile certificate to each other. CAFile is what makes the control effective, since without it a member cannot verify that a peer's certificate was issued by the cluster's CA.

Restart the daemon (the service name depends on the package; MongoDB's own packages install it as mongod):

sudo service mongodb restart

To enable keyfile authentication in the sharded cluster (development purposes only), perform the following steps:

Generate a keyfile

On each component in the sharded cluster, enable authentication by editing the configuration file /etc/mongod.conf and setting the keyFile option to the keyfile's path. In the legacy (pre-YAML) configuration format the line is:

keyFile = /srv/mongodb/keyfile

In the YAML configuration format the same setting is security.keyFile:

security:
  keyFile: /srv/mongodb/keyfile

Alternatively, set the --keyFile command-line option, which is available on both mongos and mongod instances, to the keyfile's path when starting the component. Every member of the cluster must use the same keyfile, and the file must not be readable by group or other, or mongod refuses to start with it.
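The following shell script is an added example, not part of the CIS benchmark, the Tenable plugin, or MongoDB's own tooling. It covers both solutions above: it generates a keyfile the way the MongoDB documentation prescribes (openssl rand -base64 756, owner-only permissions), validates it against mongod's rules (no group/other permission bits, 6 to 1024 base64 characters once whitespace is ignored), and audits a mongod or mongos YAML configuration for the settings this control requires, accepting x.509 cluster authentication over requireTLS as production-grade and flagging a keyfile as development-only. The temporary-directory paths and the three sample configurations it writes are constructed for illustration, and its YAML flattener only understands the simple key/value nesting used in mongod.conf.

```shell
#!/bin/sh
# Added example (not CIS or MongoDB code): generate/validate a keyfile and audit
# a mongod.conf for the authentication settings this control requires.
# Paths and sample configs below are constructed for illustration.

# Keyfile per the MongoDB docs: 756 random bytes, base64 (1008 chars, under the
# 1024-char cap), created owner-only. The subshell keeps the umask change local.
gen_keyfile() {  # gen_keyfile <path>
    ( umask 077
      if command -v openssl >/dev/null 2>&1; then openssl rand -base64 756 > "$1"
      else head -c 756 /dev/urandom | base64 > "$1"; fi )
    chmod 400 "$1"
}

# mongod's rules: no group/other permission bits; 6..1024 base64 characters
# once whitespace (which mongod strips) is ignored.
check_keyfile() {  # check_keyfile <path>
    [ -f "$1" ] || { echo "keyfile missing: $1" >&2; return 1; }
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        [0-7]00) ;;
        *) echo "keyfile $1 is readable by group/other (mode $mode)" >&2; return 1 ;;
    esac
    body=$(tr -d ' \t\r\n' < "$1")
    if [ "${#body}" -lt 6 ] || [ "${#body}" -gt 1024 ]; then
        echo "keyfile length ${#body} outside 6..1024" >&2; return 1
    fi
    if printf '%s' "$body" | grep -q '[^A-Za-z0-9+/=]'; then
        echo "keyfile has non-base64 characters" >&2; return 1
    fi
    return 0
}

# Flatten mongod's YAML (simple key: value nesting only) into dotted paths such
# as "net.tls.mode=requireTLS", so a setting can be looked up by full name.
flatten_conf() {  # flatten_conf <file>
    awk '
      /^[ \t]*#/ || NF == 0 { next }
      { match($0, /^ */); ind = RLENGTH; line = substr($0, ind + 1)
        sub(/[ \t]+#.*$/, "", line); i = index(line, ":"); if (i == 0) next
        key = substr(line, 1, i - 1); val = substr(line, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        while (top > 0 && sind[top] >= ind) top--
        top++; sind[top] = ind; skey[top] = key
        if (val != "") { p = skey[1]; for (j = 2; j <= top; j++) p = p "." skey[j]
                         print p "=" val } }' "$1"
}
conf_get() {  # conf_get <dotted.path> <file>  -> value or empty
    flatten_conf "$2" | awk -v k="$1=" 'index($0, k) == 1 { print substr($0, length(k) + 1); exit }'
}

# Audit one config. Passes only with authorization enabled plus either x.509
# cluster auth over mandatory TLS (production) or a valid keyfile (dev only).
audit_mongod_conf() {  # audit_mongod_conf <file>
    conf="$1"; status=0
    authz=$(conf_get security.authorization "$conf")
    [ "$authz" = "enabled" ] || { echo "FAIL: security.authorization=${authz:-unset}"; status=1; }
    cam=$(conf_get security.clusterAuthMode "$conf")
    case "$cam" in
        x509)
            mode=$(conf_get net.tls.mode "$conf")
            [ "$mode" = "requireTLS" ] || { echo "FAIL: net.tls.mode=${mode:-unset}, need requireTLS"; status=1; }
            [ -n "$(conf_get net.tls.CAFile "$conf")" ] || { echo "FAIL: net.tls.CAFile unset, peers cannot be verified"; status=1; }
            [ -n "$(conf_get net.tls.certificateKeyFile "$conf")" ] || { echo "FAIL: net.tls.certificateKeyFile unset"; status=1; }
            [ "$status" -eq 0 ] && echo "PASS: x.509 cluster authentication over TLS" ;;
        keyFile|"")
            kf=$(conf_get security.keyFile "$conf")
            if [ -z "$kf" ]; then echo "FAIL: no security.keyFile and clusterAuthMode is not x509"; status=1
            elif [ -f "$kf" ] && ! check_keyfile "$kf"; then status=1
            else echo "WARN: keyfile auth ($kf) is acceptable for development only"; fi ;;
        sendKeyFile|sendX509)
            echo "FAIL: clusterAuthMode=$cam is a rolling-upgrade transition state"; status=1 ;;
        *) echo "FAIL: unknown clusterAuthMode=$cam"; status=1 ;;
    esac
    return "$status"
}

# Constructed samples: the production x.509 config from this control, a
# development keyfile config, and a broken one that mixes weak settings.
write_samples() {  # write_samples <dir>
    cat > "$1/prod.conf" <<'EOF'
net:
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/mongodb/ssl/server1.pem
    CAFile: /etc/mongodb/ssl/mongoCA.crt
    clusterFile: /etc/mongodb/ssl/server1.pem
security:
  authorization: enabled
  clusterAuthMode: x509
EOF
    cat > "$1/dev.conf" <<EOF
security:
  authorization: enabled
  keyFile: $1/keyfile
EOF
    cat > "$1/bad.conf" <<'EOF'
net:
  tls:
    mode: preferTLS      # TLS optional: members may still talk in the clear
security:
  authorization: disabled
  clusterAuthMode: x509  # x509 without CAFile: peer certificates unverifiable
EOF
}

demo() {
    d=$(mktemp -d); write_samples "$d"; gen_keyfile "$d/keyfile"
    for c in prod dev bad; do
        if audit_mongod_conf "$d/$c.conf"; then echo "$c.conf: compliant"; else echo "$c.conf: NOT compliant"; fi
    done
    rm -rf "$d"
}
demo
```

Run it as-is to see the three verdicts; to audit a real host, call audit_mongod_conf /etc/mongod.conf (and the mongos configuration) directly. The audit is deliberately strict about clusterAuthMode sendKeyFile and sendX509, because those are transition states for rolling upgrades from keyfile to x.509 and leave the cluster accepting keyfile peers.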

Default Value:

Not configured

See Also

https://workbench.cisecurity.org/benchmarks/15135

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-8, CSCv7|1.8

Plugin: Unix

Control ID: 0cf2d6e59ccfcce47e6fa7874677ee3001b25716825a07bc79996e009bf83d73