4.3 Ensure Encryption of Data in Transit TLS or SSL (Transport Encryption)

Information

Use TLS or SSL to protect all incoming and outgoing connections. This should include using TLS or SSL to encrypt communication between the mongod and mongos components of a MongoDB client as well as between all applications and MongoDB.

MongoDB supports TLS/SSL (Transport Layer Security/Secure Sockets Layer) to encrypt all of MongoDB's network traffic. TLS/SSL ensures that MongoDB network traffic is only readable by the intended client.

Please note:As of MongoDB version 4.2 SSL has been deprecated.

Also, starting in MongoDB version 4.0, MongoDB disables support for TLS 1.0 encryption on systems where TLS 1.1+ is available.

This prevents sniffing of cleartext traffic between MongoDB components or performing a man-in-the-middle attack for MongoDB.

Solution

Configure MongoDB servers to require the use of SSL or TLS to encrypt all MongoDB network communications.

To implement SSL or TLS to encrypt all MongoDB network communication, perform the following steps:

For mongod ('Primary daemon process for the MongoDB system')

In the configuration file /etc/mongod.conf set the PEMKeyFile option to the certificate file's path and then start the component with this command:

net:
tls:
mode: requireTLS
certificateKeyFile: /etc/ssl/mongodb.pem
CAFile: /etc/ssl/caToValidateClientCertificates.pem

And restart monogdb instance with

mongod --config /etc/mongod.conf

See Also

https://workbench.cisecurity.org/benchmarks/15675

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-8, CSCv6|14.2, CSCv7|14.4

Plugin: Windows

Control ID: 80ed74cfa99beb875f7c40075b4ccb77925ab785e61d912abeb25f0e8e6e457d