Linux-UNIX: MongoDB IE configuration

View a typical inspection engine configuration, the flows for activating and deactivating A-TAP, and how to open the SSL console for a MongoDB inspection engine.

Note: Redaction is not supported with or without SSL for Mongo 4.2 and higher.

MongoDB does not include OS_USER in the login packet; however, you can use the UID chain to determine the DB_USER for reports. For more information, see Linux-UNIX: UID chains.

Typical MongoDB inspection engine configuration

[DB_0]
 connect_to_ip=127.0.0.1
 db2_fix_pack_adjustment=20
 db2_shmem_client_position=0
 db2_shmem_size=131072
 db2bp_path=NULL
 db_exec_file=/usr/bin/mongod-guard-original
 db_install_dir=/var/lib
 db_type=MONGODB
 db_user=mongod
 encryption=0
 db_version=9
 instance_running=1
 intercept_types=NULL
 load_balanced=1
 port_range_end=27017
 port_range_start=27017
 priority_count=20
 real_db_port=27017
 tap_identifier=MONGODB_mongo42-rhl7(27017,27017,DB_0)
 tee_listen_port=0
 unix_domain_socket_marker=NULL
 networks=0.0.0.0/0.0.0.0
 exclude_networks=
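
A read-only consistency check for the inspection engine section above, added here as an example; it is not part of the original page or of Guardium. The helper name check_ie_section, the reduced sample text, and the rule that real_db_port should fall inside port_range_start..port_range_end (as it does in the typical configuration) are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: check_ie_section is a hypothetical helper, not a Guardium tool.

# Constructed sample, reduced from the typical configuration shown on this page.
SAMPLE_IE='[DB_0]
 db_type=MONGODB
 db_user=mongod
 port_range_end=27017
 port_range_start=27017
 real_db_port=27017
 networks=0.0.0.0/0.0.0.0
 exclude_networks='

# Usage: check_ie_section SECTION < config-text
# Prints one finding per line. Returns 0 if consistent, 1 on findings,
# 2 if the section is not present in the input.
check_ie_section() {
  awk -v want="[$1]" '
    # Section header: track whether we are inside the requested section.
    /^[ \t]*\[/ {
      sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")
      insec = ($0 == want); if (insec) found = 1
      next
    }
    # key=value line inside the section; split on the first "=" only.
    insec && /=/ {
      line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
      eq = index(line, "=")
      kv[substr(line, 1, eq - 1)] = substr(line, eq + 1)
    }
    END {
      if (!found) { print "section not found: " want; exit 2 }
      bad = 0
      if (kv["db_type"] != "MONGODB") {
        print "db_type is \"" kv["db_type"] "\", expected MONGODB"; bad = 1
      }
      s = kv["port_range_start"] + 0; e = kv["port_range_end"] + 0
      r = kv["real_db_port"] + 0
      if (s < 1 || e > 65535 || s > e) { print "invalid port range " s "-" e; bad = 1 }
      else if (r < s || r > e) { print "real_db_port " r " outside range " s "-" e; bad = 1 }
      exit bad
    }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_IE" | check_ie_section DB_0 && echo "DB_0: consistent"
```

To check a live host, feed the S-TAP configuration file to the function on standard input instead of the sample.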

Activate and deactivate A-TAP for SSL traffic

Before activating A-TAP, you need to stop the MongoDB instance:
systemctl stop mongod
Activate A-TAP:
/usr/local/guardium/guard_stap/guardctl --db-user=mongod --db-type=mongodb --db-instance=mongo --db-base=/home/ibmuser --db-home=/usr activate
Restart the MongoDB instance:
systemctl start mongod

Set up mongo with TLS/SSL certificate and key

For example, on an instance with SSL and kerberization (the --sslAllowInvalidCertificates option in this command bypasses validation of the server certificate):
mongo --ssl --sslPEMKeyFile /etc/ssl/mongo40standalone-va.pem --sslPEMKeyPassword guardium --sslAllowInvalidCertificates --host <hostname> --port 27017 --authenticationMechanism=GSSAPI --authenticationDatabase='$external' --username <username>

Deactivating A-TAP

Before deactivating A-TAP, you need to stop the MongoDB instance:
systemctl stop mongod
Deactivate A-TAP:
/usr/local/guardium/guard_stap/guardctl --db-user=mongod --db-type=mongodb --db-instance=mongo --db-base=/var/lib --db-home=/usr deactivate
Restart the MongoDB instance:
systemctl start mongod