Linux-UNIX: MongoDB IE configuration
View a typical inspection engine configuration, and the flows for enabling and disabling A-TAP and opening the SSL console for a MongoDB inspection engine.
Note: Redaction is not supported with or without SSL for Mongo 4.2 and higher.
MongoDB does not include OS_USER in the login packet; however, you can use the UID chain to determine the DB_USER for reports. For more information, see Linux-UNIX: UID chains.
Typical MongoDB inspection engine configuration
[DB_0]
connect_to_ip=127.0.0.1
db2_fix_pack_adjustment=20
db2_shmem_client_position=0
db2_shmem_size=131072
db2bp_path=NULL
db_exec_file=/usr/bin/mongod-guard-original
db_install_dir=/var/lib
db_type=MONGODB
db_user=mongod
encryption=0
db_version=9
instance_running=1
intercept_types=NULL
load_balanced=1
port_range_end=27017
port_range_start=27017
priority_count=20
real_db_port=27017
tap_identifier=MONGODB_mongo42-rhl7(27017,27017,DB_0)
tee_listen_port=0
unix_domain_socket_marker=NULL
networks=0.0.0.0/0.0.0.0
exclude_networks=
Activate and deactivate A-TAP for SSL traffic
Before activating A-TAP, you need to stop the MongoDB instance:
systemctl stop mongod
Activate A-TAP:
/usr/local/guardium/guard_stap/guardctl --db-user=mongod --db-type=mongodb --db-instance=mongo --db-base=/home/ibmuser --db-home=/usr activate
Restart the MongoDB instance:
systemctl start mongod
Set up mongo with TLS/SSL certificate and key
For example, on an instance with SSL and kerberization:
mongo --ssl --sslPEMKeyFile /etc/ssl/mongo40standalone-va.pem --sslPEMKeyPassword guardium --sslAllowInvalidCertificates --host <hostname> --port 27017 --authenticationMechanism=GSSAPI --authenticationDatabase='$external' --username <username>
Deactivating A-TAP
Before deactivating A-TAP, you need to stop the DB instance:
systemctl stop mongod
Deactivate A-TAP:
/usr/local/guardium/guard_stap/guardctl --db-user=mongod --db-type=mongodb --db-instance=mongo --db-base=/var/lib --db-home=/usr deactivate
Restart the MongoDB instance:
systemctl start mongod
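The activate and deactivate flows above share the same stop, guardctl, start sequence. The wrapper below is an added example, not part of the original page or of the Guardium tooling: it refuses to run guardctl while the instance is still up and always restarts the database afterwards. The function name atap_switch, the GUARDCTL, SYSTEMCTL and DB_SERVICE override variables, and the expectation that guardctl exits non-zero on failure are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: wraps the stop -> guardctl -> start sequence for A-TAP.
# The three variables below are hypothetical overrides for dry runs and tests.
GUARDCTL="${GUARDCTL:-/usr/local/guardium/guard_stap/guardctl}"
SYSTEMCTL="${SYSTEMCTL:-systemctl}"
DB_SERVICE="${DB_SERVICE:-mongod}"

# atap_switch ACTION DB_BASE
#   ACTION  : activate | deactivate
#   DB_BASE : value for --db-base (the page uses /home/ibmuser and /var/lib)
atap_switch() {
    local action="$1" db_base="$2" rc=0
    case "$action" in
        activate|deactivate) ;;
        *) echo "usage: atap_switch activate|deactivate <db-base>" >&2; return 2 ;;
    esac
    [ -n "$db_base" ] || { echo "db-base is required" >&2; return 2; }

    # Step 1: the instance must be down before guardctl runs.
    "$SYSTEMCTL" stop "$DB_SERVICE" || { echo "could not stop $DB_SERVICE" >&2; return 3; }
    if "$SYSTEMCTL" is-active --quiet "$DB_SERVICE"; then
        echo "$DB_SERVICE is still running; guardctl not run" >&2
        return 3
    fi

    # Step 2: same flags as on the page; only --db-base and the action vary.
    # Assumption: guardctl returns non-zero when the action fails.
    "$GUARDCTL" --db-user=mongod --db-type=mongodb --db-instance=mongo \
        --db-base="$db_base" --db-home=/usr "$action" || rc=4

    # Step 3: always bring the database back, even if guardctl failed.
    "$SYSTEMCTL" start "$DB_SERVICE" || { echo "could not start $DB_SERVICE" >&2; return 5; }

    [ "$rc" -eq 0 ] || echo "guardctl $action failed; $DB_SERVICE was restarted" >&2
    return "$rc"
}
```

After sourcing the file, `atap_switch activate /home/ibmuser` and `atap_switch deactivate /var/lib` reproduce the two sequences shown on the page.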