Configuration file for SSL format

One z/TPF server for MongoDB can use only one SSL configuration file for MongoDB. Multiple z/TPF servers for MongoDB can share one SSL configuration file.
You must specify the following required parameters in the SSL configuration file for MongoDB:
VERSION
Determines the minimum SSL version that is used to start a secure connection to the z/TPF server for MongoDB.
CIPHER
Defines the ciphers that are supported when a secure connection to the z/TPF server for MongoDB is being started. To define all of the ciphers that this z/TPF server for MongoDB supports, you can specify more than one cipher by separating the cipher names with commas.

The MongoDB remote client can choose any supported cipher that is defined by using this parameter to start the secure connection.

If you use TLS 1.2 or earlier, z/TPF support for MongoDB supports the following ciphers:
DES-CBC3-SHA
Triple DES encryption with SHA-1 message digests.
AES128-SHA
128-bit AES encryption with SHA-1 message digests.
AES256-SHA
256-bit AES encryption with SHA-1 message digests.
AES128-SHA256
128-bit AES encryption with SHA-256 message digests.
AES256-SHA256
256-bit AES encryption with SHA-256 message digests.
AES128-GCM-SHA256
128-bit AES encryption in Galois Counter Mode (GCM) by using the Rivest-Shamir-Adleman (RSA) key exchange with SHA-256 message digests.
AES256-GCM-SHA384
256-bit AES encryption in GCM by using the Rivest-Shamir-Adleman (RSA) key exchange with SHA-384 message digests.
DHE-RSA-AES128-GCM-SHA256
128-bit AES encryption in GCM by using the Ephemeral Diffie-Hellman (DHE) key exchange with SHA-256 message digests.
DHE-RSA-AES256-GCM-SHA384
256-bit AES encryption in GCM by using the Ephemeral Diffie-Hellman (DHE) key exchange with SHA-384 message digests.
ECDHE-RSA-NULL-SHA
No data encryption. Uses the Elliptic Curve Ephemeral Diffie-Hellman (ECDHE) key exchange with SHA message digests. Use this cipher only for testing and debugging; do not use this cipher to secure sensitive data.
ECDHE-RSA-AES128-SHA256
128-bit AES encryption by using the ECDHE key exchange with SHA-256 message digests.
ECDHE-RSA-AES256-SHA384
256-bit AES encryption by using the ECDHE key exchange with SHA-384 message digests.
ECDHE-RSA-AES128-GCM-SHA256
128-bit AES encryption in GCM by using the ECDHE key exchange with SHA-256 message digests.
ECDHE-RSA-AES256-GCM-SHA384
256-bit AES encryption in GCM by using the ECDHE key exchange with SHA-384 message digests.
If you use TLS 1.3, z/TPF support for MongoDB supports the following ciphers:
TLS_AES_128_GCM_SHA256
128-bit AES encryption in GCM by using the ECDHE key exchange with SHA-256 message digests.
TLS_AES_256_GCM_SHA384
256-bit AES encryption in GCM by using the ECDHE key exchange with SHA-384 message digests.
CERTIFICATE
Defines the fully qualified path name of the certificate file in PEM format for the z/TPF server for MongoDB.
KEY
Defines the fully qualified path name of the Rivest-Shamir-Adleman (RSA) private key file in PEM format for the z/TPF server for MongoDB to use.
You optionally can specify the following parameters in the SSL configuration file for MongoDB:
VERIFYPEER
Specifies whether the z/TPF system verifies the MongoDB remote client SSL certificate. You can specify one of the following values:
NO
Specifies that the MongoDB remote client SSL certificate is not verified.
YES
Specifies that the MongoDB remote client SSL certificate is verified by using the file name that is specified for the CAINFO parameter or the directory that is specified for the CAPATH parameter. If the MongoDB remote client does not have a certificate or key file that is configured, the SSL connection fails.
If you do not specify this parameter, the default value of NO is assumed.
CAINFO
Specifies the fully qualified path name of the file that contains one or more certificate authority (CA) certificates or certificate revocation lists (CRLs).

If you specify VERIFYPEER=YES, you must specify the CAINFO or CAPATH parameter.

If you specify VERIFYPEER=NO, the CAINFO parameter is ignored.

CAPATH
Specifies the fully qualified path name of the directory that contains one or more certificate authority (CA) certificate files or certificate revocation list (CRL) files.

If you specify VERIFYPEER=YES, you must specify the CAINFO or CAPATH parameter.

If you specify VERIFYPEER=NO, the CAPATH parameter is ignored.

MAXVERSION
Specifies the maximum TLS version to be used. If you do not specify this parameter, the maximum TLS version is the maximum version that the z/TPF system supports.

If you specify any other valid SSL configuration file parameters, those parameters are ignored. If the SSL configuration file parameters that you specify are not valid, an error occurs when the z/TPF server for MongoDB is being started. For more information about the SSL configuration file syntax, see Create the application configuration files for SSL.

The following example shows a typical SSL configuration file for MongoDB:
VERSION=TLSV1               # TLS v1 for MongoDB
# Support for TDES and AES ciphers
CIPHER=DES-CBC3-SHA,AES128-SHA,AES256-SHA,AES128-SHA256,AES256-SHA256
# Certificate of MongoDB server
CERTIFICATE=/certs/MongoCert.pem
# Key file of MongoDB server
KEY=/tpfpubk/MongoKey.pem
# Enable client authentication
VERIFYPEER=YES
# CA certificate used to verify peer.
CAINFO=/certs/cacert.pem
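The following checker is an added example and is not IBM code; it is a small Python script that reads a file in this format and reports violations of the rules described on this page before the z/TPF server for MongoDB is started: a missing required parameter, a cipher name that is not in the supported lists for TLS 1.2 and earlier or for TLS 1.3, use of the no-encryption cipher ECDHE-RSA-NULL-SHA, VERIFYPEER=YES without CAINFO or CAPATH, and CAINFO or CAPATH values that are ignored because VERIFYPEER is NO or absent. The two configuration texts embedded in it are constructed for the example: the first mirrors the typical file shown above (the paths are placeholders), the second is a deliberately broken file, and the parameter name EXTRAPARM in it is made up to show how an undocumented parameter is reported. The script does not validate the VERSION or MAXVERSION values because this page does not list the accepted spellings.

```python
"""Checker for the SSL configuration file of the z/TPF server for MongoDB.

Added example, not IBM's code. It enforces only the rules the documentation
states: the four required parameters, the VERIFYPEER dependency on CAINFO or
CAPATH, the documented cipher names, and the warning on the no-encryption
cipher. The configuration texts below are constructed; paths are placeholders.
"""

# Cipher names exactly as the documentation lists them, by protocol generation.
TLS12_CIPHERS = {
    "DES-CBC3-SHA", "AES128-SHA", "AES256-SHA", "AES128-SHA256",
    "AES256-SHA256", "AES128-GCM-SHA256", "AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-NULL-SHA", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
}
TLS13_CIPHERS = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"}
NULL_CIPHERS = {"ECDHE-RSA-NULL-SHA"}  # no data encryption: test and debug only

REQUIRED = ("VERSION", "CIPHER", "CERTIFICATE", "KEY")
OPTIONAL = ("VERIFYPEER", "CAINFO", "CAPATH", "MAXVERSION")


def parse_ssl_config(text):
    """Parse NAME=VALUE lines; '#' starts a comment and blank lines are skipped.

    Returns (params, ignored): params holds the documented parameters, ignored
    lists every other parameter name, which the server silently ignores.
    """
    params, ignored = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = (part.strip() for part in line.split("=", 1))
        name = name.upper()
        if name in REQUIRED or name in OPTIONAL:
            params[name] = value
        else:
            ignored.append(name)
    return params, ignored


def cipher_generations(ciphers):
    """Return the protocol generations ('tls12', 'tls13') the list can serve."""
    gens = set()
    if any(c in TLS12_CIPHERS for c in ciphers):
        gens.add("tls12")
    if any(c in TLS13_CIPHERS for c in ciphers):
        gens.add("tls13")
    return gens


def validate_ssl_config(text):
    """Return a list of findings; an empty list means the file is acceptable."""
    params, ignored = parse_ssl_config(text)
    findings = [f"missing required parameter {n}" for n in REQUIRED if n not in params]
    findings += [f"parameter {n} is not used by the MongoDB server; ignored" for n in ignored]

    ciphers = [c.strip() for c in params.get("CIPHER", "").split(",") if c.strip()]
    for c in ciphers:
        if c not in TLS12_CIPHERS and c not in TLS13_CIPHERS:
            findings.append(f"unsupported cipher {c}")
        elif c in NULL_CIPHERS:
            findings.append(f"cipher {c} provides no data encryption; testing only")

    verify = params.get("VERIFYPEER", "NO").upper()  # NO is the documented default
    if verify not in ("YES", "NO"):
        findings.append(f"VERIFYPEER must be YES or NO, got {verify}")
    elif verify == "YES" and "CAINFO" not in params and "CAPATH" not in params:
        findings.append("VERIFYPEER=YES requires CAINFO or CAPATH")
    elif verify == "NO":
        findings += [f"{n} is ignored because VERIFYPEER=NO" for n in ("CAINFO", "CAPATH") if n in params]
    return findings


# Constructed inputs. DOC_STYLE_CONFIG mirrors the documentation's example.
DOC_STYLE_CONFIG = """\
VERSION=TLSV1               # TLS v1 for MongoDB
CIPHER=DES-CBC3-SHA,AES128-SHA,AES256-SHA,AES128-SHA256,AES256-SHA256
CERTIFICATE=/certs/MongoCert.pem
KEY=/tpfpubk/MongoKey.pem
VERIFYPEER=YES
CAINFO=/certs/cacert.pem
"""

# Constructed misconfiguration: no KEY, an undocumented cipher, the
# no-encryption cipher, peer verification without a CA source, and a
# parameter the MongoDB server does not read (EXTRAPARM is a made-up name).
BAD_CONFIG = """\
VERSION=TLSV1
CIPHER=RC4-SHA,ECDHE-RSA-NULL-SHA,AES128-GCM-SHA256
CERTIFICATE=/certs/MongoCert.pem
VERIFYPEER=YES
EXTRAPARM=1
"""

if __name__ == "__main__":
    for label, cfg in (("doc", DOC_STYLE_CONFIG), ("bad", BAD_CONFIG)):
        print(label, validate_ssl_config(cfg) or ["ok"])
```

Run against a real file with `validate_ssl_config(open(path).read())`; the check for CAINFO or CAPATH being silently ignored is the one most worth keeping, because a file that names a CA bundle but omits VERIFYPEER=YES still starts the server without any client certificate verification.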