You can configure application-managed or container-managed security for MongoDB
connections in Liberty.
Before you begin
Enable your application to use MongoDB. See Creating Liberty applications that
use MongoDB.
Stabilized feature: The mongodb-2.0 feature is stabilized. The MongoDB Java driver versions 2.10.0 to 2.14.2 that the feature supports are no longer in service, so they no longer receive fixes, including security fixes. Instead of using the mongodb-2.0 feature, create a CDI producer for Mongo. The CDI producer can use any Mongo driver version that meets your requirements.
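The following CDI producer is an added example and is not part of the Liberty documentation or the mongodb-2.0 feature. It shows one way to replace the feature while keeping the same security options that the procedure below configures in server.xml (user and password, an encrypted connection validated against a truststore, and X.509 certificate authentication). It assumes the cdi-2.0 and mpConfig-2.0 Liberty features (or later versions) are enabled, that the MongoDB Java driver 4.x is packaged with the application, and that the mongo.* property names are chosen here for illustration; they are not properties that Liberty or the driver define.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Optional;

import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.inject.Disposes;
import javax.enterprise.inject.Produces;
import javax.inject.Inject;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import org.eclipse.microprofile.config.inject.ConfigProperty;

import com.mongodb.ConnectionString;
import com.mongodb.MongoClientSettings;
import com.mongodb.MongoCredential;
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;

// Added example, not Liberty's or the driver's code. Property names (mongo.*) are
// assumptions for illustration; values come from MicroProfile Config (server.xml
// variables, microprofile-config.properties, environment variables, system properties),
// so credentials are not hard-coded in the application.
@ApplicationScoped
public class MongoClientProducer {

    @Inject @ConfigProperty(name = "mongo.uri", defaultValue = "mongodb://localhost:27017")
    String uri;

    // Password (SCRAM) authentication; leave unset when certificate authentication is used.
    @Inject @ConfigProperty(name = "mongo.user")
    Optional<String> user;
    @Inject @ConfigProperty(name = "mongo.password")
    Optional<String> password;
    @Inject @ConfigProperty(name = "mongo.authDatabase", defaultValue = "admin")
    String authDatabase;

    // Truststore with the CA that signed the MongoDB server certificate (like sslRef with a
    // truststore), and optionally a keystore with the client certificate (like
    // useCertificateAuthentication="true"). Both are assumed to be PKCS12 files.
    @Inject @ConfigProperty(name = "mongo.tls.truststore")
    Optional<String> trustStorePath;
    @Inject @ConfigProperty(name = "mongo.tls.truststorePassword")
    Optional<String> trustStorePassword;
    @Inject @ConfigProperty(name = "mongo.tls.keystore")
    Optional<String> keyStorePath;
    @Inject @ConfigProperty(name = "mongo.tls.keystorePassword")
    Optional<String> keyStorePassword;

    @Produces
    @ApplicationScoped
    public MongoClient createMongoClient() throws Exception {
        MongoClientSettings.Builder settings = MongoClientSettings.builder()
                .applyConnectionString(new ConnectionString(uri));

        if (trustStorePath.isPresent() || keyStorePath.isPresent()) {
            // Encrypt the connection and validate the server certificate with our SSLContext.
            SSLContext sslContext = buildSslContext();
            settings.applyToSslSettings(ssl -> ssl.enabled(true).context(sslContext));
        }

        if (keyStorePath.isPresent()) {
            // X.509 authentication: the subject DN of the client certificate is the user name,
            // so no user or password is configured.
            settings.credential(MongoCredential.createMongoX509Credential());
        } else if (user.isPresent()) {
            char[] pw = password
                    .orElseThrow(() -> new IllegalStateException("mongo.password is required with mongo.user"))
                    .toCharArray();
            settings.credential(MongoCredential.createCredential(user.get(), authDatabase, pw));
        }
        // Otherwise no credential is sent; that only works if the server runs without authentication.

        return MongoClients.create(settings.build());
    }

    // CDI calls this when the application-scoped client is destroyed.
    public void closeMongoClient(@Disposes MongoClient client) {
        client.close();
    }

    private SSLContext buildSslContext() throws Exception {
        TrustManagerFactory tmf = null;
        if (trustStorePath.isPresent()) {
            tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(loadKeyStore(trustStorePath.get(), trustStorePassword.orElse("")));
        }
        KeyManagerFactory kmf = null;
        if (keyStorePath.isPresent()) {
            String pw = keyStorePassword.orElse("");
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(loadKeyStore(keyStorePath.get(), pw), pw.toCharArray());
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        // A null trust manager array falls back to the JVM default truststore (cacerts).
        ctx.init(kmf == null ? null : kmf.getKeyManagers(),
                 tmf == null ? null : tmf.getTrustManagers(), null);
        return ctx;
    }

    private static KeyStore loadKeyStore(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }
}
```

An application bean then injects the client with @Inject MongoClient client and calls client.getDatabase("db-test-1"); the driver authenticates the connection itself, so application code does not call any authenticate method. Setting mongo.tls.keystore without mongo.user selects certificate authentication, which, as with the Liberty configuration, requires the certificate subject to be defined as a user on the MongoDB server.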
About this task
You can secure MongoDB applications by using application-managed security, container-managed security, an SSL connection, or certificate authentication. For all of these options, the MongoDB server must be running with authentication explicitly enabled so that it rejects unauthenticated connections; the Liberty configuration supplies credentials but cannot enforce their use on the server.
Procedure
- Configure application-managed security for MongoDB.
If the mongo configuration element does not specify user and password attributes, the product assumes that the application either uses application-managed security or does not use security. To enable application-managed security, the application must authenticate by using the MongoDB driver APIs, for example:
<mongo id="mongo1" libraryRef="MongoLib" />
<mongoDB jndiName="mongo/testdb" mongoRef="mongo1" databaseName="db-test-1"/>
// Java snippet
import javax.annotation.Resource;
import com.mongodb.DB;

public class MongoAccess {
    // The mongoDB element is bound in JNDI under mongo/testdb
    @Resource(name = "mongo/testdb")
    protected DB db;

    // Authenticate once, before the first database operation
    private void auth() {
        if (!db.isAuthenticated()) {
            db.authenticate("user", "password".toCharArray());
        }
    }
}
In a real application, obtain the user name and password from protected configuration rather than hard-coding them in the class as this snippet does.
- Configure container-managed security for MongoDB.
To use container-managed security, the mongo configuration element must specify a user and password. Only one user is allowed for each mongo configuration, and all MongoDB instances that reference that configuration use the specified user and password. For example, all mongoDB instances that reference mongo1 in the following example use mongoUserName and pw:
<mongo id="mongo1" libraryRef="MongoLib" user="mongoUserName" password="pw"/>
<mongoDB jndiName="mongo/testdb" mongoRef="mongo1" databaseName="db-test-1"/>
<mongoDB jndiName="mongo/testdb2" mongoRef="mongo1" databaseName="db-test-2"/>
Encode the value of the password attribute with the securityUtility encode command rather than storing it in clear text in the server.xml file. Applications that use container-managed security must not call com.mongodb.DB.authenticate(user, pass); the container authenticates the connection on their behalf.
- Create an SSL connection between Liberty and the MongoDB server.
To create an SSL connection between Liberty and the MongoDB server, add the transportSecurity-1.0 Liberty feature in the server.xml file and specify sslEnabled="true" on the MongoDB configuration element. SSL must also be explicitly enabled on the MongoDB server to ensure that connections are encrypted.
<featureManager>
<feature>mongodb-2.0</feature>
<feature>transportSecurity-1.0</feature>
</featureManager>
<mongo id="mongo3" libraryRef="MongoLib" user="mongoUserName" password="pw" sslEnabled="true"/>
<mongoDB jndiName="mongo/testdb3" mongoRef="mongo3" databaseName="db-test-3" />
- Use a custom SSL configuration.
To use a custom SSL configuration, for example to specify a truststore that contains the CA certificate of the MongoDB server, add the sslRef attribute to the MongoDB configuration element. Use the sslRef attribute to reference an ssl configuration element that you define in the server.xml file. If the ssl element has no trustStoreRef attribute, Liberty uses the keystore that keyStoreRef identifies as the truststore, which is why the following example points keyStoreRef at a truststore.
<featureManager>
<feature>mongodb-2.0</feature>
<feature>transportSecurity-1.0</feature>
</featureManager>
<keyStore id="myTrustStore" password="truststorepw" location="${server.output.dir}/resources/security/trustStore.jks"></keyStore>
<ssl id="mySSLConfig" keyStoreRef="myTrustStore" />
<mongo id="mongo4" libraryRef="MongoLib" user="mongoUserName" password="mongopw" sslEnabled="true" sslRef="mySSLConfig"/>
<mongoDB jndiName="mongo/testdb4" mongoRef="mongo4" databaseName="db-test-4" />
- Use certificate authentication.
To configure certificate authentication with MongoDB, add useCertificateAuthentication="true" to the mongo configuration element, reference an ssl configuration that includes a keystore with the client certificate and key, and remove the user and password attributes:
<featureManager>
<feature>mongodb-2.0</feature>
<feature>transportSecurity-1.0</feature>
</featureManager>
<keyStore id="myTrustStore" password="truststorepw" location="${server.output.dir}/resources/security/trustStore.jks"></keyStore>
<keyStore id="myKeyStore" password="keystorepw" location="${server.output.dir}/resources/security/keyStore.jks"></keyStore>
<ssl id="mySSLConfigCertAuth" trustStoreRef="myTrustStore" keyStoreRef="myKeyStore" clientKeyAlias="alias_name_of_key" />
<mongo id="mongo5" libraryRef="MongoLib" sslEnabled="true" sslRef="mySSLConfigCertAuth" useCertificateAuthentication="true" />
<mongoDB jndiName="mongo/testdb5" mongoRef="mongo5" databaseName="db-test-5" />
clientKeyAlias is only required if the keystore contains multiple keys. The subject of the client certificate is the user name that MongoDB authenticates, so a matching user must be defined on the MongoDB server. For more information about configuring the keystore and truststore, see the MongoDB documentation.
What to do next
Ensure that the MongoDB server is running, and then test
the MongoDB security from your application.