Configuring secure MongoDB connections in Liberty

You can configure application-managed or container-managed security for MongoDB connections in Liberty.

Before you begin

Enable your application to use MongoDB. See Creating Liberty applications that use MongoDB.

Stabilized feature: The mongodb-2.0 feature is stabilized. The MongoDB Java driver versions 2.10.0 to 2.14.2 that the feature supports are no longer in service. Instead of using the mongodb-2.0 feature, create a CDI producer for Mongo. The CDI producer can use any Mongo version that meets your requirements.

About this task

You can secure MongoDB applications by using application-managed security, container-managed security, SSL-managed security, or certificate authentication. For all of these, the MongoDB server must be running with authentication explicitly enabled; otherwise the MongoDB connections are not secured.

Procedure

  • Configure application-managed security for MongoDB.

    If the mongo configuration element does not specify the user and password attributes, the product assumes that the application either uses application-managed security or does not use security. To use application-managed security, the application must authenticate by using the MongoDB driver APIs, for example:

    <mongo id="mongo1" libraryRef="MongoLib" />
    <mongoDB jndiName="mongo/testdb" mongoRef="mongo1" databaseName="db-test-1"/>

    // Java snippet (MongoDB Java driver 2.x API). The enclosing class name is
    // illustrative; the resource reference matches the jndiName above.
    import javax.annotation.Resource;
    import com.mongodb.DB;

    public class MongoAccessBean {

        // Injected by the container from the mongoDB element
        @Resource(name = "mongo/testdb")
        protected DB db;

        // Application-managed security: authenticate before the first use
        private void auth() {
            if (!db.isAuthenticated())
                db.authenticate("user", "password".toCharArray());
        }
    }

  • Configure container-managed security for MongoDB.

    To use container-managed security, the mongo configuration element must specify the user and password attributes. Only one user is allowed for each mongo configuration, and every mongoDB instance that references that configuration uses the specified user and password. For example, both mongoDB instances that reference mongo1 in the following example use mongoUserName and pw:

    <mongo id="mongo1" libraryRef="MongoLib" user="mongoUserName" password="pw"/>
    <mongoDB jndiName="mongo/testdb" mongoRef="mongo1" databaseName="db-test-1"/>
    <mongoDB jndiName="mongo/testdb2" mongoRef="mongo1" databaseName="db-test-2"/>

    Applications that use container-managed security must not call com.mongodb.DB.authenticate(user, pass).

  • Create an SSL connection between Liberty and the MongoDB server.

    To create an SSL connection between Liberty and the MongoDB server, add the transportSecurity-1.0 Liberty feature in the server.xml file and specify sslEnabled="true" on the mongo configuration element. SSL must also be explicitly enabled on the MongoDB server; sslEnabled on the client side alone does not ensure that connections are encrypted.

    <featureManager>
          <feature>mongodb-2.0</feature>
          <feature>transportSecurity-1.0</feature>
    </featureManager>
    <mongo id="mongo3" libraryRef="MongoLib" user="mongoUserName" password="pw" sslEnabled="true"/>
    <mongoDB jndiName="mongo/testdb3" mongoRef="mongo3" databaseName="db-test-3" />

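
    The Before you begin note recommends a CDI producer instead of the mongodb-2.0 feature. The following producer is an added example, not code from Liberty or the MongoDB driver: it does with the MongoDB Java driver 3.4 or later what the user, password, sslEnabled, and useCertificateAuthentication settings do on the mongo element. The MongoClientProducer class, the mongo.* property names, and the use of MicroProfile Config (mpConfig feature) are assumptions.

```java
import java.util.Collections;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.inject.Disposes;
import javax.enterprise.inject.Produces;
import javax.inject.Inject;
import org.eclipse.microprofile.config.inject.ConfigProperty;
import com.mongodb.MongoClient;
import com.mongodb.MongoClientOptions;
import com.mongodb.MongoCredential;
import com.mongodb.ServerAddress;

// Replacement for the mongodb-2.0 feature: one MongoClient for the application,
// built from MicroProfile Config values (assumed property names mongo.*), which
// can be supplied as <variable> elements in server.xml or as environment variables.
@ApplicationScoped
public class MongoClientProducer {

    @Inject @ConfigProperty(name = "mongo.host", defaultValue = "localhost") String host;
    @Inject @ConfigProperty(name = "mongo.port", defaultValue = "27017") int port;
    // "password" mirrors user/password on <mongo>; "x509" mirrors useCertificateAuthentication
    @Inject @ConfigProperty(name = "mongo.authMode", defaultValue = "password") String authMode;
    @Inject @ConfigProperty(name = "mongo.user", defaultValue = "") String user;
    @Inject @ConfigProperty(name = "mongo.password", defaultValue = "") String password;
    @Inject @ConfigProperty(name = "mongo.authDb", defaultValue = "admin") String authDb;

    @Produces @ApplicationScoped
    public MongoClient createClient() {
        MongoCredential credential;
        if ("x509".equals(authMode)) {
            // Certificate authentication: the client certificate comes from the JVM
            // default key store (javax.net.ssl.keyStore* in jvm.options); the driver
            // takes the $external user name from the certificate subject.
            credential = MongoCredential.createMongoX509Credential();
        } else {
            // Password credential scoped to the authentication database.
            credential = MongoCredential.createCredential(user, authDb, password.toCharArray());
        }
        // Equivalent of sslEnabled="true". The driver uses the JVM default SSLContext,
        // so the CA that signed the mongod certificate must be in the JVM trust store
        // (javax.net.ssl.trustStore in jvm.options). Host name verification stays on
        // so that a certificate issued for another host is rejected.
        MongoClientOptions options = MongoClientOptions.builder()
                .sslEnabled(true)
                .sslInvalidHostNameAllowed(false)
                .build();
        return new MongoClient(new ServerAddress(host, port),
                Collections.singletonList(credential), options);
    }

    // Close the shared client when the application scope ends.
    public void closeClient(@Disposes MongoClient client) {
        client.close();
    }
}
```

    Beans obtain the client with @Inject MongoClient; because the producer is @ApplicationScoped, the client and its connection pool are created once.
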
  • Use a custom SSL configuration.

    To use a custom SSL configuration, for example one that specifies a truststore, add the sslRef attribute to the mongo configuration element. The sslRef attribute names an ssl element that is configured in the server.xml file.

    <featureManager>
          <feature>mongodb-2.0</feature>
          <feature>transportSecurity-1.0</feature>
    </featureManager>
    <keyStore id="myTrustStore" password="truststorepw" location="${server.output.dir}/resources/security/trustStore.jks"></keyStore>
    <ssl id="mySSLConfig" keyStoreRef="myTrustStore" />
    <mongo id="mongo4" libraryRef="MongoLib" user="mongoUserName" password="mongopw" sslEnabled="true" sslRef="mySSLConfig"/>
    <mongoDB jndiName="mongo/testdb4" mongoRef="mongo4" databaseName="db-test-4" />

  • Use certificate authentication.

    To configure certificate authentication with MongoDB, add useCertificateAuthentication="true" to the mongo configuration element and remove the user and password attributes:

    <featureManager>
          <feature>mongodb-2.0</feature>
          <feature>transportSecurity-1.0</feature>
    </featureManager>
    <keyStore id="myTrustStore" password="truststorepw" location="${server.output.dir}/resources/security/trustStore.jks"></keyStore>
    <keyStore id="myKeyStore" password="keystorepw" location="${server.output.dir}/resources/security/keyStore.jks"></keyStore>
    <ssl id="mySSLConfigCertAuth" trustStoreRef="myTrustStore" keyStoreRef="myKeyStore" clientKeyAlias="alias_name_of_key" />
    <mongo id="mongo5" libraryRef="MongoLib" sslEnabled="true" sslRef="mySSLConfigCertAuth" useCertificateAuthentication="true" />
    <mongoDB jndiName="mongo/testdb5" mongoRef="mongo5" databaseName="db-test-5" />

    The clientKeyAlias attribute is required only if the keystore contains more than one key; it selects the client certificate that is presented to the MongoDB server. For more information about configuring the keystore and truststore, see the MongoDB documentation.

What to do next

Ensure that the MongoDB server is running, and then test the MongoDB security from your application.