MongoDB Atlas For Your Enterprise
Joanna Cheng – Team Lead, Technical Services
Joanna Cheng
Team Lead, Technical Services @ MongoDB
About Me
A Quick Show of Hands
How many of you need an enterprise database cluster with:
● TLS
● LDAP authentication
● LDAP authorization
● Encryption at Rest with KMIP Key Management
● Encrypted Backups
● Analytics Integration
How many have set up a database cluster with some of the above?
Ding… a new email
Dear DBA,
We forgot to tell you earlier, we need a database to run some numbers and do some analysis stuff.
Please configure the following before 12:00 PM today, Mar 14:
Highly Available, 3 Node, MongoDB Replica Set
TLS for all connections
LDAP authentication and authorization for 30,000 users
Database Auditing – ALL authentication attempts must be logged
Encryption at Rest using our AWS KMS credentials
BI tools – integration with existing tools
Regards,
- Management
With MongoDB Atlas:
YOU CAN DO IT!
Checklist:
● Highly Available, 3 Node, MongoDB Replica Set
● TLS for all connections
● LDAP authentication and authorization for 30,000 users
● Database Auditing - ONLY authentication attempts must be logged
● Encryption at Rest using our AWS KMS credentials
● BI tools – integration with existing tools
3 Node Replica Set w/TLS
LDAP Auth - Requirements
Authentication
1. Server Hostname
2. Server Port
3. Bind User Credentials
4. (Optional) CA Certificate for LDAP Server
5. (Optional) LDAP Query for Mapping
Authorization
1. An attribute to match to MongoDB Roles
2. An LDAP query to find these attributes
CN=Joanna Cheng,OU=people,DC=MongoDB,DC=COM
LDAP Authentication
Bind DN
Bind Password
User DN
User Password
BIND SUCCESS - Bind User
BIND SUCCESS - Client User
MongoDB Authorization
User @ $external
GOING LIVE
Another email
Dear DBA,
Hope all is going well! Time is ticking!
Regards,
- Management
LDAP Authorization
memberOf: CN=DBAs,OU=groups,DC=MongoDB,DC=COM
memberOf: CN=Ballet,OU=groups,DC=MongoDB,DC=COM
memberOf: CN=Puzzles,OU=groups,DC=MongoDB,DC=COM
And MORE!
MongoDB Authorization
Roles @ admin
Bind DN
Bind Password
User DN
User Password
BIND SUCCESS - Bind User
BIND SUCCESS - Client User
CN=Joanna Cheng,OU=people,DC=MongoDB,DC=COM
GOING LIVE
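The two binds and the group-to-role mapping described on the LDAP slides above, as an added Python example that is not part of the deck. The directory contents, the bind user CN=svc-mongodb, the second user CN=Dancer, the role assignments and the user-to-DN template are constructed stand-ins for a real LDAP server and admin database.

```python
"""Two-step LDAP login followed by group-to-role mapping, as MongoDB performs it.
Every value below is an in-memory stand-in constructed for illustration."""

# Constructed directory: DN -> (password, memberOf group DNs)
DIRECTORY = {
    "CN=svc-mongodb,OU=service,DC=MongoDB,DC=COM": ("bind-secret", []),
    "CN=Joanna Cheng,OU=people,DC=MongoDB,DC=COM": ("user-secret", [
        "CN=DBAs,OU=groups,DC=MongoDB,DC=COM",
        "CN=Ballet,OU=groups,DC=MongoDB,DC=COM",
        "CN=Puzzles,OU=groups,DC=MongoDB,DC=COM",
    ]),
    "CN=Dancer,OU=people,DC=MongoDB,DC=COM": ("dance-secret", [
        "CN=Ballet,OU=groups,DC=MongoDB,DC=COM",
    ]),
}

# Constructed roles in the admin database. LDAP-backed roles are named after the
# group DN; a group with no matching role grants no privileges at all.
ADMIN_ROLES = {
    "CN=DBAs,OU=groups,DC=MongoDB,DC=COM": ["dbAdminAnyDatabase", "clusterMonitor"],
}

BIND_DN = "CN=svc-mongodb,OU=service,DC=MongoDB,DC=COM"    # constructed bind user
USER_TO_DN_TEMPLATE = "CN={0},OU=people,DC=MongoDB,DC=COM"  # the "LDAP query for mapping"


def ldap_bind(dn, password):
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry[0] == password


def login(username, password, bind_password):
    """Return the stage reached and the MongoDB roles granted to the user."""
    # Bind 1: the server binds with its own bind user before looking anyone up.
    if not ldap_bind(BIND_DN, bind_password):
        return {"ok": False, "stage": "bind-user", "roles": []}
    user_dn = USER_TO_DN_TEMPLATE.format(username)
    # Bind 2: the client's credentials are proven by binding as the user itself.
    if not ldap_bind(user_dn, password):
        return {"ok": False, "stage": "client-user", "roles": []}
    # Authorization: read memberOf and map each group DN to roles in admin.
    groups = DIRECTORY[user_dn][1]
    roles = [role for g in groups if g in ADMIN_ROLES for role in ADMIN_ROLES[g]]
    return {"ok": True, "stage": "authorized",
            "user": f"{user_dn}@$external", "roles": roles}
```

A user whose groups match no admin-database role authenticates successfully but ends up with an empty role list, which is the case to check for when rolling this out to 30,000 users.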
Database Auditing
Database Auditing - Got ’em!
GOING LIVE
2019/02/26
Encryption at Rest - Requirements
Amazon KMS
1. IAM User permitted to perform:
a. DescribeKey
b. Encrypt
c. Decrypt
2. Access Key
3. Access Secret
4. Region where the key will reside
5. AWS Customer Master Key (CMK)
Azure Key Vault
1. The Tenant ID (or Directory ID) for an Active Directory tenant.
2. The Client ID (or Application ID) w/ non-expired application password
3. The Resource Group name
a. Must have Owner Role in Resource Group
4. The Subscription ID and Key Vault Name of an Azure Key Vault.
5. The Key Vault must have the following Access Policies:
a. Key Management Operations
i. GET
ii. LIST
b. Cryptographic Operations
i. ENCRYPT
ii. DECRYPT
6. The Key Identifier for a key in the specified Azure Key Vault.
GOING LIVE
BI-Connector
GOING LIVE
One More Message
Dear DBA,
Thank you for saving our bacon and getting this MongoDB cluster up in time! We didn’t think it was possible but here we are.
Take the rest of the afternoon off!
Regards,
- Management
With MongoDB Atlas:
You shouldn't feel the weight of the world on your shoulders when setting up a secure MongoDB
Thank You!
Joanna Cheng - Team Lead, Technical Services
Any feedback would be greatly appreciated!
Questions?

MongoDB.local Sydney: MongoDB Atlas for Your Enterprise