Security is more critical than ever with new computing environments in the cloud and expanding access to the internet. There are a number of security protection mechanisms available for MongoDB to ensure you have a stable and secure architecture for your deployment. Dave Erickson will walk through general security threats to databases and specifically how they can be mitigated for MongoDB deployments. Rob Moore will then go into depth on the specific topic of setting up and running MongoDB with TLS/SSL and x.509 authentication covering how it works and common errors he's encountered in the field.

1. Securing your MongoDB
Deployment
Rob Moore
President, Allanbank Consulting
Dave Erickson
Senior Solutions Architect, MongoDB
MongoDB Days: Washington DC, October 14th, 2014

2. This Talk
• Database security myths
• MongoDB security features vs. threats
• Developing for least privilege
• Explaining TLS (a.k.a. SSL)
• Configuring TLS in MongoDB
• Common Pitfalls

3. Useful Links
The Manual
http://docs.mongodb.org/manual/security/
Security Checklist
http://docs.mongodb.org/manual/administration/s
ecurity-checklist/
Security Technical Implementation Guide (STIG)
http://www.mongodb.com/lp/contact/stig-requests

4. Security Myth 1)
I can defer thinking about
security until later

5. Timeline
Team plans and design security as early as possible.
Design Implement Test Deploy
YES! NO!

6. Security Myth 2)
My RDBMS didn’t require
<security feature> so
neither should MongoDB

7. Security Myth 3)
• My database is on a trusted network
– Reality: there is no such thing in 2014
• My database is in a building owned by my company
– Reality: if it’s not already in the “cloud” it may be soon
• My database is only accessed by a small number of
trusted users
– Reality: this may be true ..
But what about information reuse, sharing, open data,
public access, etc. ?

8. Security Features
Authentication Authorization
Auditing Encryption

9. Authentication
Who are you in MongoDB?
• Username / Password
• x.509 certs (PKI)
• Kerberos and LDAP
• All approaches still require db.createUser()
• Most apps log into database using an application level identity.
Authenticating a business user into the database is rare.

10. Authorization
What you allowed to do in MongoDB?
• Basic Role Based Access Control (DB level)
– Built in roles: read, readWrite, dbAdmin, root
• Create Custom Roles (Collection level)
– Lock down a user to specific actions on specific resources.
– Roles can inherit other roles
• Field Level Access Control (Document, Sub-Document)
– a.k.a Compartment Security, Cell Level Security
– $redact command in aggregation pipeline
– Document level and field level access control

11. Auditing
• Most audit trails can be made by the application
– No stored procedures
• DB Auditable Events
– Schema (DDL)
• DB, Collection, Indexes
– Authentication and Authorization
• Including user changes
– General Operations
• Replica Set Config Changes
• Sharding Changes
• Server Shutdowns, Etc
– Data Changes?
• OpLog

12. Encryption
• Over the Network
– Between DB and Clients – SSL, x.509 certs
– Intra-cluster – SSL, with keyfiles / certs
• At Rest
– File System Level
– Process Level
• Field-by-field
– Typically done by application
– Restricts in database analytics, search, etc.
• 3:10 PM … Understanding Database Encryption & Protecting Against the
Insider Threat with MongoDB

13. Develop for “Least Privilege”
• Create read and
read/write roles for all
collections
• Maintain a matrix of
which threads in your
app need access to
which of collection
– Your auditors will love
you.
• Group threads into users
and assign roles.

14. TLS (a.k.a. SSL)

15. https:// ≠ mongodbs://

16. TLS Handshake - https://
Client Server

17. TLS Handshake - Client Authentication
Client Server

18. Trust
know
Alice Bob
CA CA CA
trust trust
Alice Bob
Web of Trust
Cody David
Alice Bob
No Trust
Alice Bob

19. Cryptographic Identity
CA
Eve Eve
Alice Eve
Bob
• Browsers avoid via Hostname Verification

20. MongoDB Trust
• Cluster membership
– Single CA
– At least one of: O, OU, DC, and DN
– O, OU, and DC components match.
– Recommendation:
• Add an OU for you cluster member certificates.
• Client (x.509) Authorization
– Must explicitly request via the driver

21. MongoDB Server Configuration
net:
ssl:
mode: requireSSL
PEMKeyFile: ./ca/server.pem
PEMKeyPassword: supersecret
clusterFile: ./ca/server.pem
clusterPassword:supersecret
CAFile: ./ca/trust.crt
# CRLFile:
weakCertificateValidation: false
allowInvalidCertificates: false
# Enterprise Only
# FIPSMode: true
security:
authorization: enabled
clusterAuthMode: x509
storage:
dbPath : ./data
systemLog:
destination: file
path: ./mongodb.log
logAppend: true

22. MongoDB Client Authentication
• Read your Drivers Documentation!
– Java:
• http://www.allanbank.com/mongodb-async-driver/userguide/tls.html
• http://docs.mongodb.org/manual/tutorial/configure-ssl-clients/#java
– C#:
• http://docs.mongodb.org/manual/tutorial/configure-ssl-clients/#net
– Python:
• http://api.mongodb.org/python/current/examples/authentication.html#mongodb-x509
• Leverage the built-in TLS library.
– Remember this will most likely not do hostname
verification

23. Wrong DN
• Symptom
– Reported to the client.
• Error: 18 Username "C=US, ST=DC, L=Washington,
O=Allanbank Consulting, Inc., CN=client1" does not match
the provided client certificate user "CN=client1,O=Allanbank
Consulting, Inc.,L=Washington,ST=DC,C=US"
• Problem / Fix
– Use the right DN string
– Order and spacing matter and must match the
addUser() name.

24. Client Validation Error
• Symptom
– Server Log
• ERROR: SSL peer certificate validation failed:self signed
certificate
– Client
• Connection error: exception: connect failed
• Problem / Fix
– Add the issuer for the client's certificate to the CAFile.
• You can simply concatenate the certificate entries (-----BEGIN
CERTIFICATE----- to -----END CERTIFICATE-----).

25. No TLS Client Certificate
• Symptom
– On server startup via <stdout> - not log.
• warning: No SSL certificate validation can be performed since no
CA file has been provided; please specify an sslCAFile parameter
– Client sees
• Error: 18 { ok: 0.0, errmsg: "auth failed", code: 18 }
– Server Log:
• Failed to authenticate <DN>@$external with mechanism
MONGODB-X509: AuthenticationFailed There is no x.509 client
certificate matching the user.
• Problem / Fix
– Make sure you supply a CAFile parameter

26. Client Key Missing
• Symptom
– Server Log
• warning: no SSL certificate provided by peer
• Problem / Fix
– Make sure the client’s TLS configuration is correct.
– Make sure weakCertificateValidation is set to
false.
• Setting “weakCertificateValidation: true” provides
“want” vs. “must” semantics.

27. Authenticate as Cluster Member
• Symptom
– You can do things you should not be able to.
– Authentication log record look just like a user’s.
• Problem / Fix
– Add or change the OU to the cluster member
certificates.
– User a different CA for the cluster member
certificates.

28. THANK YOU!!!
Questions?