Issue #5512

closed

Can't connect to remote mongodb when FIPS-enabled

Added by ggainey over 4 years ago. Updated about 4 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Assignee:
Category: -
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Version: 2.20.0
Platform Release: 2.21.1
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Sprint: Sprint 63
Quarter:

Description

Pulp uses login/password to connect to remote mongo. A password-digest is created that relies on MD5. MD5 is not available on a FIPS-enabled system.

Teach Pulp to be able to use client-certificate-authentication to a remote mongodb, in order to avoid this problem.

Actions #3

Updated by rchan over 4 years ago

  • Status changed from NEW to ASSIGNED
Actions #4

Updated by ggainey over 4 years ago

Pre-Mongo4, MONGODB-X509 is the best option for skipping the non-FIPS-compliant parts of Mongo authentication. Taking advantage of it requires Pulp and Mongo to communicate via SSL, a change to Pulp's connection.py code, specific extensions to the Pulp-side client certificate, and a specific user being added to MongoDB.

Specifics on the full process for setting up/using a Certificate Authority, generating Certificate Requests, and generating/using SSL certificates for mongo and for pulp are left as an exercise for the reader. Assuming you want to do it 'by hand', one description of the process can be found at https://gist.github.com/Soarez/9688998

An overview of the process for teaching Pulp and Mongo to use X509 authentication follows:

  • Generate a client-cert for Pulp (<pulp-client-cert.pem>), generated by the same CA as Mongo's cert, that has the following extensions:

        req_extensions = my_extensions                                                                  
        [ my_extensions ]                                                                               
        keyUsage = digitalSignature                                                                     
        extendedKeyUsage = clientAuth 
    
  • Teach Mongo about a user whose name is the pulp-cert's 'subject', and give that
    user readWrite access to the pulp database:

        # openssl x509 -in <pulp-client-cert.pem> -inform PEM -subject -nameopt RFC2253
        subject= CN=pulp2_dev_service_auth,O=Pulp Service,ST=NC,C=US
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
        # mongo
        > use pulp_database;
        > db.getSiblingDB("$external").runCommand( {
            createUser: "CN=pulp2_dev_service_auth,O=Pulp Service,ST=NC,C=US",
            roles: [ { role: "readWrite", db: "pulp_database" } ],
            writeConcern: { w: "majority" , wtimeout: 5000 }
            } );
    
  • Teach mongodb to require SSL, and to require x509 auth, in /etc/mongodb.conf:

        sslMode = requireSSL                                                                            
        sslPEMKeyFile = <mongodb.pem>                                                                   
        sslCAFile =  <mongo-ca.crt>                                                                     
        clusterAuthMode = x509 
    
  • Test login to Mongo using X509:

        # mongo --ssl --sslPEMKeyFile <pulp-client-cert.pem> pulp_database \
              --authenticationMechanism MONGODB-X509
        MongoDB shell version: 2.6.12
        connecting to: pulp_database
        >
    
  • Set up Pulp to use SSL to talk to Mongo, and to use x509 auth, using the pulp-cert's
    'subject' as username, and the new setting x509_auth, in /etc/pulp/server.conf:

        username: CN=pulp2_dev_service_auth,O=Pulp Service,ST=NC,C=US                                   
        password:                                                                                       
        ssl: true                                                                                       
        verify_ssl: true                                                                                
        ssl_certfile: <pulp-client-cert.pem>                                                            
        ca_path: <mongo-ca.crt>                                                                         
        x509_auth: true  
    
  • Turn FIPS on and reboot - sample FIPS instructions for RHEL/CentOS can be found at https://www.dogtagpki.org/wiki/Configuring_FIPS_on_RHEL

  • Pulp will now talk to your Mongo database using X509 authentication, with both sides of the
    conversation set to FIPS-enabled.

Actions #5

Updated by ggainey over 4 years ago

  • Status changed from ASSIGNED to POST

Required changes to connection.py and to server.conf

https://github.com/pulp/pulp/pull/3964

Actions #6

Updated by rchan over 4 years ago

  • Sprint changed from Sprint 60 to Sprint 61
Actions #7

Updated by rchan over 4 years ago

  • Sprint changed from Sprint 61 to Sprint 62
Actions #8

Updated by rchan over 4 years ago

  • Sprint changed from Sprint 62 to Sprint 63

Added by ggainey about 4 years ago

Revision 8c949fe3 | View on GitHub

Allow for MONGODB-X509 authentication to Mongo

Adds a config-setting, 'x509_auth: true/false', to the [database] stanza. Can be used only if ssl: true and ssl_certfile: are set, username: is the subject of the specified client-PEM, and Mongo is set to clusterAuthMode = x509

closes #5512
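
The preconditions listed in this commit message can be checked before Pulp is restarted. The following is an added example, not code from Pulp or from the pull request: it reads a constructed [database] stanza and the `subject=` line printed by the openssl command shown earlier on this page. The function names and the file paths are hypothetical.

```python
import configparser

# Constructed sample: output of the `openssl x509 ... -subject -nameopt RFC2253`
# command from this page, using the subject shown there.
OPENSSL_OUTPUT = """subject= CN=pulp2_dev_service_auth,O=Pulp Service,ST=NC,C=US
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
"""

# Constructed sample [database] stanza; the two file paths are placeholders.
SERVER_CONF = """[database]
username: CN=pulp2_dev_service_auth,O=Pulp Service,ST=NC,C=US
password:
ssl: true
verify_ssl: true
ssl_certfile: /path/to/pulp-client-cert.pem
ca_path: /path/to/mongo-ca.crt
x509_auth: true
"""


def subject_from_openssl(output):
    """Return the RFC2253 subject from openssl's 'subject=' line, or None."""
    for line in output.splitlines():
        if line.startswith("subject="):
            return line[len("subject="):].strip()
    return None


def check_x509_stanza(conf_text, cert_subject):
    """List the unmet preconditions for x509_auth in the [database] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if not cp.has_section("database"):
        return ["no [database] stanza"]
    db = cp["database"]
    if not db.getboolean("x509_auth", fallback=False):
        return []  # x509_auth is off, so its preconditions do not apply
    problems = []
    if not db.getboolean("ssl", fallback=False):
        problems.append("ssl must be true")
    if not db.get("ssl_certfile", fallback="").strip():
        problems.append("ssl_certfile must be set")
    # The Mongo user name is the subject string itself, so compare exactly.
    if not cert_subject or db.get("username", fallback="").strip() != cert_subject:
        problems.append("username must equal the client certificate subject")
    return problems
```

The comparison is an exact string match because the user created in `$external` is named with the RFC2253 subject string, so a reordered or re-spaced DN in server.conf is reported as a mismatch.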

Actions #9

Updated by ggainey about 4 years ago

  • Status changed from POST to MODIFIED
Actions #10

Updated by ipanova@redhat.com about 4 years ago

  • Platform Release set to 2.21.1

Added by ggainey about 4 years ago

Revision 29d014c1 | View on GitHub

Allow for MONGODB-X509 authentication to Mongo

Adds a config-setting, 'x509_auth: true/false', to the [database] stanza. Can be used only if ssl: true and ssl_certfile: are set, username: is the subject of the specified client-PEM, and Mongo is set to clusterAuthMode = x509

closes #5512

(cherry picked from commit 8c949fe3e6f2b073033bcd3d46e609b8477afef5)

Actions #12

Updated by ipanova@redhat.com about 4 years ago

  • Status changed from MODIFIED to 5
Actions #13

Updated by ipanova@redhat.com about 4 years ago

  • Status changed from 5 to CLOSED - CURRENTRELEASE
