Issue #5512 (closed)
Can't connect to remote mongodb when FIPS-enabled
Description
Pulp uses login/password to connect to remote mongo. A password-digest is created that relies on MD5. MD5 is not available on a FIPS-enabled system.
Teach Pulp to be able to use client-certificate-authentication to a remote mongodb, in order to avoid this problem.
Updated by ggainey over 5 years ago
Pre-Mongo4, MONGO-X509 is the best option for skipping the non-FIPS-compliant parts of Mongo authentication. Taking advantage of it requires Pulp and Mongo to communicate via SSL, a change to Pulp's connection.py code, specific extensions to the Pulp-side client certificate, and a specific user being added to MongoDB.
Specifics on the full process for setting up/using a Certificate Authority, generating Certificate Requests, and generating/using SSL certificates for mongo and for pulp are left as an exercise for the reader. Assuming you want to do it 'by hand', one description of the process can be found at https://gist.github.com/Soarez/9688998
An overview of the process for teaching Pulp and Mongo to use X509 authentication follows:
- Pulp must be running a copy of connection.py that has the PR linked in this issue applied
- Teach Mongo how to use X509 auth, and how to recognize the Pulp user. Documentation describing this process is here: https://docs.mongodb.com/manual/tutorial/configure-x509-client-authentication/#addx509subjectuser . Steps include:
  - Generate a client-cert for Pulp (<pulp-client-cert.pem>), generated by the same CA as Mongo's cert, that has the following extensions:

        req_extensions = my_extensions
        [ my_extensions ]
        keyUsage = digitalSignature
        extendedKeyUsage = clientAuth

  - Teach Mongo about a user whose name is the pulp-cert's 'subject', and give that user readWrite access to the pulp database:

        # openssl x509 -in <pulp-client-cert.pem> -inform PEM -subject -nameopt RFC2253
        subject= CN=pulp2_dev_service_auth,O=Pulp Service,ST=NC,C=US
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
        # mongo
        > use pulp_database;
        > db.getSiblingDB("$external").runCommand(
            {
              createUser: "CN=pulp2_dev_service_auth,O=Pulp Service,ST=NC,C=US",
              roles: [ { role: "readWrite", db: "pulp_database" } ],
              writeConcern: { w: "majority", wtimeout: 5000 }
            }
          );

  - Teach mongodb to require SSL, and to require x509 auth, in /etc/mongodb.conf:

        sslMode = requireSSL
        sslPEMKeyFile = <mongodb.pem>
        sslCAFile = <mongo-ca.crt>
        clusterAuthMode = x509

  - Test login to Mongo using X509:

        # mongo --ssl --sslPEMKeyFile <pulp-client-cert.pem> pulp_database --authenticationMechanism MONGODB-X509
        MongoDB shell version: 2.6.12
        connecting to: pulp_database
        >

  - Set up Pulp to use SSL to talk to Mongo, and to use x509 auth, using the pulp-cert's 'subject' as username, and the new setting x509_auth, in /etc/pulp/server.conf:

        username: CN=pulp2_dev_service_auth,O=Pulp Service,ST=NC,C=US
        password:
        ssl: true
        verify_ssl: true
        ssl_certfile: <pulp-client-cert.pem>
        ca_path: <mongo-ca.crt>
        x509_auth: true

  - Turn FIPS on and reboot - sample FIPS instructions for RHEL/CentOS can be found at https://www.dogtagpki.org/wiki/Configuring_FIPS_on_RHEL
  - Pulp will now talk to your Mongo database using X509 authentication, with both sides of the conversation set to FIPS-enabled.
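The procedure above ends with a server.conf block whose settings only work together under the constraints the commit message spells out (x509_auth needs ssl: true and ssl_certfile, and username must equal the client cert subject). The following is an added example, not Pulp's connection.py or any code from the linked PR: it validates a settings dict shaped like that server.conf block and turns it into keyword arguments for pymongo's MongoClient using the MONGODB-X509 mechanism. The helper names, the settings dict layout and the placeholder host/paths are assumptions of this example; the pymongo option names (tls, tlsCertificateKeyFile, tlsCAFile, tlsAllowInvalidCertificates, authMechanism, authSource) are the real ones from pymongo 3.9 and later.

```python
"""Added example (not Pulp's own code): validate [database] settings for
MONGODB-X509 and build pymongo.MongoClient keyword arguments from them."""
import shutil
import subprocess


def validate_x509_settings(cfg, cert_subject=None):
    """Return a list of problems with the settings (empty list == usable).

    Mirrors the constraints from the commit message: x509_auth is only valid
    when ssl is true and ssl_certfile is set, and username must be the subject
    of that client PEM.  cert_subject, when supplied, is the RFC2253 subject
    read from the PEM so it can be compared against username.
    """
    problems = []
    if not cfg.get("x509_auth"):
        return problems  # classic username/password login, nothing to check
    if not cfg.get("ssl"):
        problems.append("x509_auth requires ssl: true")
    if not cfg.get("ssl_certfile"):
        problems.append("x509_auth requires ssl_certfile (the client PEM)")
    if not cfg.get("username"):
        problems.append("x509_auth requires username (the client cert subject)")
    elif cert_subject is not None and cert_subject != cfg["username"]:
        problems.append("username %r does not match client cert subject %r"
                        % (cfg["username"], cert_subject))
    if cfg.get("password"):
        problems.append("password is unused with x509_auth; leave it empty")
    # With verify_ssl off the server certificate is never checked, so any
    # endpoint could impersonate Mongo; flag it even though login would work.
    if not cfg.get("verify_ssl"):
        problems.append("verify_ssl: true (plus ca_path) is needed to verify the server")
    return problems


def client_cert_subject(pem_path):
    """RFC2253 subject of the client cert, obtained the same way the issue
    does (openssl x509 -subject -nameopt RFC2253).  Returns None when openssl
    is not installed so callers can skip the comparison instead of failing."""
    if shutil.which("openssl") is None:
        return None
    out = subprocess.run(
        ["openssl", "x509", "-in", pem_path, "-inform", "PEM", "-noout",
         "-subject", "-nameopt", "RFC2253"],
        capture_output=True, text=True, check=True).stdout
    # Output is "subject=CN=..." (OpenSSL 1.1) or "subject= CN=..." (1.0).
    return out.split("=", 1)[1].strip()


def build_client_kwargs(cfg, cert_subject=None):
    """Keyword arguments for pymongo.MongoClient built from the settings.

    Raises ValueError rather than silently falling back to password auth,
    because that fallback is exactly the MD5-based path that breaks under FIPS.
    """
    problems = validate_x509_settings(cfg, cert_subject)
    if problems:
        raise ValueError("; ".join(problems))
    kwargs = {"host": cfg.get("host", "localhost"),
              "port": int(cfg.get("port", 27017))}
    if cfg.get("ssl"):
        kwargs["tls"] = True
        if cfg.get("ssl_certfile"):
            kwargs["tlsCertificateKeyFile"] = cfg["ssl_certfile"]
        if cfg.get("ca_path"):
            kwargs["tlsCAFile"] = cfg["ca_path"]
        kwargs["tlsAllowInvalidCertificates"] = not cfg.get("verify_ssl")
    if cfg.get("x509_auth"):
        kwargs["authMechanism"] = "MONGODB-X509"
        kwargs["authSource"] = "$external"    # X.509 users live in $external
        kwargs["username"] = cfg["username"]  # the subject created in mongo
    elif cfg.get("username"):
        kwargs["username"] = cfg["username"]
        kwargs["password"] = cfg.get("password", "")
    return kwargs


# Constructed settings mirroring the /etc/pulp/server.conf block in the issue;
# host and file paths are placeholders, not values from the page.
SAMPLE_SETTINGS = {
    "host": "mongo.example.internal",
    "ssl": True,
    "verify_ssl": True,
    "ssl_certfile": "/etc/pki/pulp/pulp-client-cert.pem",
    "ca_path": "/etc/pki/pulp/mongo-ca.crt",
    "username": "CN=pulp2_dev_service_auth,O=Pulp Service,ST=NC,C=US",
    "password": "",
    "x509_auth": True,
}

if __name__ == "__main__":
    # pymongo.MongoClient(**build_client_kwargs(SAMPLE_SETTINGS)) is the call
    # a real connection.py would make; here we only show the arguments.
    print(build_client_kwargs(SAMPLE_SETTINGS))
```

In a live deployment the subject comparison is the check worth keeping: run client_cert_subject on the PEM and pass the result as cert_subject, so a username that drifts from the certificate is reported at startup instead of as an authentication failure buried in Mongo's log.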
Updated by ggainey over 5 years ago
- Status changed from ASSIGNED to POST
Required changes to connection.py and to server.conf
Added by ggainey about 5 years ago
Updated by ggainey about 5 years ago
- Status changed from POST to MODIFIED
Applied in changeset pulp|8c949fe3e6f2b073033bcd3d46e609b8477afef5.
Updated by ipanova@redhat.com almost 5 years ago
- Platform Release set to 2.21.1
Added by ggainey almost 5 years ago
Revision 29d014c1
Allow for MONGODB-X509 authentication to Mongo
Adds a config-setting, 'x509_auth: true/false', to the [database] stanza. Can be used only if ssl: true and ssl_certfile: are set, username: is the subject of the specified client-PEM, and Mongo is set to clusterAuthMode = x509
closes #5512
(cherry picked from commit 8c949fe3e6f2b073033bcd3d46e609b8477afef5)
Updated by ggainey almost 5 years ago
Applied in changeset pulp|29d014c14ea6097437549102dd7896548b125146.
Updated by ipanova@redhat.com almost 5 years ago
- Status changed from MODIFIED to 5
Updated by ipanova@redhat.com almost 5 years ago
- Status changed from 5 to CLOSED - CURRENTRELEASE