Pulp - Issue #5512: Can't connect to remote mongodb when FIPS-enabled
Journal https://pulp.plan.io/issues/5512?journal_id=47998 | 2019-09-27T17:47:29Z | rchan
<ul><li><strong>Status</strong> changed from <i>NEW</i> to <i>ASSIGNED</i></li></ul>
Journal https://pulp.plan.io/issues/5512?journal_id=48466 | 2019-10-15T17:56:00Z | ggainey
<p>Pre-Mongo4, <code>MONGODB-X509</code> is the best option for skipping the non-FIPS-compliant parts of Mongo authentication. Taking advantage of it requires Pulp and Mongo to communicate via SSL, a change to Pulp's connection.py code, specific extensions to the Pulp-side client certificate, and a specific user being added to MongoDB.</p>
<p>Specifics on the full process for setting up/using a Certificate Authority, generating Certificate Requests, and generating/using SSL certificates for mongo and for pulp are left as an exercise for the reader. Assuming you want to do it 'by hand', one description of the process can be found at <a href="https://gist.github.com/Soarez/9688998" class="external">https://gist.github.com/Soarez/9688998</a></p>
<p>An overview of the process for teaching Pulp and Mongo to use X509 authentication follows:</p>
<ul>
<li>Pulp must be running a copy of connection.py that has the PR linked in this issue applied</li>
<li>Teach Mongo how to use X509 auth, and how to recognize the Pulp user. Documentation describing this process is here: <a href="https://docs.mongodb.com/manual/tutorial/configure-x509-client-authentication/#addx509subjectuser" class="external">https://docs.mongodb.com/manual/tutorial/configure-x509-client-authentication/#addx509subjectuser</a> . Steps include:</li>
</ul>
<ul>
<li>
<p>Generate a client-cert for Pulp (&lt;pulp-client-cert.pem&gt;), generated by the same CA as Mongo's cert, that has the following extensions:</p>
<pre><code># in the [ req ] section of the openssl config used for the CSR
req_extensions = my_extensions
[ my_extensions ]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
</code></pre>
</li>
<li>
<p>Teach Mongo about a user whose name is the pulp-cert's 'subject', and give that user readWrite access to the pulp database:</p>
<pre><code># openssl x509 -in &lt;pulp-client-cert.pem&gt; -inform PEM -subject -nameopt RFC2253
subject= CN=pulp2_dev_service_auth,O=Pulp Service,ST=NC,C=US
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
# mongo
> use pulp_database;
> db.getSiblingDB("$external").runCommand( {
    createUser: "CN=pulp2_dev_service_auth,O=Pulp Service,ST=NC,C=US",
    roles: [ { role: "readWrite", db: "pulp_database" } ],
    writeConcern: { w: "majority" , wtimeout: 5000 }
} );
</code></pre>
</li>
<li>
<p>Teach mongodb to require SSL, and to require x509 auth, in /etc/mongodb.conf:</p>
<pre><code>sslMode = requireSSL
sslPEMKeyFile = &lt;mongodb.pem&gt;
sslCAFile = &lt;mongo-ca.crt&gt;
clusterAuthMode = x509
</code></pre>
</li>
<li>
<p>Test login to Mongo using X509:</p>
<pre><code># mongo --ssl --sslPEMKeyFile &lt;pulp-client-cert.pem&gt; pulp_database \
    --authenticationMechanism MONGODB-X509
MongoDB shell version: 2.6.12
connecting to: pulp_database
>
</code></pre>
</li>
<li>
<p>Set up Pulp to use SSL to talk to Mongo, and to use x509 auth, using the pulp-cert's 'subject' as username, and the new setting <code>x509_auth</code>, in <code>/etc/pulp/server.conf</code>:</p>
<pre><code># in the [database] section
username: CN=pulp2_dev_service_auth,O=Pulp Service,ST=NC,C=US
password:
ssl: true
verify_ssl: true
ssl_certfile: &lt;pulp-client-cert.pem&gt;
ca_path: &lt;mongo-ca.crt&gt;
x509_auth: true
</code></pre>
</li>
<li>
<p>Turn FIPS on and reboot - sample FIPS instructions for RHEL/CentOS can be found at <a href="https://www.dogtagpki.org/wiki/Configuring_FIPS_on_RHEL" class="external">https://www.dogtagpki.org/wiki/Configuring_FIPS_on_RHEL</a></p>
</li>
<li>
<p>Pulp will now talk to your Mongo database using X509 authentication, with both sides of the conversation set to FIPS-enabled.</p>
</li>
</ul>
Journal https://pulp.plan.io/issues/5512?journal_id=48469 | 2019-10-15T18:07:08Z | ggainey
<ul><li><strong>Status</strong> changed from <i>ASSIGNED</i> to <i>POST</i></li></ul><p>Required changes to connection.py and to server.conf</p>
<p><a href="https://github.com/pulp/pulp/pull/3964" class="external">https://github.com/pulp/pulp/pull/3964</a></p>
Journal https://pulp.plan.io/issues/5512?journal_id=48641 | 2019-10-25T07:44:24Z | rchan
<ul><li><strong>Sprint</strong> changed from <i>Sprint 60</i> to <i>Sprint 61</i></li></ul>
Journal https://pulp.plan.io/issues/5512?journal_id=49148 | 2019-11-14T19:30:04Z | rchan
<ul><li><strong>Sprint</strong> changed from <i>Sprint 61</i> to <i>Sprint 62</i></li></ul>
Journal https://pulp.plan.io/issues/5512?journal_id=49812 | 2019-12-06T14:43:36Z | rchan
<ul><li><strong>Sprint</strong> changed from <i>Sprint 62</i> to <i>Sprint 63</i></li></ul>
Journal https://pulp.plan.io/issues/5512?journal_id=51701 | 2020-01-07T12:12:04Z | ggainey
<ul><li><strong>Status</strong> changed from <i>POST</i> to <i>MODIFIED</i></li></ul><p>Applied in changeset <a class="changeset" title="Allow for MONGODB-X509 authentication to Mongo Adds a config-setting, 'x509_auth: true/false', t..." href="https://pulp.plan.io/projects/pulp/repository/pulp/revisions/8c949fe3e6f2b073033bcd3d46e609b8477afef5">pulp|8c949fe3e6f2b073033bcd3d46e609b8477afef5</a>.</p>
Journal https://pulp.plan.io/issues/5512?journal_id=52272 | 2020-01-22T15:40:50Z | ipanova@redhat.com
<ul><li><strong>Platform Release</strong> set to <i>2.21.1</i></li></ul>
Journal https://pulp.plan.io/issues/5512?journal_id=53405 | 2020-02-25T13:35:07Z | ggainey
<p>Applied in changeset <a class="changeset" title="Allow for MONGODB-X509 authentication to Mongo Adds a config-setting, 'x509_auth: true/false', t..." href="https://pulp.plan.io/projects/pulp/repository/pulp/revisions/29d014c14ea6097437549102dd7896548b125146">pulp|29d014c14ea6097437549102dd7896548b125146</a>.</p>
Journal https://pulp.plan.io/issues/5512?journal_id=53522 | 2020-02-27T16:38:33Z | ipanova@redhat.com
<ul><li><strong>Status</strong> changed from <i>MODIFIED</i> to <i>5</i></li></ul>
Journal https://pulp.plan.io/issues/5512?journal_id=53739 | 2020-03-04T16:46:37Z | ipanova@redhat.com
<ul><li><strong>Status</strong> changed from <i>5</i> to <i>CLOSED - CURRENTRELEASE</i></li></ul>