By Alex Komyagin, Technical Services Engineer at MongoDB
Setting up Kerberos authentication and SSL encryption in a MongoDB Java application is not as simple as other languages. In this post, I’m going to show you how to create a Kerberos and SSL enabled Java application that communicates with MongoDB.
My original setup consists of the following:
1) KDC server:
kerberos config file (/etc/krb5.conf):
KDC has the following principals:
- gssapitest@MONGOTEST.COM - user principle (for java app)
- mongodb/rhel64.mongotest.com@MONGOTEST.COM - service principle (for mongodb server)
2) MongoDB server:
MongoDB version: 2.6.0
MongoDB config file:
This server also has the global environment variable
$KRB5_KTNAME set to the keytab file exported from KDC.
Application user is configured in the admin database like this:
3) Application server: has stock OS with krb5 installed
All servers are running with RHEL6.4 onboard.
Now let’s talk about how to create a Java application with Kerberos and SSL enabled, and that will run on the application server. Here is the sample code that we will use (SSLApp.java):
Download the java driver:
Install java and jdk:
sudo yum install java-1.7.0
sudo yum install java-1.7.0-devel
Create a certificate store for Java and store the server certificate there, so that Java knows who it should trust:
(mongodb.crt is just a public certificate part of mongodb.pem)
Copy kerberos config file to the application server:
/etc/krb5.conf or “
`C:\WINDOWS\krb5.ini” (otherwise you’ll have to specify kdc and realm as Java runtime options)
Use kinit to store the principal password on the application server:
As an alternative to kinit, you can use JAAS to cache kerberos credentials.
Compile and run the Java program
It is important to specify
useSubjectCredsOnly=false, otherwise you’ll get the “No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)” exception from Java. As we discovered, this is not strictly necessary in all cases, but it is if you are relying on kinit to get the service ticket.
The Java driver needs to construct MongoDB service principal name in order to request the Kerberos ticket. The service principal is constructed based on the server name you provide (unless you explicitly asked to canonicalize server name). For example, if I change
rhel64.mongotest.com to the host IP address in the connection URI, I would be getting Kerberos exceptions No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)]. So be sure you specify the same server host name as you used in the Kerberos principal (). Adding
-Dsun.security.krb5.debug=true to Java runtime options helps a lot in debugging kerberos auth issues.
These steps should help simplify the process of connecting Java applications with SSL. Before deploying any application with MongoDB, be sure to read through our 12 tips for going into production and the Security Checklist which outlines recommended security measures to protect your MongoDB installation. More information on configuring MongoDB Security can be found in the MongoDB Manual.
For further questions, feel free to reach out to the MongoDB team through google-groups.