Enabling Internal X.509 Authentication: clusterFile

Walter_Fortunato · August 20, 2020, 11:45am

in my studio environment I have a replicaset with mongodb 4.2.8 community edition. When I configure RS members to work with internal authentication, I must necessarily define 2 certificates: CAFile and certificateKeyFile. It is not possible to insert only clusterFile, in fact if it is not present
certificateKeyFile I get this error when mongod starts:

“Failed global initialization: BadValue: need tlsCertificateKeyFile or certificateSelector when TLS is enabled”.

clusterFile is optional and if it is not present, mongodb uses certicateKeyFile.

On the certificateKeyFile certificate, mongod verifies the subject; on the clusterFile certificate instead, there is no verification on the subject and I can put any certificate signed by the CA, even of other members, it can be the same for all members or not, and everything works correctly
(I created a certificate with a CN equal to the name of the replica set, and I distributed it on the members and it works).

I therefore miss the meaning of the clusterFile certificate.

In the Mongodb documentation, its meaning is described like this:

security:
clusterAuthMode: x509
net:
tls:
mode: requireTLS
certificateKeyFile: <path to its TLS / SSL certificate and key file>
CAFile:
clusterFile:
bindIp: localhost, <hostname (s) | ip address (es)>

But if no check is carried out on the subject of the certificate, what verification is carried out on membership authentication? What certification obligation does clusterFile take me to?

thanks!!

Pavel_Duchovny · August 21, 2020, 5:16pm

Hi @Walter_Fortunato,

Thr clusterFile is a property to use a different certificate explicitly for internal communication of the members. The certificateKeyFile is expected to be presented as a server certificate to the application client.

If clusterFile is not provided the mongod also uses certificateKeyFile certificate as a client to other members communication. Therefore, in this case, its usage needs a client and server roles.

Let me know if you have any questions

Pavel

Walter_Fortunato · August 21, 2020, 8:35pm

Hi Pavel,

Thank you for your answer.

My doubt lies in the fact that it is not possible to start a mongod instance using only the clusterFile, as it is also necessary to specify certificateKeyFile.

Also no check is done on the ClusterFile certificate: for example I could use any valid certificate that contains anything in CN. Why produce two different certificates if what really matters is certificateKeyFile?

Furthermore, I believe it is correct to expect the ClusterFile certificate to uniquely identify a node as a member of that cluster, perhaps using the cluster name as the CN, as well as certificateKeyFile uniquely identifies the client node.

Thank you
Regards

Eduardo_HM · August 26, 2020, 11:25am

Good morning Walter_Fortunato

I am trying to configure my replica set cluster to change the internal authentication of the cluster members. Currently I have keyfile authentication established, which is the simplest, but I need to know how to configure that internal authentication using self-signed certificates. I have followed the documentation and got nothing.

I have created a thread in the mongodb community in case you want to look at it where I explain what happens to me.

Best regards.