I am a CyberArk engineer and am working on a connector from CyberArk that allows it to manage MongoDB accounts. I am not a DBA and know nothing about Mongo but am familiar with basic ODBC connections. On my Windows 2016 server I have the installed the ODBC drivers and am trying to do a test connection using some credentials given to me by the DBA who’s running it on another host. When connecting, the connection just hangs resulting in a “not responding”, requiring me to kill the process. I checked the port on their server using powershell and it’s open.
Any advice in troubleshooting the issue would be greatly appreciated.
Your IP/Host/port are likely wrong or it’s not getting routed there?
Check that you’ve allowed network access from your machine to MongoDB / MongoDB Atlas
I’d add wireshark to check what ports are actually in fact being used. I installed it so I could get help from my admin to ID the issue.
Also if you’re going across a private link for Cloud that’s also something to figure out, you may need to do some networking configs for that
Is the port 20020? Typically it’s 20717 I think but maybe the customer is using custom port.
Good luck!
BTW I didn’t think CyberArk could support/ manage and audit/record db sessions connecting (e.g. like staff connecting to bastion host) ?? Do you have a link to a white paper for it. Although since you’re testing, I’m guessing this is a proof of concept “NEW” for customers?
The DBA is confident about the port. If I switch the port, to say 20021, it immediately returns a failure (see pic). Only when I try to connect to that particular port does it lock up. That, along with being able to run a Test-NetConnection from powershell (see pic) tells me the port is correct. I had a working session with the DBA, but the only way he know how to connect was using MongoDBCompass so that wasn’t any help with the ODBC connector, which is what CyberArk uses typically. Even with Compass, we couldn’t get it to connect. I am going to reach back out to him to ensure he has it configured correctly per your recommendation.
Appreciate the help guys, this has me banging my head on the keyboard as I have zero control or insight of the database side.
Lastly, CyberArk can only manage the password on this via the CPM server (connects to DB, verifies or changes password), it doesn’t have the recording/audit capabilities found in a PSM connection, like you might find with other devices.
The DBA is confident about the port. If I switch the port, to say 20021, it immediately returns a failure (see pic). Only when I try to connect to that particular port does it lock up. That, along with being able to run a Test-NetConnection from powershell (see pic) tells me the port is correct. I had a working session with the DBA, but the only way he know how to connect was using MongoDBCompass so that wasn’t any help with the ODBC connector, which is what CyberArk uses typically. Even with Compass, we couldn’t get it to connect. I am going to reach back out to him to ensure he has it configured correctly per your recommendation.
Appreciate the help guys, this has me banging my head on the keyboard as I have zero control or insight of the database side.
Lastly, CyberArk can only manage the password on this via the CPM server (connects to DB, verifies or changes password), it doesn’t have the recording/audit capabilities found in a PSM connection, like you might find with other devices.
So the problem is you are trying to connect to MongoDB, but if you look at the error it mentions failure connecting to MySQL Server. I didn’t look at the screenshots in detail… but your issue is you “CANNOT” use this to connect to MongoDB. I realized, this driver is specifically for their “BI Connector” product, this is software is either in Atlas or on premise as a separate service that talks to MongoDB. You can’t run Mongo Commands through this nor would this be the right path. It’s a readonly to query database collections.
This won’t work over ODBC even if the connection is working. A native driver will be required to connect and run commands necessary for user and role management.
Jack,
Here are the answers to your question:
You have a MongoDB server running (where? what platform?) The MongoDB server is within my company’s network and being managed by another team. Not sure about the version, I can ask the DBA
You can connect to the server from Window 2016 using MongoDB Compass. We were not able to connect using Compass. We get an “Authentication failed”
You can connect via Compass? Or only the admin says they can connect with Compass? The DBA(admin) says that they use compass to connect, and had no experience with the ODBC connector. I have tried both.
Have you yourself tried Compass? Yes
If not, please install Compass and try that and see if it connects. I am going to see if we can get together and work on compass some more
You cannot connect to the server on the same port using the MongoDB ODBC Driver.
What you say makes perfect sense, and explains why the DBA had no idea on the usage of the ODBC driver I was using. I am going to reach back out to the DBA with this new knowledge. I am also going to open a case to CyberArk asking them exactly the mechanism their plugin uses so I can establish a connection outside of their plugin for troubleshooting. At that point I can actually try the connector itself. Due to my ignorance about MongoDB, I just assumed a ODBC would be used, as every other database plugin I’ve worked with has been ODBC.
Chris,
When you say “Native Driver”, I assume you mean something like Compass?
All,
A lot of my questions has been cleared up, thank you all for the help. I will let you know how it’s all going. Have a great weekend.
Then it would seem you have bad credentials, or an error in the connect string, or perhaps some issue with TLS.
If the remote MongoDB server is set up for TLS and uses a self-signed certificate, you will need to grab a copy and indicate a path to the copy of the certificate as part of the Compass connect string. Something like:
What you say makes perfect sense, and explains why the DBA had no idea on the usage of the ODBC driver I was using. I am going to reach back out to the DBA with this new knowledge. I am also going to open a case to CyberArk asking them exactly the mechanism their plugin uses so I can establish a connection outside of their plugin for troubleshooting. At that point I can actually try the connector itself. Due to my ignorance about MongoDB, I just assumed a ODBC would be used, as every other database plugin I’ve worked with has been ODBC.
Chris,
When you say “Native Driver”, I assume you mean something like Compass?
All,
A lot of my questions has been cleared up, thank you all for the help. I will let you know how it’s all going. Have a great weekend.
Adam
Adam,
Based on my experience w/CyberArk I don’t recall the company having plug-in that integrates with MongoDB. Best of luck have a good weekend as well.
@chris Could I confirm that a odbc driver doesn’t exist to do this, or does that depend? Running on prem vs cloud has some differences with running commands. From my experience even the native driver won’t allow admin level access if running on Atlas. I’ve never tried paid drivers, so wonder if they allowed it. @Adam_A Is this Atlas? There’s a difference in solution based on that.
It’s hard to see what this is about given that it’s paywalled, but browsing around I’m wondering if this plugin does anything other than credentials management?
Aha … well, this has been a long and confusing conversation
I am a CyberArk engineer and am working on a connector from CyberArk that allows it to manage MongoDB accounts.
If MongoDB Compass say “authentication failed”, either your credentials are wrong, or your URI for MongoDB doesn’t include a database that can authorize for you. It depends on how your MongoDB instance is configured and how authorization is set up. Whoever is managing the MongoDB instance will have to work with you on getting authentication to work. If no one in your organization understands MongoDB and this instance is just sitting there, well, your organization has just elected you “Person To Read The Docs And View The Tutorials And Learn MongoDB”.
If no one in your organization understands MongoDB and this instance is just sitting there, well, your organization has just elected you “Person To Read The Docs And View The Tutorials And Learn MongoDB”.
LOL, so true. That’s exactly how it works. I am luckier than that though, thankfully. I have a DBA I’m working with.
30 years ago, I was contracting for an Incredibly Big Manufacturer .
They had a house team and I was there to “cross-pollinate”.
First days on the job, I had a few questions:
“Who’s the expert on the C++ compiler?” “You are, as of now.” … “Who’s the expert on the class library?” “That’s you, going forward.” … “Who’s our GUI programming guru?” “That’d be you, Jack.”
It was a totally transformative experience and made me as a programmer. I kid you not.
