The selected method is used for all internal communication. For example, when a client authenticates to a mongos using one of the supported authentication mechanisms, mongos then uses the configured internal authentication method to connect to the required mongod instances.
Enabling internal authentication also enables client authorization.
Keyfiles use the SCRAM challenge-and-response authentication mechanism, where the keyfile contains the shared password for the members.
A key's length must be between 6 and 1024 characters and may only contain characters in the base64 set. MongoDB strips whitespace characters (for example x20) for cross-platform convenience. As a result, the following operations all produce identical keys:
echo -e "mysecretkey" > key1
echo -e "my secret key" > key1
echo -e "my secret key\n" > key2
echo -e "my secret key" > key3
echo -e "my\r\nsecret\r\nkey\r\n" > key4
Starting in MongoDB 4.2, keyfiles for internal membership authentication use YAML format to allow for multiple keys in a keyfile. The YAML format accepts either:
A single key string (same as in earlier versions)
A sequence of key strings
The YAML format is compatible with the existing single-key keyfiles that use the text file format.
On UNIX systems, the keyfile must not have group or world permissions. On Windows systems, keyfile permissions are not checked.
You must store the keyfile on each server hosting a member of the replica set or sharded cluster.
For MongoDB's encrypted storage engine, the keyfile used for local key management can only contain a single key.
To specify the keyfile, use the security.keyFile setting or the --keyFile command line option.
For an example of keyfile internal authentication, see Update Replica Set to Keyfile Authentication.
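The keyfile rules above (whitespace stripping, the base64 character set, the 6 to 1024 length limit, the single-key text format versus the 4.2 YAML sequence, and the POSIX permission check) as a small validator. This is an added example, not MongoDB's own code; it assumes a simplified YAML subset (plain or quoted `- item` lines) rather than a full YAML parser, and assumes the `=` padding character counts as part of the base64 set.

```python
import os
import re
import stat

# Base64 alphabet; '=' padding is assumed to be accepted too (assumption).
KEY_CHARS = re.compile(r"^[A-Za-z0-9+/=]+$")
MIN_LEN, MAX_LEN = 6, 1024


def normalize_key(raw: str) -> str:
    """Strip all whitespace (space, tab, CR, LF) as MongoDB does, so the same
    key written with spaces or CRLF line endings compares equal."""
    return re.sub(r"\s+", "", raw)


def validate_key(key: str) -> str:
    """Return the key if it satisfies the length and character-set rules."""
    if not MIN_LEN <= len(key) <= MAX_LEN:
        raise ValueError(f"key length {len(key)} is outside {MIN_LEN}..{MAX_LEN}")
    if not KEY_CHARS.match(key):
        raise ValueError("key contains characters outside the base64 set")
    return key


def parse_keyfile(text: str) -> list:
    """Return the list of normalized, validated keys in a keyfile.

    Accepts the pre-4.2 single-key text format, a YAML single string, or a
    YAML '- item' sequence (simplified YAML subset, an assumption of this
    example, not a full YAML parser)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines and all(ln.startswith("- ") for ln in lines):
        raw_keys = [ln[2:].strip().strip("'\"") for ln in lines]
    else:
        raw_keys = [text.strip().strip("'\"")]
    return [validate_key(normalize_key(k)) for k in raw_keys]


def permissions_ok(mode: int) -> bool:
    """A keyfile must have no group or world permission bits on UNIX."""
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def load_keyfile(path: str) -> list:
    """Check permissions (POSIX only, as MongoDB does) and parse the file."""
    if os.name == "posix":
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if not permissions_ok(mode):
            raise PermissionError(f"{path}: group/world permission bits are set")
    with open(path, encoding="utf-8") as fh:
        return parse_keyfile(fh.read())
```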
Members of a replica set or sharded cluster can use x.509 certificates for internal authentication instead of using keyfiles. MongoDB supports x.509 certificate authentication for use with a secure TLS/SSL connection.
MongoDB disables support for TLS 1.0 encryption on systems where TLS 1.1+ is available. For more details, see Disable TLS 1.0.
Use member certificates to verify membership to a sharded cluster or a replica set. Member certificate file paths are configured with the net.tls.certificateKeyFile option. Members have the following configuration requirements:
Cluster member configuration must specify a non-empty value for at least one of the attributes used for authentication. By default, MongoDB accepts:
the Organization (O)
the Organizational Unit (OU)
the Domain Component (DC)
You can specify alternative attributes to use for authentication by setting net.tls.clusterAuthX509.attributes.
Cluster member configuration must include the same net.tls.clusterAuthX509.attributes and use matching values. Attribute order doesn't matter. The following example sets O and OU, but not DC:
net:
  tls:
    clusterAuthX509:
      attributes: O=MongoDB, OU=MongoDB Server
The certificates have the following requirements:
A single Certificate Authority (CA) must issue all x.509 certificates for the members of a sharded cluster or a replica set.
At least one of the Subject Alternative Name (SAN) entries must match the server hostname used by other cluster members. When comparing SANs, MongoDB can compare either DNS names or IP addresses.
If you don't specify subjectAltName, MongoDB compares the Common Name (CN) instead. However, this usage of CN is deprecated per RFC2818.
If the certificate used as the certificate key file includes extendedKeyUsage, the value must include both clientAuth ("TLS Web Client Authentication") and serverAuth ("TLS Web Server Authentication"):
extendedKeyUsage = clientAuth, serverAuth
If the certificate used as the cluster file includes extendedKeyUsage, the value must include clientAuth:
extendedKeyUsage = clientAuth
To use TLS for internal authentication, use the following settings:
mongos instances use their certificate key files to
prove their identity to clients, but certificate key files can also be used for
membership authentication. If you do not specify a cluster file,
members use their certificate key files for membership authentication.
Specify the certificate key file with net.tls.certificateKeyFile (available starting in MongoDB 4.2).
To use the certificate key file for both client authentication and membership authentication, the certificate must either omit extendedKeyUsage or include both values:
extendedKeyUsage = serverAuth, clientAuth
For an example of x.509 internal authentication, see Use x.509 Certificate for Membership Authentication.
To upgrade from keyfile internal authentication to x.509 internal authentication, see Upgrade from Keyfile Authentication to x.509 Authentication.