Using a cert to connect graylog to a mongodb cluster

1. Describe your incident:

https://docs.graylog.org/v1/docs/multinode-setup

This document says to put the database password in the connection string. I would like to connect with a certificate because I think it is a better security model than connecting with a plain-text password. I tried to use the Linux method of using two ` marks so that the shell interprets a cat command and reads the secret from the key file, and it did not connect. I ran netstat twice after restarting the service and saw a TIME_WAIT followed by a dropped connection. Is there a method to use a key file, or is this route not workable? If you can't use a key file, will it accept a salted hash in a connection string?

2. Describe your environment:
cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.3 LTS"

  • Package Version:
    4.1
  • Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?

I put a key file in place and tried to use the Linux backticks solution to pull the key secret.

4. How can the community help?

Is it technically possible to connect to MongoDB with a key or salted hash? If so, what is the syntax?


Hello && welcome

Are you referring to something like this?

That is exactly what I am referring to, and I understand the technical reasons why the feature request is denied. My follow-up for this is this: if you cannot use a key to authenticate, can you encrypt your password as a salted hash, or is this also not technically possible? Thank you.

Sincerely,
Michael Lazin

Hello,

Good question, I don’t know right now but I’ll look into it.

Hello,

Your question is on point. I started researching this also because of upcoming projects I have. Since our MongoDB is on the same server and holds only the metadata within that server, we didn't have a need for it, which makes it more secure when configuring MongoDB with roles such as in this example.

use admin
db.createUser(
  {
    user: "myUserAdmin",
    pwd: passwordPrompt(), // or cleartext password
    roles: [
      { role: "userAdminAnyDatabase", db: "admin" },
      { role: "readWriteAnyDatabase", db: "admin" }
    ]
  }
)

When creating a user/password for the Graylog connection to MongoDB, we gave the user for this connection a role, and since it is within the GL server, meaning it is not connecting outside the server, we just ensured the user name and password were very unique. Example:

use some_db
db.createUser(
  {
    user: "myNormalUser",
    pwd: "xyz123",
    roles: [ { role: "readWrite", db: "some_db" },
             { role: "read", db: "some_other_db" } ]
  }
)

But nevertheless, these are good ideas/questions, knowing that in larger environments it may not be possible to have MongoDB/Graylog on the same node.

Perhaps posting here for a feature request would be ideal.

Feature request

Hope that helps

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.