# TLS encryption database

1. **Deactivation of the app server**\
   Shut down the app server before continuing with the TLS setup.

2. **Create csr.cnf in `/etc/enginsight/ssl`**

   ```
   [req]
   default_bits = 4096
   default_md = sha256
   distinguished_name = req_dn
   req_extensions = v3_req
    
   [v3_req]
   subjectKeyIdentifier = hash
   basicConstraints = CA:FALSE
   keyUsage = critical, digitalSignature, keyEncipherment
   extendedKeyUsage = serverAuth, clientAuth
   subjectAltName = @alt_names
    
   [alt_names]
   DNS.1 = <SERVER_NAME>
   IP.1 = <SERVER-IP>
    
   [req_dn]
   countryName = DE
   organizationName = Enginsight
   commonName = <DOMAIN_NAME>
   ```

3. **Generate certificates**\
   Execute the following commands from `/etc/enginsight/ssl` to create a private CA and a server certificate signed by it.

   ```bash
   # Run from /etc/enginsight/ssl, where csr.cnf was created in step 2.
   # Generate a random passphrase for the CA key once and reuse it on later runs.
   if [ ! -f ./passwd ]; then
       openssl rand -base64 16 > ./passwd
   fi

   passwd=$(cat ./passwd)

   # CA private key (encrypted with the passphrase) and self-signed CA certificate, valid for 10 years
   openssl genrsa -des3 -out mongodbCA.key -passout pass:"${passwd}" 4096

   openssl req -x509 -new -nodes -key mongodbCA.key -sha256 -days 3650 -subj "/C=DE/ST=CA/O=Enginsight/CN=enginsight.com" -passin pass:"${passwd}" -out mongodbCA.crt

   # Server private key (unencrypted, so mongod can read it without a password) and CSR built from csr.cnf
   openssl genrsa -out mongodb.key 2048

   openssl req -new -sha256 -key mongodb.key -out mongodb.csr -config csr.cnf -subj "/C=DE/O=Enginsight/CN=enginsight.com"

   # Sign the CSR with the CA and copy the v3_req extensions (SAN, key usage) from csr.cnf into the certificate
   openssl x509 -sha256 -req -days 3650 -passin pass:"${passwd}" -in mongodb.csr -CA mongodbCA.crt -CAkey mongodbCA.key -CAcreateserial -out mongodb.crt -extfile csr.cnf -extensions v3_req

   # MongoDB expects key and certificate together in one PEM file
   cat mongodb.key mongodb.crt > mongodb.pem
   ```

4. **Customizing MongoDB**\
   Adjust your Mongo configuration as shown below. `mode: requireTLS` rejects every connection that does not use TLS, and with `CAFile` set the server also expects connecting clients (the app server) to present a certificate it can validate against that CA. `bindIp: 0.0.0.0` makes MongoDB listen on all interfaces, so make sure the port is only reachable from the app server.

   ```
   sudo nano /etc/mongod.conf
   ```

   ```
   net:
     port: 27017
     bindIp: 0.0.0.0
     tls:
       mode: requireTLS
       certificateKeyFile: /etc/enginsight/ssl/mongodb.pem
       CAFile: /etc/enginsight/ssl/mongodbCA.crt
   ```

5. **Restart service**\
   Use the following command to restart your MongoDB.

   ```
   sudo service mongodb restart
   ```

6. **Checking availability**\
   Check that the database is reachable and that TLS is in force. To do this, open the Mongo shell with the following command and replace \<DB-HOST:PORT> with the host (IP address or DNS name) and port under which the app server reaches the database. The host must match a `subjectAltName` entry from `csr.cnf` (`DNS.1` or `IP.1`), otherwise the TLS verification fails.

   ```
   mongosh --tls --host <DB-HOST:PORT> --tlsCAFile /etc/enginsight/ssl/mongodbCA.crt --tlsCertificateKeyFile /etc/enginsight/ssl/mongodb.pem
   ```

7. **Transfer certificates**\
   Copy the certificates created in `/etc/enginsight/ssl` to `/opt/enginsight/enterprise/conf/ssl` on the app server so that they can be mounted into Docker. If the folder does not yet exist on the app server, create it first and then place the certificates there.

8. **Customize `docker-compose.yml`**\
   Ensure that the following volume mount is present, and not commented out, for each container:

   ```
   volumes:
       - "./conf/ssl/:/etc/enginsight/ssl/"
   ```

9. **Run `setup.sh` again**\
   After making the changes to `docker-compose.yml`, run `setup.sh` again on the app server.
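
A pre-flight check for step 6 that can be run from the app server before it is started again, written as an added example that is not part of the Enginsight manual: it connects with the same CA and client certificate the containers will mount, lets Python's `ssl` module verify the chain and the host name against `mongodbCA.crt`, and then checks that the certificate's `subjectAltName` covers the address in use and is not close to expiry. The file paths, the sample certificate dict and the host names are assumptions.

```python
import socket
import ssl
import sys
import time

# Assumed paths: the files produced in step 3 and copied to the app server in step 7.
CA_FILE = "/etc/enginsight/ssl/mongodbCA.crt"
CLIENT_PEM = "/etc/enginsight/ssl/mongodb.pem"

# Constructed sample in the shape getpeercert() returns; the names stand in for <SERVER_NAME>/<SERVER-IP>.
SAMPLE_CERT = {
    "subject": ((("commonName", "enginsight.com"),),),
    "subjectAltName": (("DNS", "db01.example.internal"), ("IP Address", "10.0.0.5")),
    "notAfter": "Jun  1 12:00:00 2034 GMT",
}


def check_peer_cert(cert, expected_host, now=None, min_days=30):
    """Return findings for a getpeercert() dict; an empty list means the cert
    names the host the app server will use and is not about to expire."""
    findings = []
    if now is None:
        now = time.time()
    # subjectAltName arrives as (type, value) pairs: ("DNS", ...) or ("IP Address", ...),
    # both taken from the [alt_names] section of csr.cnf when the CSR was signed.
    sans = {value for _, value in cert.get("subjectAltName", ())}
    if expected_host not in sans:
        findings.append(f"{expected_host!r} is not in subjectAltName {sorted(sans)}")
    # notAfter uses OpenSSL's fixed text format, which ssl.cert_time_to_seconds parses
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400
    if days_left < min_days:
        findings.append(f"certificate expires in {int(days_left)} days")
    return findings


def fetch_db_cert(host, port):
    """Connect like the app server: CA pinned to mongodbCA.crt, client cert from
    mongodb.pem, hostname check on. Raises ssl.SSLError if chain or name fails."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=CA_FILE)
    ctx.load_cert_chain(CLIENT_PEM)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    db_host, db_port = sys.argv[1], int(sys.argv[2])  # e.g. 10.0.0.5 27017
    findings = check_peer_cert(fetch_db_cert(db_host, db_port), db_host)
    print("OK" if not findings else "\n".join(findings))
    sys.exit(1 if findings else 0)
```

A plaintext client, or one without the CA file, is refused by the server before any of these checks run, which is exactly what `requireTLS` is meant to enforce.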

