TLS encryption for the database

To ensure that communication from the APP server to the database is encrypted, the following steps must be taken:

  1. Deactivation of the app server: Shut down the app server before continuing with the TLS setup.

  2. Create csr.cnf in /etc/enginsight/ssl: Create the file with the following content, replacing <SERVER_NAME>, <SERVER-IP> and <DOMAIN_NAME> with the values of the database host.

    [req]
    default_bits = 4096
    default_md = sha256
    distinguished_name = req_dn
    req_extensions = v3_req
     
    [v3_req]
    subjectKeyIdentifier = hash
    basicConstraints = CA:FALSE
    keyUsage = critical, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    subjectAltName = @alt_names
     
    [alt_names]
    DNS.1 = <SERVER_NAME>
    IP.1 = <SERVER-IP>
     
    [req_dn]
    countryName = DE
    organizationName = Enginsight
    commonName = <DOMAIN_NAME>

  3. Generate certificate: Execute the following commands in /etc/enginsight/ssl to generate the CA and the server certificate.

    # Run in the directory holding csr.cnf; all paths below are relative to it.
    set -e
    cd /etc/enginsight/ssl

    # Create the CA key passphrase once and keep it readable by root only.
    if [ ! -f ./passwd ]; then
        openssl rand -base64 16 > ./passwd
        chmod 600 ./passwd
    fi
    passwd=$(cat ./passwd)

    # Encrypted CA private key and self-signed CA certificate (valid 10 years).
    openssl genrsa -des3 -out mongodbCA.key -passout "pass:${passwd}" 4096
    chmod 600 mongodbCA.key
    openssl req -x509 -new -nodes -key mongodbCA.key -sha256 -days 3650 -subj "/C=DE/ST=CA/O=Enginsight/CN=enginsight.com" -passin "pass:${passwd}" -out mongodbCA.crt

    # Unencrypted server key (mongod reads certificateKeyFile without a passphrase) and a CSR
    # built from csr.cnf; -subj overrides the commonName in csr.cnf, clients verify the SAN anyway.
    openssl genrsa -out mongodb.key 2048
    openssl req -new -sha256 -key mongodb.key -out mongodb.csr -config csr.cnf -subj "/C=DE/O=Enginsight/CN=enginsight.com"

    # Sign the CSR with the CA and copy the v3_req extensions (SAN, key usage) from csr.cnf.
    openssl x509 -sha256 -req -days 3650 -passin "pass:${passwd}" -in mongodb.csr -CA mongodbCA.crt -CAkey mongodbCA.key -CAcreateserial -out mongodb.crt -extfile csr.cnf -extensions v3_req

    # mongod expects key and certificate in one file. It contains the private key, so restrict it
    # (owner/group of the mongod service account, mode 640) before the service loads it.
    cat mongodb.key mongodb.crt > mongodb.pem

  4. Customizing MongoDB: Adjust your MongoDB configuration as shown below. With `mode: requireTLS`, mongod rejects every connection that does not use TLS. `bindIp: 0.0.0.0` listens on all interfaces; if the host has more than one, restrict it to the address the app server connects to.

    sudo nano /etc/mongod.conf
    
    net:
      port: 27017
      bindIp: 0.0.0.0
      tls:
        mode: requireTLS
        certificateKeyFile: /etc/enginsight/ssl/mongodb.pem
        CAFile: /etc/enginsight/ssl/mongodbCA.crt

  5. Restart service: Use the following command to restart MongoDB. On installations from the official MongoDB packages the service is named mongod rather than mongodb.

    sudo service mongodb restart

  6. Checking availability: Check that the database is reachable and that the connection is TLS encrypted. To do this, open the Mongo shell with the following command and replace <DB-HOST:PORT> with the IP address and port under which the app server reaches the database. The host must match an entry in the [alt_names] section of csr.cnf (DNS.1 or IP.1), otherwise certificate verification fails. If the same connection without --tls is refused, requireTLS is in effect.

    mongosh --tls --host <DB-HOST:PORT> --tlsCAFile /etc/enginsight/ssl/mongodbCA.crt --tlsCertificateKeyFile /etc/enginsight/ssl/mongodb.pem

  7. Transfer certificates: Copy the certificates created in /etc/enginsight/ssl on the database host to /etc/enginsight/ssl on the app server so that Docker can use them. If the folder does not yet exist on the app server, create it first and then place the certificates there.


  8. Customize docker-compose.yml: Ensure that the following volume is entered and activated for each container:

    volumes:
        - "./conf/ssl/:/etc/enginsight/ssl/"

  9. Run setup.sh again: After making the changes to docker-compose.yml, run setup.sh again on the app server.
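As an added example (not part of the Enginsight documentation or product), the following POSIX shell function checks the files produced in step 3 before mongod is restarted: that mongodb.crt chains to mongodbCA.crt, that key and certificate in mongodb.pem belong together, that the v3_req extensions from csr.cnf are present, and that the key file is not world-readable. The function name and its two arguments (the ssl directory and the expected DNS SAN) are my own.

```shell
#!/bin/sh
# Pre-flight check for the TLS material in the ssl directory (example, not product code).
# Usage: verify_mongo_tls_files /etc/enginsight/ssl <SERVER_NAME>
verify_mongo_tls_files() {
    dir="$1"; expected_san="$2"; rc=0
    ca="$dir/mongodbCA.crt"; crt="$dir/mongodb.crt"; pem="$dir/mongodb.pem"
    for f in "$ca" "$crt" "$pem"; do
        [ -f "$f" ] || { echo "FAIL: missing $f"; return 1; }
    done

    # 1. The server certificate must chain to the CA that mongod loads as CAFile.
    if openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "ok: mongodb.crt chains to mongodbCA.crt"
    else
        echo "FAIL: mongodb.crt does not verify against mongodbCA.crt"; rc=1
    fi

    # 2. Key and certificate concatenated into mongodb.pem must belong together:
    #    the public key extracted from each half has to be identical.
    crt_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null)
    if [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]; then
        echo "ok: private key matches certificate"
    else
        echo "FAIL: key/certificate mismatch in mongodb.pem"; rc=1
    fi

    # 3. Extensions from csr.cnf: serverAuth for the mongod listener, clientAuth because
    #    step 6 presents the same file as client certificate, and the SAN that clients
    #    verify the host name against.
    eku=$(openssl x509 -in "$crt" -noout -ext extendedKeyUsage)
    san=$(openssl x509 -in "$crt" -noout -ext subjectAltName)
    case "$eku" in *"TLS Web Server Authentication"*) ;; *) echo "FAIL: serverAuth EKU missing"; rc=1 ;; esac
    case "$eku" in *"TLS Web Client Authentication"*) ;; *) echo "FAIL: clientAuth EKU missing"; rc=1 ;; esac
    case "$san" in
        *"DNS:$expected_san"*) echo "ok: SAN contains DNS:$expected_san" ;;
        *) echo "FAIL: SAN does not contain DNS:$expected_san"; rc=1 ;;
    esac

    # 4. mongodb.pem holds the private key: it must not be readable by every local user.
    mode=$(stat -c '%a' "$pem" 2>/dev/null || stat -f '%Lp' "$pem")
    case "$mode" in
        *[1-7]) echo "FAIL: $pem is world-readable (mode $mode)"; rc=1 ;;
        *) echo "ok: $pem has mode $mode" ;;
    esac
    return $rc
}
```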
