# TLS encryption database

1. **Deactivation of the app server**\
   Shut down the app server before continuing with the TLS setup.

2. **Create csr.cnf in `/etc/enginsight/ssl`**

   ```
   [req]
   default_bits = 4096
   default_md = sha256
   distinguished_name = req_dn
   req_extensions = v3_req
    
   [v3_req]
   subjectKeyIdentifier = hash
   basicConstraints = CA:FALSE
   keyUsage = critical, digitalSignature, keyEncipherment
   extendedKeyUsage = serverAuth, clientAuth
   subjectAltName = @alt_names
    
   [alt_names]
   DNS.1 = <SERVER_NAME>
   IP.1 = <SERVER-IP>
    
   [req_dn]
   countryName = DE
   organizationName = Enginsight
   commonName = <DOMAIN_NAME>
   ```

3. **Generate certificate**\
   Execute the following commands to generate a certificate.

   ```
   # Run these inside /etc/enginsight/ssl, next to csr.cnf.
   # The CA key passphrase is stored in ./passwd; keep that file and the CA key readable by root only.
   if [ ! -f ./passwd ]
   then
       openssl rand -base64 16 > ./passwd
   fi

   passwd=$(cat ./passwd)

   # Private CA: encrypted 4096-bit key and a self-signed CA certificate valid for 10 years
   openssl genrsa -des3 -out mongodbCA.key -passout pass:"${passwd}" 4096

   openssl req -x509 -new -key mongodbCA.key -sha256 -days 3650 -subj "/C=DE/ST=CA/O=Enginsight/CN=enginsight.com" -passin pass:"${passwd}" -out mongodbCA.crt

   # Server key (unencrypted, so mongod can load the PEM without a passphrase) and CSR carrying the SANs from csr.cnf
   openssl genrsa -out mongodb.key 2048

   openssl req -new -sha256 -key mongodb.key -out mongodb.csr -config csr.cnf -subj "/C=DE/O=Enginsight/CN=enginsight.com"

   # Sign the CSR with the CA; -extensions v3_req copies subjectAltName and key usage into the certificate
   openssl x509 -sha256 -req -days 3650 -passin pass:"${passwd}" -in mongodb.csr -CA mongodbCA.crt -CAkey mongodbCA.key -CAcreateserial -out mongodb.crt -extfile csr.cnf -extensions v3_req

   # mongod expects key and certificate in a single file; the mongod service user must be able to read it
   cat mongodb.key mongodb.crt > mongodb.pem

   chmod 600 ./passwd mongodbCA.key
   ```

4. **Customizing MongoDB**\
   Adjust your Mongo configuration as shown below.

   ```
   sudo nano /etc/mongod.conf
   ```

   ```
   net:
     port: 27017
     bindIp: 0.0.0.0   # listens on all interfaces; restrict to the app server's network where possible
     tls:
       mode: requireTLS   # unencrypted connections are refused
       certificateKeyFile: /etc/enginsight/ssl/mongodb.pem
       CAFile: /etc/enginsight/ssl/mongodbCA.crt
   ```

5. **Restart service**\
   Use the following command to restart your MongoDB.

   ```
   sudo service mongodb restart
   ```

6. **Checking availability**\
   Check that the database is reachable and that the connection is TLS-encrypted. To do this, open the Mongo shell with the following command, replacing \<DB-HOST:PORT> with the IP address and port at which the app server reaches the database. The host name or IP address you connect to must match the `DNS.1` or `IP.1` entry in `csr.cnf`, otherwise certificate verification fails.

   ```
   mongosh --tls --host <DB-HOST:PORT> --tlsCAFile /etc/enginsight/ssl/mongodbCA.crt --tlsCertificateKeyFile /etc/enginsight/ssl/mongodb.pem
   ```

7. **Transfer certificates**\
   Copy the certificates created in `/etc/enginsight/ssl` (`mongodbCA.crt` and `mongodb.pem`) to `/opt/enginsight/enterprise/conf/ssl` on the app server so that Docker can use them. If the folder does not yet exist on the app server, create it first and then copy the certificates into it.

8. **Customize Docker-Compose.yml**\
   Ensure that the following volume is entered and activated for each container:

   ```
   volumes:
       - "./conf/ssl/:/etc/enginsight/ssl/"
   ```

9. **Run `setup.sh` again**\
   After making the changes to `docker-compose.yml`, run `setup.sh` again on the app server.
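The following script is an added example and not part of the Enginsight documentation. It checks the files produced in step 3 (CA chain, validity, key/certificate match, and the SAN that step 6 relies on) before mongod is pointed at them, and demonstrates the checks on constructed throwaway certificates that carry the same `v3_req` extensions as `csr.cnf`. The hostname `db.example.test`, the helper names and the temporary directory are assumptions of the example.

```shell
#!/bin/sh
# Added example (not part of the Enginsight docs): sanity-check the files from
# step 3 before mongod is pointed at them. Arguments: CA cert, server cert,
# server key (the two parts of mongodb.pem) and the hostname that will be used
# with --host and must appear as DNS.1. Returns 0 only if every check passes.
check_mongo_tls_files() {
  ca_crt=$1 srv_crt=$2 srv_key=$3 expected_host=$4
  # 1. the server cert must chain to the CA handed to mongod/mongosh as CAFile
  openssl verify -CAfile "$ca_crt" "$srv_crt" >/dev/null 2>&1 || { echo "chain: FAIL"; return 1; }
  # 2. it must still be valid 30 days (2592000 s) from now
  openssl x509 -in "$srv_crt" -noout -checkend 2592000 >/dev/null || { echo "expiry: FAIL"; return 1; }
  # 3. the private key must belong to the certificate (compare public-key hashes)
  key_spki=$(openssl pkey -in "$srv_key" -pubout 2>/dev/null | openssl sha256)
  crt_spki=$(openssl x509 -in "$srv_crt" -noout -pubkey | openssl sha256)
  [ -n "$key_spki" ] && [ "$key_spki" = "$crt_spki" ] || { echo "key/cert: FAIL"; return 1; }
  # 4. the connect hostname must be a SAN, or clients reject the certificate
  openssl x509 -in "$srv_crt" -noout -ext subjectAltName | tr ',' '\n' | sed 's/^ *//' \
    | grep -qxF "DNS:$expected_host" || { echo "SAN: FAIL (no DNS:$expected_host)"; return 1; }
  echo "all checks OK"
}

# Demo on constructed data: a throwaway CA and a server cert carrying the same
# v3_req extensions as csr.cnf. The right host passes, a wrong host is rejected.
demo_check() (
  d=$(mktemp -d) && cd "$d" || exit 1
  cat > v3.cnf <<'EOF'
[v3_req]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:db.example.test, IP:10.0.0.5
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 365 \
    -subj "/CN=demo CA" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout s.key -out s.csr \
    -subj "/CN=db.example.test" 2>/dev/null
  openssl x509 -req -in s.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out s.crt \
    -days 365 -extfile v3.cnf -extensions v3_req 2>/dev/null
  check_mongo_tls_files ca.crt s.crt s.key db.example.test || exit 1
  if check_mongo_tls_files ca.crt s.crt s.key wrong.host; then exit 1; fi
  rm -rf "$d"
)

demo_check && echo "demo passed"
```

To check the real files, run `check_mongo_tls_files mongodbCA.crt mongodb.crt mongodb.key <SERVER_NAME>` inside `/etc/enginsight/ssl`.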
