文章目录
- 自定义证书
- 生成CA证书
- 生成服务器之间的证书
- 生成集群证书
- 生成用户证书
- MongoDB配置
- java使用x.509证书连接MongoDB
- MongoShell使用证书连接
8.0版本的mongodb开启复制集,配置证书认证
自定义证书
生成CA证书
生成ca私钥: openssl genrsa -out ca.key 4096 # 生成RSA 4096位私钥
生成ca证书: openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt -subj "/CN=MongoDB Root CA/O=MyOrg/OU=Security"
验证ca证书: openssl x509 -in ca.crt -text -noout
生成pkcs12格式的p12文件:后续用于java代码认证
cat ca.crt ca.key > ca.pem
openssl pkcs12 -export -in ca.pem -out ca.p12 -password pass:123456
生成服务器之间的证书
生成服务器私钥: openssl genrsa -out server.key 2048
生成证书签名请求: openssl req -new -key server.key -out server.csr -subj "/CN=1.1.1.1/O=MyOrg/OU=Servers"
生成扩展配置文件(server.ext):
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature, keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:mongodb-server.example.com,DNS:localhost,IP:192.168.1.100
用ca签发证书: openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile server.ext
合并证书与私钥: cat server.crt server.key > server.pem
验证服务器证书: openssl verify -CAfile ca.crt server.crt # 应显示 “OK”
生成集群证书
生成集群私钥: openssl genrsa -out cluster.key 2048
生成CSR : openssl req -new -key cluster.key -out cluster.csr -subj "/CN=node1/O=MyOrg/OU=MongoDB-Cluster" 必须包含一致的 O(组织)或 OU(部门),否则集群节点无法相互认证。
生成扩展配置文件(cluster.ext):
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature, keyEncipherment
extendedKeyUsage=clientAuth
ca签发集群证书: openssl x509 -req -in cluster.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out cluster.crt -days 365 -sha256 -extfile cluster.ext
合并证书与私钥: cat cluster.crt cluster.key > cluster.pem
验证集群证书:
openssl x509 -in cluster.crt -text | grep "Subject:" # 确认O/OU一致性
openssl verify -CAfile ca.crt cluster.crt # 应显示 “OK”
生成用户证书
生成用户私钥: openssl genrsa -out zy1.key 2048
生成CSR : openssl req -new -key zy1.key -out zy1.csr -subj "/O=MyOrg/CN=zy1" 必须包含一致的 O(组织)或 OU(部门),否则集群节点无法相互认证。
生成扩展配置文件( zy1.ext):
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature, keyEncipherment
extendedKeyUsage=clientAuth
ca签发集群证书: openssl x509 -req -in zy1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out zy1.crt -days 365 -sha256 -extfile zy1.ext
合并证书与私钥: cat zy1.crt zy1.key > zy1.pem
获取subject : openssl x509 -in /usr/local/database/mongodb8.0.5/crt/zy1.pem -inform PEM -subject -nameopt RFC2253
生成pkcs12 格式的信任库文件:
openssl pkcs12 -export -inkey zy1.pem -in zy1.pem -out zy1_pem.p12 -password pass:123456
测试PKCS12密码正确性
keytool -list -v -keystore C:\Users\Administrator\Desktop\crt\zy1_pem.p12 -storetype pkcs12
MongoDB配置
mongodb配置:
# mongod.conf
net:
tls:
mode: requireTLS
CAFile: /path/to/ca.crt
certificateKeyFile: /path/to/server.pem
clusterFile: /path/to/cluster.pem
security:
clusterAuthMode: x509
authorization: enabled
所有pem文件的权限都设为600 : chmod 600 ca.crt server.pem cluster.pem
客户端的证书由同一CA签发,并且在Mongodb中创建对应用户,如下:用户名为O=MyOrg,CN=zy,需要与证书中的Subject保持一致。可以通过名命令获取:
openssl x509 -in /usr/local/database/mongodb8.0.5/crt/zy1.pem -inform PEM -subject -nameopt RFC2253
db.getSiblingDB("$external").runCommand(
{
createUser: "O=MyOrg,CN=zy",
roles: [
{ role: "readWrite", db: "test" },
{ role: "userAdminAnyDatabase", db: "admin" }
],
writeConcern: { w: "majority" , wtimeout: 5000 }
}
)
java使用x.509证书连接MongoDB
package com.zy.sslcontext;
import com.mongodb.ConnectionString;
import com.mongodb.MongoClientSettings;
import com.mongodb.MongoCredential;
import com.mongodb.ServerAddress;
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;
import com.mongodb.client.MongoCollection;
import com.mongodb.client.MongoDatabase;
import org.bson.Document;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.*;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.concurrent.TimeUnit;
/**
* Connect to a MongoDB cluster with TLS connection.
* Validate MongoDB server's certificate with the CA certificate. Present a Client certificate to be validated by
* the MongoDB server.
*
* Use X509 certificate to authenticate with the MongoDB server
*
* Create a custom {@link javax.net.ssl.SSLContext} with the TrustStore holding the CA certificate and
* the KeyStore holding the Client certificate and provide it to the MongoDB Driver.
*/
public class ValidateServerPresentClientCertificateX509Auth {
public static void main(String[] args) {
// System.setProperty("javax.net.debug", "ssl:handshake:verbose");
// Configure MongoDB Driver to use MONGODB-X509 as authentication mechanism
// 此处url可以不用填写用户名密码,则后续配置时采用credential(MongoCredential.createMongoX509Credential())使用证书在的用户信息进行数据操作
String connectionString = "mongodb://zy:123456@1.1.1.1:27017/?&ssl=true";
SSLContext sslContext;
try {
sslContext = getSSLContext();
} catch (Exception e) {
System.out.println("Failed to generate SSLContext. Error: " + e.getMessage());
return;
}
MongoClientSettings settings = MongoClientSettings.builder()
.applyConnectionString(new ConnectionString(connectionString))
.applyToSslSettings(builder -> {
builder.enabled(true); // 开启ssl
builder.context(sslContext);
})
// .credential(MongoCredential.createCredential("zy","admin","123456".toCharArray()))
// .credential(MongoCredential.createMongoX509Credential("O=MyOrg,CN=zy"))
// .credential(MongoCredential.createMongoX509Credential())
.applyToConnectionPoolSettings(builder -> builder
.maxSize(1) // 总最大连接数(所有实例总和)
.minSize(1) // 总最小空闲连接数
.maxWaitTime(1500, TimeUnit.MILLISECONDS)
.maxConnectionIdleTime(10, TimeUnit.MINUTES)
)
.applyToSocketSettings(b -> b
.connectTimeout(3000, TimeUnit.MILLISECONDS)
.readTimeout(5000, TimeUnit.MILLISECONDS)
)
.build();
MongoClient client = MongoClients.create(settings);
MongoDatabase test = client.getDatabase("test");
MongoCollection<Document> coll = test.getCollection("collection1");
// Retrieve the first document and print it
System.out.println(coll.getNamespace());
System.out.println(coll.find().first());
MongoCollection<Document> collection = client.getDatabase("zy").getCollection("test1");
collection.find().forEach(System.out::println);
}
/**
* Load CA certificate from the file into the Trust Store.
* Use PKCS12 keystore storing the Client certificate and read it into the {@link KeyStore}
* Generate {@link SSLContext} from the Trust Store and {@link KeyStore}
*
* @return SSLContext
*
* @throws IOException
* @throws CertificateException
* @throws NoSuchAlgorithmException
* @throws KeyStoreException
* @throws KeyManagementException
*/
private static SSLContext getSSLContext() throws IOException, CertificateException,
NoSuchAlgorithmException, KeyStoreException, KeyManagementException, UnrecoverableKeyException {
// String certsPath = System.getProperty("cert_path");
String certsPath = "C:\\Users\\Administrator\\Desktop\\crt\\";
// Path to the CA certificate on disk
String caCertPath = certsPath + "ca.crt";
// 避坑:使用JKS认证失败
// openssl pkcs12 -export -inkey zy.key -in zy.pem -out zy.p12
// Path to the PKCS12 Key Store holding the Client certificate
String clientCertPath = certsPath + "zy1_pem.p12";
String clientCertPwd = "123456";
SSLContext sslContext;
try (
InputStream caInputStream = new FileInputStream(caCertPath);
InputStream clientInputStream = new FileInputStream(clientCertPath)
) {
// Read Client certificate from PKCS12 Key Store
KeyStore clientKS = KeyStore.getInstance("PKCS12");
clientKS.load(clientInputStream, clientCertPwd.toCharArray());
// Retrieve Key Managers from the Client certificate Key Store
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(clientKS, clientCertPwd.toCharArray());
KeyManager[] keyManagers = kmf.getKeyManagers();
// Read CA certificate from file and convert it into X509Certificate
CertificateFactory certFactory = CertificateFactory.getInstance("X509");
X509Certificate caCert = (X509Certificate)certFactory.generateCertificate(caInputStream);
KeyStore caKS = KeyStore.getInstance(KeyStore.getDefaultType());
caKS.load(null);
caKS.setCertificateEntry("caCert", caCert);
// Initialize Trust Manager
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(caKS);
// Create SSLContext. We need Trust Manager only in this use case
sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManagers, tmf.getTrustManagers(), null);
}
return sslContext;
}
}
MongoShell使用证书连接
./mongosh --host 1.1.1.1 --tls --tlsCAFile /usr/local/database/mongodb8.0.5/crt/ca.crt --tlsCertificateKeyFile /usr/local/database/mongodb8.0.5/crt/zy.pem --authenticationDatabase '$external' --authenticationMechanism MONGODB-X509
![[docker基础二]NameSpace隔离实战](https://i-blog.csdnimg.cn/direct/78aed6bf677a43f088619622f4bf0a17.png)
