The below instructions cover common steps used to configure a TLS/SSL connection from the MongoDB Agent client. For full information on secure connections and server-side configuration, refer to the TLS/SSL Configuration for Clients section of the MongoDB documentation for your database version.
A full treatment of TLS/SSL keys, certificates, and certificate authorities (CA) is beyond the scope of this document. The following instructions assume familiarity with TLS/SSL concepts and tools. Client and certificate authority certificates must be available prior to proceeding.
In order to use SSL, your MongoDB server must include SSL support and allow SSL connections. There are various configuration options for client connections. Refer to the MongoDB documentation and verify that the current MongoDB server configuration parameters support the desired authentication.
The Foglight agent, in its capacity as a database client, requires access to a private key, its signed certificate, and the signing CA’s certificate. The client key and certificate must be imported into a keystore, and the CA certificate must be imported into a separate truststore.
One example method for generating a JKS keystore for use with Foglight utilizes openssl and keytool. Set the key and certificate filenames, alias name, and keystore password as appropriate.
openssl pkcs12 \
-export \
-in ${CERT_NAME}.crt \
-inkey ${CERT_NAME}.key \
-name $CERT_NAME \
-out temp-keystore.p12 \
-passout pass:${KEYPASS}
keytool -importkeystore \
-srckeystore temp-keystore.p12 \
-srcstoretype PKCS12 \
-srcstorepass $KEYPASS \
-destkeystore keystore \
-deststoretype JKS \
-deststorepass $KEYPASS
Regardless of how the keystore is constructed, it must list the client certificate as a 'PrivateKeyEntry', indicating that it also contains the private key, not just the signed certificate.
Separately, import the CA certificate into a truststore:
keytool -importcert \
-keystore truststore \
-alias $CA_NAME \
-file ${CA_NAME}.crt \
-keypass $TRUSTPASS \
-storepass $TRUSTPASS \
-storetype JKS \
-noprompt
Next, edit the baseline.jvmargs.config file in the /state/default/config directory and add the following parameters with file paths and passwords appropriate for your system.
vmparameter.0 = "-Djavax.net.ssl.keyStore=/path/to/keystore";
vmparameter.1 = "-Djavax.net.ssl.keyStorePassword=changeit";
vmparameter.2 = "-Djavax.net.ssl.trustStore=/path/to/truststore";
vmparameter.3 = "-Djavax.net.ssl.trustStorePassword=changeit";
For example (change the paths to reflect the correct locations on your system):
vmparameter.0 = "-Djavax.net.ssl.keyStore=\"C:/Foglight Agent Manager/jre/1.8.0.72/jre/bin/keystore\"";
vmparameter.1 = "-Djavax.net.ssl.keyStorePassword=changeit";
vmparameter.2 = "-Djavax.net.ssl.trustStore=\"C:/Foglight Agent Manager/jre/1.8.0.72/jre/bin/truststore\"";
vmparameter.3 = "-Djavax.net.ssl.trustStorePassword=changeit";
Escape any quotes with a backslash (‘\’). On an Agent Manager installed on Windows, use forward slashes in the file paths, like so:
vmparameter.0 = "-Djavax.net.ssl.keyStore=\"C:/path/to/keystore\"";
Then, restart the FglAM and continue with the agent configuration, setting the “Use TLS/SSL?” option in the Agent Properties to true. If the client certificate is not configured specifically for the FglAM host, you can also set the “Allow Invalid Cert Hostname?” option to true to allow the certificate to be used anyway.
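Two checks from the steps above, written as an added example (not Foglight's or Quest's own code): a parser for non-verbose keytool -list output that confirms the client alias is a PrivateKeyEntry rather than a certificate-only entry, and a generator for the four vmparameter lines that applies the forward-slash and escaped-quote rules for Windows paths. It assumes keytool's default English output format; the keytool output samples are constructed.

```python
import re
import subprocess

# Per-entry summary line of non-verbose `keytool -list`, e.g.
#   mongo-client, Jan 5, 2024, PrivateKeyEntry,
# (assumes keytool's default English date formatting)
ENTRY_RE = re.compile(r"^([^,]+), .+?, (PrivateKeyEntry|trustedCertEntry),")

def parse_keytool_list(output: str) -> dict:
    """Map alias -> entry type from `keytool -list` output."""
    entries = {}
    for line in output.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group(1)] = m.group(2)
    return entries

def keystore_ok(output: str, alias: str) -> bool:
    """The client alias must be a PrivateKeyEntry (key + cert), not cert only."""
    return parse_keytool_list(output).get(alias) == "PrivateKeyEntry"

def list_keystore(path: str, password: str) -> str:
    """Run `keytool -list` on a real keystore (keytool must be on PATH)."""
    cmd = ["keytool", "-list", "-keystore", path, "-storepass", password]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def jvm_path(path: str) -> str:
    """Forward slashes only; Windows paths get backslash-escaped quotes."""
    p = path.replace("\\", "/")
    return f'\\"{p}\\"' if " " in p or re.match(r"^[A-Za-z]:/", p) else p

def jvmargs_lines(keystore, keystore_pw, truststore, truststore_pw) -> list:
    """The four vmparameter.N lines to add to baseline.jvmargs.config."""
    props = [
        ("javax.net.ssl.keyStore", jvm_path(keystore)),
        ("javax.net.ssl.keyStorePassword", keystore_pw),
        ("javax.net.ssl.trustStore", jvm_path(truststore)),
        ("javax.net.ssl.trustStorePassword", truststore_pw),
    ]
    return [f'vmparameter.{i} = "-D{k}={v}";' for i, (k, v) in enumerate(props)]

# Constructed samples of keytool output: a correct keystore, and one where only
# the signed certificate (no private key) was imported.
SAMPLE_GOOD = "Keystore type: JKS\n\nmongo-client, Jan 5, 2024, PrivateKeyEntry,\n"
SAMPLE_BAD = "Keystore type: JKS\n\nmongo-client, Jan 5, 2024, trustedCertEntry,\n"
```

On a real host, pass list_keystore(path, password) to keystore_ok before restarting the FglAM; a trustedCertEntry for the client alias means the private key never made it into the keystore.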