Securing Your Deployment with MongoDB and Red Hat's Identity Management in Red Hat Enterprise Linux
Transcript of Securing Your Deployment with MongoDB and Red Hat's Identity Management in Red Hat Enterprise Linux
Slide 1: Securing MongoDB with Red Hat Enterprise Linux Identity Management
Jim Wildman, Solutions Architect, Red Hat
Sandeep Parikh, Solutions Architect, MongoDB
Slide 2: MongoDB
The leading NoSQL database
Document Database
Open-Source
General Purpose
Slide 3: MongoDB Features
• JSON Document Model with Dynamic Schemas
• Auto-Sharding for Horizontal Scalability
• Text Search
• Aggregation Framework and MapReduce
• Full, Flexible Index Support and Rich Queries
• Built-In Replication for High Availability
• Advanced Security
• Large Media Storage with GridFS
Slide 4: MongoDB Enterprise Features
• Enterprise authentication using Kerberos
• In-flight encryption using SSL
• On-premise management tools for monitoring
• On-demand private training
• Integration with SNMP
• Certified for Red Hat Enterprise Linux
Slide 5: Red Hat Identity Management
• Identity, Policy, and Audit services
• Integrated security management solution
  – Authentication
  – Directory Services
  – Encryption
  – Client/Server Discovery
  – Systems Management
• Available via
  – Red Hat Enterprise Linux 6.4
  – FreeIPA
Slide 6: Red Hat Identity Management
Slide 7: Security Considerations
Authentication
• Identity assurance
• SSO
Authorization
• Role-based
• Privileges
• Permissions
Auditing
• Identity logging
• Governance reporting
Administration
• Identity provisioning
• Change control
Encryption
• Data at rest
• Data in motion
Slide 8: Security Implications
Authentication
• Apps accessing DB
• Nodes joining cluster
• Admins accessing DB
Authorization
• Apps DB permissions
• Admins DB permissions
Auditing
• Who logged in
Administration
• Create users
• Manage user policies
Encryption
• Encrypting data in-flight
Slide 9: Security Architecture
Identity
• AD
• LDAP
• Etc.
Clients
• MongoDB
• App Servers
• Web Servers
Slide 10: RHEL IdM Architecture
• Accounts, credentials, policies are centrally located
• Clients authenticate users and services via server as-needed
Slide 11: RHEL IdM Replication
• RHEL IdM natively supports multi-master replication
• One user name space across all data centers and replicas
Slide 12: Security & Compliance Enhancements
• Lack of centrally managed identities creates security and compliance problems
• More secure host connections (no passwords in text files)
• Host-based access control provides centralized, fine-grained access
• Centralized “sudo” management
• Private user groups allow for better security at the file level
• Kerberos authentication has strong security characteristics
  – Password never leaves the client, hashes are strong
Slide 13: IdM Server Setup
```shell
# install IdM packages
$ yum install ipa-server bind bind-dyndb-ldap
# set hostname
$ nano /etc/sysconfig/network
HOSTNAME=idmserver.example.com
$ hostname -v idmserver.example.com
```
Slide 14: IdM Server Setup
```shell
# run IdM installation
$ ipa-server-install --setup-dns
# add IdM server DNS
$ nano /etc/resolv.conf
nameserver [IdM server IP address]
# authenticate as admin via Kerberos
$ kinit admin
# list the Kerberos tickets now held in the credential cache
$ klist
```
Slide 15: IdM Client Setup
```shell
# install IdM client and tools
$ yum install ipa-client ipa-admintools
# update hostname
$ nano /etc/sysconfig/network
HOSTNAME=idmclient.example.com
$ hostname -v idmclient.example.com
```
Slide 16: IdM Client Setup
```shell
# point DNS to IdM server
$ nano /etc/resolv.conf
search example.com
nameserver [IdM server IP address]
# automatically enroll this machine into IdM
$ ipa-client-install --enable-dns-updates
Discovery was successful!
Hostname: idmclient.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: idmhost.example.com
BaseDN: dc=example,dc=com
```
Slide 17: IdM Client Setup
```shell
# ex. reverse addr: 243-16-164-10.in-addr.arpa.
# add a reverse-DNS zone
$ ipa dnszone-add [idmclient-reverse-addr] \
    --name-server idmserver.example.com. --force
# add a reverse-DNS record
$ ipa dnsrecord-add [idmclient-reverse-addr] \
    [record-name] --ptr-hostname idmclient.example.com.
```
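The two placeholders in the commands above, [idmclient-reverse-addr] and [record-name], are easy to get wrong by hand, and slide 25 points out that a broken reverse-DNS entry shows up later as a Kerberos failure rather than a DNS error. The following script is an added example, not part of the slides or of the IdM tooling: it derives both placeholders from the client's IPv4 address using the standard reversed-octet in-addr.arpa form, validates the address, and prints the resulting ipa dnszone-add and ipa dnsrecord-add commands without running them. It assumes a /24 reverse zone (the zone covers the first three octets), which is the common case for one subnet of IdM clients; the address 10.164.16.243 is the one the slide's reverse-address example corresponds to.

```shell
#!/bin/sh
# Added example (not from the slides): derive the reverse-DNS zone and PTR
# record name that "ipa dnszone-add" / "ipa dnsrecord-add" need from a
# client's IPv4 address, then print the commands as a dry run.
# Assumption: a /24 reverse zone, i.e. the zone name is built from the first
# three octets and the PTR record name is the last octet.

# reverse_zone 10.164.16.243 -> 16.164.10.in-addr.arpa.
reverse_zone() {
    echo "$1" | awk -F. '{ printf "%s.%s.%s.in-addr.arpa.\n", $3, $2, $1 }'
}

# ptr_record_name 10.164.16.243 -> 243
ptr_record_name() {
    echo "$1" | awk -F. '{ print $4 }'
}

# full_reverse_name 10.164.16.243 -> 243.16.164.10.in-addr.arpa.
# (the name a PTR lookup for the address actually resolves)
full_reverse_name() {
    echo "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# valid_ipv4 <addr>: returns 0 for a dotted quad whose four octets are 0..255
valid_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# print_reverse_dns_commands <client-fqdn> <client-ip> <idm-server-fqdn>
# prints the two ipa commands from slide 17 with the placeholders filled in
print_reverse_dns_commands() {
    client_fqdn=$1; client_ip=$2; idm_server=$3
    valid_ipv4 "$client_ip" || { echo "invalid IPv4 address: $client_ip" >&2; return 1; }
    zone=$(reverse_zone "$client_ip")
    name=$(ptr_record_name "$client_ip")
    printf 'ipa dnszone-add %s --name-server %s. --force\n' "$zone" "$idm_server"
    printf 'ipa dnsrecord-add %s %s --ptr-hostname %s.\n' "$zone" "$name" "$client_fqdn"
}

# Demo with constructed values: the client from the slides on 10.164.16.243
print_reverse_dns_commands idmclient.example.com 10.164.16.243 idmserver.example.com
```

The trailing dots on the name-server and PTR hostnames are deliberate: they mark the names as fully qualified, matching the form used on the slide.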
Slide 18: Deploying MongoDB with RHEL IdM
• MongoDB deployed on RHEL IdM clients
• Leverages authentication and encryption services
  – Kerberos
  – SSL
• Map MongoDB users/roles to Kerberos principals
• Encrypt connections
  – Amongst MongoDB nodes
  – Between MongoDB and clients
Slide 19: MongoDB Kerberos Setup
```shell
# add a service principal to IdM
$ ipa service-add mongodb/idmclient.example.com@EXAMPLE.COM
# retrieve the MongoDB keytab file
$ ipa-getkeytab -s idmserver.example.com \
    -p mongodb/idmclient.example.com \
    -k /etc/mongodb.keytab
# verify keytab
$ klist -k /etc/mongodb.keytab
```
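Reading klist -k output by eye is where mistakes slip through: the principal a client asks for is built from the service name, the server's FQDN and the realm, so a keytab issued for the wrong hostname (or a realm in the wrong case) passes a casual glance yet fails GSSAPI authentication. The script below is an added example, not part of the slides or of MongoDB or IdM: it builds the expected principal for a host, parses klist -k output and reports whether that principal is present. It runs here on a constructed klist sample rather than a live keytab; the check_keytab wrapper is the form used on a real host. It assumes the realm is the upper-cased DNS domain (EXAMPLE.COM for example.com), as the ipa-client-install output on slide 16 shows.

```shell
#!/bin/sh
# Added example (not from the slides): confirm that a MongoDB keytab contains
# the service principal clients will request for this host.
# Assumption: realm = upper-cased DNS domain of the FQDN (EXAMPLE.COM).

# realm_for_fqdn idmclient.example.com -> EXAMPLE.COM
realm_for_fqdn() {
    echo "${1#*.}" | tr '[:lower:]' '[:upper:]'
}

# expected_principal mongodb idmclient.example.com
#   -> mongodb/idmclient.example.com@EXAMPLE.COM
expected_principal() {
    service=$1; fqdn=$2
    echo "$service/$fqdn@$(realm_for_fqdn "$fqdn")"
}

# keytab_principals <klist-k-output-file>: unique principals, skipping the
# three header lines ("Keytab name:", column titles, dashes) and the KVNO column
keytab_principals() {
    awk 'NR > 3 && NF >= 2 { print $2 }' "$1" | sort -u
}

# check_keytab_output <klist-k-output-file> <service> <fqdn>
# returns 0 when the expected principal is in the keytab, 1 otherwise
check_keytab_output() {
    file=$1; service=$2; fqdn=$3
    want=$(expected_principal "$service" "$fqdn")
    if keytab_principals "$file" | grep -qxF "$want"; then
        echo "OK: keytab contains $want"
        return 0
    fi
    echo "MISSING: $want not found; keytab holds:" >&2
    keytab_principals "$file" >&2
    return 1
}

# check_keytab <keytab-path> <service> <fqdn>: live variant, runs klist -k
# (e.g. check_keytab /etc/mongodb.keytab mongodb "$(hostname -f)")
check_keytab() {
    out=$(mktemp)
    klist -k "$1" > "$out"
    if check_keytab_output "$out" "$2" "$3"; then rc=0; else rc=1; fi
    rm -f "$out"
    return $rc
}

# Constructed sample of "klist -k /etc/mongodb.keytab" output for the demo
SAMPLE_KLIST=$(mktemp)
cat > "$SAMPLE_KLIST" <<'EOF'
Keytab name: FILE:/etc/mongodb.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 mongodb/idmclient.example.com@EXAMPLE.COM
   2 mongodb/idmclient.example.com@EXAMPLE.COM
EOF

check_keytab_output "$SAMPLE_KLIST" mongodb idmclient.example.com
# a keytab cut for one host does not serve another: this one reports MISSING
check_keytab_output "$SAMPLE_KLIST" mongodb idmhost.example.com || true
```

The same check applies to every mongod and mongos in a replica set or sharded cluster, since each needs its own service entry and keytab.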
Slide 20: MongoDB Kerberos Setup
```shell
# start mongod with the keytab and Kerberos (GSSAPI) authentication enabled
$ env KRB5_KTNAME=/etc/mongodb.keytab \
    mongod --fork --auth \
    --dbpath /data --logpath /log/mongod.log \
    --setParameter authenticationMechanisms=GSSAPI
```
Slide 21: MongoDB SSL Setup
```shell
# issue server certificate request
$ ipa-getcert request -r \
    -f /etc/cert/mongodb-server.crt \
    -k /etc/cert/mongodb-server.key \
    -N CN=idmclient.example.com \
    -D idmclient.example.com \
    -K mongodb/idmclient.example.com
# Note: -D and CN must match the MongoDB hostname, and -K must match the service principal
```
Slide 22: MongoDB SSL Setup
```shell
# cat key and cert into pem
$ cat /etc/cert/mongodb-server.key \
    /etc/cert/mongodb-server.crt > \
    /etc/cert/mongodb-server.pem
# start mongod with PEM and IdM CA
$ mongod --sslOnNormalPorts \
    --sslPEMKeyFile=/etc/cert/mongodb-server.pem \
    --sslCAFile=/etc/ipa/ca.crt
```
Slide 23: MongoDB Client SSL Setup
```shell
# issue client certificate request
$ ipa-getcert request \
    -f /etc/cert/mongodb-client.crt \
    -k /etc/cert/mongodb-client.key
# cat key and crt into pem
$ cat /etc/cert/mongodb-client.key \
    /etc/cert/mongodb-client.crt > \
    /etc/cert/mongodb-client.pem
```
Slide 24: MongoDB Client SSL Setup
```shell
$ mongo --ssl \
    --sslPEMKeyFile=/etc/cert/mongodb-client.pem \
    --sslCAFile=/etc/ipa/ca.crt
```
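Two things break the SSL setup on slides 21 to 24 most often: the server certificate's CN does not equal the hostname clients connect to (the -N and -D values from slide 21), or a PEM does not chain to the CA file passed as --sslCAFile. The script below is an added example, not part of the slides or of MongoDB or IdM: it builds the key-plus-certificate PEM files exactly as the cat commands above do, then checks the CN and the chain with openssl before mongod or mongo is ever started. In a real deployment the certificates come from ipa-getcert and the CA from /etc/ipa/ca.crt; here a throwaway CA and certificates are generated with openssl so the checks run offline (it assumes the openssl command-line tool is installed).

```shell
#!/bin/sh
# Added example (not from the slides): assemble server and client PEM files
# the way slides 22 and 23 do, then verify CN and CA chain with openssl.
# Assumption: the openssl CLI is available; the CA and certificates below are
# a constructed test PKI standing in for the IdM CA and ipa-getcert output.

# make_test_pki <dir> <server-fqdn>: writes ca.crt plus mongodb-server and
# mongodb-client .key/.crt/.pem files into <dir>
make_test_pki() {
    dir=$1; fqdn=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=Test IdM CA" 2>/dev/null
    for role in server client; do
        if [ "$role" = server ]; then cn=$fqdn; else cn=mongodb-client; fi
        openssl req -newkey rsa:2048 -nodes \
            -keyout "$dir/mongodb-$role.key" -out "$dir/mongodb-$role.csr" \
            -subj "/CN=$cn" 2>/dev/null
        openssl x509 -req -days 1 -in "$dir/mongodb-$role.csr" \
            -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
            -out "$dir/mongodb-$role.crt" 2>/dev/null
        # same concatenation as the slides: private key first, then certificate
        cat "$dir/mongodb-$role.key" "$dir/mongodb-$role.crt" > "$dir/mongodb-$role.pem"
    done
}

# pem_cn <pem-file>: CN of the certificate in the PEM (openssl x509 skips the
# PRIVATE KEY block that precedes it)
pem_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//; s/^CN=//'
}

# pem_chains_to_ca <pem-file> <ca-file>: 0 if the certificate verifies against the CA
pem_chains_to_ca() {
    openssl x509 -in "$1" | openssl verify -CAfile "$2" 2>/dev/null | grep -q ': OK$'
}

# check_mongodb_pem <pem-file> <ca-file> <expected-cn>: the pre-flight check
check_mongodb_pem() {
    pem=$1; ca=$2; want=$3
    cn=$(pem_cn "$pem")
    if [ "$cn" != "$want" ]; then
        echo "FAIL: $pem has CN=$cn, expected $want" >&2; return 1
    fi
    if ! pem_chains_to_ca "$pem" "$ca"; then
        echo "FAIL: $pem does not chain to $ca" >&2; return 1
    fi
    echo "OK: $pem (CN=$cn) chains to $ca"
}

# Demo on a throwaway PKI
WORK=$(mktemp -d)
make_test_pki "$WORK" idmclient.example.com
check_mongodb_pem "$WORK/mongodb-server.pem" "$WORK/ca.crt" idmclient.example.com
check_mongodb_pem "$WORK/mongodb-client.pem" "$WORK/ca.crt" mongodb-client
# a server certificate issued for another hostname is reported as FAIL
check_mongodb_pem "$WORK/mongodb-server.pem" "$WORK/ca.crt" idmhost.example.com || true
```

On a live host the same functions are run as check_mongodb_pem /etc/cert/mongodb-server.pem /etc/ipa/ca.crt "$(hostname -f)", which catches a CN or CA mismatch before it surfaces as a connection failure in the mongod log.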
Slide 25: MongoDB and Kerberos
• Each component will need a service entry and keytab
  – In a replica set, each mongod
  – In a sharded cluster, each mongod and mongos
• Verify Kerberos settings using the built-in k-commands
  – E.g. “klist”
• Network configuration impacts authentication
  – Hostnames must be set and should be consistent
  – DNS/reverse-DNS and routing must be correctly set up
Slide 26: MongoDB and SSL
• IdM Certificate Authority provided as part of certificate requests
• IdM Certificate Authority can be root or act as subordinate to external CA
• Certificate management daemon monitors expirations and can auto-renew certificates
Slide 27
• RHEL IdM Docs: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html
• Setup RHEL IdM for MongoDB Enterprise: http://docs.mongodb.org/ecosystem/tutorial/configure-red-hat-enterprise-linux-identity-management/
• Operational RHEL IdM Procedures: http://docs.mongodb.org/ecosystem/tutorial/manage-red-hat-enterprise-linux-identity-management/
Questions?