Testing the MongoDB Java Driver with SSL & Kerberos Enabled

[root@myhostname srini]# cat SSLKerb.java
import com.mongodb.*;
import javax.net.ssl.SSLSocketFactory;
import java.net.UnknownHostException;
import java.security.Security;
import static java.util.Arrays.asList;

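public class SSLKerb {

    /**
     * Connects to a mongod that requires both TLS and Kerberos (GSSAPI)
     * authentication and prints the document count of {@code admin.foo}.
     *
     * Trust store, realm, KDC, principal, host and port are hard-coded for the
     * lab host used in this write-up; adjust them for another environment.
     *
     * @param args ignored
     * @throws UnknownHostException if the server address cannot be resolved
     * @throws InterruptedException declared for driver calls that may block
     */
    public static void main(String[] args) throws UnknownHostException, InterruptedException {

        // TLS trust: the JDK's default cacerts store. The mongod server
        // certificate must already have been imported into it (see the
        // keytool -import step); "changeit" is the stock cacerts password.
        System.setProperty("javax.net.ssl.trustStore", "/usr/java/jdk1.8.0_05/jre/lib/security/cacerts");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
        System.setProperty("javax.net.ssl.trustStoreType", "jks");
        // false lets the Krb5 GSS provider pick up a TGT from the native
        // credential cache instead of requiring a pre-populated JAAS Subject.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        System.setProperty("java.security.krb5.realm", "ASIA.NSTSRIN.NET");
        System.setProperty("java.security.krb5.kdc", "myhostname.ASIA.NSTSRIN.NET");

        // Kerberos principal used to authenticate against $external.
        String user = "mongodb/admin@ASIA.NSTSRIN.NET";
        String databaseName = "admin";

        // Echo the effective Kerberos / JAAS settings for troubleshooting.
        // NOTE(review): java.security.auth.login.config is normally supplied as
        // a System property, so Security.getProperty() may print null here — confirm.
        System.out.println("javax.security.auth.useSubjectCredsOnly: " + System.getProperty("javax.security.auth.useSubjectCredsOnly"));
        System.out.println("java.security.krb5.realm: " + System.getProperty("java.security.krb5.realm"));
        System.out.println("java.security.krb5.kdc: " + System.getProperty("java.security.krb5.kdc"));
        System.out.println("auth.login.defaultCallbackHandler: " + Security.getProperty("auth.login.defaultCallbackHandler"));
        System.out.println("login.configuration.provider: " + Security.getProperty("login.configuration.provider"));
        System.out.println("java.security.auth.login.config: " + Security.getProperty("java.security.auth.login.config"));
        System.out.println("login.config.url.1: " + Security.getProperty("login.config.url.1"));
        System.out.println("login.config.url.2: " + Security.getProperty("login.config.url.2"));
        System.out.println("login.config.url.3: " + Security.getProperty("login.config.url.3"));

        System.out.println("user: " + user);

        System.out.println();

        // GSSAPI credential; SERVICE_NAME is the service part of the server's
        // SPN (mongodb/<host>@REALM) and matches the driver default.
        MongoCredential credential = MongoCredential.createGSSAPICredential(user)
                .withMechanismProperty("SERVICE_NAME", "mongodb");

        // Default SSLSocketFactory honours the javax.net.ssl.* properties set
        // above, so the server certificate is validated against cacerts.
        MongoClientOptions options = new MongoClientOptions.Builder()
                .socketKeepAlive(true)
                .socketTimeout(30000)
                .socketFactory(SSLSocketFactory.getDefault())
                .build();

        MongoClient mongoClient = new MongoClient(
                new ServerAddress("myhostname.ASIA.NSTSRIN.NET", 37017),
                asList(credential),
                options);

        // Alternative kept for reference: legacy MONGODB-CR over TLS.
        // MongoCredential credential = MongoCredential.createMongoCRCredential("mongodb", "admin", "pwd".toCharArray());
        // MongoClientOptions options = MongoClientOptions.builder().socketFactory(SSLSocketFactory.getDefault()).build();
        // MongoClient m = new MongoClient(new ServerAddress("myhostname", 37017), Arrays.asList(credential), options);

        try {
            DB testDB = mongoClient.getDB(databaseName);

            System.out.println("Count: " + testDB.getCollection("foo").count());
        } finally {
            // Always release the driver's connection pool, even if the
            // authenticated round-trip above fails.
            mongoClient.close();
        }
    }
}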

[root@myhostname srini]# cat /etc/mongod.conf_new
# MongoDB Configuration File
# (2.4-era key = value format; drives the mongod listening on 37017
# that the Java client and mongo shell in this write-up connect to)

# General Settings
dbpath = /opt/mongodb/new
journal = true
fork = true
port = 37017
directoryperdb = true
#smallFiles = true
#noprealloc = true

# Logging
verbose = true
logappend = true
logpath = /opt/mongodb/logs/mongod_new.log

# Security
# Require authentication for every client session.
auth = true
# Disable the pre-2.4 privilege-document format (legacy compatibility knob).
setParameter = supportCompatibilityFormPrivilegeDocuments=0
# Kerberos (GSSAPI, used by the Java client below) plus the legacy
# challenge-response mechanism; drop MONGODB-CR once no client needs it.
setParameter = authenticationMechanisms=GSSAPI,MONGODB-CR
# presumably records the authenticated user alongside logged operations — verify
setParameter = logUserIds=1

# TLS on the normal listening port: clients must speak SSL/TLS.
sslOnNormalPorts = true
# Server certificate and private key in one PEM file.
sslPEMKeyFile = /etc/ssl/mongodb.pem
# Passphrase for the key above is stored in clear text here, so this file
# (and the PEM) should be readable only by the mongod service account.
sslPEMKeyPassword = DBversity$123

# Attack-surface reduction: no HTTP status interface, listen on one
# interface only, and no server-side JavaScript.
nohttpinterface = true
bind_ip = 10.40.87.36
noscripting = true

# Replication
#replSet = rs0
# Shared key for replica-set member authentication; only needed once replSet is enabled.
#keyFile = /srv/mongodb/keyfile

[root@myhostname srini]# /opt/mongodb/bin/mongo --authenticationMechanism=GSSAPI --authenticationDatabase='$external' --username mongodb/admin@ASIA.NSTSRIN.NET myhostname:37017/admin -ssl
MongoDB shell version: 2.4.5
connecting to: myhostname:37017/admin
Server has startup warnings:
Tue Jul 1 07:56:20.267 [initandlisten]
Tue Jul 1 07:56:20.267 [initandlisten] ** WARNING: You are running on a NUMA machine.
Tue Jul 1 07:56:20.267 [initandlisten] ** We suggest launching mongod like this to avoid performance problems:
Tue Jul 1 07:56:20.267 [initandlisten] ** numactl --interleave=all mongod [other options]
Tue Jul 1 07:56:20.267 [initandlisten]
> show collections
foo
system.indexes
system.users
> db.foo.find()
{ "_id" : ObjectId("53b28e18940e5bf86f39efe9"), "x" : 1 }
{ "_id" : ObjectId("53b28e1c940e5bf86f39efea"), "x" : 11 }
{ "_id" : ObjectId("53b28e1e940e5bf86f39efeb"), "x" : 111 }
{ "_id" : ObjectId("53b28e1f940e5bf86f39efec"), "x" : 1111 }
{ "_id" : ObjectId("53b29daee4b0083ccefea4b8") }
{ "_id" : ObjectId("53b29e06b44f835c743cc313"), "x" : 12345 }
{ "_id" : ObjectId("53b29e09b44f835c743cc314"), "x" : 123456 }
{ "_id" : ObjectId("53b29e0cb44f835c743cc315"), "x" : 1234567 }
{ "_id" : ObjectId("53b29e18e4b0076fb74588cf") }
{ "_id" : ObjectId("53b29fbae4b08192a01d0a9a") }

It is very important to check that the server certificate (.crt) has been added to the Java trust store; verify with keytool -list, and import it with keytool -import if it is missing:

[root@myhostname srini]# keytool -list -keystore /usr/java/jdk1.8.0_05/jre/lib/security/cacerts|grep srini
Enter keystore password: changeit
srini, Jul 1, 2014, trustedCertEntry,
[root@myhostname srini]# keytool -import -trustcacerts -keystore /usr/java/jdk1.8.0_05/jre/lib/security/cacerts -storepass changeit -alias srini -file /etc/ssl/mongodb-cert.crt
