X.509 証明書を使用した自己管理型配置でのクライアントの認証

項目一覧

前提条件
手順
次のステップ

The following procedure sets up X.509 certificate authentication for client authentication on a standalone mongod instance. This is also known as Mutual TLS or mTLS.

To use X.509 authentication for replica sets or sharded clusters, see 自己管理型MongoDBでのメンバーシップ認証に X.509 証明書を使用.

前提条件

A full description of TLS/SSL, PKI (Public Key Infrastructure) certificates, in particular X.509 certificates, and Certificate Authority is beyond the scope of this document. This tutorial assumes prior knowledge of TLS/SSL as well as access to valid X.509 certificates.

Certificate Authority

実稼働環境で使用する場合、MongoDB の配置には、認証局によって生成および署名された有効な証明書を使用する必要があります。ユーザーまたは組織は、独立した認証局を作成して維持することも、サードパーティの TLS ベンダーによって生成された証明書を使用することもできます。証明書の取得と管理については、このドキュメントの範囲外です。

To use X.509 authentication, --tlsCAFile or net.tls.CAFile must be specified unless you are using --tlsCertificateSelector or --net.tls.certificateSelector.

Client X.509 Certificate

You must have valid X.509 certificates. The client X.509 certificates must meet the client certificate requirements.

If you specify --tlsAllowInvalidCertificates or net.tls.allowInvalidCertificates: true, an invalid certificate is sufficient only to establish a TLS connection but it is insufficient for authentication.

手順

Deploy with X.509 Authentication

You can configure a mongod instance for X.509 authentication from the command-line.

To configure a standalone mongod instance, run the following command:

mongod --tlsMode requireTLS \
    --tlsCertificateKeyFile <path to TLS/SSL certificate and key PEM file> \
    --tlsCAFile <path to root CA PEM file> --bind_ip <hostnames>

Include additional options as required for your configuration.

The X.509 configuration requires:

オプション	ノート
`--tlsMode`	Specify `requireTLS`.
`--tlsCertificateKeyFile`	Specify the instance's X.509 certificate to present to clients.
`--tlsCAFile`	Specify the Certificate Authority file to verify the certificates presented to the instance.

You can configure a mongod for X.509 authentication in the 構成ファイル.

To configure a standalone mongod instance, add the following configuration options to your configuration file:

net:
   tls:
      mode: requireTLS
      certificateKeyFile: <path to TLS/SSL certificate and key PEM file>
      CAFile: <path to root CA PEM file>

Include additional options as required for your configuration.

The X.509 configuration requires:

オプション	ノート
`net.tls.mode`	Specify `requireTLS`.
`net.tls.certificateKeyFile`	Specify the instance's X.509 certificate to present to clients.
`net.tls.CAFile`	Specify the Certificate Authority file to verify the certificates presented to the instance.

To set up X.509 authentication for replica sets or sharded clusters, see 自己管理型MongoDBでのメンバーシップ認証に X.509 証明書を使用.

Add X.509 Certificate `subject` as a User

To authenticate with a client certificate, you must first add the value of the subject from the client certificate as a MongoDB user to the $external database. Each unique X.509 client certificate corresponds to a single MongoDB user. You cannot use a single client certificate to authenticate more than one MongoDB user.

注意

Username Requirements

To use クライアントセッションと因果整合性の保証 with $external authentication users (Kerberos, LDAP, or X.509 users), usernames cannot be greater than 10k bytes.
The RDNs in the subject string must be compatible with the RFC2253 standard.

You can retrieve the RFC2253 formatted subject from the client certificate with the following command:
```
openssl x509 -in <pathToClientPEM> -inform PEM -subject -nameopt RFC2253
```
The command returns the subject string and the certificate:
```
subject= CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry
-----BEGIN CERTIFICATE-----
# ...
-----END CERTIFICATE-----
```

Add the RFC2253 compliant value of the subject as a user. Omit spaces as needed.

The following example adds a user and grants the user readWrite role in the test database and the userAdminAnyDatabase role:

db.getSiblingDB("$external").runCommand(
  {
    createUser: "CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry",
    roles: [
         { role: "readWrite", db: "test" },
         { role: "userAdminAnyDatabase", db: "admin" }
    ],
    writeConcern: { w: "majority" , wtimeout: 5000 }
  }
)

See 自己管理型配置でユーザーとロールを管理 for details on adding a user with roles.

Authenticate with a X.509 Certificate

After you have added the X.509 client certificate subject as a corresponding MongoDB user, you can authenticate with the client certificate:

To authenticate during connection, run the following command:

mongosh --tls --tlsCertificateKeyFile <path to client PEM file> \
    --tlsCAFile <path to root CA PEM file> \
    --authenticationDatabase '$external' \
    --authenticationMechanism MONGODB-X509

オプション	ノート
`--tls`
`--tlsCertificateKeyFile`	Specify the client's X.509 file.
`--tlsCAFile`	Specify the Certificate Authority file to verify the certificate presented by the `mongod` instance.
`--authenticationDatabase`	Specify `'$external'`.
`--authenticationMechanism`	Specify `MONGODB-X509`.

You can connect without authentication and use the db.auth() method to authenticate after connection.

For example, if using mongosh,

接続 mongosh to the mongod:

mongosh --tls --tlsCertificateKeyFile <path to client PEM file> \
    --tlsCAFile <path to root CA PEM file>

オプション	ノート
`--tls`
`--tlsCertificateKeyFile`	Specify the client's X.509 file.
`--tlsCAFile`	Specify the Certificate Authority file to verify the certificate presented by the `mongod` or `mongos` instance.

To authenticate, use the db.auth() method in the $external database. For the mechanism field, specify "MONGODB-X509".
```
db.getSiblingDB("$external").auth(
  {
    mechanism: "MONGODB-X509"
  }
)
```

次のステップ