- Type: Task
- Resolution: Fixed
- Priority: Major - P3
- Affects Version/s: None
- Labels: None
Description
Description:
This renames the TLS certificate file options to correspond to their names in the Mongo URI spec.
Engineering Ticket Description:
To unify with mongodb:// URI options, we'll rename the tlsPEMKeyFile/tlsPEMKeyPassword to tlsCertificateKeyFile/tlsCertificateKeyFilePassword.
Also, since tlsPEMKeyFile/Password were only just introduced in the 4.1 dev branch (renamed from ssl*), we'll remove the tlsPEMKeyFile/Password settings entirely, leaving only the ssl* variants as deprecated aliases.
The idl definitions in ssl_options_server.idl and ssl_options_client.idl would thus look like:
    "net.tls.certificateKeyFile": # Changed from "net.tls.PEMKeyFile"
      description: "PEM file for TLS"
      short_name: tlsCertificateKeyFile # Changed from "tlsPEMKeyFile"
      deprecated_name: "net.ssl.PEMKeyFile"
      deprecated_short_name: sslPEMKeyFile
      arg_vartype: String
    "net.tls.certificateKeyFilePassword": # Changed from "net.tls.PEMKeyPassword"
      description: "PEM file password"
      short_name: tlsCertificateKeyFilePassword # Changed from: tlsPEMKeyPassword
      deprecated_name: "net.ssl.PEMKeyPassword"
      deprecated_short_name: sslPEMKeyPassword
      arg_vartype: String
      cpp_varname: sslGlobalParams.sslPEMKeyPassword
      implicit: ''
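An added example, not part of the ticket or of MongoDB's own code: a small audit that flags the removed tlsPEM* names and the deprecated ssl* aliases in a config file or command line and reports the replacement name. The option names come from the ticket; the minimal config flattener, the function names and the sample inputs are assumptions constructed for illustration.

```python
# Added example. Option names are from the ticket; parser and sample inputs are constructed.
RULES = {  # old name -> (status after this change, replacement name)
    "net.tls.PEMKeyFile": ("removed", "net.tls.certificateKeyFile"),
    "net.tls.PEMKeyPassword": ("removed", "net.tls.certificateKeyFilePassword"),
    "tlsPEMKeyFile": ("removed", "tlsCertificateKeyFile"),
    "tlsPEMKeyPassword": ("removed", "tlsCertificateKeyFilePassword"),
    "net.ssl.PEMKeyFile": ("deprecated", "net.tls.certificateKeyFile"),
    "net.ssl.PEMKeyPassword": ("deprecated", "net.tls.certificateKeyFilePassword"),
    "sslPEMKeyFile": ("deprecated", "tlsCertificateKeyFile"),
    "sslPEMKeyPassword": ("deprecated", "tlsCertificateKeyFilePassword"),
}

def flatten_config(text):
    """Flatten a space-indented YAML mapping into dotted keys (mappings and scalars only)."""
    stack, keys = [], []  # stack holds (indent, key) for the current nesting path
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments; only key names matter here
        if not line.strip() or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # leave deeper or sibling scopes
            stack.pop()
        stack.append((indent, key.strip().strip('"')))
        if value.strip():  # a scalar setting, not a parent mapping
            keys.append(".".join(k for _, k in stack))
    return keys

def cli_names(argv):
    """Return option names from --name value and --name=value arguments."""
    return [a[2:].split("=", 1)[0] for a in argv if a.startswith("--")]

def audit(names):
    """Return (name, status, replacement) for every name affected by the rename."""
    return [(n, *RULES[n]) for n in names if n in RULES]

# Constructed sample inputs (paths and password are placeholders).
SAMPLE_CONFIG = """\
net:
  port: 27017
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongodb.pem
  tls:
    PEMKeyPassword: example-only
"""
SAMPLE_ARGV = ["mongod", "--tlsPEMKeyFile", "/etc/ssl/mongodb.pem", "--tlsMode=requireTLS"]
```

Run `audit(flatten_config(...))` over each config file and `audit(cli_names(...))` over service unit command lines before an upgrade, and again with the mapping reversed in mind before a downgrade.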
Scope of changes
- 4.2
- 4.2-compat (not sure if we want to explicitly call out the name change – currently, we just state tls override ssl)
- connection-string (Need to add the tls options)
- mongod options + mongod + mongos
- config file options + config file + configuration-file-settings-command-line-options-mapping
- mongo options + mongo
- Add all the tls options (note: mongo shell options are missing all the tls options, need to add all and deprecate ssl options)
- mongo ssl references
- source/core/security-internal-authentication.txt
- source/core/security-x.509.txt
- tutorials
- source/tutorial/configure-ssl-clients.txt
- source/tutorial/configure-ssl.txt
- source/tutorial/configure-fips.txt
- source/tutorial/configure-x509-client-authentication.txt
- source/tutorial/configure-x509-member-authentication.txt
- source/tutorial/upgrade-cluster-to-ssl.txt
- source/tutorial/upgrade-keyfile-to-x509.txt
- source/appendix/security/appendixB-openssl-server.txt
- source/appendix/security/appendixC-openssl-client.txt
- references
- source/reference/expansion-directives.txt - since new page for 4.2, not even going to reference old sslpem
- source/reference/parameters.txt
- add examples using tls
- add tlsMode param and link to and from sslMode param
- source/reference/command/serverStatus.txt
- source/includes/extracts-tls-facts.yaml
- source/includes/extracts-x509-certificate.yaml
- Upgrades - post upgrade, update options
- Downgrade - update the options before downgrading
Note: The following programs are on the old sslOptions (i.e. not even tls options – for those that take uri, will need to note that they don't support the new tls options in the uri string)
- source/reference/program/mongodump.txt
- source/reference/program/mongoexport.txt
- source/reference/program/mongofiles.txt
- source/reference/program/mongoimport.txt
- source/reference/program/mongorestore.txt
- source/reference/program/mongostat.txt
- source/reference/program/mongotop.txt
check references for mongo-shell-ssl
Impact to Other Docs
Probably if cloud products expose the tls options, including in connection strings (but should come from those cloud product tickets)
MVP (Work and Date)
Resources (Scope or Design Docs, Invision, etc.)
- documents
  - SERVER-37962 Create tlsMode setParameter (Closed)
  - SERVER-38430 Rename tlsPEMKeyFile and tlsPEMKeyPassword in client and server (Closed)
- has to be done before
  - DOCS-12188 Docs for SERVER-37833: Make DBClient and NetworkInterface retry with multiple keys for internal auth (Closed)