Documentation project, issue DOCS-16006

[Server] Investigate changes in SERVER-74989: Create configuration file option for custom X.509 subject name matching


Details

    Description

      Original Downstream Change Summary

      This change adds a new mechanism by which cluster members identify each other when using X.509-based authentication. Specifically, it introduces a new configuration file option, net.tls.clusterAuthX509.attributes, that lets customers specify X.509 subject DN attribute name/value pairs that a connecting certificate must contain to be considered a peer cluster member. It can be used to customize the default behavior, which checks that the DC, O, and OU attributes of the connecting certificate and the server's member certificate are the same.

      Description of Linked Ticket

      Today, servers determine whether a connecting client is a peer server node either via keyfile authentication or X.509. If X.509 authentication is enabled on the server and the connecting client's certificate has a subject name DN sharing the same O, OU, and DC attributes as the server's certificate, then the connecting client is considered a peer server node.

      In an effort to make this more customizable, we will add a configuration file option that will take priority over this default policy. The option will specify a set of subject name DN attributes and values that the server will check for in the connecting client's certificate. If they match, then the client will be treated as a peer server node.
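The membership matching described above, as an added example that is not part of this ticket or MongoDB's own code: a Python model of the default DC/O/OU comparison against the server's member certificate and of the configured attribute-set override that takes priority over it. The comma-separated `attr=value` format of the option value, and every subject name used, are assumptions constructed for this example.

```python
# Added example, not MongoDB's code: models peer identification on X.509
# subject DNs. Config value format and all DNs below are constructed.

# Constructed sample subjects: the server's own member cert, a peer node,
# and an application client that shares O and DC but not OU.
SERVER_DN = "CN=node1.example.test,OU=ClusterNodes,O=Example Corp,DC=example,DC=test"
PEER_DN = "CN=node2.example.test,OU=ClusterNodes,O=Example Corp,DC=example,DC=test"
APP_DN = "CN=app-user,OU=Apps,O=Example Corp,DC=example,DC=test"


def split_rdns(dn: str) -> list:
    """Split on unescaped commas only, so 'O=Acme\\, Inc' stays one RDN."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p for p in parts if p.strip()]


def parse_dn(dn: str) -> dict:
    """Map attribute type -> list of values; DC and OU may repeat."""
    out = {}
    for rdn in split_rdns(dn):
        name, _, value = rdn.partition("=")
        out.setdefault(name.strip().upper(), []).append(value.strip())
    return out


def default_policy_is_member(server_dn: str, client_dn: str) -> bool:
    """Default: the connecting cert's DC, O and OU must equal the server's."""
    s, c = parse_dn(server_dn), parse_dn(client_dn)
    return all(sorted(s.get(a, [])) == sorted(c.get(a, [])) for a in ("DC", "O", "OU"))


def configured_policy_is_member(config_attrs: str, client_dn: str) -> bool:
    """Override: every configured attr=value pair must appear in the subject."""
    required, c = parse_dn(config_attrs), parse_dn(client_dn)
    if not required:  # an empty set would otherwise admit any certificate
        raise ValueError("clusterAuthX509.attributes must not be empty")
    return all(v in c.get(a, []) for a, vals in required.items() for v in vals)


def is_cluster_member(server_dn: str, client_dn: str, config_attrs: str = None) -> bool:
    """The configured set takes priority over the default DC/O/OU comparison."""
    if config_attrs:
        return configured_policy_is_member(config_attrs, client_dn)
    return default_policy_is_member(server_dn, client_dn)
```

Note that a configured set less specific than the default (for instance only `O=`) treats every certificate issued to that organisation as a cluster member, so the chosen attributes should be ones that only member certificates carry.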

People

Kenneth Dyer (kenneth.dyer@mongodb.com)
Backlog - Core Eng Program Management Team (backlog-server-pm)