Core Server / SERVER-7455

Replace the keyfile used for replica sets with x.509 authentication


    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: 2.2.0
    • Fix Version/s: 2.5.3
    • Component/s: Replication, Security
    • Labels:
      None
    • Environment:
      RHEL 6

      Description

      The current cluster authentication keyfile solution has some room for improvement, including:

      • It is difficult/impossible to change the keyfile in a running system
      • All cluster members use the same keyfile
      • The password contained in the keyfile is in cleartext as described in the original ticket.

      As part of implementing x.509 authentication for clients, introduce the possibility to use x.509 for internal cluster authentication. The keyfile solution will be kept on (for now).

      Original ticket: "The keyfile used for replica sets (defined by the keyFile entry in the configuration file) should not contain a simple clear text entry. This should be encrypted or stored by some other method as at present this means it would be possible for someone to access data by setting up a new replica set member using this key. It is also a general compliance issue for any password or key to be stored in a file in clear text."
