[DOCS-12022] Docs for SERVER-35418: Allow specifying CAs for incoming and outgoing connections separately Created: 04/Sep/18  Updated: 13/Nov/23  Resolved: 12/Oct/18

Status: Closed
Project: Documentation
Component/s: manual, Server
Affects Version/s: None
Fix Version/s: 4.0.3, 4.1.3, 3.6.9, 3.4.18, Server_Docs_20231030, Server_Docs_20231106, Server_Docs_20231105, Server_Docs_20231113

Type: Task Priority: Major - P3
Reporter: Kay Kim (Inactive) Assignee: Isabella Siu (Inactive)
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Documented
documents SERVER-35418 Allow specifying CAs for incoming and... Closed
Epic Link: DOCS: 4.2 Server/Tools

Description

See PM-1188 for details.

This change adds a new (server only) configuration setting:
On CLI: --tlsClusterCAFile (aliased as --sslClusterCAFile)
In a YAML config: net.tls.clusterCAFile (aliased as net.ssl.clusterCAFile)

When provided, the CA file pointed to by this setting is used to validate the certificates presented on INBOUND connections to a MongoDB instance (client certificates, including those used for x.509 authentication). Remote servers contacted on outbound connections continue to be validated using --tlsCAFile. If the setting is not present, both inbound and outbound connections are validated using --tlsCAFile (as they currently are).

Engineering Ticket Description:

The current MongoDB parameter sslCAFile is used for both:
1) Incoming connections to MongoDB, to verify a client certificate for both regular mutual auth and the x.509 auth mechanism.
2) Outgoing connections to other members of the same cluster, when they are running SSL, to verify the server certificate of the other member.

Overloading both of these uses into the same parameter prevents safely running MongoDB with an sslPEMKeyFile signed by a public CA while also allowing X.509 authentication: if sslCAFile names the public CA so that members can verify each other's server certificates, then every client certificate issued by that public CA, to anyone, chains to a trusted CA on incoming connections, so the set of accepted x.509 client certificates is no longer limited to a CA the operator controls.
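The following script is an added example written for this ticket, not MongoDB code and not part of the docs change. It builds a throwaway PKI with openssl that mirrors the two trust domains above (a stand-in "public" CA that signed the server's PEM file, and a private cluster CA for members and x.509 users), writes a mongod config that uses the new clusterCAFile setting, and uses openssl verify to show which certificates each CA file would accept. It assumes only openssl and mktemp are on PATH; the CA names, subjects and file names are invented, and mode and certificateKeyFile are the 4.2 net.tls spellings (on 4.0.3, 3.6.9 and 3.4.18 the net.ssl.* names apply).

```shell
#!/bin/sh
# Added example: throwaway PKI showing why one CA file cannot safely serve both
# the inbound (client/x.509) and outbound (peer server cert) roles.
# Not MongoDB code. Assumes openssl and mktemp on PATH; all names are invented.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config so the script does not depend on a system openssl.cnf.
cat >"$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# new_ca NAME SUBJECT : self-signed CA certificate NAME.pem with key NAME.key
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/req.cnf" \
    -extensions v3_ca -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    >/dev/null 2>&1
}

# issue CA NAME SUBJECT : leaf certificate NAME.pem (key NAME.key) signed by CA
issue() {
  openssl req -newkey rsa:2048 -nodes -config "$WORK/req.cnf" -subj "$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_against CA NAME : exit 0 if NAME.pem chains to CA.pem, non-zero otherwise
verify_against() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# Build the two trust domains from the ticket:
#  - "public-ca"  stands in for the public CA that signed the server's PEM file,
#  - "cluster-ca" is the private CA that signs cluster members and x.509 users.
setup_pki() {
  new_ca public-ca  "/CN=Stand-in Public CA"
  new_ca cluster-ca "/CN=Example Cluster CA"
  issue public-ca  server       "/CN=mongo1.example.net"        # what peers and clients see
  issue cluster-ca member       "/CN=mongo2.example.net/OU=db"  # a legitimate cluster member
  issue public-ca  rogue-client "/CN=anyone.example.org"        # any customer of the public CA
  # mongod's certificateKeyFile holds the certificate and private key in one PEM.
  cat "$WORK/server.pem" "$WORK/server.key" >"$WORK/server-keypair.pem"
}

# Write the server config with the setting this ticket adds; prints its path.
write_mongod_conf() {
  cat >"$WORK/mongod.conf" <<EOF
net:
  tls:
    mode: requireTLS
    certificateKeyFile: $WORK/server-keypair.pem  # leaf signed by the public CA
    CAFile: $WORK/public-ca.pem                   # validates outbound peers' server certs
    clusterCAFile: $WORK/cluster-ca.pem           # validates inbound client/member certs
EOF
  printf '%s\n' "$WORK/mongod.conf"
}

setup_pki
write_mongod_conf >/dev/null

# Outbound: a peer's server cert is checked against CAFile (the public CA).
verify_against public-ca server && echo "outbound:  server cert accepted by public-ca"
# Inbound with clusterCAFile: a member cert from the private CA is accepted ...
verify_against cluster-ca member && echo "inbound:   member cert accepted by cluster-ca"
# ... and a cert that merely comes from the public CA is rejected.
if verify_against cluster-ca rogue-client; then
  echo "inbound:   rogue cert accepted (unexpected)"
else
  echo "inbound:   rogue cert rejected by cluster-ca"
fi
# Without the split (a single CAFile naming the public CA) that same cert passes.
verify_against public-ca rogue-client && echo "single CA: rogue cert accepted by public-ca"
```

The last line is the failure mode the ticket describes: once the public CA is the only trust anchor, any certificate that CA has issued clears the chain check on an incoming connection, and only MongoDB's subject-name matching remains. With clusterCAFile set, the inbound trust anchor is the operator's own CA while outbound peer validation keeps using the public CA.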

Scope of changes

For 4.2 and later:

  • Add --tlsClusterCAFile as a command line option and net.tls.clusterCAFile as a configuration file option
  • Mark --sslClusterCAFile as a deprecated command line option and net.ssl.clusterCAFile as a deprecated configuration file option

For 4.0.3, 3.4.18, 3.6.9:

  • Add --sslClusterCAFile as a command line option and net.ssl.clusterCAFile as a configuration file option


 Comments   
Comment by Githook User [ 16/Nov/18 ]

Author:

{'name': 'Isabella Siu', 'email': 'isabellasiu@Isabellas-MacBook.local'}

Message: DOCS-12022 backport sslClusterCAFile option to 3.6.9
Branch: v3.6
https://github.com/mongodb/docs/commit/705605333ff909a646ceb28eb74150862852c5a5

Comment by Githook User [ 07/Nov/18 ]

Author:

{'name': 'Isabella Siu', 'email': 'isabellasiu@Isabellas-MacBook.local'}

Message: DOCS-12022 backport sslClusterCAFile option to 3.4.18
Branch: v3.4
https://github.com/mongodb/docs/commit/0121e3e0ca68f4c513aca7ac1cf3a0c9a724d1a8

Comment by Githook User [ 15/Oct/18 ]

Author:

{'name': 'Isabella Siu', 'email': 'isabellasiu@Isabellas-MacBook.local'}

Message: DOCS-12022 backport sslClusterCAFile option to 3.4.18
Branch: v3.4.18
https://github.com/mongodb/docs/commit/6117d1eb6ef04d59e8cdc2fac78b05ac4f33cd19

Comment by Githook User [ 15/Oct/18 ]

Author:

{'name': 'Isabella Siu', 'email': 'isabellasiu@Isabellas-MacBook.local'}

Message: DOCS-12022 backport sslClusterCAFile option to 3.6.9
Branch: v3.6.9
https://github.com/mongodb/docs/commit/22a4d333eb31cbb853ed9753bd4cfa897ec68f9a

Comment by Githook User [ 15/Oct/18 ]

Author:

{'name': 'Isabella Siu', 'email': 'isabellasiu@Isabellas-MacBook.local'}

Message: DOCS-12022 add tlsClusterCAFile option
Branch: v4.0
https://github.com/mongodb/docs/commit/479185a15d9586964b41fcae650323c40f5c0aa7

Comment by Githook User [ 15/Oct/18 ]

Author:

{'name': 'Isabella Siu', 'email': 'isabellasiu@Isabellas-MacBook.local'}

Message: DOCS-12022 add tlsClusterCAFile option
Branch: master
https://github.com/mongodb/docs/commit/4d97ee5be233b1eba16f473beef749e8b7918163

Generated at Thu Feb 08 08:04:12 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.