[DOCS-16006] [Server] Investigate changes in SERVER-74989: Create configuration file option for custom X.509 subject name matching Created: 04/Apr/23  Updated: 13/Nov/23  Resolved: 29/Jun/23

Status: Closed
Project: Documentation
Component/s: manual, Server
Affects Version/s: None
Fix Version/s: 7.0.0-rc0, Server_Docs_20231030, Server_Docs_20231106, Server_Docs_20231105, Server_Docs_20231113

Type: Task Priority: Major - P3
Reporter: Backlog - Core Eng Program Management Team Assignee: Kenneth Dyer
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Documented
documents SERVER-74989 Create configuration file option for ... Closed

Description
Original Downstream Change Summary

This change adds a new mechanism by which cluster members can identify each other when using X.509-based authentication. Specifically, it introduces a new configuration file option, net.tls.clusterAuthX509.attributes, that lets customers specify X.509 subject DN attribute name/value pairs that a connecting certificate must contain in order to be considered a peer cluster member. It can be used to override the default behavior, which checks that the DC, O, and OU attributes of the connecting certificate match those of the server's own member certificate.

Description of Linked Ticket

Today, servers determine whether a connecting client is a peer server node via either keyfile authentication or X.509. If X.509 authentication is enabled on the server and the connecting client's certificate has a subject DN with the same O, OU, and DC attributes as the server's certificate, the connecting client is treated as a peer server node.

In an effort to make this more customizable, we will add a configuration file option that will take priority over this default policy. The option will specify a set of subject name DN attributes and values that the server will check for in the connecting client's certificate. If they match, then the client will be treated as a peer server node.
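The two policies described above (the default O/OU/DC equality check and the configured-attributes override that takes priority over it), modelled as an added Python example. This is illustration code, not MongoDB's implementation: the DN strings are constructed, the exact value syntax of net.tls.clusterAuthX509.attributes is assumed to be a DN-style "attr=value,..." string (the page does not specify it), and the refusal to treat a member certificate carrying none of DC/O/OU as a valid comparison baseline is this example's own safety choice.

```python
"""Peer-membership check modelled on the default and override policies.

Added illustration only; not MongoDB's implementation. It models:
  * the default policy: the connecting certificate's O, OU and DC attributes
    must equal those of the server's own member certificate, and
  * the net.tls.clusterAuthX509.attributes override: the connecting
    certificate must contain every configured attribute/value pair.
DN strings and the attribute-string value syntax are constructed/assumed.
"""
import re
from typing import Dict, List, Optional

# Attributes compared by the default policy (from the ticket description).
DEFAULT_MATCH_ATTRS = ("DC", "O", "OU")


def _split_unescaped(s: str, sep: str, maxsplit: int = -1) -> List[str]:
    """Split on `sep` except where it is backslash-escaped (RFC 4514 style)."""
    out, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):      # keep the escape pair intact
            buf.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep and (maxsplit < 0 or len(out) < maxsplit):
            out.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    out.append("".join(buf))
    return out


def parse_dn(dn: str) -> Dict[str, List[str]]:
    """Parse 'CN=a,OU=b,DC=c,DC=d' into {'CN': ['a'], 'OU': ['b'], 'DC': ['c', 'd']}.

    Attribute types are case-insensitive (upper-cased); values keep their case.
    A list is kept per type because DC and OU legitimately repeat.
    """
    attrs: Dict[str, List[str]] = {}
    for rdn in _split_unescaped(dn, ","):
        rdn = rdn.strip()
        if not rdn:
            continue
        kv = _split_unescaped(rdn, "=", maxsplit=1)
        if len(kv) != 2 or not kv[0].strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        value = re.sub(r"\\(.)", r"\1", kv[1].strip())   # drop escape backslashes
        attrs.setdefault(kv[0].strip().upper(), []).append(value)
    return attrs


def is_peer_default(server_member_dn: str, client_dn: str) -> bool:
    """Default policy: DC, O and OU must be identical (as multisets) in both certs."""
    server, client = parse_dn(server_member_dn), parse_dn(client_dn)
    # Example's own safety choice (assumption): a member cert carrying none of
    # the three attributes would otherwise match any client that also lacks them.
    if not any(a in server for a in DEFAULT_MATCH_ATTRS):
        return False
    return all(sorted(server.get(a, [])) == sorted(client.get(a, []))
               for a in DEFAULT_MATCH_ATTRS)


def is_peer_by_attributes(required_attrs: str, client_dn: str) -> bool:
    """Override policy: every configured attribute/value pair must be present."""
    required, client = parse_dn(required_attrs), parse_dn(client_dn)
    if not required:
        raise ValueError("clusterAuthX509.attributes must not be empty")
    return all(v in client.get(a, []) for a, vals in required.items() for v in vals)


def is_peer(server_member_dn: str, client_dn: str,
            cluster_auth_x509_attributes: Optional[str] = None) -> bool:
    """Apply the configured override if set; otherwise fall back to the default."""
    if cluster_auth_x509_attributes is not None:
        return is_peer_by_attributes(cluster_auth_x509_attributes, client_dn)
    return is_peer_default(server_member_dn, client_dn)


# Constructed sample subjects (not real certificates).
SERVER_DN = "CN=mongod-1.example.net,OU=MongoDB Server,O=Example Corp,DC=example,DC=net"
PEER_DN = "CN=mongod-2.example.net,OU=MongoDB Server,O=Example Corp,DC=example,DC=net"
PEER_OTHER_DC = "CN=mongod-9.example.org,OU=MongoDB Server,O=Example Corp,DC=example,DC=org"
APP_CLIENT_DN = "CN=app-user,OU=Applications,O=Example Corp,DC=example,DC=net"
ESCAPED_O_DN = "CN=mongod-3,OU=MongoDB Server,O=Example\\, Corp,DC=example,DC=net"
# Assumed value syntax for net.tls.clusterAuthX509.attributes: a DN-style string.
CONFIGURED_ATTRS = "O=Example Corp,OU=MongoDB Server"

if __name__ == "__main__":
    for name, dn in [("peer", PEER_DN), ("peer-other-dc", PEER_OTHER_DC),
                     ("app-client", APP_CLIENT_DN), ("escaped-O", ESCAPED_O_DN)]:
        print(f"{name:14} default={is_peer(SERVER_DN, dn)!s:5} "
              f"configured={is_peer(SERVER_DN, dn, CONFIGURED_ATTRS)}")
```

The sample run shows why the option matters: a member certificate issued under a different DC (PEER_OTHER_DC) fails the default policy but passes once the configured attributes name only O and OU, while an application client that shares O and DC but sits in a different OU is rejected under both policies. The escaped-comma case shows that matching must be done on parsed attribute values, not on the raw subject string.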



Comments
Comment by Kenneth Dyer [ 29/Jun/23 ]

DOCSP-28315

Comment by Sarah Olson [ 04/Apr/23 ]

kenneth.dyer@mongodb.com, this is part of one of the tickets you picked up during quarterly planning. I will triage this to backlog but feel free to assign it to yourself if you like.

Generated at Thu Feb 08 08:14:22 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.