[SERVER-7336] SSL Password should not be in clear text in the MongoDB configuration file, i.e. after sslPEMKeyPassword

Created: 12/Oct/12 | Updated: 12/Feb/18 | Resolved: 17/Sep/13

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 2.2.0 |
| Fix Version/s: | None |
| Type: | Improvement |
| Priority: | Major - P3 |
| Reporter: | Simon Harvey |
| Assignee: | Andy Schwerin |
| Resolution: | Done |
| Votes: | 1 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Environment: | SSL, RHEL 6.2 |
| Comments |

| Comment by Andy Schwerin [ 17/Sep/13 ] |

I believe correct behavior is to remove the password encryption from the SSL key in these cases, rather than scrambling the password stored in the configuration file. Feel free to reopen if you disagree.
| Comment by Mark porter [ 01/Nov/12 ] |

Hi Simon, I am closing this ticket as it's fixed by If you have any further questions or issues, please let us know.

Thanks,
Mark
| Comment by Mark porter [ 16/Oct/12 ] |

Simon, one possible solution here is to use the key management system provided by our partner Gazzang. With the Gazzang technology, you can protect the contents of your mongod config file. My understanding of your requirement is that you want:

At present, the password has to be stored in cleartext in the mongodb.conf file so "mongod" can read it on start-up and decrypt the pem file. Gazzang is really just a key management system on top of the open source ncryptfs (or is it ecryptfs on RHEL). You simply have to store your config file in the encrypted file system and grant mongod permission to decrypt that filesystem. Let me know if you have further questions or suggestions.

Mark
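As an added example that is not part of this ticket and not MongoDB's own tooling, the POSIX shell audit below checks a mongod config file for the two things the discussion turns on: a key passphrase directive stored in cleartext (the legacy `sslPEMKeyPassword` named in the title, plus the YAML `PEMKeyPassword` and `certificateKeyFilePassword` forms used by later releases, which the ticket does not mention) and a config file that users other than its owner can read. The sample configs it writes are constructed, and the function names are the example's own.

```shell
#!/bin/sh
# Added audit example (not from the ticket or from MongoDB). Flags a mongod
# config that carries a cleartext PEM key passphrase, and a config file that
# group or other users can read. All sample configs below are constructed.

# audit_mongod_conf FILE
# Prints one "FINDING: ..." line per problem. Returns 0 when clean, 1 otherwise.
audit_mongod_conf() {
    conf="$1"
    findings=0

    # 1. Passphrase directive in the config. Legacy ini style is
    #    "sslPEMKeyPassword = ..."; YAML style is "PEMKeyPassword:" (net.ssl)
    #    or "certificateKeyFilePassword:" (net.tls). Each stores the secret
    #    on disk in cleartext next to the key it is meant to protect.
    if grep -qE '^[[:space:]]*(sslPEMKeyPassword|PEMKeyPassword|certificateKeyFilePassword)[[:space:]]*[:=]' "$conf"; then
        echo "FINDING: cleartext PEM key passphrase directive in $conf"
        findings=$((findings + 1))
    fi

    # 2. File mode. Anyone who can read the config can read the passphrase,
    #    so a group or other read bit is a finding regardless of content.
    perms=$(ls -ld "$conf" | cut -c1-10)   # e.g. -rw-r--r--
    case "$perms" in
        ????r*|???????r*)
            echo "FINDING: $conf is readable by group or other ($perms)"
            findings=$((findings + 1))
            ;;
    esac

    [ "$findings" -eq 0 ]
}

# write_weak_conf FILE: the situation the ticket describes, passphrase in the
# clear in an ini-style config that is world readable.
write_weak_conf() {
    cat > "$1" <<'EOF'
# constructed sample, legacy ini-style mongod.conf
sslOnNormalPorts = true
sslPEMKeyFile = /etc/ssl/mongodb.pem
sslPEMKeyPassword = hunter2
EOF
    chmod 644 "$1"
}

# write_weak_yaml_conf FILE: same problem in the YAML config format; the file
# mode is fine here, so only the directive is flagged.
write_weak_yaml_conf() {
    cat > "$1" <<'EOF'
# constructed sample, YAML-style mongod.conf
net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongodb.pem
    PEMKeyPassword: hunter2
EOF
    chmod 600 "$1"
}

# write_hardened_conf FILE: the resolution from the ticket. The passphrase is
# removed from the key itself (openssl rsa -in enc.key -out plain.key, then
# rebuild the PEM from certificate plus plain key), so no passphrase directive
# is needed, and the config is readable only by its owner.
write_hardened_conf() {
    cat > "$1" <<'EOF'
# constructed sample, legacy ini-style mongod.conf
sslOnNormalPorts = true
sslPEMKeyFile = /etc/ssl/mongodb.pem
EOF
    chmod 600 "$1"
}

# Demo: run the audit over the constructed configs.
demo_dir=$(mktemp -d)
write_weak_conf "$demo_dir/weak.conf"
write_weak_yaml_conf "$demo_dir/weak-yaml.conf"
write_hardened_conf "$demo_dir/hardened.conf"
for f in "$demo_dir/weak.conf" "$demo_dir/weak-yaml.conf" "$demo_dir/hardened.conf"; do
    if audit_mongod_conf "$f"; then
        echo "OK: $f"
    fi
done
rm -rf "$demo_dir"
```

The hardened config follows Andy Schwerin's resolution: once the key file carries no passphrase, there is nothing to put in the config, and protection of the key and the config reduces to ownership (the mongod service user) and mode 600 on both files. The encrypted-filesystem approach in Mark's comment covers the at-rest case, but once the filesystem is mounted for mongod the config is an ordinary readable file again, so the read-permission check above still applies.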