[SERVER-7336] SSL Password should not be in clear text in the MongoDB configuration file, i.e. after sslPEMKeyPassword
Created: 12/Oct/12  Updated: 12/Feb/18  Resolved: 17/Sep/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.2.0
Fix Version/s: None

Type: Improvement
Priority: Major - P3
Reporter: Simon Harvey
Assignee: Andy Schwerin
Resolution: Done
Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: SSL, RHEL 6.2


Issue Links:
Depends
depends on SERVER-7332 Separate command line processing from... Closed
is depended on by DOCS-1943 Document: SSL Password should not be ... Closed

 Comments   
Comment by Andy Schwerin [ 17/Sep/13 ]

I believe correct behavior is to remove the password encryption from the SSL key in these cases, rather than scrambling the password stored in the configuration file. Feel free to reopen if you disagree.

Comment by Mark porter [ 01/Nov/12 ]

Hi Simon,

I am closing this ticket as it's fixed by SERVER-7332.

If you have any further questions or issues, please let us know.

Thanks

Mark

Comment by Mark porter [ 16/Oct/12 ]

Simon,

One possible solution here is to use the key management system provided by our partner Gazzang. With the Gazzang technology, you can protect the contents of your mongod config file.

My understanding of your requirement is that you want:

  • to protect your private key with a password (i.e. encryption). This password is essentially the key to the private key and so it in turn needs to be protected.
  • to start "mongod" in an automated fashion.

At present, the password has to be stored in cleartext in the mongodb.conf file so "mongod" can read it on start-up and decrypt the pem file.

Gazzang is really just a key management system on top of the open source ncryptfs (or is it ecryptfs on RHEL). You simply have to store your config file in the encrypted file system and grant mongod permission to decrypt that filesystem.

Let me know if you have further questions or suggestions.

Mark
