[SERVER-74996] Add override server parameter for X.509 subject name matching and extension value Created: 17/Mar/23  Updated: 29/Oct/23  Resolved: 10/Apr/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 7.0.0-rc0

Type: Task Priority: Major - P3
Reporter: Varun Ravichandran Assignee: Varun Ravichandran
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Documented
is documented by DOCS-16024 Investigate changes in SERVER-74996: ... Closed
Related
related to SERVER-74791 Add override server parameter for X.5... Closed
Backwards Compatibility: Fully Compatible
Sprint: Security 2023-04-03, Security 2023-04-17
Participants:

Description

SERVER-74989 introduces a new configuration option that can be used for X.509 subject name DN matching. However, if customers later rotate to new certificates whose subject names carry different attribute values, the old configuration option value will cause intracluster authentication failures against the new certificates.

To make this resolvable via rolling restarts, this ticket introduces a new server parameter that overrides the configuration option. While the override is set, a peer certificate matching either the old or the new subject name criteria is accepted, so certificates can be rotated with a rolling restart. The full sequence of steps is described below:

  1. Start with some custom attributes/values for the subject name in the config option.
  2. Change the config option to the new set of attributes and values, and set the override server parameter to the old set of attributes and values.
  3. Rolling restart. The servers are now able to accept nodes as peers matching either set of subject name attribute+value pairs.
  4. Change certificates, which should match the new criteria specified in the config.
  5. Rolling restart. Once complete, all servers present certificates matching the new criteria in the config.
  6. Remove the override. All server nodes now have the new certificate and no longer need to accept certificates matching the initial criteria.

This ticket will also add a test that mocks the above procedure to validate its usability.
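As an added illustration (not the ticket's or MongoDB's code), the following Python model shows the accept-either-criteria rule and walks the six-step rotation above, including the failure that occurs if the override is skipped. The subject-name string format, the `clusterAuthX509` config key and the override value format are assumptions; only the parameter name `tlsClusterAuthX509Override` comes from the commit message on this page.

```python
# Constructed model of configurable X.509 cluster-auth subject matching with an
# override. A subject name is a dict of attribute -> value pairs (simplified RDN
# set); matching criteria use the same shape. Config key names are assumed.

def parse_dn(dn: str) -> dict:
    """Parse 'OU=cluster,O=Example' into {'OU': 'cluster', 'O': 'Example'}."""
    pairs = (part.split("=", 1) for part in dn.split(",") if part.strip())
    return {k.strip(): v.strip() for k, v in pairs}

def matches(subject: dict, criteria: dict) -> bool:
    """Every attribute/value pair in the criteria must appear in the subject."""
    return all(subject.get(k) == v for k, v in criteria.items())

def accept_peer(node_cfg: dict, peer_subject: str) -> bool:
    """Accept a peer if its subject matches the config criteria OR the override."""
    subject = parse_dn(peer_subject)
    criteria = [parse_dn(node_cfg["clusterAuthX509"])]
    if node_cfg.get("tlsClusterAuthX509Override"):  # name from the commit message
        criteria.append(parse_dn(node_cfg["tlsClusterAuthX509Override"]))
    return any(matches(subject, c) for c in criteria)

def cluster_all_accept(nodes: list) -> bool:
    """True when every node accepts every other node's presented certificate."""
    return all(accept_peer(a["cfg"], b["cert"]) for a in nodes for b in nodes if a is not b)

OLD, NEW = "OU=cluster-v1,O=Example", "OU=cluster-v2,O=Example"  # constructed

def rolling_rotation_ok() -> bool:
    """Steps 1-6 of the ticket; cluster auth must hold after every single-node change."""
    nodes = [{"cfg": {"clusterAuthX509": OLD}, "cert": OLD} for _ in range(3)]  # step 1
    ok = cluster_all_accept(nodes)
    for n in nodes:  # steps 2-3: new criteria, override = old criteria, one node at a time
        n["cfg"] = {"clusterAuthX509": NEW, "tlsClusterAuthX509Override": OLD}
        ok &= cluster_all_accept(nodes)
    for n in nodes:  # steps 4-5: swap certificates to match the new criteria
        n["cert"] = NEW
        ok &= cluster_all_accept(nodes)
    for n in nodes:  # step 6: drop the override; only NEW is accepted from now on
        n["cfg"] = {"clusterAuthX509": NEW}
        ok &= cluster_all_accept(nodes)
    return ok

def without_override_breaks() -> bool:
    """Changing criteria without the override: the first restarted node rejects its peers."""
    nodes = [{"cfg": {"clusterAuthX509": OLD}, "cert": OLD} for _ in range(3)]
    nodes[0]["cfg"] = {"clusterAuthX509": NEW}  # new criteria, no override, old certs
    return not cluster_all_accept(nodes)
```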


Comments
Comment by Githook User [ 07/Apr/23 ]

Author:

{'name': 'Varun Ravichandran', 'email': 'varun.ravichandran@mongodb.com', 'username': 'varunravi98'}

Message: SERVER-74996: Add tlsClusterAuthX509Override server parameter, rolling restart testing, and enable featureFlagConfigurableX509ClusterAuthn
Branch: master
https://github.com/mongodb/mongo/commit/eb60f6c497e3ca0699c053ba34a650173e2bae20

Generated at Thu Feb 08 06:29:04 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.