<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 05:47:09 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-59402] Avoid silent failure if Replica Set member&apos;s X.509 certificate does not contain `O` / `OU` or `DC` attributes</title>
                <link>https://jira.mongodb.org/browse/SERVER-59402</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;p&gt;&lt;b&gt;Issue,&lt;/b&gt;&lt;br/&gt;
Replica Set members are disconnected from each other as soon as all members of a Replica Set are restarted with &lt;tt&gt;`clusterAuthMode: sendX509`&lt;/tt&gt; or &lt;tt&gt;`clusterAuthMode: X509`&lt;/tt&gt; parameters and a member&apos;s X.509 certificate does not contain &lt;tt&gt;`O`&lt;/tt&gt; / &lt;tt&gt;`OU`&lt;/tt&gt; or &lt;tt&gt;`DC`&lt;/tt&gt; attributes.&lt;/p&gt;

&lt;p&gt;All Replica Set members report &lt;tt&gt;`&quot;stateStr&quot; : &quot;(not reachable/healthy)&quot;`&lt;/tt&gt; and &lt;tt&gt;`&quot;lastHeartbeatMessage&quot; : &quot;x.509 authentication is disabled.&quot;`&lt;/tt&gt; messages in &lt;tt&gt;`rs.status()`&lt;/tt&gt;.&lt;/p&gt;

&lt;p&gt;For Ops Manager Automation this will mean that it can&apos;t continue managing such a MongoDB Server deployment (as it can&apos;t connect to that MongoDB Server deployment, just as all Replica Set members can&apos;t connect to each other).&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Troubleshooting / Findings,&lt;/b&gt;&lt;br/&gt;
We have very specific requirements for a member&apos;s X.509 certificate: it should contain &lt;tt&gt;`O`&lt;/tt&gt; / &lt;tt&gt;`OU`&lt;/tt&gt; or &lt;tt&gt;`DC`&lt;/tt&gt; attributes,&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;&lt;a href=&quot;https://docs.mongodb.com/v4.4/tutorial/configure-x509-member-authentication/#:~:text=the%20distinguished%20name%20(dn)%2C%20found%20in%20the%20member%20certificate&amp;#39;s%20subject%2C%20must%20specify%20a%20non-empty%20value%20for%20at%20least%20one%20of%20the%20following%20attributes%3A%20organization%20(o)%2C%20the%20organizational%20unit%20(ou)%20or%20the%20domain%20component%20(dc)&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;The Distinguished Name (DN), found in the member certificate&apos;s subject, must specify a non-empty value for at least one of the following attributes: Organization (O), the Organizational Unit (OU) or the Domain Component (DC)&lt;/a&gt;&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;However, if a member&apos;s X.509 certificate is not correct (doesn&apos;t have &lt;tt&gt;`O`&lt;/tt&gt; / &lt;tt&gt;`OU`&lt;/tt&gt; or &lt;tt&gt;`DC`&lt;/tt&gt; attributes in it) then such a MongoDB Server process will fail silently and will NOT produce any log saying that the Replica Set member&apos;s X.509 certificate is not correct.&lt;/p&gt;

&lt;p&gt;The MongoDB Server process will also produce a misleading &lt;tt&gt;`x.509 authentication is disabled`&lt;/tt&gt; error once a Replica Set member tries to connect to it (X.509 authentication is actually enabled; it is just that the member&apos;s X.509 certificate is incorrect).&lt;/p&gt;

&lt;p&gt;&lt;b&gt;What we need from this SERVER ticket,&lt;/b&gt;&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;Let&apos;s raise a clear error about missing &lt;tt&gt;`O`&lt;/tt&gt; / &lt;tt&gt;`OU`&lt;/tt&gt; or &lt;tt&gt;`DC`&lt;/tt&gt; attributes on MongoDB Server process startup if it is started with &lt;tt&gt;`clusterAuthMode: sendX509`&lt;/tt&gt; or &lt;tt&gt;`clusterAuthMode: X509`&lt;/tt&gt; parameters.&lt;/li&gt;
	&lt;li&gt;Or, perhaps it would be even better to log a clear error AND NOT start a MongoDB Server process configured with &lt;tt&gt;`clusterAuthMode: sendX509`&lt;/tt&gt; or &lt;tt&gt;`clusterAuthMode: X509`&lt;/tt&gt; parameters if the member&apos;s X.509 certificate does not contain &lt;tt&gt;`O`&lt;/tt&gt; / &lt;tt&gt;`OU`&lt;/tt&gt; or &lt;tt&gt;`DC`&lt;/tt&gt; attributes?
	&lt;ul&gt;
		&lt;li&gt;The idea is to indicate to the user/automation that this MongoDB Server process is not functional for a Replica Set (as it will be disconnected from each Replica Set member), so the user/automation can see the issue quicker and hence will act on it quicker (as of now it is very hard to spot the issue with missing &lt;tt&gt;`O`&lt;/tt&gt; / &lt;tt&gt;`OU`&lt;/tt&gt; or &lt;tt&gt;`DC`&lt;/tt&gt; attributes in a member&apos;s X.509 certificate).&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;Thanks in advance,&lt;br/&gt;
Alexey&lt;/p&gt;</description>
                <environment></environment>
        <key id="1852982">SERVER-59402</key>
            <summary>Avoid silent failure if Replica Set member&apos;s X.509 certificate does not contain `O` / `OU` or `DC` attributes</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="10033" iconUrl="https://jira.mongodb.org/images/icons/statuses/information.png" description="Status for tickets that need to be escalated and unblocked on our team.">Blocked</status>
                    <statusCategory id="4" key="indeterminate" colorName="inprogress"/>
                                    <resolution id="-1">Unresolved</resolution>
                                        <assignee username="backlog-server-security">Backlog - Security Team</assignee>
                                    <reporter username="alexey.matyushin@mongodb.com">Alexey Matyushin</reporter>
                        <labels>
                    </labels>
                <created>Tue, 17 Aug 2021 08:52:46 +0000</created>
                <updated>Tue, 6 Dec 2022 01:00:26 +0000</updated>
                                                                                                <votes>0</votes>
                                    <watches>4</watches>
                                                                                                                    <issuelinks>
                            <issuelinktype id="10011">
                    <name>Depends</name>
                                            <outwardlinks description="depends on">
                                                        </outwardlinks>
                                                        </issuelinktype>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                                        </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18555" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname># of Sprints</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1.0</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_12751" key="com.atlassian.jira.plugin.system.customfieldtypes:multiselect">
                        <customfieldname>Assigned Teams</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="25129"><![CDATA[Server Security]]></customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_13552" key="com.go2group.jira.plugin.crm:crm_generic_field">
                        <customfieldname>Case</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[[5002K00000xkWRXQA2]]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Fri, 29 Apr 2022 19:16:54 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        2 years, 25 weeks, 1 day ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[<a href='https://jira.mongodb.org/browse/PM-2718'>PM-2718</a>]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>alexander.golin@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            2 years, 25 weeks, 1 day ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                    <customfield id="customfield_10032" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Operating System</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10026"><![CDATA[ALL]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>alexey.matyushin@mongodb.com</customfieldvalue>
            <customfieldvalue>backlog-server-security</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hzy0pj:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|i0c1ri:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                <customfield id="customfield_10557" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="5990">Security 2022-05-02</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hzxmyf:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>