How to configure keyfile based authentication to existing MongoDB Replica sets ?

In this article , we will see how we can configure keyfile based internode authentication to existing Mongodb replica sets using Mongodb 5.0 Enterprise server on CentOS 7 . 

OS Platform       : REDHAT/CENTOS 7 Linux

Software             : Mongodb 5.0 Enterprise Server

NOTE:

• This article is continuation of previous article How to deploy Mongodb replica set on Linux ?. If you have not deployed replica set. Kindly deploy it.

• Please note this configuration method requires downtime to deploy. In upcoming article we will see how we can achieve the same without downtime.

• As part of this demo, we are assuming that you have already installed Mongodb 5.0 Enterprise server, if not kindly check How to install Mongodb on Redhat\Centos Linux using Tarball .tgz?  to get it installed.

• Be aware the steps which is articulated in theis article is intended to demonstrate how to configure keyfile based authentication in existing mongodb replica set which requires downtime .   It's not intended to use it in Production environment.

Prerequisites:

 To complete this demo, we need 3 centos servers as we are going to configure 3 member replica sets 1 will be primary and other 2 servers will act as a secondary servers which was deployed already in the article How to deploy Mongodb replica set on Linux ?. 

Server name	IP Address	Role
mongodb1	192.168.1.200	Primary
mongodb2	192.168.1.201	Secondary
mongodb3	192.168.1.202	Secondary

Step 1: Generate Key File

•  With Key file based authentication, each member mongod instances use the contents of key file as a shared password and authenticates with other members which are part of the replica sets.

• Only members which have the same keyfile can authenticate and be part of the replica sets. 

• We are going to generate a keyfile from mongodb1 server using openssl utility. 

openssl rand -base64 756 > <path-to-keyfile>

chmod 400 <path-to-keyfile>

Step 2: Copy keyfile to each member of the replica sets

scp mongod.key mongod@mongodb2:/home/mongod
scp mongod.key mongod@mongodb3:/home/mongod

Step 3: Shutdown each member of the replica sets

• Connect to each member of the replica set starting from the secondary nodes till primary and shutdown the mongod server.

use admin
db.shutdownServer()

Node 3: Secondary mongodb3

Node 2: Secondary mongodb2

Node 1: Primary mongodb1

Step 4: Restart each member of the replica set with keyfile and authentication enforced.

• Update the mongod.conf file with authentication enabled and keyfile location

Node 1 ::  mongodb1

vi /etc/mongod.conf

systemLog:
   destination: file
   path: "/var/log/mongodb/mongod.log"
   logAppend: true
storage:
   journal:
      enabled: true
storage:
   dbPath: /var/lib/mongo
processManagement:
   fork: true
net:
   bindIp: 127.0.0.1,mongodb1
   port: 27017
security:
   authorization: enabled  #enable authentication
   keyFile: /home/mongod/mongod.key #key file location
replication:
  replSetName: "myreplica"

Node 2 ::  mongodb2

vi /etc/mongod.conf

systemLog:
   destination: file
   path: "/var/log/mongodb/mongod.log"
   logAppend: true
storage:
   journal:
      enabled: true
storage:
   dbPath: /var/lib/mongo
processManagement:
   fork: true
net:
   bindIp: 127.0.0.1,mongodb2
   port: 27017
security:
   authorization: enabled  #enable authentication
   keyFile: /home/mongod/mongod.key #key file location
replication:
  replSetName: "myreplica"

Node 3 ::  mongodb3

vi /etc/mongod.conf

systemLog:
   destination: file
   path: "/var/log/mongodb/mongod.log"
   logAppend: true
storage:
   journal:
      enabled: true
storage:
   dbPath: /var/lib/mongo
processManagement:
   fork: true
net:
   bindIp: 127.0.0.1,mongodb3
   port: 27017
security:
   authorization: enabled  #enable authentication
   keyFile: /home/mongod/mongod.key #key file location
replication:
  replSetName: "myreplica"

• Start the mongod instance on all 3 nodes with  the changes in place

[mongod@mongodb1 ~]$ mongod -f /etc/mongod.conf

[mongod@mongodb2 ~]$ mongod -f /etc/mongod.conf

[mongod@mongodb3 ~]$ mongod -f /etc/mongod.conf

Step 5: Connect to the primary node and create User Administrator

• Next step is to create an user administrator or a user which contain minimum user admin role. This is because we have enabled the authentication and as per local host exception, mongodb allows you to create first user with user admin role without authentication. 
• After that you won't be allowed to perform any operation without authentication.

admin = db.getSiblingDB("admin")
admin.createUser(
  {
    user: "userdba",
    pwd: passwordPrompt(),
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)

Step 6: Connect to the primary and secondary nodes as user admin and validate

mongosh --host mongodb1 -u "userdba" -p  --authenticationDatabase "admin"

Wrapping Up:

• Thus we have reached the end of this article. Please be noted configuring keyfile based authentication is a bare minimum form of security.

• In kind of production deployments, MongoDB recommends to use x.509 certificates for internal member authentication. In our coming series of article we will see how we can achieve the mongodb keyfile based internode authentication and x.509 based authentication.

• As highlighted from the beginning of this article. This method of configuring keyfile based authentication requires downtime. In case of no minimal downtime system, Kindly refer this article How to configure keyfile based authentication to existing MongoDB Replica sets without Downtime?

Hope you liked the content 😄

Please provide your collaborative ideas, suggestions and valuable feedback’s.

Keep Learning ! Keep Sharing!