Month: April 2017

Sitecore – MongoDB Enable Secure Configuration Options “logAppend”


This is a very short post that covers how to enable logAppend for your MongoDB replica set, as part of the MongoDB Hardening series.

To enable logAppend:

  • Open the Y:\mongodb\mongod.cfg file
  • Add ‘logAppend: true’ under systemLog, after the ‘path’ entry
    • By default, if this is not included in your configuration, the value is false. When true, mongos or mongod appends new entries to the end of the existing log file when the instance restarts. Without this option, mongod will back up the existing log and create a new file.

  • Restart the MongoDB service

net stop MongoDB

net start MongoDB

  • Repeat the steps for Secondary & Arbiter servers.

To enable the authentication options, please see the links below.


MongoDB – Sitecore Configuration Encryption (Connectionstrings.config)


This post aims to help you harden your configuration, mainly your connectionstrings.config, but it also applies to any other configuration file that holds application credentials, usernames, passwords, secret keys or other confidential information.

Before proceeding, ensure that you have finished one of the following posts in the MongoDB hardening series.

  1. How to create and configure authentication to a MongoDB standalone replica set.
  2. How to enable internal authentication for your MongoDB replica set and disable bypass authentication via localhost exception.

We will use the MongoDB user account created in the previous post to authenticate to the collection databases: analytics, tracking_live, tracking_history and tracking_contact.

This post covers both a standalone replica set and a replica set with dedicated servers:

  • For SIT, a standalone replica set (1 server)
  • For UAT & PROD, a replica set with dedicated servers for its members (3 servers)

Update Connectionstrings.config

Let’s get started. Open your connectionstrings.config; in this case it is located in the D:\Instances\mongodb-series\Website\App_Config folder.

For SIT:

From:

Replace the MONGODB_SERVER_IP_ADDRESS placeholder with your MongoDB server IP address.

<add name="analytics" connectionString="mongodb://MONGODB_SERVER_IP_ADDRESS:27017/analytics" />

<add name="tracking.live" connectionString="mongodb://MONGODB_SERVER_IP_ADDRESS:27017/tracking_live" />

<add name="tracking.history" connectionString="mongodb://MONGODB_SERVER_IP_ADDRESS:27017/tracking_history" />

<add name="tracking.contact" connectionString="mongodb://MONGODB_SERVER_IP_ADDRESS:27017/tracking_contact" />

To:

<add name="analytics" connectionString="mongodb://scdbreadwrite:abcd4321@MONGODB_SERVER_IP_ADDRESS:27017/analytics" />

<add name="tracking.live" connectionString="mongodb://scdbreadwrite:abcd4321@MONGODB_SERVER_IP_ADDRESS:27017/tracking_live" />

<add name="tracking.history" connectionString="mongodb://scdbreadwrite:abcd4321@MONGODB_SERVER_IP_ADDRESS:27017/tracking_history" />

<add name="tracking.contact" connectionString="mongodb://scdbreadwrite:abcd4321@MONGODB_SERVER_IP_ADDRESS:27017/tracking_contact" />

Note: Please ensure that you update the host name, username (scdbreadwrite) and password (abcd4321) for every environment.

Important: In a CD environment, only the analytics, tracking_live and tracking_contact collection databases are present in connectionstrings.config.

For UAT & PROD:

From:

Replace the MONGODB_SERVER_IP_ADDRESS placeholder with your MongoDB server IP address.

<add name="analytics" connectionString="mongodb://MONGODB_SERVER_IP_ADDRESS:27017/analytics" />

<add name="tracking.live" connectionString="mongodb://MONGODB_SERVER_IP_ADDRESS:27017/tracking_live" />

<add name="tracking.history" connectionString="mongodb://MONGODB_SERVER_IP_ADDRESS:27017/tracking_history" />

<add name="tracking.contact" connectionString="mongodb://MONGODB_SERVER_IP_ADDRESS:27017/tracking_contact" />

To:

<add name="analytics" connectionString="mongodb://USERNAME:PASSWORD@MONGODB_PRIMARY_SERVER_IP_ADDRESS:27017,MONGODB_SECONDARY_SERVER_IP_ADDRESS:27017/analytics?connect=replicaset&amp;replicaSet=rs0&amp;readPreference=primaryPreferred"/>

<add name="tracking.live" connectionString="mongodb://USERNAME:PASSWORD@MONGODB_PRIMARY_SERVER_IP_ADDRESS:27017,MONGODB_SECONDARY_SERVER_IP_ADDRESS:27017/tracking_live?connect=replicaset&amp;replicaSet=rs0&amp;readPreference=primaryPreferred"/>

<add name="tracking.history" connectionString="mongodb://USERNAME:PASSWORD@MONGODB_PRIMARY_SERVER_IP_ADDRESS:27017,MONGODB_SECONDARY_SERVER_IP_ADDRESS:27017/tracking_history?connect=replicaset&amp;replicaSet=rs0&amp;readPreference=primaryPreferred"/>

<add name="tracking.contact" connectionString="mongodb://USERNAME:PASSWORD@MONGODB_PRIMARY_SERVER_IP_ADDRESS:27017,MONGODB_SECONDARY_SERVER_IP_ADDRESS:27017/tracking_contact?connect=replicaset&amp;replicaSet=rs0&amp;readPreference=primaryPreferred"/>


Note: If your MongoDB servers have DNS aliases, you can use those instead. Please ensure that you update the host names, USERNAME (scdbreadwrite) and PASSWORD (abcd4321) for every environment.

  • Replace MONGODB_PRIMARY_SERVER_IP_ADDRESS with your MongoDB primary server.
  • Replace MONGODB_SECONDARY_SERVER_IP_ADDRESS with your MongoDB secondary server.

Important: In a CD environment, only the analytics, tracking_live and tracking_contact collection databases are present in connectionstrings.config.

Warning: In XML, a bare & is not an acceptable character inside an attribute value, hence we use its encoded form &amp; instead. The readPreference=primaryPreferred parameter reads from the primary under normal circumstances but allows stale reads from secondaries when the primary is unavailable. This provides a “read-only mode” for your application during a failover. Find out more in the MongoDB official documentation.

Encryption

  • Create a file named var.aspx, open it and paste this code inside.

<%@ Page Language="C#" %>
<%
    // Dump every IIS server variable; INSTANCE_META_PATH carries the site id
    foreach (string var in Request.ServerVariables)
    {
        Response.Write(var + " " + Request[var] + "<br/>");
    }
%>

  • Drop var.aspx in your website root so it can be accessed like this: http://YOUR_WEBSITE/var.aspx
  • Once the page is rendered, look for INSTANCE_META_PATH, whose value looks like /LM/W3SVC/2.
    • Remember the integer, in this case 2. This integer represents the IIS website id. Delete var.aspx as soon as you have it, since the page dumps every server variable to anyone who can request it.
  • Open the Windows command prompt as administrator.
  • Change the site id “2” in the command below to your application’s IIS site id, paste it into the command prompt and hit enter.
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis -pe "connectionStrings" -site "2" -app "/"  -prov "RsaProtectedConfigurationProvider"

Note: You will get a message confirming that the encryption succeeded.

  • To verify, open connectionstrings.config; the connectionStrings section will now hold an EncryptedData element instead of the plaintext entries.

  • For testing purposes, you can decrypt it with this command.
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis -pd "connectionStrings" -site "2" -app "/"

To learn more about encryption, see the official documentation.
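A small audit script for the two changes above (the authenticated connection strings, and the encrypted section that aspnet_regiis leaves behind), written as an added example that is neither the blog's nor Sitecore's code; the config fragments inside it are constructed samples using the placeholder host names from this post.

```python
"""Audit the MongoDB entries of a Sitecore connectionstrings.config (added example).

For each mongodb:// connection string it checks that credentials are present
(the hardened "To:" form) and that a replica-set URI names its replicaSet and a
readPreference; it also recognises a section already encrypted by aspnet_regiis.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the SIT "From:" form (no credentials) next to the UAT/PROD
# "To:" form. The XML is parsed as written, so a bare "&" would be a parse error.
SAMPLE_PLAINTEXT = """<connectionStrings>
  <add name="analytics" connectionString="mongodb://MONGODB_SERVER_IP_ADDRESS:27017/analytics" />
  <add name="tracking.live" connectionString="mongodb://USERNAME:PASSWORD@MONGODB_PRIMARY_SERVER_IP_ADDRESS:27017,MONGODB_SECONDARY_SERVER_IP_ADDRESS:27017/tracking_live?connect=replicaset&amp;replicaSet=rs0&amp;readPreference=primaryPreferred" />
  <add name="core" connectionString="Data Source=SQL_PLACEHOLDER;Database=Sitecore_Core;Integrated Security=true" />
</connectionStrings>"""

# Constructed sample of the shape aspnet_regiis -pe leaves behind (ciphertext shortened).
SAMPLE_ENCRYPTED = """<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
    xmlns="http://www.w3.org/2001/04/xmlenc#">
    <CipherData><CipherValue>BASE64_CIPHERTEXT_PLACEHOLDER</CipherValue></CipherData>
  </EncryptedData>
</connectionStrings>"""


def audit_mongo_uri(uri):
    """Return a list of findings for one mongodb:// URI (empty list = looks fine)."""
    findings = []
    parts = urlsplit(uri)
    # urlsplit parses the "user:pass@" part of the netloc into username/password
    if not parts.username or not parts.password:
        findings.append("no credentials: server will be accessed unauthenticated")
    hosts = parts.netloc.rsplit("@", 1)[-1].split(",")
    opts = parse_qs(parts.query)
    if len(hosts) > 1:
        if "replicaSet" not in opts:
            findings.append("multiple hosts but no replicaSet option")
        if "readPreference" not in opts:
            findings.append("no readPreference: no read-only mode during failover")
    return findings


def audit_config(xml_text):
    """Audit a connectionStrings section; returns {"encrypted": bool, "findings": {...}}."""
    root = ET.fromstring(xml_text)
    if root.get("configProtectionProvider"):
        # aspnet_regiis -pe replaces the <add> entries with an <EncryptedData> element
        return {"encrypted": True, "findings": {}}
    findings = {}
    for add in root.findall("add"):
        cs = add.get("connectionString", "")
        if cs.startswith("mongodb://"):      # SQL entries are left alone
            findings[add.get("name")] = audit_mongo_uri(cs)
    return {"encrypted": False, "findings": findings}


def is_well_formed(xml_text):
    """True if the XML parses; a raw '&' in an attribute value makes this False."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False
```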

Marvin

Sitecore – How to enable internal authentication for your MongoDB replica set and disable bypass authentication via localhost exception


In this post, we will tackle how to enable internal authentication for your MongoDB replica set and disable the authentication bypass via the localhost exception, as part of the MongoDB Hardening series. If you only want to enable authentication on a standalone replica set, see Sitecore – How to create and configure authentication to a MongoDB standalone replica set.

Enable Internal Authentication

To enable authentication on a replica set or a sharded cluster, you must enable authentication individually for each member. The instructions below use a keyfile to enable internal authentication. Official documentation here.

Considerations

Enabling internal authentication also enables access control. The following guide assumes that no users have been created in the system before enabling internal authentication, and uses the Localhost Exception to add a user administrator after access control has been enabled.

This article is patterned on the official MongoDB documentation, but is designed to be easy to follow so that you don’t have to read a ton of information to get this working.

  • Download the latest portable openssl build here or use my attached zip file.
  • Extract and deploy it to drive Y or any drive you have.

  • Create a keyfile. In the command prompt, run the commands below.

Y:

cd mongodb

Y:\openssl-0.9.8k_X64\bin\openssl.exe rand -base64 741 > mongodb-keyfile

  • You may delete the portable openssl once the mongodb-keyfile has been generated, as it is no longer needed.
  • Copy the keyfile to the same location on each of the replica set members: the Primary, Secondary and Arbiter servers.

Note: The contents of the keyfile serve as the shared password for the members of the replica set. The content of the keyfile must be the same on all members of the replica set.

  • Update Y:\mongodb\mongod.cfg by adding the following at the bottom of the file. Repeat the process on each member of the replica set: Primary, Secondary and Arbiter.

security:
   keyFile: y:\mongoDB\mongodb-keyfile

  • Test by connecting with the mongo shell to the primary. Run the mongo shell from the same host as the primary.

Create Authentication

Important: This section is almost the same as the one for enabling authentication on a standalone replica set. However, some steps here are specific to a replica set with dedicated servers for its members, so I suggest that you follow these steps.

  • Validate that the MongoDB service is running. You can check by opening services.msc from the Run window (ctrl+r); we will not cover how to set up MongoDB as a Windows service in this article.
  • Open the Windows command prompt (ctrl+r, cmd) as administrator.
  • Run the Mongo shell; in my case, it is located under Y:\mongodb\bin\mongo.exe
  • Create the administrative user. Again, we are running this in a standalone replica set.
    • Note: You will receive “Successfully added user…”. This account will not be used by your Sitecore application; it is only meant for your system administrators.

UserAdminAnyDatabase role

Provides the same access to user administration operations as userAdmin, except it applies to all but the local and config databases in the cluster. The role also provides the following actions on the cluster.

Root role

Provides access to the operations and all the resources of the readWriteAnyDatabase, dbAdminAnyDatabase, userAdminAnyDatabase, clusterAdmin roles, restore, and backup roles combined.

  • To check the newly created admin user, in the command prompt type:

use admin

db.auth('wcmadmin','Pass123#')

db.getUsers()

Note: The admin database is unique in MongoDB. Users with normal access to the admin database have read and write access to all databases.

  • Update Y:\mongodb\mongod.cfg by adding the following at the bottom of the file. Repeat the process on each member of the replica set: first the Primary, then the Secondary, not including the Arbiter.

setParameter:
   enableLocalhostAuthBypass: false

  • Authenticate as admin: open the MongoDB shell (Y:\mongodb\bin\mongo.exe) again.

use admin

db.auth('wcmadmin','Pass123#')

Note: You’ll receive the value 1 when successful.
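To check a member's mongod.cfg and keyfile against the settings applied in this series (logAppend from the earlier post, security.keyFile and enableLocalhostAuthBypass from this one), here is an added example that is not the blog's or MongoDB's own code; the file contents and paths are constructed samples, and the tiny parser only understands the two-level layout shown in these posts.

```python
"""Check a mongod.cfg and a keyfile for the hardening settings in this series (added example).

The cfg parser is deliberately minimal: it understands only the two-level
"section:\\n  key: value" layout used in the posts, so it needs no YAML library.
"""
import re
import secrets
import base64

# Constructed sample mirroring the snippets added to Y:\mongodb\mongod.cfg in this series.
SAMPLE_CFG = """systemLog:
  destination: file
  path: y:\\mongoDB\\log\\mongod.log
  logAppend: true
security:
  keyFile: y:\\mongoDB\\mongodb-keyfile
setParameter:
  enableLocalhostAuthBypass: false
"""

# Rules as (section, key, expected value or None for "just present", why it matters).
EXPECTED = [
    ("systemLog", "logAppend", "true", "log entries are rotated away at every restart otherwise"),
    ("security", "keyFile", None, "members authenticate to each other with the keyfile; it also turns on access control"),
    ("setParameter", "enableLocalhostAuthBypass", "false", "localhost exception would allow unauthenticated local access"),
]


def parse_cfg(text):
    """Parse 'section:\\n  key: value' lines into {section: {key: value}}."""
    cfg, section = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith((" ", "\t")):           # top-level section name
            section = line.rstrip().rstrip(":")
            cfg[section] = {}
        elif section is not None:                      # indented "key: value"
            key, _, value = line.strip().partition(":")
            cfg[section][key.strip()] = value.strip()
    return cfg


def check_cfg(text):
    """Return the list of unmet hardening rules as 'section.key: why' strings."""
    cfg = parse_cfg(text)
    failures = []
    for section, key, expected, why in EXPECTED:
        value = cfg.get(section, {}).get(key)
        if value is None or (expected is not None and value.lower() != expected):
            failures.append(f"{section}.{key}: {why}")
    return failures


def check_keyfile(content):
    """True if content meets mongod's keyfile rule: 6 to 1024 characters from the
    base64 set (whitespace, as emitted by 'openssl rand -base64', is ignored)."""
    body = re.sub(r"\s+", "", content)
    return 6 <= len(body) <= 1024 and re.fullmatch(r"[A-Za-z0-9+/=]+", body) is not None


def make_keyfile():
    """Equivalent of 'openssl rand -base64 741' without openssl: 741 random bytes
    encode to 988 base64 characters, safely under the 1024-character limit."""
    return base64.encodebytes(secrets.token_bytes(741)).decode()
```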

  • Open a mongo shell again and ensure that you are connected to the right replica set, are in the admin database and are authenticated with your admin login (see step #10). Sitecore has four (4) collection databases in Mongo: analytics, tracking_live, tracking_history and tracking_contact. We need to create a user in each of them.

use analytics

db.createUser({user: "scdbreadwrite",pwd: "abcd4321",roles: [ { role: "readWrite", db:"analytics" } ] })

use tracking_live

db.createUser({user: "scdbreadwrite",pwd: "abcd4321",roles: [ { role: "readWrite", db:"tracking_live" } ]  })

use tracking_history

db.createUser({user: "scdbreadwrite",pwd: "abcd4321",roles: [ { role: "readWrite", db:"tracking_history" } ]  })

use tracking_contact

db.createUser({user: "scdbreadwrite",pwd: "abcd4321",roles: [ { role: "readWrite", db:"tracking_contact" } ]  })

Important: Change the username and the password.

Note: Upon completion of each of the above user creations, you will receive a message ‘Successfully added user…’ similar to the screenshot below.

  • To check the created users in the replica set, please use the following.

use analytics

db.getUsers()

use tracking_live

db.getUsers()

use tracking_history

db.getUsers()

use tracking_contact

db.getUsers()

Note: You will see output like this.

Important: Arbiters are mongod instances that are part of a replica set but do not hold data. Arbiters participate in elections in order to break ties. If a replica set has an even number of members, add an arbiter. Official documentation here.

  • Open RoboMongo. If it is not yet installed, you can download the software here. (optional)
  • Once RoboMongo is open, go to File > Connect (ctrl + n), then create a connection. (optional)
    • In the connection tab:
      1. Specify the name that will help you to identify this connection.
      2. Specify the host and port of the MongoDB server; the port is 27017.
    • In the authentication tab:
      1. Check the Perform Authentication checkbox
      2. Database: <collection database>
      3. Username: <scdbreadwrite> or the username you used for MongoDB for your Sitecore application. See steps #10 & #12.
      4. Password: The password
      5. Auth Mechanism: SCRAM-SHA-1 (default from v3.0 onwards)
      6. Click test, click save.
  • Repeat for the four (4) collection databases
    1. analytics
    2. tracking_live
    3. tracking_contact
    4. tracking_history

In the next sections of the MongoDB series, we will cover the

Or, if you are working on a standalone replica set only, check how to enable standalone authentication.

Sitecore – How to create and configure authentication to a MongoDB standalone replica set


In this post, I will focus on the steps to create and configure authentication for a MongoDB standalone replica set.

Before we get started, I assume that you have at least a basic understanding of the following:

  1. Basic understanding of MongoDB and how it works with Sitecore
  2. Literacy with Windows Command Prompt commands
  3. Access to MongoDB
  4. Knowledge of where the MongoDB shell is located on the server
  5. MongoDB version 3.0.0 or higher (tested against 3.20)
  6. Willingness to learn

To give a background on the topic, here’s a piece of information about replication from the MongoDB official site.

A replica set in MongoDB is a group of mongod processes that maintain the same data set. Replica sets provide redundancy and high availability, and are the basis for all production deployments. This section introduces replication in MongoDB as well as the components and architecture of replica sets. The section also provides tutorials for common tasks related to replica sets.

Create Authentication

  • Validate that the MongoDB service is running. You can check by opening services.msc from the Run window (ctrl+r); we will not cover how to set up MongoDB as a Windows service in this article.
  • Open the Windows command prompt (ctrl+r, cmd) as administrator.
  • Run the Mongo shell; in my case, it is located under Y:\mongodb\bin\mongo.exe
  • Create the administrative user. Again, we are running this in a standalone replica set.
    • Note: You will receive “Successfully added user…”. This account will not be used by your Sitecore application; it is only meant for your system administrators.

UserAdminAnyDatabase role

Provides the same access to user administration operations as userAdmin, except it applies to all but the local and config databases in the cluster. The role also provides the following actions on the cluster.

Root role

Provides access to the operations and all the resources of the readWriteAnyDatabase, dbAdminAnyDatabase, userAdminAnyDatabase, clusterAdmin roles, restore, and backup roles combined.

  • To check the newly created admin user, in the command prompt type:

use admin

db.auth('wcmadmin','Pass123#')

db.getUsers()

Note: The admin database is unique in MongoDB. Users with normal access to the admin database have read and write access to all databases.

  • Exit the Mongo shell and delete the MongoDB service. In the command prompt, paste:

net stop MongoDB

sc.exe delete MongoDB

Note: If the deletion fails, make sure that you are running the command prompt as administrator.

  • Recreate the MongoDB service with --auth

sc.exe create MongoDB binPath= "Y:\mongodb\bin\mongod.exe --service --auth --config=\"Y:\mongodb\mongod.cfg\" --replSet=\"rs0\"" DisplayName= "MongoDB" start= "auto"

Note: This assumes that you know the location of your MongoDB configuration, the MongoDB shell and your replica set name. MongoDB will start automatically even after you restart the server. At this moment, the collection databases analytics, tracking_contact, tracking_history and tracking_live cannot yet be read or written by the Sitecore application.

Also, if Services (services.msc) is open, please ensure that you close it; otherwise you will encounter ‘[SC] CreateService FAILED 1073: The specified service has been marked for deletion.’ If it still fails, stop MongoDB directly in services.msc.

  • The return status should be ‘[SC] CreateService SUCCESS’ before proceeding. After that, in the command prompt paste:

net start MongoDB

Note: You should see that MongoDB is running in Services (services.msc).

  • Authenticate as admin: open the MongoDB shell (Y:\mongodb\bin\mongo.exe) again.

use admin

db.auth('wcmadmin','Pass123#')

Note: You’ll receive the value 1 when successful.

  • Open a mongo shell again and ensure that you are connected to the right replica set, are in the admin database and are authenticated with your admin login (see step #10). Sitecore has four (4) collection databases in Mongo: analytics, tracking_live, tracking_history and tracking_contact. We need to create a user in each of them.

use analytics

db.createUser({user: "scdbreadwrite",pwd: "abcd4321",roles: [ { role: "readWrite", db:"analytics" } ] })

use tracking_live

db.createUser({user: "scdbreadwrite",pwd: "abcd4321",roles: [ { role: "readWrite", db:"tracking_live" } ]  })

use tracking_history

db.createUser({user: "scdbreadwrite",pwd: "abcd4321",roles: [ { role: "readWrite", db:"tracking_history" } ]  })

use tracking_contact

db.createUser({user: "scdbreadwrite",pwd: "abcd4321",roles: [ { role: "readWrite", db:"tracking_contact" } ]  })

Important: Change the username and the password.

Note: Upon completion of each of the above user creations, you will receive a message ‘Successfully added user…’ similar to the screenshot below.

  • To check the created users in the replica set, please use the following.

use analytics

db.getUsers()

use tracking_live

db.getUsers()

use tracking_history

db.getUsers()

use tracking_contact

db.getUsers()

Note: You will see output like this.

Important: Arbiters are mongod instances that are part of a replica set but do not hold data. Arbiters participate in elections in order to break ties. If a replica set has an even number of members, add an arbiter. Official documentation here.

  • Open RoboMongo. If it is not yet installed, you can download the software here. (optional)
  • Once RoboMongo is open, go to File > Connect (ctrl + n), then create a connection. (optional)
    • In the connection tab:
      1. Specify the name that will help you to identify this connection.
      2. Specify the host and port of the MongoDB server; the port is 27017.
    • In the authentication tab:
      1. Check the Perform Authentication checkbox
      2. Database: <collection database>
      3. Username: <scdbreadwrite> or the username you used for MongoDB for your Sitecore application. See steps #10 & #12.
      4. Password: The password
      5. Auth Mechanism: SCRAM-SHA-1 (default from v3.0 onwards)
      6. Click test, click save.
  • Repeat for the four (4) collection databases
    1. analytics
    2. tracking_live
    3. tracking_contact
    4. tracking_history

In the next sections of the MongoDB series, we will cover the

Or, if you are working on enabling internal authentication and disabling the localhost authentication bypass, check this out.

Sitecore – MongoDB Hardening Series


Last week, I was working on MongoDB hardening for one of our clients. The client is using a hybrid MongoDB setup wherein SIT uses a standalone replica set, but both UAT and PROD use a typical replication setup with dedicated servers for the primary, secondary and arbiter members.

Firstly, I looked at the official Sitecore documentation for an approach on how to do this, but with no luck. Second, I looked at articles I could find on the internet and thankfully found this article, which got me started with the authentication and validated my approach. That article only describes how to create authentication, so note that it does not cover the replica setup, which I will describe a little further in this series.

In summary, this series will cover the following topics: