Sitecore – How to enable internal authentication for your MongoDB replica set and disable bypass authentication via localhost exception


In this post, as part of the MongoDB Hardening series, we will tackle how to enable internal authentication for your MongoDB replica set, and we will also disable the authentication bypass via the localhost exception. If you are only looking at enabling authentication on a standalone replica set, see Sitecore – How to create and configure authentication to a MongoDB standalone replica set.

Enable Internal Authentication

To enable authentication on a replica set or a sharded cluster, you must enable it individually on each member. The instructions below use a keyfile to enable internal authentication. Official document here.

Considerations

Enabling internal authentication also enables access control. The following guide assumes that no users have been created in the system before enabling internal authentication, and uses the localhost exception to add a user administrator after access control has been enabled.

This article is patterned on the official MongoDB documentation, but is designed to be easy to follow so that you don’t have to read a ton of information to get this working.

  • Download the latest portable OpenSSL here or use my attached zip file.
  • Extract and deploy it to drive Y: or any drive you have.

  • Create a keyfile. In the command prompt, run the commands below:

Y:

cd mongodb

Y:\openssl-0.9.8k_X64\bin\openssl.exe rand -base64 741 > mongodb-keyfile

  • You may delete the portable OpenSSL once the mongodb-keyfile has been generated, as it is no longer needed.
  • Copy the keyfile to the same location on each of the replica set members: the Primary, Secondary and Arbiter servers.

Note: The contents of the keyfile serve as the shared password for the members of the replica set. The content of the keyfile must be identical on all members of the replica set.

  • Update Y:\mongodb\mongod.cfg and add the following at the bottom of the file. Repeat the process on each member of the replica set: Primary, Secondary and Arbiter.

security:
   keyFile: y:\mongoDB\mongodb-keyfile

  • Test by connecting with a mongo shell to the primary. Run the mongo shell from the same host as the primary.

Create Authentication

Important: This section is almost the same as how to enable authentication for a standalone replica set. However, some steps here are specifically meant for a replica set whose members run on dedicated servers, so I would suggest following these steps.

  • Validate that the MongoDB service is running. You can check it by opening services.msc from the Run window (ctrl+r); we will not cover how to set up MongoDB as a Windows service in this article.
  • Open the Windows command prompt (ctrl+r, cmd) as administrator.
  • Run the mongo shell; in my case, it’s located under Y:\mongodb\bin\mongo.exe.
  • Create the administrative user. Again, we are running this in a standalone replica set.
    • Note: You should receive “Successfully added user…”. This user will not be used by your Sitecore application; it is only meant to be used by your system administrators.

UserAdminAnyDatabase role

Provides the same access to user administration operations as userAdmin, except it applies to all but the local and config databases in the cluster. The role also provides the following actions on the cluster.

Root role

Provides access to the operations and all the resources of the readWriteAnyDatabase, dbAdminAnyDatabase, userAdminAnyDatabase, clusterAdmin roles, restore, and backup roles combined.

  • To check the newly created admin user, in the mongo shell type:

use admin

db.auth('wcmadmin','Pass123#')

db.getUsers()

Note: The admin database is unique in MongoDB. Users with normal access to the admin database have read and write access to all databases.

  • Update Y:\mongodb\mongod.cfg and add the following at the bottom of the file. Repeat the process on each member of the replica set: first on the Primary, then on the Secondary, not including the Arbiter.

setParameter:
   enableLocalhostAuthBypass: false

  • Authenticate as admin: open the MongoDB shell (Y:\mongodb\bin\mongo.exe) again.

use admin

db.auth('wcmadmin','Pass123#')

Note: You’ll receive the value 1 when successful.
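The two mongod.cfg additions above (the keyFile and the enableLocalhostAuthBypass parameter) are easy to forget on one member, and a keyfile that differs on one node will keep that member out of the set. The following is an added example, not code from the post: a small Node.js audit that parses the mongod.cfg fragments, reports which hardening setting is missing, and validates that the keyfiles collected from each member are well-formed and identical. The cfg text and keyfile contents in the comments are constructed samples.

```javascript
// Added example (not from the post): audit the two mongod.cfg hardening settings
// described above and sanity-check the keyfile shared by the members. Plain Node.js.

// Minimal parser for the two-level YAML subset mongod.cfg uses here
// (unindented section name, indented "key: value" children). Not a full YAML parser.
function parseMongodCfg(text) {
  const cfg = {};
  let section = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, '').trimEnd();
    if (!line.trim()) continue;
    const colon = line.indexOf(':');       // split at the FIRST colon so that
    if (colon < 0) continue;               // "y:\mongoDB\..." keeps its drive letter
    const key = line.slice(0, colon).trim();
    const value = line.slice(colon + 1).trim();
    if (!/^\s/.test(line)) {               // unindented line: a new section
      section = key;
      cfg[section] = cfg[section] || {};
    } else if (section) {
      cfg[section][key] = value;
    }
  }
  return cfg;
}

// Returns findings; an empty array means both hardening steps from the post are in place.
function auditMongodCfg(text) {
  const cfg = parseMongodCfg(text);
  const findings = [];
  if (!(cfg.security || {}).keyFile)
    findings.push('security.keyFile not set: internal auth and access control are off');
  if ((cfg.setParameter || {}).enableLocalhostAuthBypass !== 'false')
    findings.push('enableLocalhostAuthBypass is not false: localhost exception is still open');
  return findings;
}

// Plain keyfile rules: 6 to 1024 characters from the base64 set; whitespace is ignored.
function checkKeyfile(contents) {
  const body = contents.replace(/\s+/g, '');
  const ok = body.length >= 6 && body.length <= 1024 && /^[A-Za-z0-9+/=]+$/.test(body);
  return { ok, length: body.length };
}

// Every member must hold the same keyfile (compare after stripping whitespace).
function keyfilesMatch(contentsList) {
  const bodies = contentsList.map((c) => c.replace(/\s+/g, ''));
  return bodies.every((b) => b === bodies[0]);
}
```

Run auditMongodCfg over the mongod.cfg of each member (Primary, Secondary and Arbiter) and keyfilesMatch over the three keyfile contents; the openssl command above yields 988 base64 characters, well inside the 1024 limit.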

  • Open a mongo shell again, ensure that you’re in the right replica set and in the admin db, and that you are authenticated with your admin login. See step #10. Sitecore has four (4) collection databases in Mongo: analytics, tracking_live, tracking_history and tracking_contact. We need to create a user in each of them.

use analytics

db.createUser({user: "scdbreadwrite",pwd: "abcd4321",roles: [ { role: "readWrite", db:"analytics" } ] })

use tracking_live

db.createUser({user: "scdbreadwrite",pwd: "abcd4321",roles: [ { role: "readWrite", db:"tracking_live" } ]  })

use tracking_history

db.createUser({user: "scdbreadwrite",pwd: "abcd4321",roles: [ { role: "readWrite", db:"tracking_history" } ]  })

use tracking_contact

db.createUser({user: "scdbreadwrite",pwd: "abcd4321",roles: [ { role: "readWrite", db:"tracking_contact" } ]  })

Important: Change the username and the password.

Note: Upon completion of the above user creations you will receive the message ‘Successfully added user…’, similar to the screenshot below.

  • To check the created users in the replica set, run the following:

use analytics

db.getUsers()

use tracking_live

db.getUsers()

use tracking_history

db.getUsers()

use tracking_contact

db.getUsers()

Note: You should see output like this.
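The db.getUsers() output above is worth checking mechanically rather than by eye: the application account should hold exactly one readWrite role, scoped to the database it lives in, and nothing else should exist in those four databases. The block below is an added example, not the post's code: it audits getUsers() documents for the four Sitecore databases against that least-privilege shape. The user name scdbreadwrite is taken from the post; the getUsers() documents are constructed samples.

```javascript
// Added example (not from the post): least-privilege check over db.getUsers() output
// gathered from each Sitecore database. Input documents here are constructed samples.

const SITECORE_DBS = ['analytics', 'tracking_live', 'tracking_history', 'tracking_contact'];
// Built-in roles an application account should never hold.
const PRIVILEGED_ROLES = ['root', 'userAdminAnyDatabase', 'readWriteAnyDatabase',
  'dbAdminAnyDatabase', 'clusterAdmin', 'userAdmin', 'dbOwner'];

// usersByDb maps a database name to the array db.getUsers() returns in that database:
// [{ user, db, roles: [{ role, db }] }, ...]
function auditSitecoreUsers(usersByDb, appUser) {
  const findings = [];
  for (const dbName of SITECORE_DBS) {
    const users = usersByDb[dbName] || [];
    const app = users.find((u) => u.user === appUser);
    if (!app) { findings.push(`${dbName}: application user ${appUser} is missing`); continue; }
    for (const r of app.roles) {
      if (r.db !== dbName)                         // role scoped to another database
        findings.push(`${dbName}: ${appUser} has ${r.role} on ${r.db}`);
      else if (r.role !== 'readWrite')             // the post grants readWrite only
        findings.push(`${dbName}: ${appUser} has unexpected role ${r.role}`);
      if (PRIVILEGED_ROLES.includes(r.role))
        findings.push(`${dbName}: ${appUser} holds privileged role ${r.role}`);
    }
    for (const u of users)                         // anything else in an app db is suspect
      if (u.user !== appUser) findings.push(`${dbName}: unexpected extra user ${u.user}`);
  }
  return findings;
}

// Constructed sample reproducing the state the post's createUser commands produce.
function expectedUsers(appUser) {
  const out = {};
  for (const dbName of SITECORE_DBS)
    out[dbName] = [{ user: appUser, db: dbName, roles: [{ role: 'readWrite', db: dbName }] }];
  return out;
}
```

In practice, paste the real getUsers() arrays from each database into the usersByDb object and treat any non-empty findings list as something to fix before pointing the Sitecore connection strings at the set.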

Important: Arbiters are mongod instances that are part of a replica set but do not hold data. Arbiters participate in elections in order to break ties. If a replica set has an even number of members, add an arbiter. Official document here.

  • Open RoboMongo (optional). If not yet installed, you can download the software here.
  • Once RoboMongo is open, go to File > Connect (ctrl + n), then create a connection (optional).
    • In the connection tab:
      1. Specify the name that will help you to identify this connection.
      2. Specify the host and port of the MongoDB server, port is 27017.
    • In the authentication tab:
      1. Check the Perform Authentication checkbox
      2. Database: <collection database>
      3. Username: <scdbreadwrite> or the username you used for MongoDB for your Sitecore application. See steps #10 & #12.
      4. Password: The password
      5. Auth Mechanism: SCRAM-SHA-1 (default in v3.0 and later)
      6. Click test, click save.
  • Repeat for the four (4) collection databases
    1. analytics
    2. tracking_live
    3. tracking_contact
    4. tracking_history

In the next sections of the MongoDB series, we will cover the

Or if you are working on a standalone replica set only, check how to enable standalone authentication.
