Sitecore – MongoDB Enable Secure Configuration Options “logAppend”

This is a very short post that covers how to enable logAppend for your MongoDB replica set as part of the MongoDB Hardening series.

To enable logAppend:

  • Open the Y:\mongodb\mongod.cfg file
  • Add ‘logAppend: true’ after the ‘path’ entry
    • By default, if this option is not present in your configuration, its value is false. When true, mongos or mongod appends new entries to the end of the existing log file when the instance restarts. Without this option, mongod backs up the existing log and creates a new file on every restart, so log history is split across files.

  • Restart the MongoDB service

net stop MongoDB
net start MongoDB

  • Repeat the steps for the Secondary and Arbiter servers.

To enable authentication options, please see the links below.

MongoDB – Sitecore Configuration Encryption (Connectionstrings.config)


This post aims to help you harden your configuration, mainly your connectionstrings.config, but it is also applicable if you are trying to secure any other configuration file that holds application credentials, usernames, passwords, secret keys or other confidential information.

Before proceeding, ensure that you have finished one of the following posts on the MongoDB hardening series.

  1. How to create and configure authentication to a MongoDB standalone replica set.
  2. How to enable internal authentication for your MongoDB replica set and disable bypass authentication via localhost exception.

We will use the MongoDB user account we created in the previous post to authenticate to the collection databases analytics, tracking_live, tracking_history and tracking_contact.

This post covers both a standalone replica set and a replica set with dedicated servers:

  • For SIT, a standalone replica set (1 server)
  • For UAT & PROD, a replica set with dedicated servers for its members (3 servers)

Update Connectionstrings.config

Let’s get started. Open your connectionstrings.config; in this case, it’s located under the D:\Instances\mongodb-series\Website\App_Config folder.

For SIT:

From:

Replace the MONGODB_SERVER_IP_ADDRESS placeholder with your MongoDB server IP address.

<add name="analytics" connectionString="mongodb://MONGODB_SERVER_IP_ADDRESS:27017/analytics" />

<add name="tracking.live" connectionString="mongodb://MONGODB_SERVER_IP_ADDRESS:27017/tracking_live" />

<add name="tracking.history" connectionString="mongodb://MONGODB_SERVER_IP_ADDRESS:27017/tracking_history" />

<add name="tracking.contact" connectionString="mongodb://MONGODB_SERVER_IP_ADDRESS:27017/tracking_contact" />

To: 

<add name="analytics" connectionString="mongodb://scdbreadwrite:abcd4321@MONGODB_SERVER_IP_ADDRESS:27017/analytics" />

<add name="tracking.live" connectionString="mongodb://scdbreadwrite:abcd4321@MONGODB_SERVER_IP_ADDRESS:27017/tracking_live" />

<add name="tracking.history" connectionString="mongodb://scdbreadwrite:abcd4321@MONGODB_SERVER_IP_ADDRESS:27017/tracking_history" />

<add name="tracking.contact" connectionString="mongodb://scdbreadwrite:abcd4321@MONGODB_SERVER_IP_ADDRESS:27017/tracking_contact" />

Note: Please ensure you update the host name, username (scdbreadwrite) and password (abcd4321) for every environment.

Important: In the CD environment, only the analytics, tracking_live and tracking_contact collection databases are present in connectionstrings.config.

For UAT & PROD

From:

Replace the MONGODB_SERVER_IP_ADDRESS placeholder with your MongoDB server IP address.

<add name="analytics" connectionString="mongodb://MONGODB_SERVER_IP_ADDRESS:27017/analytics" />

<add name="tracking.live" connectionString="mongodb://MONGODB_SERVER_IP_ADDRESS:27017/tracking_live" />

<add name="tracking.history" connectionString="mongodb://MONGODB_SERVER_IP_ADDRESS:27017/tracking_history" />

<add name="tracking.contact" connectionString="mongodb://MONGODB_SERVER_IP_ADDRESS:27017/tracking_contact" />

To: 

<add name="analytics" connectionString="mongodb://USERNAME:PASSWORD@MONGODB_PRIMARY_SERVER_IP_ADDRESS:27017,MONGODB_SECONDARY_SERVER_IP_ADDRESS:27017/analytics?connect=replicaset&amp;replicaSet=rs0&amp;readPreference=primaryPreferred"/>

<add name="tracking.live" connectionString="mongodb://USERNAME:PASSWORD@MONGODB_PRIMARY_SERVER_IP_ADDRESS:27017,MONGODB_SECONDARY_SERVER_IP_ADDRESS:27017/tracking_live?connect=replicaset&amp;replicaSet=rs0&amp;readPreference=primaryPreferred"/>

<add name="tracking.history" connectionString="mongodb://USERNAME:PASSWORD@MONGODB_PRIMARY_SERVER_IP_ADDRESS:27017,MONGODB_SECONDARY_SERVER_IP_ADDRESS:27017/tracking_history?connect=replicaset&amp;replicaSet=rs0&amp;readPreference=primaryPreferred"/>

<add name="tracking.contact" connectionString="mongodb://USERNAME:PASSWORD@MONGODB_PRIMARY_SERVER_IP_ADDRESS:27017,MONGODB_SECONDARY_SERVER_IP_ADDRESS:27017/tracking_contact?connect=replicaset&amp;replicaSet=rs0&amp;readPreference=primaryPreferred"/>


Note: If your MongoDB servers have a DNS alias, you can use that instead of the IP address. Please ensure you update the host name, USERNAME (scdbreadwrite) and PASSWORD (abcd4321) for every environment.

  • Replace MONGODB_PRIMARY_SERVER_IP_ADDRESS with your MongoDB primary server.
  • Replace MONGODB_SECONDARY_SERVER_IP_ADDRESS with your MongoDB secondary server.

Important: In the CD environment, only the analytics, tracking_live and tracking_contact collection databases are present in connectionstrings.config.

Warning: In XML, & is not an acceptable character inside an attribute value, hence we use its encoded form &amp; as a replacement. The readPreference parameter reads from the primary under normal circumstances but allows stale reads from secondaries when the primary is unavailable. This provides a “read-only mode” for your application during a failover. See the MongoDB official documentation for more detail.

Encryption

  • Create a file named var.aspx, open it and paste this code inside.

<%@ Page Language="C#" %>
<%-- Lists the IIS server variables as plain text; INSTANCE_META_PATH ends in the IIS site id. Delete this file once you have the id. --%>
<% Response.ContentType = "text/plain"; foreach (string name in Request.ServerVariables) { Response.Write(name + " " + Request.ServerVariables[name] + "\n"); } %>

  • Drop var.aspx in your website root so it can be accessed like this: http://YOUR_WEBSITE/var.aspx
  • Once the page is rendered, look for ‘INSTANCE_META_PATH /LM/W3SVC/2’.
    • Remember the integer, in this case 2. This integer is the IIS website id.
  • Open the Windows command prompt as administrator.
  • Change the site id “2” in the command below to your application’s IIS site id, then paste it into the command prompt and hit enter.
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis -pe "connectionStrings" -site "2" -app "/" -prov "RsaProtectedConfigurationProvider"

Note: You will get a message confirming successful encryption.

  • To verify, check connectionstrings.config. You’ll get a similar result.

  • For testing purposes, you can decrypt it with this command.
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis -pd "connectionStrings" -site "2" -app "/"
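As an added example (not part of the original post), the same procedure as a PowerShell script: it resolves the IIS site id with the WebAdministration module instead of the var.aspx probe, runs the aspnet_regiis command above, and then checks that connectionstrings.config no longer holds a readable mongodb:// URI with credentials. The IIS site name mongodb-series and the instance path are assumptions.

```powershell
# Added example, not the post's own script. Assumes IIS 7+ with the WebAdministration
# module, an elevated PowerShell session, and that $SiteName matches your IIS site.
param(
    [string]$SiteName = 'mongodb-series',                       # assumed IIS site name
    [string]$WebRoot  = 'D:\Instances\mongodb-series\Website',  # instance path from the post
    [string]$Regiis   = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
)
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

# 1. Resolve the IIS site id without dropping a var.aspx page into the web root.
$siteId = (Get-Website -Name $SiteName).Id
if (-not $siteId) { throw "IIS site '$SiteName' not found" }

# 2. Encrypt the connectionStrings section (same command as the post, site id filled in).
& $Regiis -pe 'connectionStrings' -site "$siteId" -app '/' -prov 'RsaProtectedConfigurationProvider'
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed with exit code $LASTEXITCODE" }

# 3. Verify: the section must now carry configProtectionProvider and an EncryptedData
#    child, and the file must not contain a plaintext mongodb://user:pass@ URI.
$cfgPath = Join-Path $WebRoot 'App_Config\ConnectionStrings.config'
[xml]$cfg = Get-Content -Path $cfgPath -Raw
$root = $cfg.DocumentElement
$encrypted = ($root.GetAttribute('configProtectionProvider') -eq 'RsaProtectedConfigurationProvider') -and
             ($root.GetElementsByTagName('EncryptedData').Count -gt 0)
$leaked = Select-String -Path $cfgPath -Pattern 'mongodb://[^:@"]+:[^@"]+@' -Quiet
if ($encrypted -and -not $leaked) {
    Write-Host "OK: $cfgPath is protected by RsaProtectedConfigurationProvider"
} else {
    Write-Warning "connectionStrings still readable in $cfgPath (encrypted=$encrypted, plaintextCreds=$leaked)"
}

# 4. If you used the post's var.aspx probe to find the site id, remove it from the web root.
$probe = Join-Path $WebRoot 'var.aspx'
if (Test-Path $probe) { Remove-Item $probe; Write-Host "Removed $probe" }
```

Run the same verification after any deployment that rewrites App_Config, since a redeployed plaintext connectionstrings.config silently undoes the encryption.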

To know more about encryption, see the links below.

Marvin