Homework 1.3 x509 authentication

I got to the correct result, but I feel like I cheated to make it work, as I am not sure in which order we have to do the different steps.

I write "I cheated" because I could not create the x509 user when the replica set was configured to use x509. So I started the replica set without authentication; this way I could do rs.initiate() and then I was able to create the user. I then shut down the 3 mongod instances and restarted them with the configuration that specifies x509.
Then, and only then, could I do anything when I connected with:

mongo --host database.m310.mongodb.university --ssl --sslPEMKeyFile ~/shared/certs/client.pem --sslCAFile ~/shared/certs/ca.pem --port 31130

So my question is: Is there a way to do the rs.initiate() and db.createUser() when the mongod instances are configured for x509?

I feel like I did not understand a step somewhere.

As a side question, is there a way to specify the user name on the command line when using x509, in order to avoid doing use $external; db.auth( { mechanism : … , user : … } );? If I remember correctly, -u is not possible for x509, or is that for LDAP?


I’m getting this error.

vagrant@database:~/shared$ ./validate-hw-1.3.sh
{ unauthorizedStatus: {"ok":0,"errmsg":"not authorized on admin to execute command { replSetGetStatus: 1.0 }","code":13}, memberStatuses: Error: Could not find user C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client@$external 2019-02-14T02:56:32.292+0000 E QUERY [thread1] TypeError: status.members is undefined : @(shell eval):7:16 }
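The "Could not find user ... @$external" error above is what a mismatch between the createUser name and the certificate subject looks like. As an added example (not code from this thread or the course), a small shell helper that reads the exact $external user name MongoDB expects from client.pem and prints the matching createUser call, plus a check that the client cert is distinguishable from a member cert. It assumes openssl is on the PATH; the role list and the demo certificate subjects are constructed assumptions, not values from the homework.

```shell
# Added example, not the thread's or the course's code: derive the $external
# user name MongoDB expects for a client certificate and print the matching
# createUser() call. MongoDB names an x.509 user by the certificate subject
# in RFC 2253 form, so the name given to createUser must match it exactly.
# Assumes openssl on PATH; the roles below are an assumption.

# Print the RFC 2253 subject of a PEM certificate, i.e. the exact user name
# MongoDB looks up in $external (the sed strips openssl's "subject=" label).
x509_mongo_user() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//'
}

# Emit the mongo shell statement that creates the $external user for the
# certificate. The role list is an assumed example, not the course's.
mongo_create_x509_user_js() {
    user=$(x509_mongo_user "$1") || return 1
    printf 'db.getSiblingDB("$external").createUser({ user: "%s", roles: [ { role: "clusterAdmin", db: "admin" } ] })\n' "$user"
}

# MongoDB requires a client certificate to differ from the member
# certificates in at least one of O, OU or DC; otherwise it is not a
# distinct user. Returns 0 when the two subjects differ there, 1 if not.
# (Splits on commas, so values containing an escaped comma are not handled.)
x509_client_distinct_from_member() {
    client_oodc=$(x509_mongo_user "$1" | tr ',' '\n' | grep -E '^(O|OU|DC)=' | sort)
    member_oodc=$(x509_mongo_user "$2" | tr ',' '\n' | grep -E '^(O|OU|DC)=' | sort)
    [ "$client_oodc" != "$member_oodc" ]
}

# Constructed self-signed certificate for demonstration only (not the
# course's client.pem): certificate followed by key in one file, the layout
# --sslPEMKeyFile expects. $2 is an openssl -subj string.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1" -subj "$2" 2>/dev/null \
        && cat "$1.key" >> "$1" && rm -f "$1.key"
}

# Stand-alone run ("sh script.sh demo"): build a demo client cert and show
# the createUser call for it.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_demo_cert "$d/client.pem" "/C=US/ST=New York/L=New York City/O=MongoDB/OU=University2/CN=M310 Client"
    mongo_create_x509_user_js "$d/client.pem"
    rm -rf "$d"
fi
```

Run the printed statement on the set while it is still started without authentication (as the original post describes), then restart the members with the x509 configuration; the user name cannot then drift from the subject MongoDB derives from the certificate.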

There’s an important step that needs attention:
If the replica set is already running when you add the certs to the ~/shared/certs directory, you need to shut down each member of the set with db.shutdownServer().

Then restart each member. That’s the only way I was able to get the members to recognize the X.509 certificates I had added.

Don’t hold me to this, but I think internal authentication can only be done with keyfile or X.509.

LDAP and Kerberos are for user/app authentication on MongoDB Enterprise.

@trungEdm

Umm… well, basically you’re correct. However, I would point out that this post – well, the revised post that you responded to – appears to be about x.509 auth, which would work on both, and the ‘database’ VM is in fact an Enterprise version.

I followed your steps and I was able to complete the task correctly. It is not really clear… I also bound the hostname with --bind_ip in order to start all the replicas with the same hostname.