Secure MongoDB


For security reasons, SEAL Systems strongly recommends configuring TLS encryption and changing the token used for encrypting the credentials. For even more security, enable user authentication for MongoDB.


Configure the TLS Encryption

In order to secure the connection with MongoDB, you need a combined PEM file containing both the TLS certificate and the private key.

  1. Combine the file containing the certificate:

    /opt/seal/etc/tls/cert.pem
    

    and the file containing the private key:

    /opt/seal/etc/tls/key.pem
    
  2. Save the combined file as:

    /opt/seal/etc/tls/cert-key-combined.pem
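
The two steps above as shell functions (an added example, not part of the SEAL documentation). The function names `combine_pem` and `pem_pair_matches` are hypothetical helpers, and the key-match check assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example, not SEAL code. The paths in the usage lines are this page's.

# combine_pem CERT KEY OUT: write CERT followed by KEY to OUT, owner-only.
combine_pem() {
    cp_cert=$1 cp_key=$2 cp_out=$3
    # The certificate file must hold a certificate and must not hold a key.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cp_cert" ||
        { echo "no certificate in $cp_cert" >&2; return 1; }
    if grep -q -e 'PRIVATE KEY-----' "$cp_cert"; then
        echo "$cp_cert already contains a private key" >&2; return 1
    fi
    # Accepts PKCS#8, RSA and EC private key headers.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$cp_key" ||
        { echo "no private key in $cp_key" >&2; return 1; }
    # umask 077 creates the file with mode 600, so the key is never
    # world-readable, not even briefly. The extra newline keeps the PEM
    # headers on separate lines when CERT lacks a trailing newline.
    rm -f "$cp_out.tmp"
    ( umask 077 && { cat "$cp_cert"; echo; cat "$cp_key"; } > "$cp_out.tmp" ) ||
        return 1
    mv "$cp_out.tmp" "$cp_out"
}

# pem_pair_matches CERT KEY: succeed only if KEY belongs to CERT, by
# comparing the public key derived from each (needs the openssl CLI).
pem_pair_matches() {
    pm_cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    pm_key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$pm_cert_pub" = "$pm_key_pub" ]
}

# Usage with the paths from this page:
#   cd /opt/seal/etc/tls
#   pem_pair_matches cert.pem key.pem &&
#       combine_pem cert.pem key.pem cert-key-combined.pem
```

Mode 600 makes the combined file unreadable to every other account, so create it as, or change its owner to, the account that runs seal-mongodb.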
    

Change the Token for Encrypting the Credentials

If you keep the standard installation, MongoDB is used as the credential store. For security reasons, change the pre-configured token used for encrypting the credentials. The token may be any string.

  1. In the configuration of SEAL Operator, specify the token with MONGO_TOKEN.

  2. Stop all SEAL Operator services.

  3. Delete the complete data directory of MongoDB:

    /opt/seal/data/seal-mongodb
    
  4. Start the following service:

    • seal-mongodb

  5. Start the Complete SEAL Operator System.


Enable the User Authentication

After installation, user authentication is disabled in MongoDB. To make MongoDB more secure, enable user authentication.

  1. Open a shell and change to the following directory:

    /opt/seal/seal-mongodb
    
  2. Execute the following script:

    ./secure-mongo.sh
    

Specify a CA Certificate (Unnecessary in Most Cases)

If a CA certificate is specified, MongoDB requires a client certificate from every client, which here means from all SEAL Operator services. These certificates would need the corresponding properties, and setting this up would take considerable effort. A complete explanation of how to use client certificates is beyond the scope of this documentation.

For the rare other cases, this is how you configure a CA certificate with MongoDB:

  1. Open the configuration file of MongoDB:

    /opt/seal/etc/mongod.conf
    
  2. Replace the following line:

    allowInvalidCertificates: true
    

    with the following line:

    CAFile: /opt/seal/etc/tls/ca.pem
    
  3. Save the configuration file.

  4. Restart the following service:

    • seal-mongodb
