Connect to MongoDB with SSL Client Certificate using Java driver

Winnie Lin

Jan 20, 2014, 4:30:55 AM
to mongod...@googlegroups.com
Hi,
Does anyone know how to connect to MongoDB with SSL Client Certificate using the Java driver? I cannot find any example in the documents. I appreciate any help.

Thanks!
-Winnie

Anil Kumar

Jan 28, 2014, 11:12:07 AM
to mongod...@googlegroups.com
Hi Winnie,

A couple of places that you can look for examples and how SSL client certificates can be used in Java are:
 - http://stackoverflow.com/questions/1666052/java-https-client-certificate-authentication explains the process for Java for using SSL certificates.

Anil

P A

Feb 18, 2014, 8:32:43 PM
to mongod...@googlegroups.com
Hi,

The example shows how to configure a Java client to use SSL. But it is still not clear where I need to place the certificate (anywhere in the class path?), or how to specify the path to the certificate. Can someone please clarify?

Thanks.

Winnie Lin

Feb 25, 2014, 2:08:53 PM
to mongod...@googlegroups.com

Here's what I found out.  With the mongodb Java driver, it is subject to the way the JVM works. 
1.) So for the SSL client certificate, you'd have to use the KeyStore approach or write a Java program to programmatically add a certificate to the Java Key Store on a given machine to make it work with your Java apps.
Here are some links to show you how to programmatically add a certificate into your Java Key Store:

2.) Java will by default attempt to validate the SSL connection. If your Java client is trying to communicate with a server that does not have a valid certificate from an authorized Certification Authority such as Verisign or GoDaddy, and the server is instead using a self-signed SSL, you will get the following error, which requires that you install the certificate to the local JDK's keystore:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Basically, you want to add the server's certificate to the KeyStore with your trusted certificates. There are any number of ways to achieve that, but a simple solution I found is to compile and run this InstallCert program.
Here are some links about this program. 

3.) After you have all of your certificates in your keystore, supposedly you can just run your Java app to connect to your mongodb, right?

This is where I need HELP!!!
After I added my certificates into my keystore, I modified the simple SSLApp.java program that I got from the mongodb documentation to connect to my mongodb server. It still doesn't work. I am getting the "java.io.EOFException" error. So I enabled the SSL debug option and was getting the following exceptions:
 
main, received EOFException: ignored
main, called closeInternal(false)
main, SEND TLSv1 ALERT:  warning, description = close_notify
Padded plaintext before ENCRYPTION:  len = 32
0000: 01 00 94 b9 d5 c1 e7 53  bc 40 46 74 70 37 bb 19  .......S..Ftp7..
0010: f8 b2 29 0d ac 91 09 09  09 09 09 09 09 09 09 09  ................

main, WRITE: TLSv1 Alert, length = 32
main, Exception sending alert: java.net.SocketException: Broken pipe
main, called closeSocket(selfInitiated)
main, called close()
main, called closeInternal(true)
Exception in thread "main" com.mongodb.MongoException$Network: IOException authenticating the connection
        at com.mongodb.DBPort$NativeAuthenticator.authenticate(DBPort.java:552)
        at com.mongodb.DBPort.authenticate(DBPort.java:322)
        at com.mongodb.DBTCPConnector.authenticate(DBTCPConnector.java:635)
        at com.mongodb.DBApiLayer.doAuthenticate(DBApiLayer.java:180)
        at com.mongodb.DB.authenticateCommandHelper(DB.java:631)
        at com.mongodb.DB.authenticate(DB.java:589)
        at SSLClientApp.main(SSLClientApp.java:25)
Caused by: java.io.EOFException
        at org.bson.io.Bits.readFully(Bits.java:48)
        at org.bson.io.Bits.readFully(Bits.java:33)
        at org.bson.io.Bits.readFully(Bits.java:28)
        at com.mongodb.Response.<init>(Response.java:40)
        at com.mongodb.DBPort.go(DBPort.java:142)
        at com.mongodb.DBPort.go(DBPort.java:106)
        at com.mongodb.DBPort.findOne(DBPort.java:162)
        at com.mongodb.DBPort.runCommand(DBPort.java:170)
        at com.mongodb.DBPort$NativeAuthenticator.authenticate(DBPort.java:544)
        ... 6 more

From the server side, I got the following errors from the log:
Tue Feb 25 04:53:26.599 [DataFileSync] flushing mmaps took 0ms  for 5 files
Tue Feb 25 04:53:30.329 [initandlisten] connection accepted from 9.70.147.33:39857 #154 (1 connection now open)
Tue Feb 25 04:53:30.552 [conn154] ERROR: no SSL certificate provided by peer; connection rejected
Tue Feb 25 04:53:30.557 [conn154] SocketException handling request, closing client connection: 9001 socket exception [CONNECT_ERROR]
Tue Feb 25 04:53:30.629 [initandlisten] connection accepted from 9.70.147.33:39858 #155 (1 connection now open)
Tue Feb 25 04:53:30.980 [conn155] ERROR: no SSL certificate provided by peer; connection rejected
Tue Feb 25 04:53:30.981 [conn155] SocketException handling request, closing client connection: 9001 socket exception [CONNECT_ERROR]

I had googled the "java.net.SocketException: Broken pipe" error and had read a lot of responses that this means:
"This is caused by writing to a connection when the other end has already closed it."

So I had tried to play with the MongoClientOptions, tried to set socketTimeout to a high number and also tried setting socketKeepAlive(true). But nothing works.
Any help on how I can fix those errors and get a successful connection with the SSL certificates will be greatly appreciated!  

Thanks!
-Winnie

Winnie Lin

Feb 25, 2014, 3:14:30 PM
to mongod...@googlegroups.com
ok, I fixed the SSL connection issue right after I posted my question... :-D

So in your Java client program, there are four system properties you need to set: javax.net.ssl.keyStore and javax.net.ssl.trustStore for the file locations of your key and trust store respectively. The passwords to the files are provided with javax.net.ssl.keyStorePassword and javax.net.ssl.trustStorePassword. Even if you have your key and trust store in the same file, you will have to set the javax.net.ssl.keyStore and javax.net.ssl.trustStore system properties and point to the same file. After that, the connection should be successful.

Well, I hope my answers can help someone. It took me quite some time to figure out all the steps to connect to mongodb with SSL certificates using the mongodb Java driver.

-Winnie

balu

May 6, 2014, 3:51:07 AM
to mongod...@googlegroups.com
Hi Winnie,

I am trying to figure out how to connect to a mongod instance through SSL using the Java driver but am not able to do so. Can you assist me by providing sample code for the same?

Thanks

Victor Hooi

May 19, 2014, 11:45:22 PM
to mongod...@googlegroups.com

Hi Balu,

Please start a new discussion topic rather than commenting on an old one, as your comments may be missed and the details of your environment may be different.

On your new topic, include specific details of your environment (e.g. MongoDB server and Java driver version), which will help us reproduce the issue.

FYI, based on the previous comments on this thread, a DOCS ticket has been raised:

https://jira.mongodb.org/browse/DOCS-3061


Thanks,
Victor

amit....@opussoft.com

Jun 30, 2015, 9:45:45 AM
to mongod...@googlegroups.com

Hi

Can anyone provide the code for connecting to MongoDB using a .pfx certificate or .pem certificate file?
MongoDB also has the username and authentication.

Can someone please provide any information?

Rob Moore

Jul 5, 2015, 1:24:49 PM
to mongod...@googlegroups.com

A .pfx file is also known as PKCS12.

Here is documentation on configuring the MongoDB Java Client:

Both drivers can leverage the JSSE system properties for defining the keystore and trust store. See: http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#Customization

You will set the javax.net.ssl.keyStoreType to "PKCS12".

 
HTH,
Rob
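
An added example, not part of anyone's post in this thread: a JDK-only preflight check for the configuration described above (the four javax.net.ssl.* system properties from Winnie's fix, plus javax.net.ssl.keyStoreType for a PKCS12/.pfx file). It loads both stores exactly as named by the properties and confirms the key store holds a key entry, since a key store without one leaves the client with no certificate to present to the server. The class name TlsStoreCheck and the file names and passwords in the comment are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;

// Run with the same -D flags as the real client, for example (placeholder values):
//   java -Djavax.net.ssl.keyStore=client.p12 -Djavax.net.ssl.keyStoreType=PKCS12 \
//        -Djavax.net.ssl.keyStorePassword=changeit \
//        -Djavax.net.ssl.trustStore=truststore.jks \
//        -Djavax.net.ssl.trustStorePassword=changeit TlsStoreCheck
public class TlsStoreCheck {

    // Load the store named by a JSSE property prefix such as "javax.net.ssl.keyStore".
    static KeyStore load(String prefix) throws Exception {
        String path = System.getProperty(prefix);
        if (path == null) {
            throw new IllegalStateException(prefix + " is not set");
        }
        String type = System.getProperty(prefix + "Type", KeyStore.getDefaultType());
        char[] pass = System.getProperty(prefix + "Password", "").toCharArray();
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass); // throws if the file, type or password is wrong
        }
        return ks;
    }

    // Count key entries (client identity) or trusted-certificate entries.
    static int count(KeyStore ks, boolean keyEntries) throws Exception {
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (keyEntries ? ks.isKeyEntry(alias) : ks.isCertificateEntry(alias)) {
                n++;
            }
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        int keys = count(load("javax.net.ssl.keyStore"), true);
        int trusted = count(load("javax.net.ssl.trustStore"), false);
        System.out.println("key store key entries: " + keys);
        System.out.println("trust store trusted-certificate entries: " + trusted);
        if (keys == 0) {
            // Nothing to present during the handshake when the server asks for a certificate.
            throw new IllegalStateException("key store holds no key entry");
        }
    }
}
```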