After setting up all the root, chain, server and client certificates, I'm able to establish a TLS X509 connection to mongodb via the mongo client.
Next, I added the x509 user grep'd out of the client cert to the $external db.
I set up a PHP test script to test the x509 login from a client using the client cert:
<?php
$mongoClient = null;
// Stream context carrying the client certificate presented during the TLS handshake
$context = stream_context_create(
    array(
        "ssl" => array(
            "local_cert" => "/home/mshallop/code/database/ome-mongo/certsByEnv/badLatitude/intermediate/certs/dapi.cert.pem"
        )
    )
);
// Driver options: SSL on, username taken from the client cert subject, authenticated against $external
$options = array(
    'ssl' => true,
    'username' => 'CN=mike.s...@pathway.com,O=PathwayGenomics,ST=California,C=US',
    'authSource' => '$external',
    'authMechanism' => 'MONGODB-X509'
);
try {
    $mongoClient = new MongoClient(
        '127.0.0.1',
        $options,
        array("context" => $context)
    );
} catch (MongoConnectionException $e) {
    echo $e->getMessage() . PHP_EOL;
}
if (is_null($mongoClient)) exit('mongo client is null' . PHP_EOL);
// MongoCursor::limit() is a method call in PHP, so it needs "->" rather than the JavaScript-style "."
var_dump(iterator_to_array($mongoClient->atl->pgTest_tst->find()->limit(1)));
The results I get back on the console are:
Failed to connect to: 127.0.0.1:27017: Cannot setup SSL, is ext/openssl loaded?
mongo client is null
And in the mongod log I see:
Fri Oct 16 14:35:27.165 I NETWORK [initandlisten] connection accepted from 127.0.0.1:34398 #11 (2 connections now open)
Fri Oct 16 14:35:27.166 W - [conn11] DBException thrown :: caused by :: 9001 socket exception [CLOSED] for 127.0.0.1:34398
The OpenSSL extension is loaded (php -i | grep -i openssl):
SSL Version => OpenSSL/1.0.1f
openssl
OpenSSL support => enabled
OpenSSL Library Version => OpenSSL 1.0.1f 6 Jan 2014
OpenSSL Header Version => OpenSSL 1.0.1f 6 Jan 2014
OpenSSL support => enabled
And in the PHP mongo extension, I see:
mongo
MongoDB Support => enabled
Version => 1.6.10
Streams Support => enabled
SSL Support => enabled
Supported Authentication Mechanisms
MONGODB-CR => enabled
SCRAM-SHA-1 => enabled
MONGODB-X509 => enabled
GSSAPI (Kerberos) => disabled
PLAIN => disabled
Directive => Local Value => Master Value
mongo.allow_empty_keys => 0 => 0
mongo.chunk_size => 261120 => 261120
mongo.cmd => $ => $
mongo.default_host => localhost => localhost
mongo.default_port => 27017 => 27017
mongo.is_master_interval => 15 => 15
mongo.long_as_object => 0 => 0
mongo.native_long => 1 => 1
mongo.ping_interval => 5 => 5
One last tidbit - I tried entering this command via the mongo client to authenticate the client user:
> db.getSiblingDB("$external").auth(
... {
... mechanism: "MONGODB-X509",
... user: "CN=mi...@shallop.com,O=MyCompany,ST=California,C=US"
... }
... )
Error: 18 Username "CN=mi...@shallop.com,O=MyCompany,ST=California,C=US" does not match the provided client certificate user ""
0
Just to make sure the x509 user I created still exists after several restarts, I attempted to re-enter the user and got this:
> db.getSiblingDB("$external").runCommand(
... {
... createUser: "CN=mi...@shallop.com,O=MyCompany,ST=California,C=US",
... roles: [
... { role: 'readWrite', db: 'atl' },
... { role: 'userAdminAnyDatabase', db: 'admin' }
... ],
... writeConcern : { w: "majority", wtimeout:5000 }
... }
... )
{
"ok" : 0,
"errmsg" : "User \"CN=mi...@shallop.com,O=MyCompany,ST=California,C=US@$external\" already exists",
"code" : 11000
...and I confirmed that the x509 user was stored as expected:
> db.getSiblingDB("$external").getUsers()
[
{
"_id" : "$external.CN=mike.s...@pathway.com,O=PathwayGenomics,ST=California,C=US",
"user" : "CN=mike.s...@pathway.com,O=PathwayGenomics,ST=California,C=US",
"db" : "$external",
"roles" : [
{
"role" : "readWrite",
"db" : "atl"
},
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]}]
And am sort of stuck at this point... so here are my questions:
- What are some of the other db.getSiblingDB("$external"). commands?
- Why am I getting the "cannot set SSL" error on the console after exec'ing the PHP stub?
- If I had to start over, how would I remove the entry I already made into the $external table?
Thanks!
--mike
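An added example (not code from the original post) of deriving the MONGODB-X509 username directly from the client certificate's subject, so it matches what mongod computes from the presented cert, and of passing the CA chain alongside the client cert in the stream context. The file paths and the server hostname are assumptions.

```php
<?php
// Added example, not code from the original post. File paths and hostname are assumptions.
$clientCert = '/path/to/client.cert.pem';   // PEM holding the client cert and its private key
$caBundle   = '/path/to/ca-chain.cert.pem'; // PEM bundle: intermediate + root CA
$serverHost = 'mongo.example.test';         // name present in the server certificate

// mongod matches the username against the client cert subject rendered in
// RFC 2253 order (most specific RDN first), e.g. "CN=...,O=...,ST=...,C=US".
// Reading it from the file keeps the username and the certificate in step.
function x509_username_from_cert($pemPath)
{
    $pem = file_get_contents($pemPath);
    if ($pem === false) {
        throw new RuntimeException("cannot read $pemPath");
    }
    $info = openssl_x509_parse($pem);
    if ($info === false || empty($info['subject'])) {
        throw new RuntimeException("cannot parse the subject of $pemPath");
    }
    $rdns = array();
    // openssl_x509_parse() returns RDNs in certificate order (C, ST, O, CN, ...);
    // reverse them to get the RFC 2253 order that mongod uses.
    foreach (array_reverse($info['subject'], true) as $type => $value) {
        foreach ((array) $value as $v) { // multi-valued attributes arrive as arrays
            $rdns[] = $type . '=' . $v;  // values containing ',' or '=' would need RFC 2253 escaping
        }
    }
    return implode(',', $rdns);
}

$context = stream_context_create(array(
    'ssl' => array(
        'local_cert'        => $clientCert, // add 'local_pk' if the key is in a separate file
        'cafile'            => $caBundle,   // CA chain used to verify the server certificate
        'verify_peer'       => true,
        'allow_self_signed' => false,
    ),
));

$options = array(
    'ssl'           => true,
    'username'      => x509_username_from_cert($clientCert),
    'authSource'    => '$external',
    'authMechanism' => 'MONGODB-X509',
);

$mongoClient = new MongoClient($serverHost, $options, array('context' => $context));
// connectionStatus reports which user this connection is authenticated as
var_dump($mongoClient->selectDB('admin')->command(array('connectionStatus' => 1)));
```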