Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-26072

Enable use of a custom MongoDB Client TrustStore for in-flight encryption

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 9.10
    • Fix Version/s: 9.10-HF22, 10.3
    • Component/s: Core MongoDB
    • Release Notes Summary:
      A MongoDB Client TrustStore can be configured for in-flight encryption.
    • Tags:
    • Impact type:
      Configuration Change
    • Upgrade notes:
      Hide

      The following nuxeo.conf properties can be set to define appropriate TLS/SSL configuration for MongoDB:

      • nuxeo.mongodb.ssl=true
      • nuxeo.mongodb.truststore.path
      • nuxeo.mongodb.truststore.password
      • nuxeo.mongodb.truststore.type
      • nuxeo.mongodb.keystore.path
      • nuxeo.mongodb.keystore.password
      • nuxeo.mongodb.keystore.type

      If more fine-grained configuration is needed than properties, the following extension point can be used instead:

        <require>org.nuxeo.mongodb.connection</require>
  <extension target="org.nuxeo.runtime.mongodb.MongoDBComponent" point="connection">
    <connection id="default">
      ...
      <ssl>true</ssl>
      <trustStorePath>/path/to/cacerts.jks</trustStorePath>
      <trustStorePassword>changeit</trustStorePassword>
      <trustStoreType>jks</trustStoreType>
      <keyStorePath>/path/to/keystore.jks</keyStorePath>
      <keyStorePassword>changeit</keyStorePassword>
      <keyStoreType>jks</keyStoreType>
    </connection>
  </extension>
      Show
      The following nuxeo.conf properties can be set to define appropriate TLS/SSL configuration for MongoDB: nuxeo.mongodb.ssl=true nuxeo.mongodb.truststore.path nuxeo.mongodb.truststore.password nuxeo.mongodb.truststore.type nuxeo.mongodb.keystore.path nuxeo.mongodb.keystore.password nuxeo.mongodb.keystore.type If more fine-grained configuration is needed than properties, the following extension point can be used instead: <require> org.nuxeo.mongodb.connection </require> <extension target= "org.nuxeo.runtime.mongodb.MongoDBComponent" point= "connection" > <connection id= "default" > ... <ssl> true </ssl> <trustStorePath> /path/to/cacerts.jks </trustStorePath> <trustStorePassword> changeit </trustStorePassword> <trustStoreType> jks </trustStoreType> <keyStorePath> /path/to/keystore.jks </keyStorePath> <keyStorePassword> changeit </keyStorePassword> <keyStoreType> jks </keyStoreType> </connection> </extension>
    • Sprint:
      nxFG 10.3.9
    • Story Points:
      2

      Description

      Allow deployments to require one-way SSL between Nuxeo and a MongoDB Key/Value store.

      The default Nuxeo recommendations for configuring a static TrustStore provided here (https://doc.nuxeo.com/nxdoc/trust-store-and-key-store-configuration/) has the problem that they result in the value for JVM system property javax.net.ssl.trustStorePassword appearing on the nuxeo java entry in the process list. Since a MongoDB server can have a self-signed certificate, it also requires that the MongoDB CA cert be added to the JVM TrustStore which is also undesirable. Furthermore, an SSL best practice is to use a specific SSLContext for each secure client connection rather than relying on the global DefaultSSLContext which is configured via JVM system properties. We may not want the MongoDB SSL client configuration affecting the configuration of two-way SSL client connections to other internal services on the network.

      The MongoDB Java Driver allows for the specification of the javax.net.ssl.SSLContext via MongoClientOptions as described in the following documentation: http://mongodb.github.io/mongo-java-driver/3.6/driver/tutorials/ssl/#specify-sslcontext-via-mongoclientoptions.

      In the same way the Nuxeo Elasticsearch RestClient configures its SSLContext here: https://github.com/nuxeo/nuxeo/blob/1f77c6fe40ede55fe7293a892eb429703314d522/nuxeo-features/nuxeo-elasticsearch/nuxeo-elasticsearch-core/src/main/java/org/nuxeo/elasticsearch/client/ESRestClientFactory.java#L148 the Nuxeo MongoDBConnectionHelper available here: https://github.com/nuxeo/nuxeo/blob/1f77c6fe40ede55fe7293a892eb429703314d522/nuxeo-runtime/nuxeo-runtime-mongodb/src/main/java/org/nuxeo/runtime/mongodb/MongoDBConnectionHelper.java#L61 should be enhanced to do likewise.

      Also, by allowing a custom MongoDB TrustStore to be specified, the configuration of a secure connection between the nuxeo-apb and the nuxeo-mongodb-apb on OpenShift is simplified and improved.

      No longer does the nuxeo-mongodb-apb self-signed CA certificate need to be imported into the JVM-wide Nuxeo trustore. Instead, it can be imported into its own mongodb-specific TrustStore for direct use by Nuxeo. This also potentially eliminates the need in the nuxeo-apb to set ssl-related JVM system properties.

      Finally, this solution resolves NXP-25095 in a secure manner. Previously, JVM system properties were used to set KeyStore/TrustStore passwords which is problematic because the passwords appear on the java entry in the process list.

        Attachments

          Issue Links

          is duplicated by

          New Feature - A new feature of the product, which has yet to be developed. NXP-24213 X509 certificate authentication for mongodb

          • Major - Major loss of function.
          • Resolved
          is related to

          Improvement - An improvement or enhancement to an existing feature or task. NXP-25095 Nuxeo Launcher JAVA_OPTS should be configurable

          • Major - Major loss of function.
          • Open

          Improvement - An improvement or enhancement to an existing feature or task. NXP-26073 Allow configuring Redis in SSL mode and with custom TrustStore

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. NXP-26074 Enable use of a custom Elasticsearch RestClient Truststore

          • Major - Major loss of function.
          • Resolved

          New Feature - A new feature of the product, which has yet to be developed. NXP-24213 X509 certificate authentication for mongodb

          • Major - Major loss of function.
          • Resolved

          New Feature - A new feature of the product, which has yet to be developed. NXP-25956 Add simple configuration for Kafka SASL and TLS authentication

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 1 hour
                  1h