Affects Version/s: 9.10
Component/s: Core MongoDB
Release Notes Summary: A MongoDB client TrustStore can be configured for in-flight encryption.
Impact type: Configuration Change
The following nuxeo.conf properties can be set to define the TLS/SSL configuration for MongoDB:

    nuxeo.mongodb.ssl=true
    nuxeo.mongodb.truststore.path
    nuxeo.mongodb.truststore.password
    nuxeo.mongodb.truststore.type
    nuxeo.mongodb.keystore.path
    nuxeo.mongodb.keystore.password
    nuxeo.mongodb.keystore.type

If more fine-grained configuration is needed than these properties allow, the following extension point can be used instead:

    <require>org.nuxeo.mongodb.connection</require>
    <extension target="org.nuxeo.runtime.mongodb.MongoDBComponent" point="connection">
      <connection id="default">
        ...
        <ssl>true</ssl>
        <trustStorePath>/path/to/cacerts.jks</trustStorePath>
        <trustStorePassword>changeit</trustStorePassword>
        <trustStoreType>jks</trustStoreType>
        <keyStorePath>/path/to/keystore.jks</keyStorePath>
        <keyStorePassword>changeit</keyStorePassword>
        <keyStoreType>jks</keyStoreType>
      </connection>
    </extension>

The keystore settings are only needed for two-way (mutual) TLS; one-way TLS requires just the truststore that holds the MongoDB server's CA certificate.
Allow deployments to require one-way SSL between Nuxeo and a MongoDB Key/Value store.
The default Nuxeo recommendations for configuring a static TrustStore (https://doc.nuxeo.com/nxdoc/trust-store-and-key-store-configuration/) have the problem that the value of the JVM system property javax.net.ssl.trustStorePassword ends up on the nuxeo java command line, visible to any local user in the process list. Since a MongoDB server can present a self-signed certificate, those recommendations also require the MongoDB CA certificate to be added to the JVM-wide TrustStore, which is equally undesirable. Furthermore, an SSL best practice is to use a dedicated SSLContext for each secure client connection rather than relying on the global default SSLContext configured via JVM system properties. We may not want the MongoDB SSL client configuration affecting the configuration of two-way SSL client connections to other internal services on the network.
The MongoDB Java Driver allows for the specification of the javax.net.ssl.SSLContext via MongoClientOptions as described in the following documentation: http://mongodb.github.io/mongo-java-driver/3.6/driver/tutorials/ssl/#specify-sslcontext-via-mongoclientoptions.
The Nuxeo Elasticsearch RestClient already configures its own SSLContext this way (https://github.com/nuxeo/nuxeo/blob/1f77c6fe40ede55fe7293a892eb429703314d522/nuxeo-features/nuxeo-elasticsearch/nuxeo-elasticsearch-core/src/main/java/org/nuxeo/elasticsearch/client/ESRestClientFactory.java#L148). The Nuxeo MongoDBConnectionHelper (https://github.com/nuxeo/nuxeo/blob/1f77c6fe40ede55fe7293a892eb429703314d522/nuxeo-runtime/nuxeo-runtime-mongodb/src/main/java/org/nuxeo/runtime/mongodb/MongoDBConnectionHelper.java#L61) should be enhanced to do likewise.
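To make the approach concrete, here is an added example (written for this ticket, not the code of MongoDBConnectionHelper or of the Elasticsearch client factory) showing how the truststore/keystore settings from nuxeo.conf can be turned into a MongoDB-specific SSLContext and handed to the 3.6 Java driver through MongoClientOptions.sslContext(). The class name, the helper method names, the server address and the store paths/passwords are placeholders; in Nuxeo the values would be read from nuxeo.conf or the connection extension point. Nothing here touches javax.net.ssl.* system properties or the JVM default SSLContext.

```java
import com.mongodb.MongoClient;
import com.mongodb.MongoClientOptions;
import com.mongodb.MongoClientURI;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.SecureRandom;

/**
 * Hypothetical helper (example for this ticket, not Nuxeo code): builds a dedicated
 * SSLContext from MongoDB-specific trust/key stores and passes it to the Java driver.
 */
public class MongoSslContextExample {

    /** Loads a store of the given type ("jks", "pkcs12"); a null type means the JVM default. */
    static KeyStore loadStore(String path, String password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type == null ? KeyStore.getDefaultType() : type);
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            // A null password skips the JKS integrity check but still loads the certificates.
            ks.load(in, password == null ? null : password.toCharArray());
        }
        return ks;
    }

    /**
     * One-way TLS: pass only the truststore (keyStorePath == null).
     * Two-way TLS: also pass the keystore that holds the client certificate and private key.
     */
    static SSLContext buildSslContext(String trustStorePath, String trustStorePassword, String trustStoreType,
                                      String keyStorePath, String keyStorePassword, String keyStoreType)
            throws Exception {
        // Trust only what is in the MongoDB truststore, e.g. the self-signed MongoDB CA.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadStore(trustStorePath, trustStorePassword, trustStoreType));

        KeyManagerFactory kmf = null;
        if (keyStorePath != null) {
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            // Assumption: the private-key password equals the keystore password, as the
            // nuxeo.conf properties above only define one keystore password.
            kmf.init(loadStore(keyStorePath, keyStorePassword, keyStoreType),
                     keyStorePassword == null ? null : keyStorePassword.toCharArray());
        }

        // A fresh context: SSLContext.getDefault(), used by other clients in the JVM, is untouched.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    /** Driver options carrying the dedicated context; hostname verification stays enabled. */
    static MongoClientOptions.Builder sslOptions(SSLContext ctx) {
        return MongoClientOptions.builder()
                .sslEnabled(true)
                .sslInvalidHostNameAllowed(false)
                .sslContext(ctx);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths, password and host; one-way TLS (no client keystore).
        SSLContext ctx = buildSslContext(
                "/path/to/mongodb-truststore.jks", "changeit", "jks",
                null, null, null);
        MongoClientURI uri = new MongoClientURI("mongodb://mongodb.example:27017/nuxeo", sslOptions(ctx));
        try (MongoClient client = new MongoClient(uri)) {
            System.out.println("Connected over TLS to database " + client.getDatabase("nuxeo").getName());
        }
    }
}
```

Because the password is read into a char array inside the JVM rather than placed on the command line, it no longer shows up in the process list; and because the truststore is per-connection, the MongoDB CA never has to be merged into the JVM-wide cacerts or affect other TLS clients in the same Nuxeo instance.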
Also, by allowing a custom MongoDB TrustStore to be specified, the configuration of a secure connection between the nuxeo-apb and the nuxeo-mongodb-apb on OpenShift is simplified and improved.
The nuxeo-mongodb-apb self-signed CA certificate no longer needs to be imported into the JVM-wide Nuxeo truststore. Instead, it can be imported into its own MongoDB-specific TrustStore for direct use by Nuxeo. This also potentially eliminates the need in the nuxeo-apb to set SSL-related JVM system properties.
Finally, this solution resolves NXP-25095 in a secure manner. Previously, JVM system properties were used to set KeyStore/TrustStore passwords which is problematic because the passwords appear on the java entry in the process list.