- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 10.10
- Fix Version/s: 10.10-HF14, 11.1, 2021.0
- Component/s: Core MongoDB
- Release Notes Summary: Nuxeo can connect to MongoDB with SSL and custom certificates.
- Tags:
- Backlog priority: 900
- Team: PLATFORM
- Sprint: nxplatform 11.1.15, nxplatform 11.1.17
- Story Points: 5
Below are the steps to create the files required to configure Nuxeo.

Root certificate
- Create a private key:
  openssl genrsa -out rootCA.key 2048
- Self-sign the root certificate:
  openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

MongoDB keyfile
- Create a private key:
  openssl genrsa -out mongodb.key 2048
- Generate the certificate signing request, setting "Common Name" to the MongoDB IP or hostname that Nuxeo will use to connect:
  openssl req -new -key mongodb.key -out mongodb.csr
- Sign the CSR with the root CA:
  openssl x509 -req -in mongodb.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out mongodb.crt -days 500 -sha256
- Create the .pem file (private key followed by the certificate):
  cat mongodb.key mongodb.crt > mongodb.pem

Start mongod with SSL required and the generated files:
  mongod --sslMode requireSSL --sslPEMKeyFile mongodb.pem --sslCAFile rootCA.pem
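The openssl steps above, as an added example that is not part of this issue: the same rootCA.pem / mongodb.pem files are built non-interactively (the -subj and subjectAltName additions are mine; Java clients verify the host name against the SAN before the CN) and then checked the way a TLS client will see them before mongod is started. It assumes openssl on PATH; MONGO_HOST is a constructed sample hostname standing in for the real MongoDB host.

```shell
#!/bin/sh
# Added example, not from the Nuxeo issue: build the rootCA.pem / mongodb.pem pair
# of the steps above non-interactively, then check the files the way a TLS client
# will see them before starting mongod. Assumes openssl is on PATH; MONGO_HOST is a
# constructed sample hostname standing in for the real MongoDB host.
MONGO_HOST="${MONGO_HOST:-mongo.example.internal}"

make_mongo_tls_files() {
    dir="$1"
    openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/rootCA.key" -sha256 -days 1024 \
        -batch -subj "/CN=Test Root CA" -out "$dir/rootCA.pem"
    openssl genrsa -out "$dir/mongodb.key" 2048 2>/dev/null
    # CN must be the host Nuxeo connects to; Java clients check the SAN first, so add one too.
    openssl req -new -key "$dir/mongodb.key" -batch -subj "/CN=$MONGO_HOST" -out "$dir/mongodb.csr"
    printf 'subjectAltName=DNS:%s\n' "$MONGO_HOST" > "$dir/san.ext"
    openssl x509 -req -in "$dir/mongodb.csr" -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" \
        -CAcreateserial -days 500 -sha256 -extfile "$dir/san.ext" -out "$dir/mongodb.crt"
    cat "$dir/mongodb.key" "$dir/mongodb.crt" > "$dir/mongodb.pem"
    chmod 600 "$dir/rootCA.key" "$dir/mongodb.pem"   # both files contain private keys
}

# Returns 0 only if mongodb.crt chains to rootCA.pem, mongodb.pem holds the key that
# matches its certificate, and the certificate is valid for the given host name.
verify_mongo_tls_files() {
    dir="$1"; host="$2"
    openssl verify -CAfile "$dir/rootCA.pem" "$dir/mongodb.crt" >/dev/null 2>&1 || return 1
    key_pub=$(openssl pkey -in "$dir/mongodb.pem" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$dir/mongodb.pem" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ] || return 2
    openssl x509 -in "$dir/mongodb.pem" -noout -checkhost "$host" 2>/dev/null \
        | grep -q 'does match' || return 3
    return 0
}

# Usage: make_mongo_tls_files /tmp/mongo-tls && verify_mongo_tls_files /tmp/mongo-tls "$MONGO_HOST"
```

A host-name mismatch (return code 3) fails the handshake from the Java side with a different error than the keystore password one reported below, so it is worth ruling out first.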
Client keyfile (useful to test with the mongo shell)
TBD
Build stores for Nuxeo
- Add the root CA to the truststore:
  keytool -import -trustcacerts -file rootCA.pem -keystore cacerts -storepass "changeit"
- Add the client key to a keystore in JKS format (Java 8):
  - Build the keystore and set its password to changeit:
    keytool -keystore clientkeystore -genkey -alias client
  - Generate the Certificate Signing Request:
    keytool -keystore clientkeystore -certreq -alias client -keyalg rsa -file client.csr
  - Generate a signed certificate for that Certificate Signing Request:
    openssl x509 -req -CA rootCA.pem -CAkey rootCA.key -in client.csr -out client.cer -days 365 -CAcreateserial
  - Import the root certificate (rootCA.pem created above) into the keystore:
    keytool -import -keystore clientkeystore -file rootCA.pem -alias theCARoot
  - Import the signed client certificate into the keystore, under the same alias as the key:
    keytool -import -keystore clientkeystore -file client.cer -alias client
Configure Nuxeo to use MongoDB SSL
nuxeo.mongodb.ssl=true
nuxeo.mongodb.truststore.path=/path/to/cacerts
nuxeo.mongodb.truststore.password=changeit
nuxeo.mongodb.truststore.type=jks
nuxeo.mongodb.keystore.path=/path/to/clientkeystore
nuxeo.mongodb.keystore.password=changeit
nuxeo.mongodb.keystore.type=jks
Connection checker failed with:

Cannot setup SSL context: org.nuxeo.runtime.mongodb.MongoDBConnectionConfig@4b57d15a
Exception in thread "NuxeoProcessThread-0" java.lang.RuntimeException: Cannot setup SSL context: org.nuxeo.runtime.mongodb.MongoDBConnectionConfig@4b57d15a
    at org.nuxeo.runtime.mongodb.MongoDBConnectionHelper.getSSLContext(MongoDBConnectionHelper.java:151)
    at org.nuxeo.runtime.mongodb.MongoDBConnectionHelper.newMongoClient(MongoDBConnectionHelper.java:110)
    at org.nuxeo.ecm.core.storage.mongodb.MongoDBChecker.check(MongoDBChecker.java:72)
    at org.nuxeo.launcher.config.BackingServiceConfigurator.lambda$verifyInstallation$2(BackingServiceConfigurator.java:101)
    at net.jodah.failsafe.Functions$10.call(Functions.java:252)
    at net.jodah.failsafe.SyncFailsafe.call(SyncFailsafe.java:145)
    at net.jodah.failsafe.SyncFailsafe.run(SyncFailsafe.java:81)
    at org.nuxeo.launcher.config.BackingServiceConfigurator.verifyInstallation(BackingServiceConfigurator.java:101)
    at org.nuxeo.launcher.config.ConfigurationGenerator.verifyInstallation(ConfigurationGenerator.java:1287)
    at org.nuxeo.launcher.NuxeoLauncher.doStart(NuxeoLauncher.java:2056)
    at org.nuxeo.launcher.NuxeoLauncher.lambda$launch$0(NuxeoLauncher.java:1171)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.security.UnrecoverableKeyException: Password must not be null
    at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:132)
    at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:56)
    at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96)
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:70)
    at java.security.KeyStore.getKey(KeyStore.java:1023)
    at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)
    at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
    at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
    at org.apache.http.ssl.SSLContextBuilder.loadKeyMaterial(SSLContextBuilder.java:302)
    at org.apache.http.ssl.SSLContextBuilder.loadKeyMaterial(SSLContextBuilder.java:323)
    at org.nuxeo.runtime.mongodb.MongoDBConnectionHelper.getSSLContext(MongoDBConnectionHelper.java:147)
    ... 13 more

The "Caused by" frames show where it breaks: SSLContextBuilder.loadKeyMaterial opened the JKS keystore with the configured password (the load itself succeeded) but initialised the KeyManagerFactory with a null key password, so KeyStore.getKey could not unlock the client's private key entry.