[NXP-27694] Fix connection to MongoDB SSL - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 10.10
Fix Version/s: 10.10-HF14, 11.1, 2021.0
Component/s: Core MongoDB

Release Notes Summary:
Nuxeo can connect to MongoDB with SSL and custom certificates.
Tags:
- SupCom
- nxplatform
Backlog priority:
900
Team:
PLATFORM
Sprint:
nxplatform 11.1.15, nxplatform 11.1.17
Story Points:
5

Description

Please find the steps to create the files required to configure Nuxeo

Root certificate

create a private key
```
openssl genrsa -out rootCA.key 2048
```

Self sign the certificate

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

MongoDB keyfile

create a private key
```
openssl genrsa -out mongodb.key 2048
```

generate the certificate signing request and set "Common Name" to MongoDB IP or hostname
```
openssl req -new -key mongodb.key -out mongodb.csr
```

sign the CSR

openssl x509 -req -in mongodb.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out mongodb.crt -days 500 -sha256

create the .pem file

cat mongodb.key mongodb.crt > mongodb.pem

Start mongo

mongod --sslMode requireSSL --sslPEMKeyFile mongodb.pem  --sslCAFile rootCA.pem

Client keyfile (useful to test with mongo shell)

TBD

Build stores for Nuxeo

Add rootCA to truststore

keytool -import -trustcacerts -file rootCA.pem -keystore cacerts -storepass "changeit"

Add key to keystore in JKS format (Java8)
- build the keystore and set the password to changeit
```
keytool -keystore clientkeystore -genkey -alias client
```

Generate the Certificate Signing Request

keytool -keystore clientkeystore -certreq -alias client -keyalg rsa -file client.csr

Generate a signed certificate for the associated Certificate Signing Request

openssl x509 -req -CA rootCA.pem -CAkey rootCA.key -in client.csr -out client.cer -days 365 -CAcreateserial

Import Root certificate to keystore

keytool -import -keystore clientkeystore -file CARoot.pem -alias theCARoot

Import key to keystore

keytool -import -keystore clientkeystore -file client.cer -alias client

Configure Nuxeo to use MongoDB SSL

nuxeo.mongodb.ssl=true
nuxeo.mongodb.truststore.path=/path/to/cacerts
nuxeo.mongodb.truststore.password=changeit
nuxeo.mongodb.truststore.type=jks
nuxeo.mongodb.keystore.path=/path/to/clientkeystore
nuxeo.mongodb.keystore.password=changeit
nuxeo.mongodb.keystore.type=jks

Connection checker failed with

Cannot setup SSL context: org.nuxeo.runtime.mongodb.MongoDBConnectionConfig@4b57d15a
Exception in thread "NuxeoProcessThread-0" java.lang.RuntimeException: Cannot setup SSL context: org.nuxeo.runtime.mongodb.MongoDBConnectionConfig@4b57d15a
	at org.nuxeo.runtime.mongodb.MongoDBConnectionHelper.getSSLContext(MongoDBConnectionHelper.java:151)
	at org.nuxeo.runtime.mongodb.MongoDBConnectionHelper.newMongoClient(MongoDBConnectionHelper.java:110)
	at org.nuxeo.ecm.core.storage.mongodb.MongoDBChecker.check(MongoDBChecker.java:72)
	at org.nuxeo.launcher.config.BackingServiceConfigurator.lambda$verifyInstallation$2(BackingServiceConfigurator.java:101)
	at net.jodah.failsafe.Functions$10.call(Functions.java:252)
	at net.jodah.failsafe.SyncFailsafe.call(SyncFailsafe.java:145)
	at net.jodah.failsafe.SyncFailsafe.run(SyncFailsafe.java:81)
	at org.nuxeo.launcher.config.BackingServiceConfigurator.verifyInstallation(BackingServiceConfigurator.java:101)
	at org.nuxeo.launcher.config.ConfigurationGenerator.verifyInstallation(ConfigurationGenerator.java:1287)
	at org.nuxeo.launcher.NuxeoLauncher.doStart(NuxeoLauncher.java:2056)
	at org.nuxeo.launcher.NuxeoLauncher.lambda$launch$0(NuxeoLauncher.java:1171)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)
Caused by: java.security.UnrecoverableKeyException: Password must not be null
	at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:132)
	at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:56)
	at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96)
	at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:70)
	at java.security.KeyStore.getKey(KeyStore.java:1023)
	at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)
	at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
	at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
	at org.apache.http.ssl.SSLContextBuilder.loadKeyMaterial(SSLContextBuilder.java:302)
	at org.apache.http.ssl.SSLContextBuilder.loadKeyMaterial(SSLContextBuilder.java:323)
	at org.nuxeo.runtime.mongodb.MongoDBConnectionHelper.getSSLContext(MongoDBConnectionHelper.java:147)
	... 13 more

Attachments

Issue Links

is related to

NXP-27993 Put Nuxeo with a MongoDB SSL connection under CI

Resolved

NXP-27836 Find a solution to make Quartz work with MongoDB SSL/TLS

Resolved

Activity

People

Assignee:

Antoine Taillefer

Reporter:

Thierry Martins

Participants:

Antoine Taillefer, Jenkins, Thierry Martins

Votes:

0 Vote for this issue

Watchers:

3 Start watching this issue

Dates

Created:

2019-07-05 13:57

Updated:

2020-12-17 16:35

Resolved:

2019-09-09 09:10

Time Tracking

Estimated:

Not Specified

Remaining:

Logged: