Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-27694

Fix connection to MongoDB SSL

    XMLWordPrintable

    Details

    • Release Notes Summary:
      Nuxeo can connect to MongoDB with SSL and custom certificates.
    • Backlog priority:
      900
    • Team:
      PLATFORM
    • Sprint:
      nxplatform 11.1.15, nxplatform 11.1.17
    • Story Points:
      5

      Description

      Please find the steps to create the files required to configure Nuxeo

      Root certificate

      1. create a private key
        openssl genrsa -out rootCA.key 2048
        
      1. Self sign the certificate
        openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
        

      MongoDB keyfile

      1. create a private key
        openssl genrsa -out mongodb.key 2048
        
      1. generate the certificate signing request and set "Common Name" to MongoDB IP or hostname
        openssl req -new -key mongodb.key -out mongodb.csr
        
      1. sign the CSR
        openssl x509 -req -in mongodb.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out mongodb.crt -days 500 -sha256
        
      1. create the .pem file
        cat mongodb.key mongodb.crt > mongodb.pem
        

      Start mongo

      mongod --sslMode requireSSL --sslPEMKeyFile mongodb.pem  --sslCAFile rootCA.pem
      

      Client keyfile (useful to test with mongo shell)

      TBD

      Build stores for Nuxeo

      1. Add rootCA to truststore
        keytool -import -trustcacerts -file rootCA.pem -keystore cacerts -storepass "changeit"
        
      1. Add key to keystore in JKS format (Java8)
        • build the keystore and set the password to changeit
          keytool -keystore clientkeystore -genkey -alias client
        • Generate the Certificate Signing Request
          keytool -keystore clientkeystore -certreq -alias client -keyalg rsa -file client.csr
        • Generate a signed certificate for the associated Certificate Signing Request
          openssl x509 -req -CA rootCA.pem -CAkey rootCA.key -in client.csr -out client.cer -days 365 -CAcreateserial
        • Import Root certificate to keystore
          keytool -import -keystore clientkeystore -file CARoot.pem -alias theCARoot
        • Import key to keystore
          keytool -import -keystore clientkeystore -file client.cer -alias client

      Configure Nuxeo to use MongoDB SSL

      nuxeo.mongodb.ssl=true
      nuxeo.mongodb.truststore.path=/path/to/cacerts
      nuxeo.mongodb.truststore.password=changeit
      nuxeo.mongodb.truststore.type=jks
      nuxeo.mongodb.keystore.path=/path/to/clientkeystore
      nuxeo.mongodb.keystore.password=changeit
      nuxeo.mongodb.keystore.type=jks
      

      Connection checker failed with

      Cannot setup SSL context: org.nuxeo.runtime.mongodb.MongoDBConnectionConfig@4b57d15a
      Exception in thread "NuxeoProcessThread-0" java.lang.RuntimeException: Cannot setup SSL context: org.nuxeo.runtime.mongodb.MongoDBConnectionConfig@4b57d15a
      	at org.nuxeo.runtime.mongodb.MongoDBConnectionHelper.getSSLContext(MongoDBConnectionHelper.java:151)
      	at org.nuxeo.runtime.mongodb.MongoDBConnectionHelper.newMongoClient(MongoDBConnectionHelper.java:110)
      	at org.nuxeo.ecm.core.storage.mongodb.MongoDBChecker.check(MongoDBChecker.java:72)
      	at org.nuxeo.launcher.config.BackingServiceConfigurator.lambda$verifyInstallation$2(BackingServiceConfigurator.java:101)
      	at net.jodah.failsafe.Functions$10.call(Functions.java:252)
      	at net.jodah.failsafe.SyncFailsafe.call(SyncFailsafe.java:145)
      	at net.jodah.failsafe.SyncFailsafe.run(SyncFailsafe.java:81)
      	at org.nuxeo.launcher.config.BackingServiceConfigurator.verifyInstallation(BackingServiceConfigurator.java:101)
      	at org.nuxeo.launcher.config.ConfigurationGenerator.verifyInstallation(ConfigurationGenerator.java:1287)
      	at org.nuxeo.launcher.NuxeoLauncher.doStart(NuxeoLauncher.java:2056)
      	at org.nuxeo.launcher.NuxeoLauncher.lambda$launch$0(NuxeoLauncher.java:1171)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
      	at java.lang.Thread.run(Thread.java:748)
      Caused by: java.security.UnrecoverableKeyException: Password must not be null
      	at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:132)
      	at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:56)
      	at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96)
      	at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:70)
      	at java.security.KeyStore.getKey(KeyStore.java:1023)
      	at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)
      	at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
      	at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
      	at org.apache.http.ssl.SSLContextBuilder.loadKeyMaterial(SSLContextBuilder.java:302)
      	at org.apache.http.ssl.SSLContextBuilder.loadKeyMaterial(SSLContextBuilder.java:323)
      	at org.nuxeo.runtime.mongodb.MongoDBConnectionHelper.getSSLContext(MongoDBConnectionHelper.java:147)
      	... 13 more
      

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 2 hours
                  2h