用x.509证书来认证客户端
Use x.509 Certificates to Authenticate Clients
用x.509证书来认证客户端
On this page
此页面
NOTE
Starting in version 4.0, MongoDB disables support for TLS 1.0 encryption on systems where TLS 1.1+ is available. For more details, see Disable TLS 1.0.
MongoDB supports x.509 certificate authentication for use with a secure TLS/SSL connection. The x.509 client authentication allows clients to authenticate to servers with certificates rather than with a username and password. The following tutorial outlines the steps to use x.509 for client authentication with a standalone mongod instance.
To use x.509 authentication for replica sets or sharded clusters, see Use x.509 Certificate for Membership Authentication.
注意 从4.0版本开始,MongoDB不在支持TLS1.0加密,而TLS 1.1+可用,更多细节,请参见 禁用TLS 1.0 。 MongoDB支持使用安全的 TLS/SSL连接 进行x.509证书身份验证。x.509客户端身份验证允许 客户端使用证书认证服务 ,而不是使用用户名和密码。下面的教程逐步展示了x.509客户端认证步骤,使用单
mongod实例。 使用x.509认证复制集及分片集群,详细见 使用x.509证书对成员身份验证
Prerequisites
IMPORTANT
A full description of TLS/SSL, PKI (Public Key Infrastructure) certificates, in particular x.509 certificates, and Certificate Authority is beyond the scope of this document. This tutorial assumes prior knowledge of TLS/SSL as well as access to valid x.509 certificates.
规程
重要 对TLS/SSL、PKI(公钥基础设施)证书,特别是x.509证书和凭证管理中心完整描述超出了本文档的范围。本教程假设您已经了解TLS/SSL,并且能够使用有效的x.509证书。
Certificate Authority
For production use, your MongoDB deployment should use valid certificates generated and signed by a single certificate authority. You or your organization can generate and maintain an independent certificate authority, or use certificates generated by a third-party TLS/SSL vendor. Obtaining and managing certificates is beyond the scope of this documentation.
IMPORTANT
To use x.509 authentication, --tlsCAFile or net.tls.CAFile must be specified unless using --tlsCertificateSelector or --net.tls.certificateSelector. Or if using the ssl aliases, --sslCAFile or net.ssl.CAFile must be specified unless using --sslCertificateSelector or net.ssl.certificateSelector.
凭证管理中心
对于生产环境,您部署的MongoDB应该使用由单个证书颁发机构生成并签名的有效证书。您或者您的组织可以生成和维护一个独立的证书授权,或使用由第三方TLS/SSL供应商生成的证书。获取和管理证书超出了本文档的范围。
重要 要使用x.509身份验证,
--tlsCAFile或net.tls.CAFile必须指定, 除非使用--tlsCertificateSelector或--net.tls.certificateSelector。或者如果使用ssl别名,--sslCAFile或net.ssl.CAFile必须指定,除非使用--sslCertificateSelector或net.ssl.certificateSelector。
Client x.509 Certificate
NOTE
You must have valid x.509 certificates.
Starting in MongoDB 4.0, if you specify --sslAllowInvalidCertificates or net.ssl.allowInvalidCertificates: true (or in MongoDB 4.2, the alias --tlsAllowInvalidateCertificates or net.tls.allowInvalidCertificates: true) when using x.509 authentication, an invalid certificate is only sufficient to establish a TLS/SSL connection but is insufficient for authentication.
The client certificate must have the following properties:
A single Certificate Authority (CA) must issue the certificates for both the client and the server.
Client certificates must contain the following fields:
Each unique MongoDB user must have a unique certificate.
A client x.509 certificate’s subject, which contains the Distinguished Name (
DN), must differ from that of a Member x.509 Certificate.At least one of the Organization (
O), Organizational Unit (OU), or Domain Component (DC) attributes in the client certificate must differ from those in thenet.tls.clusterFileandnet.tls.certificateKeyFileserver certificates.If the MongoDB deployment has
tlsX509ClusterAuthDNOverrideset (available starting in MongoDB 4.2), the client x.509 certificate’s subject must also differ from that value.WARNING
If a client x.509 certificate’s subject has the same
O,OU, andDCcombination as the Member x.509 Certificate (ortlsX509ClusterAuthDNOverrideif set), the client connection is rejected. Only cluster member x509 certificates should use the sameO,OU, andDCcombinations as this grants full permissions.
客户端x.509证书
请注意 您必须拥有有效的x.509证书。
从MongoDB 4.0开始,如果你指定--sslAllowInvalidCertificates或net.ssl.allowInvalidCertificates: true (或在MongoDB 4.2中,使用别名的方式,--tlsAllowInvalidateCertificates 或者 net.tls.allowInvalidCertificates: true)。当使用x.509身份验证时,一个无效的证书只足以建立一个TLS/SSL连接,但对于身份验证是_不足_的。 客户端证书必须具有以下属性:
单个证书颁发机构(CA)必须同时为客户端和服务器颁发证书。
客户端证书必须包含以下字段:
每个唯一的MongoDB用户必须有一个唯一的证书。
客户端x.509证书的主题(subject),包含专有名称(
DN)。必须不同与成员x.509证书 的主题(subject)。至少有一个组织(
O),组织单元(OU),或域组件 (DC) 属性,在客户端证书必须与那些net.tls.clusterFile和net.tls.certificateKeyFile服务器证书不同。如果部署的MongoDB有
tlsX509ClusterAuthDNOverride设置(在MongoDB 4.2版本中可用),那么客户端x.509证书的主题也必须与该值不同。
警告 如果客户端证书的主题有相同的
O,OU, 和DC组合为 成员x.509证书 (或tlsX509ClusterAuthDNOverride如果设置),客户端连接将被拒绝。只有 集群成员x509证书 应该使用相同的O,OU, 和DC组合作为授予完全权限。
MongoDB Deployment Configured for x.509 (Using TLS Options)
NOTE
The procedures in this section use the tls settings/option (Available in MongoDB 4.2). For procedures using their ssl aliases, see MongoDB Deployment Configured for x.509 (Using SSL Options).
The tls settings/options provide identical functionality as the ssl options since MongoDB has always supported TLS 1.0 and later.
Command-Options
Configuration File
You can configure a mongod instance for x.509 authentication from the command-line. For example, to configure a standalone mongod instance:
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the --bind_ip. For more information, see Localhost Binding Compatibility Changes.
The x.509 configuration requires:
Specify requireTLS.
The instance’s x.509 certificate to present to clients.
Certificate Authority file to verify the certificates presented to the instance.
To set up x.509 authentication for replica sets or sharded clusters, see Use x.509 Certificate for Membership Authentication.
在部署的MongoDB上配置x.509(使用TLS选项)
请注意 本节中使用
tls设置/选项(在MongoDB 4.2中可用)。对于使用ssl别名,请参见 使用x.509配置部署的MongoDB(使用TLS选项) 。
tls设置/选项提供了与ssl选项相同的功能,因为MongoDB一直支持tls 1.0和以后的版本。
命令选项
根据需要配置可用其他选项。例如,如果您希望远程客户端连接到您部署的MongoDB数据库,或者您的部署MongoDB运行在不同的主机上,请指定--bind_ip。有关更多信息,请参见 本地主机绑定兼容性更改 。
x.509配置包含:
要为复制集或分片集群设置x.509身份验证,请参见 为成员身份验证使用x.509证书 。
MongoDB Deployment Configured for x.509 (Using SSL Options)
NOTE
The procedures in this section use the ssl settings/option. For procedures using their tls aliases (Available in MongoDB 4.2), see MongoDB Deployment Configured for x.509 (Using TLS Options).
The tls settings/options provide identical functionality as the ssl options since MongoDB has always supported TLS 1.0 and later.
Command-Options
Configuration File
You can configure a mongod instance for x.509 authentication from the command-line. For example, to configure a standalone mongod instance:
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the --bind_ip. For more information, see Localhost Binding Compatibility Changes.
The x.509 configuration for a standalone requires:
Specify requireSSL.
The instance’s x.509 certificate.
Certificate Authority file to verify the certificate presented to the instance.
To set up x.509 authentication for replica sets or sharded clusters, see Use x.509 Certificate for Membership Authentication.
在部署的MongoDB上配置x.509(使用SSL选项)
注意 本节中使用
ssl设置/选项。有关使用tls别名(在MongoDB 4.2版本中可用),请参见 使用x.509配置部署的MongoDB(使用TLS选项) 。tls设置/选项提供了与ssl选项相同的功能,因为MongoDB一直支持tls 1.0和以后的版本。
命令选项
根据需要配置可用其他选项。例如,如果您希望远程客户端连接到部署的MongoDB数据库,或者您的部署MongoDB运行在不同的主机上,请指定--bind_ip。有关更多信息,请参见 本地主机绑定兼容性更改 。 x.509配置包括:
Procedures
Add x.509 Certificate subject as a User
subject as a UserTo authenticate with a client certificate, you must first add the value of the subject from the client certificate as a MongoDB user to the $external database. Each unique x.509 client certificate corresponds to a single MongoDB user; i.e. you cannot use a single client certificate to authenticate more than one MongoDB user.
Changed in version 3.6.3: To use sessions with $external authentication users (i.e. Kerberos, LDAP, x.509 users), the usernames cannot be greater than 10k bytes.
NOTE
The RDNs in the subject string must be compatible with the RFC2253 standard.
You can retrieve the
RFC2253formattedsubjectfrom the client certificate with the following command:
The command returns the subject string as well as certificate:
Add the
RFC2253compliant value of thesubjectas a user. Omit spaces as needed.For example, the following adds a user and grants the user
readWriterole in thetestdatabase and theuserAdminAnyDatabaserole:copycopied
See Manage Users and Roles for details on adding a user with roles.
流程
添加x.509证书的subject作为用户
subject作为用户通过客户端证书进行授权,你必须首先从客户端证书添加subject值来作为MongoDB用户,在 $external数据库中,每个x.509客户端证书相当于一个MongoDB用户,例如,你不能用一个客户端证书来认证多个MongoDB用户 _在版本3.6.3中_使用$external身份验证用户(如Kerberos, LDAP, x.509用户)的会话,用户名不能大于10k字节。
注意
subject字符串中的RDNs必须兼容 RFC2253 标准。
你可以通过如下命令,从客户端证书来还原RFC2253格式的subject :
下面命令返回subject字符串以及证书:
Authenticate with a x.509 Certificate (Using tls Options)
tls Options)NOTE
The procedures in this section use the tls settings/option (Available in MongoDB 4.2). For procedures using their ssl aliases, see Authenticate with a x.509 Certificate (Using ssl Options).
The tls settings/options provide identical functionality as the ssl options since MongoDB has always supported TLS 1.0 and later.
After you have added the x.509 client certificate subject as a corresponding MongoDB user, you can authenticate with the client certificate.
Connect with Authentication
Authenticate after Connection
To authenticate during connection:
Client’s x.509 file.
Certificate Authority file to verify the certificate presented by the mongod instance.
Specify '$external'.
Specify MONGODB-X509.
认证x.509证书 (使用tls选项)
tls选项)注意 本节中使用
tls设置/选项(在MongoDB 4.2版本中可用)。有关使用ssl别名,请参见 使用x.509证书权限认证(用ssl选项) 。
tls设置/选项提供了与ssl选项相同的功能,因为MongoDB一直支持tls 1.0和以后的版本。
在您 添加x.509客户端证书的subject相当于创建一个MongoDB用户 之后,您可以使用客户端证书进行身份验证。
连接认证
连接后进行认证
在连接时进行身份验证:
Authenticate with a x.509 Certificate (Using ssl Options)
ssl Options)NOTE
The procedures in this section use the ssl settings/options. For procedures using their tls (Available in MongoDB 4.2) aliases, see Authenticate with a x.509 Certificate (Using tls Options).
The tls settings/options provide identical functionality as the ssl options since MongoDB has always supported TLS 1.0 and later.
After you have added the x.509 client certificate subject as a corresponding MongoDB user, you can authenticate with the client certificate.
Connect with Authentication
Authenticate after Connection
To authenticate during connection:
Client’s x.509 file.
Specify '$external'.
Specify MONGODB-X509.
认证x.509证书 (用ssl选项)
ssl选项)注意
本节中使用
ssl设置/选项。有关使用tls(在MongoDB 4.2版本中可用)别名,请参见使用x.509证书进行验证(用tls选项) 。tls设置/选项提供了与ssl选项相同的功能,因为MongoDB一直支持tls 1.0和以后的版本。
在您 添加x.509客户端证书的subject相当于创建一个MongoDB用户 之后,您可以使用客户端证书进行身份验证。
使用授权信息进行连接
连接后进行认证
在连接时进行身份验证:
客户端的x.509文件
Specify '$external'.
Specify MONGODB-X509.
英文原文地址:https://docs.mongodb.com/v4.2/tutorial/configure-x509-client-authentication/
译者:管祥青
最后更新于