How to secure mongoDB database

The mongoDB database can be accessed via different tools such as roboMongo. The access is done on a given port (27017 by default), and for security reasons, it is recommended to secure this port against external connections.

From update 9, it is possible to secure the connection with a certificate and have a very strong security. But even before, securing the port on the servers that runs mongoDB ensures a very good security.

This document explains how to do this.

Mono-server configuration

The procedure is the following:

• Install mongodb, X3 and New Webserver with standard procedures.
• Connect to New Webserver, Open Endpoints page, and select the “Syracuse Administration” endpoint.
• Make sure that the box Use local database settings is checked.
• Identify mongodb service configuration file. Depending on your setup it can be mongod.cfg in mongodb program folder. Refer to your mongodb setup notes and service configuration.
• Add the parameter bind_ip=127.0.0.1 into the configuration file.
• Identify web server’s configuration file : nodelocal.js located in Syracuse/bin folder.
• Modify the value config.collaboration.hostname to “localhost”
• Start mongodb
• Start Webserver

Cluster configuration

In cluster configuration, mongodb servers must access each other. The recommended configuration is to setup the firewalls to allow port 27017 to relevant servers only.

Reading mongodb data from third party tools

We do not recommend direct access to mongodb from third party applications, every data stored in mongodb being available through REST web services from Webserver. This method guarantee services stability and user rights compliance.

Installing certificates (from release 9)

In release 9, the installation procedure of MongoDB can be done with certificates. If this has been done, using a tool like robomongo will require a dedicated set up, summarized here:

• the installation procedure has created, in the configuration directory (usually a conf sub-directory of the installation directory), a set of files related to certificates. The only file you have to be copy on the server that runs robomongo is the file called client.pem. This file can be renamed.
• when launching robomongo, the configuration setup has to be defined as shown in the screen copy:

• the address of the MongoDB server must be the full qualified name.
• the Use SSL protocol checkbox must be set.
• the SSL certificate entered must be the client.pem file previously copied/renamed.