
I'm trying to understand this part of the RESTHeart documentation, but I can't: https://softinstigate.atlassian.net/wiki/spaces/RH/pages/9207828/Installation+and+Setup#InstallationandSetup-5.1ConnectRESTHearttoMongoDBoverTLS/SSL

create the keystore by importing the public certificate used by mongod with keytool (the java tool to manage keystores of cryptographic keys)

Where can I get the public certificate used by mongod?

start restheart with following options: $ java -server -Djavax.net.ssl.trustStore=rhTrustStore -Djavax.net.ssl.trustStorePassword=changeit -Djavax.security.auth.useSubjectCredsOnly=false -jar restheart.jar restheart.yml

In this case, must the option "use-embedded-keystore" in the restheart.yml conf file have the value true or false, and should I use my own keystore? As I understand it, if the option has the value true, this part of the command

-Djavax.net.ssl.trustStore=rhTrustStore -Djavax.net.ssl.trustStorePassword=changeit -Djavax.security.auth.useSubjectCredsOnly=false

is ignored? Or not?

Eugène Adell
konsul777
  • "Where can I get the public certificate used by mongod?" Try connecting to your mongo with an openssl command; it will display the certificate, and you can save it in a text file and then import it. The command is openssl s_client -connect yourmongo:443 (change the port if necessary); the certificate is the part from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, and keep those 2 lines too. – Eugène Adell Mar 04 '18 at 16:18
  • Thanks @EugèneAdell for your answer. In my question: "option "use-embedded-keystore" in the restheart.yml conf file must have value=true or false". This option isn't linked with connecting restheart and mongodb via tls/ssl. – konsul777 Mar 04 '18 at 19:44
  • I got the public certificate as suggested above and added it to the keystore, but the connection between restheart and mongo via ssl/tls isn't working. – konsul777 Mar 04 '18 at 19:52
  • I didn't try it and I'm not that comfortable with this technology. From the doc (https://softinstigate.atlassian.net/wiki/spaces/RH/pages/9207845/Advanced+Configuration), set it to FALSE to use your own certificates and the system properties. TRUE will make these properties be ignored. – Eugène Adell Mar 04 '18 at 20:42

2 Answers


The option use-embedded-keystore controls the SSL certificate used by restheart for the https protocol, and it has nothing to do with the connection to mongodb.

To connect to mongodb over SSL you have to install the public certificate used by mongodb in the java keystore and follow the instructions in the documentation.

Andrea Di Cesare
  • Thanks @AndreaDiCesare, I already understood that this option isn't linked with the connection of restheart to mongodb via ssl/tls, but where can I get the public certificate used by mongodb? I got the certificate through openssl and imported it into the keystore, but the ssl connection between restheart and mongodb isn't working. – konsul777 Mar 05 '18 at 18:44
  • If MongoDb is correctly configured for ssl (https://docs.mongodb.com/manual/tutorial/configure-ssl/), then I usually just add the &ssl=true parameter to the mongouri in restheart.yml and that's it. I never have to add any certificate to restheart (maybe it could be mandatory if you configure mongodb with a self-signed certificate, but I never tried that). For example, we connect to mlab.com databases exclusively under ssl like this. – mturatti Mar 14 '18 at 15:21
  • If you created self-signed certificates via openssl, this thread might help: https://stackoverflow.com/questions/2893819/accept-servers-self-signed-ssl-certificate-in-java-client – mturatti Mar 14 '18 at 15:25

You can find detailed documentation about connecting restheart to mongodb over SSL at the following address:

https://softinstigate.atlassian.net/wiki/x/FICM#InstallationandSetup-5.1ConnectRESTHearttoMongoDBoverTLS/SSL

5.1 Connect RESTHeart to MongoDB over TLS/SSL

MongoDB clients can use TLS/SSL to encrypt connections to mongod and mongos instances.

To configure RESTHeart for TLS/SSL do as follows:

create the keystore by importing the public certificate used by mongod with keytool (the java tool to manage keystores of cryptographic keys)

 $ keytool -importcert -file mongo.cer -alias mongoCert -keystore rhTrustStore
 # asks for password, use "changeit"

specify the ssl option in the mongo-uri in the restheart yml configuration file:

 mongo-uri: mongodb://your.mongo-domain.com?ssl=true

start restheart with following options:

 $ java -server -Djavax.net.ssl.trustStore=rhTrustStore -Djavax.net.ssl.trustStorePassword=changeit -Djavax.security.auth.useSubjectCredsOnly=false -jar restheart.jar restheart.yml
Andrea Di Cesare
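As an added example (not from the RESTHeart documentation and not from either answer or the comments above), here is a small POSIX shell script that does what the openssl s_client comment describes end to end: it keeps only the -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- blocks from the s_client output, saves them as the mongo.cer file the documentation feeds to keytool, and compares the SHA-256 fingerprint of the saved file with the certificate the server presented, which is the check to run when "I imported it but the connection still fails" (keytool -list -v prints the same fingerprint for the entry it stored). The host your.mongo-domain.com, the alias mongoCert, the truststore rhTrustStore and the password changeit are taken from the quoted documentation; the self-signed certificate and the s_client-style transcript wrapped around it are constructed here so the script runs with no mongod available, and the keytool step only runs when a JDK is installed. Note that mongod listens on port 27017 by default, not 443.

```shell
#!/bin/sh
# Added example, not code from the RESTHeart docs or the answers above.
# Assumes: POSIX sh, awk, grep, sed; `openssl` for fetching/fingerprinting;
# the JDK's `keytool` for the import step (skipped when not installed).
set -eu

# Keep only the PEM certificate blocks (BEGIN/END lines included) from
# `openssl s_client -showcerts` output on stdin. The rest of what s_client
# prints (CONNECTED, chain summary, handshake stats) must not end up in
# the file handed to keytool.
extract_pem_certs() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { p = 1 }
         p { print }
         /^-----END CERTIFICATE-----$/ { p = 0 }'
}

# Number of certificate blocks in a PEM file. With -showcerts the first
# block is the mongod leaf certificate, any further blocks are its issuers.
count_pem_certs() {
    grep -c -- '^-----BEGIN CERTIFICATE-----$' "$1"
}

# SHA-256 fingerprint of the first certificate in a PEM file, as the same
# colon-separated hex that `keytool -list -v` prints, so they can be compared.
sha256_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^[^=]*=//'
}

# Real use: fetch the chain mongod presents. mongod listens on 27017 by
# default, not 443. </dev/null makes s_client exit after the handshake.
fetch_mongod_chain() {   # $1 = host:port, $2 = output PEM file
    openssl s_client -connect "$1" -servername "${1%%:*}" -showcerts \
        </dev/null 2>/dev/null | extract_pem_certs > "$2"
}

# Import one certificate into the RESTHeart truststore and show what landed
# there. Prefer the CA that issued the mongod certificate over the leaf so a
# renewed server certificate from the same CA keeps working; for a self-signed
# mongod certificate the leaf is the CA. "changeit" is the docs' password.
import_into_truststore() {   # $1 = PEM file holding exactly one certificate
    keytool -importcert -noprompt -file "$1" -alias mongoCert \
        -keystore rhTrustStore -storepass changeit
    keytool -list -v -keystore rhTrustStore -storepass changeit | grep 'SHA256:'
}

# ---- Constructed fixture: no real mongod is contacted -------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SERVER_PEM="$WORK/server.pem"   # stands in for the certificate mongod uses
MONGO_CER="$WORK/mongo.cer"     # the file that would be handed to keytool

if command -v openssl >/dev/null 2>&1; then
    # Throwaway self-signed certificate (subject == issuer), the same shape
    # a self-signed mongod certificate has.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=your.mongo-domain.com' \
        -keyout "$WORK/server-key.pem" -out "$SERVER_PEM" 2>/dev/null
else
    # Placeholder with valid PEM framing only; not a parseable certificate.
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCBhIGNlcnRpZmljYXRl' \
        '-----END CERTIFICATE-----' > "$SERVER_PEM"
fi

# Text in the shape `openssl s_client -showcerts` prints, wrapped around the
# fixture certificate. Constructed here, not captured from a server.
{
    echo 'CONNECTED(00000003)'
    echo 'depth=0 CN = your.mongo-domain.com'
    echo 'verify error:num=18:self signed certificate'
    echo '---'
    echo 'Certificate chain'
    echo ' 0 s:CN = your.mongo-domain.com'
    echo '   i:CN = your.mongo-domain.com'
    cat "$SERVER_PEM"
    echo '---'
    echo 'Server certificate'
    echo 'subject=CN = your.mongo-domain.com'
    echo 'SSL handshake has read 1234 bytes and written 456 bytes'
} > "$WORK/s_client.txt"

extract_pem_certs < "$WORK/s_client.txt" > "$MONGO_CER"
echo "certificates saved: $(count_pem_certs "$MONGO_CER")"

if command -v openssl >/dev/null 2>&1; then
    # The check behind the question: is the file we import what the server sent?
    echo "server  : $(sha256_fingerprint "$SERVER_PEM")"
    echo "imported: $(sha256_fingerprint "$MONGO_CER")"
    if command -v keytool >/dev/null 2>&1; then
        ( cd "$WORK" && import_into_truststore mongo.cer )
    fi
fi
```

Against a real server the first two steps are fetch_mongod_chain your.mongo-domain.com:27017 mongo.cer followed by count_pem_certs mongo.cer; if more than one block comes back, split the file and import the issuer block rather than the leaf. If the handshake still fails after the import, start RESTHeart with the documented truststore options plus -Djavax.net.debug=ssl:handshake, which makes the JVM print which certificate it rejected, and check that the host in mongo-uri matches the CN or subjectAltName of the certificate mongod presents, since the Java driver verifies the hostname as well as the chain.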