MongoDB supports x.509 certificate authentication for client authentication and for internal authentication of the members of replica sets and sharded clusters.

x.509 certificate authentication requires a secure TLS/SSL connection.

For production use, your MongoDB deployment should use valid certificates generated and signed by a certificate authority. You or your organization can generate and maintain an independent certificate authority, or use certificates generated by third-party TLS vendors. Obtaining and managing certificates is beyond the scope of this documentation.

To authenticate to servers, clients can use x.509 certificates instead of usernames and passwords.
Client certificate requirements:

- The x.509 certificate must not be expired.

  Changed in version 4.4: mongod / mongos logs a warning on connection if the presented x.509 certificate expires within 30 days of the mongod/mongos host system time.

- Client certificates must contain the following fields:

      keyUsage = digitalSignature
      extendedKeyUsage = clientAuth
- At least one of the following client certificate attributes must be different than the attributes in both the net.tls.clusterFile and net.tls.certificateKeyFile server certificates:

  - O (Organization)
  - OU (Organizational Unit)
  - DC (Domain Component)

  The subject of a client x.509 certificate, which contains the Distinguished Name (DN), must be different than the subjects of member x.509 certificates.
  If a client x.509 certificate's subject matches the O, OU, and DC attributes of the member x.509 certificate (or tlsX509ClusterAuthDNOverride, if set) exactly, the client connection is accepted, full permissions are granted, and a warning message appears in the log.

  Only cluster member x.509 certificates should use the same O, OU, and DC attribute combinations.
- New in version 4.2: If the MongoDB deployment has tlsX509ClusterAuthDNOverride set, the client x.509 certificate's subject must not match that value.
$external Database

To authenticate with a client certificate, you must first add the client certificate's subject as a MongoDB user in the $external database. The $external database is the authentication database for the user.

Each unique x.509 client certificate is for one MongoDB user. You cannot use a single client certificate to authenticate more than one MongoDB user.

To use Client Sessions and Causal Consistency Guarantees with $external authentication users (Kerberos, LDAP, or x.509 users), usernames cannot be greater than 10k bytes.
Starting in MongoDB 5.0, mongod and mongos issue a startup warning when their certificates do not include a Subject Alternative Name attribute.

The following platforms do not support common name validation:

Clients using these platforms will not authenticate to MongoDB servers that use x.509 certificates whose hostnames are specified by CommonName attributes.
For internal authentication between members of sharded clusters and replica sets, you can use x.509 certificates instead of keyfiles.

Use member certificates to verify membership of a sharded cluster or a replica set. Member certificates are stored in net.tls.clusterFile and net.tls.certificateKeyFile.

Member certificate requirements:
- The x.509 certificate must not be expired.

  Changed in version 4.4: mongod / mongos logs a warning on connection if the presented x.509 certificate expires within 30 days of the mongod/mongos host system time.

- The Distinguished Name (DN), found in the member certificate's subject, must specify a non-empty value for at least one of the following attributes:
  - O (Organization)
  - OU (Organizational Unit)
  - DC (Domain Component)

- Each cluster member certificate must have identical Os, OUs, and DCs in their net.tls.clusterFile and net.tls.certificateKeyFile certificates. This also applies to the tlsX509ClusterAuthDNOverride value, if set. Attribute order doesn't matter.
  Here's an example. The two DNs below have matching specifications for O and OU, and DC is not specified.

      CN=host1,OU=Dept1,O=MongoDB,ST=NY,C=US
      C=US, ST=CA, O=MongoDB, OU=Dept1, CN=host2
  The following example is incorrect, because the DNs don't match. One DN has two OU specifications and the other has only one OU specification.

      CN=host1,OU=Dept1,OU=Sales,O=MongoDB
      CN=host2,OU=Dept1,O=MongoDB
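  Two of the rules above can be checked before a certificate is ever issued: a client certificate's O, OU and DC must differ from those of the member certificates (or the tlsX509ClusterAuthDNOverride value), and every member certificate must carry the same O, OU and DC values, with attribute order ignored but multiplicity respected, as the incorrect two-OU example shows. The Python below is an added example, not code from the MongoDB documentation or from the MongoDB server. It assumes the comparison semantics exactly as this page describes them (order-insensitive, multiplicity-sensitive multiset of O/OU/DC pairs), uses the DNs from the examples above as constructed test data, and its DN parser is a simplification that does not handle escaped or quoted commas in RDN values.

```python
from collections import Counter

# Attributes MongoDB compares for cluster-membership checks, per this page.
MEMBERSHIP_ATTRS = ("O", "OU", "DC")


def parse_dn(dn):
    """Parse a comma-separated DN such as 'CN=host1,OU=Dept1,O=MongoDB'.

    Returns a list of (attribute, value) pairs in the order written.
    Simplified (assumption): escaped commas and quoted values are not handled.
    """
    pairs = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def membership_key(dn):
    """Multiset of the O/OU/DC pairs found in a DN.

    A Counter ignores attribute order (the page says order does not matter)
    but keeps multiplicity, so two OU= entries do not equal one OU= entry.
    """
    return Counter(pair for pair in parse_dn(dn) if pair[0] in MEMBERSHIP_ATTRS)


def members_match(dn_a, dn_b):
    """True if two member certificates have identical O, OU and DC values."""
    return membership_key(dn_a) == membership_key(dn_b)


def has_membership_attr(dn):
    """A member DN must carry a non-empty value for at least one of O, OU, DC."""
    return any(value for attr, value in parse_dn(dn) if attr in MEMBERSHIP_ATTRS)


def client_dn_conflicts(client_dn, member_dns, dn_override=None):
    """True if a client certificate's O/OU/DC exactly match a member
    certificate or the tlsX509ClusterAuthDNOverride value (hypothetical
    parameter name). Such a client would be accepted as a cluster member with
    full permissions, so an issuance process should refuse to sign it.
    """
    candidates = list(member_dns)
    if dn_override:
        candidates.append(dn_override)
    return any(members_match(client_dn, m) for m in candidates)


# Constructed sample data, taken from the DN examples on this page.
MATCHING_MEMBERS = (
    "CN=host1,OU=Dept1,O=MongoDB,ST=NY,C=US",
    "C=US, ST=CA, O=MongoDB, OU=Dept1, CN=host2",
)
MISMATCHED_MEMBERS = (
    "CN=host1,OU=Dept1,OU=Sales,O=MongoDB",
    "CN=host2,OU=Dept1,O=MongoDB",
)

if __name__ == "__main__":
    print("matching pair  :", members_match(*MATCHING_MEMBERS))
    print("mismatched pair:", members_match(*MISMATCHED_MEMBERS))
    print("client clash   :", client_dn_conflicts("CN=alice,OU=Dept1,O=MongoDB", MATCHING_MEMBERS))
```

  Run the file directly to see the page's two examples evaluated; in an issuance pipeline, call client_dn_conflicts with the deployment's member DNs and refuse to sign any client CSR for which it returns True.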
- Either the Common Name (CN) or one of the Subject Alternative Name (SAN) entries must match the server hostname for other cluster members. Starting in MongoDB 4.2, when comparing SANs, MongoDB can compare either DNS names or IP addresses. In previous versions, MongoDB only compares DNS names.

  For example, the certificates for a cluster could have the following subjects:

      subject= CN=<myhostname1>,OU=Dept1,O=MongoDB,ST=NY,C=US
      subject= CN=<myhostname2>,OU=Dept1,O=MongoDB,ST=NY,C=US
      subject= CN=<myhostname3>,OU=Dept1,O=MongoDB,ST=NY,C=US
- If the certificate includes the Extended Key Usage (extendedKeyUsage) setting, the value must include clientAuth ("TLS Web Client Authentication").

      extendedKeyUsage = clientAuth
You can use TLS for internal authentication between each member of your replica set (each mongod instance) or sharded cluster (each mongod and mongos instance).
To use TLS for internal authentication, use the following settings:

- security.clusterAuthMode or --clusterAuthMode set to x509

- net.tls.clusterFile or --tlsClusterFile (mongod and mongos instances use their certificate key files to prove their identity to clients, but certificate key files can also be used for membership authentication. If you do not specify a cluster file, members use their certificate key files for membership authentication. Specify the certificate key file with net.tls.certificateKeyFile or --tlsCertificateKeyFile (available starting in MongoDB 4.2).)

To use the certificate key file for both client authentication and membership authentication, the certificate must either:

- omit extendedKeyUsage, or
- specify extendedKeyUsage = serverAuth, clientAuth
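The settings above interact: without a cluster file the certificate key file does double duty, and its Extended Key Usage must then either be absent or list both serverAuth and clientAuth, while a dedicated cluster file only needs clientAuth if it has an EKU at all. The Python below is an added example, not code from the MongoDB documentation or the MongoDB server. It checks a parsed configuration (a dict in the shape of mongod.conf, constructed inline with placeholder paths) together with the EKU values read from the relevant certificate, and shows a weak configuration beside the corrected one. The function name internal_auth_issues and the cert_eku parameter are this example's own; a real deployment would obtain the EKU list from the certificate file rather than passing it by hand.

```python
REQUIRED_DUAL_EKU = {"serverAuth", "clientAuth"}


def internal_auth_issues(conf, cert_eku=None):
    """Return a list of problems with a mongod/mongos config for x.509 membership.

    conf:     nested dict mirroring mongod.conf keys used on this page
              (security.clusterAuthMode, net.tls.mode,
               net.tls.certificateKeyFile, net.tls.clusterFile).
    cert_eku: list of extendedKeyUsage values found in the certificate that
              will be used for membership (clusterFile if set, otherwise
              certificateKeyFile), or None when the extension is absent.
    An empty list means the configuration is consistent with this page.
    """
    issues = []
    security = conf.get("security", {})
    tls = conf.get("net", {}).get("tls", {})

    if security.get("clusterAuthMode") != "x509":
        issues.append("security.clusterAuthMode must be x509")

    # x.509 authentication requires a TLS connection; net.tls.mode defaults
    # to disabled when omitted (assumption stated for this example).
    if tls.get("mode") in (None, "disabled"):
        issues.append("net.tls.mode must enable TLS (x.509 requires TLS)")

    if not tls.get("certificateKeyFile"):
        issues.append("net.tls.certificateKeyFile must be set")

    if tls.get("clusterFile"):
        # Dedicated member certificate: if it carries an EKU, it needs clientAuth.
        if cert_eku is not None and "clientAuth" not in cert_eku:
            issues.append("net.tls.clusterFile extendedKeyUsage must include clientAuth")
    else:
        # No cluster file: certificateKeyFile is used for both client-facing
        # identity and membership, so EKU must be absent or cover both roles.
        if cert_eku is not None and not REQUIRED_DUAL_EKU <= set(cert_eku):
            issues.append(
                "net.tls.certificateKeyFile doubles as the membership certificate; "
                "omit extendedKeyUsage or set it to serverAuth, clientAuth"
            )
    return issues


# Constructed configurations; paths are placeholders, not real files.
WEAK_CONF = {
    "security": {"clusterAuthMode": "keyFile"},
    "net": {"tls": {"mode": "requireTLS",
                    "certificateKeyFile": "/path/to/placeholder-member.pem"}},
}
# A server-only certificate reused for membership: EKU lacks clientAuth.
WEAK_EKU = ["serverAuth"]

FIXED_CONF = {
    "security": {"clusterAuthMode": "x509"},
    "net": {"tls": {"mode": "requireTLS",
                    "certificateKeyFile": "/path/to/placeholder-member.pem",
                    "clusterFile": "/path/to/placeholder-cluster.pem"}},
}
FIXED_EKU = ["clientAuth"]

if __name__ == "__main__":
    for name, conf, eku in (("weak", WEAK_CONF, WEAK_EKU), ("fixed", FIXED_CONF, FIXED_EKU)):
        print(name, internal_auth_issues(conf, eku) or "OK")
```

The weak configuration above fails on two counts (clusterAuthMode still keyFile, and a server-only EKU on a certificate that must also authenticate membership); dropping the cluster file from the fixed configuration is acceptable only when the certificate key file either has no EKU or lists serverAuth together with clientAuth.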