Mongodb – How to reject unvalidated SSL client connections from the MongoDB server

I found the answer.

In my post I've described how to create trusted and user certificates. As I guess trusted certificate is public key and user certificate is a private key(correct me if I am wrong).

Now I write how I have done this job.

--on DB server

Run owm(Oracle Wallet Manager) and:

1. Create new wallet.
2. Create certification request.
3. Export certification request.
4. using ssl.ca-0.1(Downloaded from http://www.openssl.org/contrib/) created self-signed root certificate using new-root-ca.sh and imported as a trusted certificate on DB server.
5. Created self-signed server certificate by running the sign-server-cert.sh and imported as an user certificate on DB server.

--On client server Copied root certificate(generated previously).

1. Create new wallet.

2. Create certification request.

3. Import trusted certificate by choosing copied root certificate.

Edit tnsnames.ora file on client server to use TNS entry using protocol TCPS and port, for example, 2484.

Edit listener.ora file on DB server to listen port 2484 and protocol TCPS.

Open Net Manager and configure SSL on both sides.

--DB side

Indicate wallet directory.

I've unchecked "Require Client Authentication" and other options what you want.

--Client side

Indicate wallet directory..

and other options what you want.

If you have the PEMKeyfile and CAFile set up correctly (per the docs) then the remaining piece of the puzzle is to run with requireSSL sslMode to make sure that you will only accept SSL connections for your databases (there are other modes to allow for mixing encrypted and non-encrypted clients, but that is only really recommended for upgrading from non-SSL).

You can also use CRLs to revoke bad certs, allow weak validation for particular clients, but those are optional.

As the weak validation piece suggests you also have to set up your clients to use SSL and that will vary depending on the driver in use (as will getting it to present a valid cert). Don't forget things like MMS agents will need to be enabled for SSL also (commonly forgotten).