一、环境
| hostname |
ip |
role |
| mongo-1 |
10.1.1.1 |
PRIMARY |
| mongo-2 |
10.1.1.2 |
SECONDARY |
| mongo-3 |
10.1.1.3 |
SECONDARY |
二、认证相关
$ cat server.sh
# ca
openssl req -passout pass:password -new -x509 -keyout ca_p.pem -out ca.pem -subj "/CN=jigela/OU=supsersb/O=supsersb/L=tm/ST=tm/C=CN"
# db
# sbtest-mongo-1
openssl req -newkey rsb:2048 -nodes -out sbtest-mongo-1.csr -keyout sbtest-mongo-1.key -subj '/CN=10.1.1.1/OU=supsersb/O=supsersb/L=tm/ST=tm/C=CN'
openssl x509 -passin pass:password -tma256 -req -in sbtest-mongo-1.csr -signkey sbtest-mongo-1.key -CA ca.pem -CAkey ca_p.pem -CAcreateserial -out sbtest-mongo-1.crt
cat sbtest-mongo-1.crt sbtest-mongo-1.key > sbtest-mongo-1.pem
# sbtest-mongo-2
openssl req -newkey rsb:2048 -nodes -out sbtest-mongo-2.csr -keyout sbtest-mongo-2.key -subj '/CN=10.1.1.2/OU=supsersb/O=supsersb/L=tm/ST=tm/C=CN'
openssl x509 -passin pass:password -tma256 -req -in sbtest-mongo-2.csr -signkey sbtest-mongo-2.key -CA ca.pem -CAkey ca_p.pem -CAcreateserial -out sbtest-mongo-2.crt
cat sbtest-mongo-2.crt sbtest-mongo-2.key > sbtest-mongo-2.pem
# sbtest-mongo-3
openssl req -newkey rsb:2048 -nodes -out sbtest-mongo-3.csr -keyout sbtest-mongo-3.key -subj '/CN=10.1.1.3/OU=supsersb/O=supsersb/L=tm/ST=tm/C=CN'
openssl x509 -passin pass:password -tma256 -req -in sbtest-mongo-3.csr -signkey sbtest-mongo-3.key -CA ca.pem -CAkey ca_p.pem -CAcreateserial -out sbtest-mongo-3.crt
cat sbtest-mongo-3.crt sbtest-mongo-3.key > sbtest-mongo-3.pem
$ cat root.sh
# Users
# root
openssl req -newkey rsb:2048 -nodes -out root.csr -keyout root.key -subj '/CN=root/OU=sb/O=supsersb/L=tm/ST=tm/C=CN'
openssl x509 -passin pass:password -tma256 -req -in root.csr -signkey root.key -CA ca.pem -CAkey ca_p.pem -CAcreateserial -out root.crt
cat root.crt root.key > root.pem
$ cat client.sh
openssl req -newkey rsb:2048 -nodes -out sbtest.csr -keyout sbtest.key -subj '/CN=sbtest/OU=sb/O=supsersb/L=tm/ST=tm/C=CN'
openssl x509 -passin pass:password -tma256 -req -in sbtest.csr -signkey sbtest.key -CA ca.pem -CAkey ca_p.pem -CAcreateserial -out sbtest.crt
cat sbtest.crt sbtest.key > sbtest.pem
三、将产生的证书复制到对应服务器上
| hostname |
存在证书 |
| mongo-1 |
ca.pem、sbtest.pem、sbtest-mongo-1.pem |
| mongo-2 |
ca.pem、sbtest.pem、sbtest-mongo-2.pem |
| mongo-3 |
ca.pem、sbtest.pem、sbtest-mongo-3.pem |
四、部署环境
1. 无认证启动mongodb
略
2. mongodb授权
# 创建普通用户
> db.getSiblingDB('$external').runCommand({ createUser: "C=CN,ST=tm,L=tm,O=supsersb,OU=sb,CN=sbtest", roles:[{role: 'readWrite', db: 'sbtest'}] });
# 创建管理员用户
> db.getSiblingDB('$external').runCommand({ createUser: "C=CN,ST=tm,L=tm,O=supsersb,OU=sb,CN=root", roles:[{role:"root", db: "admin" }]})
3. 修改配置
systemLog:
destination: file
path: /opt/mongodb/27017/log/mongodb.log
logAppend: true
logRotate: "rename"
processManagement:
fork: true
pidFilePath: "/opt/mongodb/27017/mongod.pid"
net:
port: 27017
bindIp: 0.0.0.0
ssl:
mode: requireSSL
PEMKeyFile: /opt/mongodb/
最低0.47元/天 解锁文章
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
