Sametime and MongoDB - TLS with Self-Signed Certificates
For the purposes of this document, self signed refers to any certificate that is signed with an internal Certificate Authority (CA). As a general statement, certificates signed by a well known authority are automatically trusted.
For information on configuring MongoDB to use TLS connections, see - https://www.mongodb.com/docs/v7.0/tutorial/configure-ssl/.
General Steps
- Obtain your client and server certificate along with the signer certificate.
- Configure MongoDB to use TLS
- Validate the connection to MongoDB using the mongo shell (mongosh).
- Configure Sametime to Connect to MongoDB.
For simplicity, use a folder called "certs" located in the same folder that docker-compose.yml is located.
Step 1 - Obtain Your Client and Server Certificate Along with the Signer Certificate
NOTE: this example creates only the mongodb server certificate, if you want to create a client certificate, we will need more steps, the principle is the same.
Steps Used to Create Self-Signed Certificate
1. Generate a Self-Signed Certificate and Key
OpenSSL Command: Use the following command to generate a certificate and key:
openssl req -newkey rsa:2048 -new -x509 -days 3650 -nodes -out mongodb-cert.crt -keyout mongodb-cert.key
This command creates a certificate (mongodb-cert.crt) and a private key (mongodb-cert.key).
- Replace 2048 with your desired key length (e.g., 4096).
- You'll be prompted to enter information for the certificate, such as country, state, and organization.
- Be sure that the CN of the certificate matches the hostname of the mongodb server.
2. Create a PEM File
Combine Certificate and Key: Combine the certificate and key into a single PEM file:
cat mongodb-cert.key mongodb-cert.crt > mongodb.pem
This creates a file named mongodb.pem containing both the key and certificate.
You will use the mongodb.pem to Configure Mongodb and the mongodb-cert.crt is the signer that we use on the Sametime side.
Step 2 - Configure MongoDB to Use TLS
Note: For more information, see https://www.mongodb.com/docs/v7.0/tutorial/configure-ssl/
Copy the pem and crt files to the mongodb server. In the mongod.conf file, be sure to use the absolute path to the files.
Edit the mongod.conf file - on linux, this file is located at /etc/mongod.conf
In the net: section, add the following:
net:
tls:
mode: requireTLS
certificateKeyFile: mongodb.pem
CAFile: mongodb-cert.crt
allowConnectionsWithoutCertificates: true
NOTE: spacing is critical
certificateKeyFileis the server certificate including the private keyCAFileis the signer file - in our example, it is the crt file that we createdallowConnectionsWithoutCertificates- this flag disables the requirement for a client certificate. if you wish to use a client certificate, remove this setting. If you use a client certificate, it should be signed by the same CA as the server certificate.
Step 3 - Test the Connection Using mongosh (Mongo Shell)
mongosh --tls --host mongodbhostname --tlscafile mongodb-cert.crt
There are additional options available, for example, if you want to use a client certificate, you would add --tlsCertificateKeyFile=mongoclient.pem --tlsCertificateKeyFilePassword=<password> (if encrypted)
[Screenshot of successful mongosh connection would go here]
Step 4 - Configure Sametime to Use TLS When Connecting to MongoDB
Docker Specific
In custom.env, set:
# Mongo DB connection URL
MONGO_URL=mongodb://sametimeAdmin:sametime@mongo_hostl:27017/?tls=true&tlsCAFile=/local/notesdata/mongodb-cert.crt
MONGO_SELF_SIGNED=true
And in docker-compose, map in your mongodb-cert.crt file:
volumes:
- ./certs/mongodb-cert.crt:/local/notesdata/mongodb-cert.crt
After Startup
Where MONGO_SELF_SIGNED is set (and confirm Community connections to Mongo are working):
a) Copy the cacerts file from community container:
docker cp <communitycontainer>:/opt/hcl/domino/notes/11000000/linux/jdk-17.0.12+7/lib/security/cacerts ./certs/
b) Add the following to proxy section in docker-compose.yml:
volumes:
- ./certs/mongodb-cert.crt:/local/notesdata/mongodb-cert.pem
- proxy-workspace:/workspace/proxy-storage
- ./certs:/trust:ro # <-- highlighted
........
environment:
JAVA_TOOL_OPTIONS=-XX:MaxDirectMemorySize=64M -XX:MaxMetaspaceSize=192M -Djavax.net.ssl.trustStore=/trust/cacerts -Djavax.net.ssl.trustStorePassword=changeit # <-- last two entries highlighted
Then restart.
Using a Client Keystore
If using a client keystore, your mongoURL will look like:
MONGO_URL=mongodb://sametimeAdmin:sametime@mongo_hostl:27017/?tls=true&tlsCAFile=/local/notesdata/mongodb-cert.crt&tlsCertificateKeyFile=mongoclient.pem&tlsCertificateKeyFilePassword=<password>
After Community is started, a new keystore will be created in the community container.
a) Copy from community container the mongo.keystore to the local certs directory:
docker cp <communitycontainer>:/local/notesdata/mongo.keystore ./certs/
b) Map it into the volumes of proxy:
volumes:
- ./certs/mongodb-cert.crt:/local/notesdata/mongodb-cert.pem
- proxy-workspace:/workspace/proxy-storage
- ./certs:/trust:ro
- ./certs/mongo.keystore:/local/notesdata/mongo.keystore # <-- highlighted
c) Add the following to the environment "JAVA_TOOL_OPTIONS" parameter. The keystore password will be what you have in the mongoURL for "tlsCertificateKeyFilePassword". If you did not set one, then it will be "samet1me":
-Djavax.net.ssl.keyStore=/local/notesdata/mongo.keystore -Djavax.net.ssl.keyStorePassword=<password>
Then restart.
Kubernetes Specific
[Content for Kubernetes-specific configuration would go here]