Skip to content

Sametime and MongoDB - TLS with Self-Signed Certificates

For the purposes of this document, self signed refers to any certificate that is signed with an internal Certificate Authority (CA). As a general statement, certificates signed by a well known authority are automatically trusted.

For information on configuring MongoDB to use TLS connections, see - https://www.mongodb.com/docs/v7.0/tutorial/configure-ssl/.

General Steps

  1. Obtain your client and server certificate along with the signer certificate.
  2. Configure MongoDB to use TLS
  3. Validate the connection to MongoDB using the mongo shell (mongosh).
  4. Configure Sametime to Connect to MongoDB.

For simplicity, use a folder called "certs" located in the same folder that docker-compose.yml is located.

Step 1 - Obtain Your Client and Server Certificate Along with the Signer Certificate

NOTE: this example creates only the mongodb server certificate, if you want to create a client certificate, we will need more steps, the principle is the same.

Steps Used to Create Self-Signed Certificate

1. Generate a Self-Signed Certificate and Key

OpenSSL Command: Use the following command to generate a certificate and key:

openssl req -newkey rsa:2048 -new -x509 -days 3650 -nodes -out mongodb-cert.crt -keyout mongodb-cert.key

This command creates a certificate (mongodb-cert.crt) and a private key (mongodb-cert.key).

  • Replace 2048 with your desired key length (e.g., 4096).
  • You'll be prompted to enter information for the certificate, such as country, state, and organization.
  • Be sure that the CN of the certificate matches the hostname of the mongodb server.

2. Create a PEM File

Combine Certificate and Key: Combine the certificate and key into a single PEM file:

cat mongodb-cert.key mongodb-cert.crt > mongodb.pem

This creates a file named mongodb.pem containing both the key and certificate.

You will use the mongodb.pem to Configure Mongodb and the mongodb-cert.crt is the signer that we use on the Sametime side.

Step 2 - Configure MongoDB to Use TLS

Note: For more information, see https://www.mongodb.com/docs/v7.0/tutorial/configure-ssl/

Copy the pem and crt files to the mongodb server. In the mongod.conf file, be sure to use the absolute path to the files.

Edit the mongod.conf file - on linux, this file is located at /etc/mongod.conf

In the net: section, add the following:

net:
  tls:
    mode: requireTLS
    certificateKeyFile: mongodb.pem
    CAFile: mongodb-cert.crt
    allowConnectionsWithoutCertificates: true

NOTE: spacing is critical

  • certificateKeyFile is the server certificate including the private key
  • CAFile is the signer file - in our example, it is the crt file that we created
  • allowConnectionsWithoutCertificates - this flag disables the requirement for a client certificate. if you wish to use a client certificate, remove this setting. If you use a client certificate, it should be signed by the same CA as the server certificate.

Step 3 - Test the Connection Using mongosh (Mongo Shell)

mongosh --tls --host mongodbhostname --tlscafile mongodb-cert.crt

There are additional options available, for example, if you want to use a client certificate, you would add --tlsCertificateKeyFile=mongoclient.pem --tlsCertificateKeyFilePassword=<password> (if encrypted)

[Screenshot of successful mongosh connection would go here]

Step 4 - Configure Sametime to Use TLS When Connecting to MongoDB

Docker Specific

In custom.env, set:

# Mongo DB connection URL
MONGO_URL=mongodb://sametimeAdmin:sametime@mongo_hostl:27017/?tls=true&tlsCAFile=/local/notesdata/mongodb-cert.crt
MONGO_SELF_SIGNED=true

And in docker-compose, map in your mongodb-cert.crt file:

volumes:
  - ./certs/mongodb-cert.crt:/local/notesdata/mongodb-cert.crt

After Startup

Where MONGO_SELF_SIGNED is set (and confirm Community connections to Mongo are working):

a) Copy the cacerts file from community container:

docker cp <communitycontainer>:/opt/hcl/domino/notes/11000000/linux/jdk-17.0.12+7/lib/security/cacerts ./certs/

b) Add the following to proxy section in docker-compose.yml:

volumes:
  - ./certs/mongodb-cert.crt:/local/notesdata/mongodb-cert.pem
  - proxy-workspace:/workspace/proxy-storage
  - ./certs:/trust:ro  # <-- highlighted
........
environment:
  JAVA_TOOL_OPTIONS=-XX:MaxDirectMemorySize=64M -XX:MaxMetaspaceSize=192M -Djavax.net.ssl.trustStore=/trust/cacerts -Djavax.net.ssl.trustStorePassword=changeit  # <-- last two entries highlighted

Then restart.

Using a Client Keystore

If using a client keystore, your mongoURL will look like:

MONGO_URL=mongodb://sametimeAdmin:sametime@mongo_hostl:27017/?tls=true&tlsCAFile=/local/notesdata/mongodb-cert.crt&tlsCertificateKeyFile=mongoclient.pem&tlsCertificateKeyFilePassword=<password>

After Community is started, a new keystore will be created in the community container.

a) Copy from community container the mongo.keystore to the local certs directory:

docker cp <communitycontainer>:/local/notesdata/mongo.keystore ./certs/

b) Map it into the volumes of proxy:

volumes:
  - ./certs/mongodb-cert.crt:/local/notesdata/mongodb-cert.pem
  - proxy-workspace:/workspace/proxy-storage
  - ./certs:/trust:ro  
  - ./certs/mongo.keystore:/local/notesdata/mongo.keystore  # <-- highlighted

c) Add the following to the environment "JAVA_TOOL_OPTIONS" parameter. The keystore password will be what you have in the mongoURL for "tlsCertificateKeyFilePassword". If you did not set one, then it will be "samet1me":

-Djavax.net.ssl.keyStore=/local/notesdata/mongo.keystore -Djavax.net.ssl.keyStorePassword=<password>

Then restart.

Kubernetes Specific

[Content for Kubernetes-specific configuration would go here]