Integration with CipherTrust Manager
Integrate MongoDB with the CipherTrust Manager using either of the following methods:
Note
These options are available in MongoDB Enterprise only.
Integrate Using a New Key
Create a directory mongodb at /var/lib/ to store the data directory files.
Concatenate the clientcertificate.pem and clientkey.pem files into a single file using:
cat clientcertificate.pem clientkey.pem > client.pem
Start MongoDB manually using the following parameters to create an encryption key:
mongod --enableEncryption --kmipServerName <IP/Hostname of the CipherTrust Manager> --kmipPort <KMIP port number of the CipherTrust Manager> --kmipServerCAFile ca.pem --kmipClientCertificateFile client.pem --dbpath /var/lib/mongodb
Note
You will need to add the CipherTrust Manager's hostname to the /etc/hosts file on your MongoDB server so that the name can be resolved to the IP address of the CipherTrust Manager.
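Both procedures on this page start by concatenating the client certificate and key into client.pem and require the CipherTrust Manager's hostname to resolve through /etc/hosts. The following shell script is an added example, not part of the CipherTrust or MongoDB documentation, that performs the concatenation and then checks the result before mongod is started: it confirms the bundle holds a certificate and exactly one private key, restricts its permissions (the bundle now contains the private key), and confirms the hostname has an uncommented entry in the hosts file. The hosts file path, the hostname and the file names are parameters so the checks can be run against constructed copies; they are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not from the CipherTrust Manager / MongoDB documentation).
# Builds the client.pem bundle the guide describes and runs pre-start checks.
# All paths and the hostname are hypothetical parameters.

# Concatenate certificate and key into one PEM file, exactly as the guide's
# "cat clientcertificate.pem clientkey.pem > client.pem" does, but with the
# bundle created under a restrictive umask since it now holds the private key.
build_client_pem() {
    cert="$1"; key="$2"; out="$3"
    [ -r "$cert" ] || { echo "missing certificate: $cert" >&2; return 1; }
    [ -r "$key" ]  || { echo "missing key: $key" >&2; return 1; }
    ( umask 077; cat "$cert" "$key" > "$out" ) || return 1
    chmod 600 "$out"
}

# Verify the bundle contains at least one certificate block and exactly one
# private key block (a missing key is the usual cause of a KMIP TLS failure).
check_client_pem() {
    pem="$1"
    certs=$(grep -c 'BEGIN CERTIFICATE' "$pem" || true)
    keys=$(grep -c 'BEGIN.*PRIVATE KEY' "$pem" || true)
    [ "$certs" -ge 1 ] || { echo "no certificate block in $pem" >&2; return 1; }
    [ "$keys" -eq 1 ]  || { echo "expected one private key in $pem, found $keys" >&2; return 1; }
}

# Check that the CipherTrust Manager hostname has an active (uncommented)
# entry in the hosts file the guide tells you to edit. The hosts file path is
# a parameter so the check can run against a copy instead of /etc/hosts.
check_hosts_entry() {
    hosts="$1"; name="$2"
    grep -Ev '^[[:space:]]*#' "$hosts" | grep -Eq "[[:space:]]$name([[:space:]]|\$)"
}

# Stand-alone usage (hypothetical names):
#   build_client_pem clientcertificate.pem clientkey.pem client.pem
#   check_client_pem client.pem
#   check_hosts_entry /etc/hosts ctm.example.test
```

Run the three functions in order before the mongod command from the guide; each returns non-zero with a message on stderr when its check fails, so the script can be used as a guard in a service start wrapper.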
Integrate Using an Existing Key
Create a directory mongodb at /var/lib/ to store the data directory files.
Concatenate the clientcertificate.pem and clientkey.pem files into a single file using:
cat clientcertificate.pem clientkey.pem > client.pem
Create a key on the CipherTrust Manager using the API playground.
a. Open the CipherTrust Manager API playground.
b. Log on using your credentials.
c. In the left pane, search for the Keys APIs and go to the Create API.
d. Create a key using the AES Algorithm. Set the state as Pre-Active. Also, specify the user creating the key in the ownerId attribute. Use the following sample to create the key.
{
  "name": "Test_Key",
  "usageMask": 12,
  "algorithm": "aes",
  "meta": {
    "ownerId": "local|mongodb"
  },
  "state": "Pre-Active",
  "deactivationDate": "2023-10-02T14:24:37.436073Z",
  "protectStopDate": "2023-10-02T14:24:37.436073Z",
  "aliases": [
    {
      "alias": "altname2",
      "type": "string"
    },
    {
      "alias": "altname2:keysecure:gemalto:com",
      "type": "uri"
    }
  ]
}
e. Click POST.
Add the key management security options to /etc/mongod.conf. The MongoDB configuration file contains a security section. In this section, update the KMIP server name, certificate details, KMIP port number, and Key ID to use the CipherTrust Manager as a key management service.
security:
  enableEncryption: true
  kmip:
    serverName: <IP/Hostname of the CipherTrust Manager>
    port: <KMIP port number of the CipherTrust Manager>
    serverCAFile: <Path to the CA certificate>
    clientCertificateFile: <Path to the client.pem>
    keyIdentifier: <ID of the key created on the CipherTrust Manager>
Start MongoDB manually using the following parameters:
mongod --enableEncryption --kmipServerName <IP/Hostname of the CipherTrust Manager> --kmipPort <KMIP port number of the CipherTrust Manager> --kmipServerCAFile ca.pem --kmipClientCertificateFile client.pem --kmipKeyIdentifier <ID of the key created on the CipherTrust Manager>
Note
You will need to add the CipherTrust Manager's hostname to the /etc/hosts file on your MongoDB server so that the name can be resolved to the IP address of the CipherTrust Manager.
After the service starts successfully, encryption is enabled and the integration is complete.
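The security section above is easy to get subtly wrong: a placeholder left unfilled, a path that does not exist, or a client bundle readable by every local user. The following shell script is an added example, not part of the CipherTrust or MongoDB documentation, that writes the same security section into a configuration file from parameters and then validates it before mongod is started. The configuration path, server name, port, certificate paths and key identifier are all hypothetical parameters; the key names written (security.enableEncryption and the security.kmip.* options) are the ones shown on this page.

```shell
#!/bin/sh
# Added example (not from the CipherTrust Manager / MongoDB documentation).
# Writes the guide's security section into a mongod.conf and checks it.
# Every argument is a hypothetical parameter supplied by the caller.

# Append the KMIP security section from the guide to the given config file.
write_kmip_security_section() {
    conf="$1"; server="$2"; port="$3"; ca="$4"; client="$5"; keyid="$6"
    cat >> "$conf" <<EOF
security:
  enableEncryption: true
  kmip:
    serverName: $server
    port: $port
    serverCAFile: $ca
    clientCertificateFile: $client
    keyIdentifier: $keyid
EOF
}

# Return the scalar value of the first "<key>: <value>" line in the config.
conf_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# Pre-start checks: no unfilled <placeholder> text, a numeric port, both
# certificate files present and readable, a non-empty keyIdentifier, and a
# client bundle (certificate + private key) that is not group/world readable.
check_kmip_config() {
    conf="$1"
    if grep -q '<' "$conf"; then echo "unfilled placeholder in $conf" >&2; return 1; fi
    port=$(conf_value "$conf" port)
    case "$port" in ''|*[!0-9]*) echo "port is not numeric: '$port'" >&2; return 1;; esac
    for k in serverCAFile clientCertificateFile; do
        f=$(conf_value "$conf" "$k")
        [ -r "$f" ] || { echo "$k missing or unreadable: $f" >&2; return 1; }
    done
    [ -n "$(conf_value "$conf" keyIdentifier)" ] || { echo "keyIdentifier is empty" >&2; return 1; }
    client=$(conf_value "$conf" clientCertificateFile)
    perms=$(stat -c %a "$client" 2>/dev/null || stat -f %Lp "$client")
    case "$perms" in ?00) ;; *) echo "$client is group/world readable (mode $perms)" >&2; return 1;; esac
}

# Stand-alone usage (hypothetical values):
#   write_kmip_security_section /etc/mongod.conf ctm.example.test 5696 \
#       /etc/mongodb/ca.pem /etc/mongodb/client.pem <key id from CipherTrust Manager>
#   check_kmip_config /etc/mongod.conf && echo "config ok"
```

The permission check matters because client.pem is the concatenation of the client certificate and its private key; anyone who can read it can authenticate to the CipherTrust Manager as the MongoDB server.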