Connecting to MongoDb with SSL from JAVA app

Question

I have a MongoDb instance running(single instance) with SSL enabled. I am able to connect to it with RoboMongo where on SSL tab I provide the following :

CA File : /path to my certificate/testCA.pem 
PEM certificate/key: /path to my key/testKey.pem

Which successfully connects. Now I'm trying to connect to the same mondodb from java app. I imported the testCA.pem into cacerts using the following command:

keytool -import -keystore cacerts -file testCA.pem -storepass changeit

and I can see a new entry added to the store. Tried to add the other key into it and it says invalid certificate. On the Java app I set system property as following:

System.setProperty ("javax.net.ssl.trustStore","C:\\Program Files\\Java\\jre1.8.0_91\\lib\\security\\cacerts");
System.setProperty ("javax.net.ssl.trustStorePassword","changeit");

and I'm getting the following error:

org.springframework.dao.DataAccessResourceFailureException: Timed out after 10000 ms while waiting to connect. Client view of cluster state is {type=Unknown, servers=[{address=test.mongo.com:27017, type=Unknown, state=Connecting, exception={com.mongodb.MongoException$Network: Exception opening the socket}, caused by {java.io.EOFException}}]; nested exception is com.mongodb.MongoTimeoutException: Timed out after 10000 ms while waiting to connect. Client view of cluster state is {type=Unknown, servers=[{address=test.mongo.com:27017, type=Unknown, state=Connecting, exception={com.mongodb.MongoException$Network: Exception opening the socket}, caused by {java.io.EOFException}}]
    at org.springframework.data.mongodb.core.MongoExceptionTranslator.translateExceptionIfPossible(MongoExceptionTranslator.java:75)
    at org.springframework.data.mongodb.core.MongoTemplate.potentiallyConvertRuntimeException(MongoTemplate.java:2075)
    at org.springframework.data.mongodb.core.MongoTemplate.executeFindMultiInternal(MongoTemplate.java:1918)

What am I missing here, thanks in advance!

Ankur Soni · Accepted Answer · 2018-09-15 11:26:01Z

6

In addition to importing the CAFile.pem with the command:

(navigate to your java_home/jre/lib/security to run the commands)

1. keytool -import -trustcacerts -file testCA.pem -keystore cacerts -storepass "changeit"

I also had to export the key.pem into a pkcs12 format(default password 'changeit')

2. openssl pkcs12 -export -out mongodb.pkcs12 -in testKey.pem

and in addition to setting system property trustStore/password, keyStore/password should also be set:

System.setProperty ("javax.net.ssl.trustStore",JAVA_HOME + "\\lib\\security\\cacerts");
System.setProperty ("javax.net.ssl.trustStorePassword","changeit");
System.setProperty ("javax.net.ssl.keyStore",JAVA_HOME + "\\lib\\security\\mongodb.pkcs12");
System.setProperty ("javax.net.ssl.keyStorePassword","changeit");

edited Sep 15, 2018 at 11:26

Ankur Soni

6,0685 gold badges57 silver badges89 bronze badges

answered Apr 3, 2017 at 14:38

Gurkha

1,1344 gold badges20 silver badges39 bronze badges

Sign up to request clarification or add additional context in comments.

8 Comments

Amit Over a year ago

I have exact same issue, but it is still not working for me, I am running windows so created xyz.pkcs12 from 'testKey.pem' in linux and copied it over to windows and imported the same in keystore, is there any thing else I should do ?

Gurkha Over a year ago

@Amit can you post your stacktrace?

Amit Over a year ago

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present at sun.security.ssl.Alerts.getSSLException(Unknown Source) at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source) at sun.security.ssl.Handshaker.fatalSE(Unknown Source) at sun.security.ssl.Handshaker.fatalSE(Unknown Source) at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source) at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source) at sun.security.ssl.Handshaker.processLoop(Unknown Source)

Amit Over a year ago

Caused by: java.security.cert.CertificateException: No subject alternative names present at sun.security.util.HostnameChecker.matchIP(Unknown Source) at sun.security.util.HostnameChecker.match(Unknown Source) at sun.security.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source) at sun.security.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source)

Amit Over a year ago

.sslInvalidHostNameAllowed(true).build(); above code allowed me to connect and get passed this issue atleast fr now.

|

RGB314 · Accepted Answer · 2017-11-25 22:27:06Z

Both the approaches mentioned below usually suggested on forums will 'work' but are not secure as they disable the host-name verification essentially negating the SSL. Hence they are not recommended especially if your code would be deployed on production:

// 1. For any HTTPS connection
    javax.net.ssl.HttpsURLConnection.setDefaultHostnameVerifier(
        new javax.net.ssl.HostnameVerifier(){
            public boolean verify(String hostname,
                javax.net.ssl.SSLSession sslSession) {
                    if(hostname.equals("<hostname>")) {
                        return true; 
                    }
                }
            });

// 2. MongoDB SSL specific 
MongoClientOptions.builder().sslEnabled(true).sslInvalidHostNameAllowed(true).build();

Refer: https://wiki.openssl.org/index.php/Hostname_validation

To fix this, you'll need a certificate containing the DNS of the server as a Subject Alternative Name entry, which you can import to your JDK cacerts

Alternatively, if you want establish SSL at the application level, I'd recommend creating a SSLContext for that particular connection instead of using System.setProperty() for setting key-stores/trust-stores. This would help in avoiding conflicts if your application connects to different external services who have different SSL implementations.

Specifically for MongoDB, you would just need to append ?ssl=true at the end of the MongoDBURI after the above mentioned step. If it still doesn't work, I'd recommend updating your JDK version as per https://jira.mongodb.org/browse/JAVA-2184

Hope this helps

Redlab · Accepted Answer · 2017-02-17 14:31:32Z

0

You need to configure the monog db driver to use SSL. You can do this with configuring it manually in a @Configuration class.

    public @Bean MongoClient mongo()  {
        MongoClientOptions.Builder options = MongoClientOptions.builder().sslEnabled(true);
        // add more options to the builder with your config
        MongoClient mongoClient = new MongoClient("localhost", options.build());
        return mongoClient;
    }

answered Feb 17, 2017 at 14:31

Redlab

3,10322 silver badges18 bronze badges

5 Comments

Gurkha Over a year ago

I enabled SSL via URI: test.mongo.com:27017/TestDb?ssl=true

Redlab Over a year ago

afiak Mongo database URI. Cannot be set with host, port and credentials. It uses internal ServerAddress class that accepts only host and port.

Gurkha Over a year ago

Yes it can be mongodb.github.io/mongo-java-driver/3.0/driver/reference/…'

Redlab Over a year ago

ah yes, I was looking at the MongoClient that takes a string. Not the MongoClientURI

Gurkha Over a year ago

the general format for URI is mongodb://username:[email protected]:portNum/DatabaseName?W=1&ssl=true. I just need to provide a way to look for the certificates in the keystore.

iowatiger08 · Accepted Answer · 2018-08-02 21:42:42Z

0

If you are using RAD with WAS local servers, you have to add the pem file to the java VM for that server.

So if you have WAS installed to X:\IBM\WASx, X:\IBM\WASx\java_17\jre is the directory that you would navigate and then execute the keytool import there. Hope this helps others.

answered Aug 2, 2018 at 21:42

iowatiger08

1,96224 silver badges32 bronze badges

Comments

Dipraj Shahane · Accepted Answer · 2020-10-21 15:48:19Z

Please check below code for MongoDB Java Driver 4.x and MongoDB 3.x

Where you have to configure spring.data.mongodb.xxxx properties as per your MongoDB.

import java.util.Arrays;
import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import com.mongodb.MongoClientSettings;
import com.mongodb.MongoCredential;
import com.mongodb.ServerAddress;
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;

@Configuration
public class MongoClientConfig {

    @Value("${spring.data.mongodb.username}")
    private String user;
    
    @Value("${spring.data.mongodb.password}")
    private char[] password;
    
    @Value("${spring.data.mongodb.host}")
    private String host;
    
    @Value("${spring.data.mongodb.port}")
    private int port;
    
    @Value("${spring.data.mongodb.database}")
    private String database;
    
    @Bean
    public MongoClient mongo() {
        List<ServerAddress> hosts = Arrays.asList(new ServerAddress(host, port));
        MongoCredential credential = MongoCredential.createCredential(user, database, password);

        MongoClientSettings settings = MongoClientSettings.builder().credential(credential)
                .applyToSslSettings(builder -> builder.enabled(true))
                .applyToClusterSettings(builder -> builder.hosts(hosts)).build();
        MongoClient mongoClient = MongoClients.create(settings);
        System.out.println("====================================================================");
        System.out.println("========= MongoClientConfig: " + mongoClient.toString() + "=========");
        System.out.println("====================================================================");
        return mongoClient;
    }
}

Vladi · Accepted Answer · 2022-07-18 11:57:02Z

I download a openssl program from here and install it
i open a cmd in the foler of my Pem file certiface.pem
and i run a command :

DIRECTION\OpenSSL\bin\openssl pkcs12 -export -out keystore.pkcs12 -in certiface.pem

on password you put what you want example: blabla should create a file name keystore.pkcs12

run the command on cmd

keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS

on passwords i put blabla check that created file keystore.jks

now my code

      System.setProperty("javax.net.ssl.keyStore", keystore.jks);
      System.setProperty("javax.net.ssl.keyStorePassword", "blabla");
      MongoClient mongoClient = MongoClients.create("mongodb+srv://YOURLINK.mongodb.net/?authSource=%24external&authMechanism=MONGODB-X509&retryWrites=true&w=majority");
      database = mongoClient.getDatabase("DatabaseName");

Nilendu · Accepted Answer · 2022-09-13 07:06:01Z

0

Here is a complete implementation of how to connect to MongoDB/DocDB over ssl using mongoUri and sslCertificates. In this implementation, the application itself creates the keystore file and imports the certificate into it. So, there is no need to do any server side changes (in most cases). https://github.com/BarathArivazhagan/spring-boot-aws-documentdb

answered Sep 13, 2022 at 7:06

Nilendu

4245 silver badges14 bronze badges

Comments

Rizwaan · Accepted Answer · 2020-08-11 18:04:26Z

-1

As Redlab mentioned in the code, it can be disabled for restricting ssl validation. Specially this case comes on local setup. No extra effort required to do.

public @Bean MongoClient mongo()  {
    MongoClientOptions.Builder options = MongoClientOptions.builder().sslEnabled(false);
    // add more options to the builder with your config
    MongoClient mongoClient = new MongoClient("localhost", options.build());
    return mongoClient;
}

just I modified-- sslEnabled(true) ===> sslEnabled(false).

edited Aug 11, 2020 at 18:04

answered Aug 11, 2020 at 17:58

Rizwaan

294 bronze badges

1 Comment

Rizwaan Over a year ago

I was facing same problem, i resolved it by above way.

Collectives™ on Stack Overflow

Connecting to MongoDb with SSL from JAVA app

8 Answers 8

8 Comments

Comments

5 Comments

Comments

Comments

Comments

Comments

1 Comment

Your Answer

Linked

Hot Network Questions

Collectives™ on Stack Overflow

8 Answers 8

8 Comments

Comments

5 Comments

Comments

Comments

Comments

Comments

1 Comment

Your Answer

Sign up or log in

Post as a guest

Linked

Related