How to connect from spring boot to mongodb securely over TLS / SSL
For a secure production setup, a MongoDB deployment should use certificates issued and signed by a certificate authority (CA) that the clients trust. This document outlines the steps for setting up a Spring Boot application so that it can connect to MongoDB over TLS using such certificates; the process of obtaining and managing the certificates themselves is beyond the scope of this document. There is not much good documentation around connecting a Spring Boot application securely using a certificate, hence this document attempts to bridge the gap.
Step 1 : Configure MongoDB:
The first step is preparing MongoDB to start with TLS/SSL mode enabled. Once that is done, mongod accepts only TLS connections: during the handshake the client verifies the server's certificate against a CA certificate it trusts, the two sides negotiate a session key, and every request and response on the wire is then encrypted with that session key (the server's public key authenticates the server and protects the key exchange; it does not encrypt the data itself).
For development purposes, you can generate a self-signed certificate and private key on a Unix system with a command that resembles the following:
openssl req -newkey rsa:2048 -new -x509 -days 365 -nodes -out mongodb-cert.crt -keyout mongodb-cert.key
When prompted for the Common Name, enter the host name the Spring Boot application will use to reach MongoDB (the value you later put in mongohost): the Java driver verifies the host name against the certificate by default and rejects a certificate issued for a different name. With OpenSSL 1.1.1 or later you can additionally pass -addext "subjectAltName=DNS:<host>", since the JDK checks the subject alternative name first and falls back to the Common Name only when no DNS SAN is present.
This operation generates a new, self-signed certificate with no passphrase that is valid for 365 days. Once you have the certificate, concatenate the private key and the certificate into a .pem file, as in the following example:
cat mongodb-cert.key mongodb-cert.crt > mongodb.pem
The .pem file now contains the private key, so restrict its permissions (for example chmod 600 mongodb.pem) and make it readable only by the user that mongod runs as.
To use TLS/SSL in your MongoDB deployment, include the following run-time options with mongod:
mongod --sslMode requireSSL --sslPEMKeyFile <pem>
requireSSL makes mongod reject every connection that does not use TLS. On MongoDB 4.2 and later these options are deprecated in favour of the equivalent --tlsMode requireTLS --tlsCertificateKeyFile <pem>. A CA file (--sslCAFile / --tlsCAFile) is only required on the server side when mongod should also verify client certificates (mutual TLS), which this document does not cover.
Step 2 : Configure Spring Boot:
The second step is configuring (overriding the default configuration of) the Spring Boot application to use the MongoDB certificate. To connect to MongoDB, extend org.springframework.data.mongodb.config.AbstractMongoConfiguration in your MongoConnection class, override the mongoClient() method with SSL enabled, and configure the MongoClient as below. This uses the legacy com.mongodb.MongoClient API of the 3.x Java driver; AbstractMongoConfiguration is deprecated in later Spring Data MongoDB releases (and removed in 3.0), where AbstractMongoClientConfiguration together with MongoClientSettings is the replacement.
import com.mongodb.MongoClient;
import com.mongodb.MongoClientOptions;

    @Override
    public MongoClient mongoClient() {
        // enable TLS for every connection the driver opens; hostname
        // verification stays on, so mongohost must match the certificate's CN/SAN
        MongoClientOptions.Builder builder = MongoClientOptions.builder();
        MongoClientOptions options = builder.sslEnabled(true).build();
        // mongohost holds the MongoDB host name, e.g. injected with @Value
        return new MongoClient(mongohost, options);
    }
You also need to override the getDatabaseName() method so that it returns your MongoDB database name, as below:
    @Override
    protected String getDatabaseName() {
        // name of the database the application will use
        return mongodatabaseName;
    }
Now you need to build a truststore containing the public certificate that MongoDB uses for TLS, as in the following example:
keytool -import -alias "MongoDB-cert" -file "mongodb-cert.crt" -keystore truststore.jks -noprompt -storepass "password"
With a CA-issued server certificate, import the CA certificate (or chain) instead of the server certificate, so that the application keeps working when the server certificate is rotated, and use a real password in place of "password".
Now you need to set javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword to the path of the truststore and the truststore password, as in the example:
java -Djavax.net.debug=ssl -Djavax.net.ssl.trustStore=/path/to/truststore.jks -Djavax.net.ssl.trustStorePassword=password -jar build/libs/*.jar
Two caveats: -Djavax.net.debug=ssl prints the whole handshake to standard output and is only useful while troubleshooting a failing connection, so leave it out otherwise; and javax.net.ssl.trustStore replaces the JVM's default cacerts truststore for every TLS connection the application makes, so the CA of any other HTTPS endpoint the application talks to must be present in truststore.jks as well.
Alternatively, you can pass the truststore to the JVM from the Gradle bootRun task, as in the example:
bootRun {
    main = '<your main class>'
    jvmArgs = ["-Djavax.net.ssl.trustStore=path/to/truststore.jks",
               "-Djavax.net.ssl.trustStorePassword=password"]
}
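The two -D properties above work, but they swap out the JVM-wide truststore. The following is an added example (not the blog's code) of the same Step 2 configuration written so that the MongoDB driver gets its own SSLContext built from truststore.jks, while hostname verification stays on. It assumes Spring Data MongoDB 2.1 or later with MongoDB Java driver 3.8+ or 4.x (the MongoClientSettings API); the package name and the mongo.* property names are assumptions for the example.

```java
// Added example for Step 2 (not the blog's own code): give the MongoDB driver
// a dedicated SSLContext built from the keytool truststore instead of replacing
// the JVM default truststore with -Djavax.net.ssl.trustStore.
// Assumes Spring Data MongoDB 2.1+ and MongoDB Java driver 3.8+/4.x.
// Package and property names (mongo.*) are hypothetical.
package com.example.mongo;

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import com.mongodb.ConnectionString;
import com.mongodb.MongoClientSettings;
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.mongodb.config.AbstractMongoClientConfiguration;

@Configuration
public class MongoTlsConfig extends AbstractMongoClientConfiguration {

    // Host name the application connects to; it must match the CN/SAN of the
    // server certificate, otherwise the handshake fails hostname verification.
    @Value("${mongo.host}")
    private String mongoHost;

    @Value("${mongo.port:27017}")
    private int mongoPort;

    @Value("${mongo.database}")
    private String databaseName;

    // JKS truststore built with keytool -import (server cert, or the CA cert
    // when the server certificate is CA-issued)
    @Value("${mongo.truststore.path}")
    private String trustStorePath;

    @Value("${mongo.truststore.password}")
    private String trustStorePassword;

    @Override
    protected String getDatabaseName() {
        return databaseName;
    }

    @Bean
    @Override
    public MongoClient mongoClient() {
        SSLContext sslContext = loadTrustStore();
        MongoClientSettings settings = MongoClientSettings.builder()
                .applyConnectionString(new ConnectionString(
                        "mongodb://" + mongoHost + ":" + mongoPort))
                .applyToSslSettings(ssl -> ssl
                        .enabled(true)
                        // keep hostname verification on (the driver default);
                        // turning it off lets any certificate trusted by the
                        // store impersonate this server
                        .invalidHostNameAllowed(false)
                        .context(sslContext))
                .build();
        return MongoClients.create(settings);
    }

    // Trusts only the certificates in the MongoDB truststore; the JVM's default
    // cacerts stay in effect for every other TLS client in the application.
    private SSLContext loadTrustStore() {
        try (InputStream in = Files.newInputStream(Paths.get(trustStorePath))) {
            KeyStore trustStore = KeyStore.getInstance("JKS");
            trustStore.load(in, trustStorePassword.toCharArray());

            TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                    TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(trustStore);

            // "TLS" lets the JDK negotiate the versions it has enabled
            // (TLS 1.2/1.3 on current JDKs). No KeyManager: server-auth only.
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null);
            return ctx;
        } catch (IOException | GeneralSecurityException e) {
            throw new IllegalStateException(
                    "Cannot load MongoDB truststore " + trustStorePath, e);
        }
    }
}
```

With this class the application is started without the -Djavax.net.ssl.* flags; the truststore path and password come from application.properties (or the environment) under the mongo.* keys assumed above. Because the context is scoped to the MongoDB driver, other HTTPS clients in the same application keep trusting the JDK's cacerts.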
Hi, nice example. I am not getting much info on this on the internet. Finally I got this post. Thanks for the nice post.
Let me know if you have any clue:
https://stackoverflow.com/questions/60446872/mongosocketreadexception-prematurely-reached-end-of-stream-java-to-mongo-using
Hi, how to pass sslCAFile and sslPEMKeyFile in the MongoDB URI?
Nice!