I'm trying to configure a cluster with Sharding and Replication. I'd like to configure certificate-based client authentication. Optimally, it would also use certificate-based member authentication.
First, a Certificate-based Member Authentication related question: is it essential that each cluster member have a different certificate? I’d rather all replica members in all the replica set shards share a single certificate, as the setup is a development setup, and I don’t feel like creating this many certificates.
From what I’ve gathered, using the same certificate is impossible. This is why I’m trying to mix Key File member authentication with certificate-based client authentication (so far with little success).
The way I tried to achieve this is by running all cluster members (including the mongos router) with the keyFile flag, referencing a single file for all the members. For the mongos router I also referenced a config file:
net:
  ssl:
    mode: allowSSL
    PEMKeyFile: C:\MongoDB\server.pem
    PEMKeyPassword: 1234
    CAFile: C:\MongoDB\ca.pem
    allowInvalidCertificates: false
security:
  clusterAuthMode: keyFile
Before enabling authentication, I created the required DB user, whose name is based on the subject of the certificate. When trying to authenticate with an x.509 certificate, the authentication fails, and the following error appears in the log:
Failed to authenticate CertificateSubject@$external with mechanism MONGODB-X509: AuthenticationFailed The provided certificate can only be used for cluster authentication, not client authentication. The current configuration does not allow x.509 cluster authentication, check the --clusterAuthMode flag
What am I doing wrong? Is mixing up the authentication methods even allowed?
One last, more general, related, set of questions:
- In a sharded cluster, where are the credentials saved? (config servers? router? shards?)
- Is the admin database shared by the members? (config servers? router? shards?)
- Are credentials for sharded DBs kept separately from credentials for non-sharded DBs?
- Is authorization/authentication enforced by the router or propagated to the shards or config servers?
Thanks.
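The error quoted in the post has a documented cause that is worth checking before touching clusterAuthMode at all. As I read the MongoDB x.509 documentation, mongod decides that a presented certificate is a cluster-member certificate when its subject carries the same O, OU and DC attributes as the server's own certificate, and a member certificate is then refused for MONGODB-X509 client login; a client certificate's subject must differ from the member certificates' in at least one of those attributes. Below is an added example, not code from the original post and not MongoDB's own implementation, that reproduces that rule so you can test a client DN against your server.pem subject before creating the user in $external. The DN strings are constructed, the attribute names and the order-insensitive comparison are my assumptions, and the returned strings are illustrative, not mongod's real messages.

```python
# Added example, not from the original post and not MongoDB's code.
# Assumption (my reading of the MongoDB x.509 docs): a certificate whose subject
# has the same O, OU and DC attributes as the server's certificate is treated as
# a cluster-member certificate. Such a certificate can only authenticate as a
# cluster member, and with clusterAuthMode: keyFile that path is closed, which
# is the error seen in the post's log. All DN strings below are constructed.
import re

CLUSTER_ATTRS = ("O", "OU", "DC")

# Constructed sample subjects (RFC 2253 order, as `openssl x509 -subject
# -nameopt RFC2253` would print them).
SERVER_DN = "CN=mongo1.example.test,OU=cluster,O=Example Dev,C=US"
BAD_CLIENT_DN = "CN=app-user,OU=cluster,O=Example Dev,C=US"   # same O/OU/DC
GOOD_CLIENT_DN = "CN=app-user,OU=clients,O=Example Dev,C=US"  # OU differs


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 2253 style DN ("CN=a,OU=b,O=c") into (attr, value) pairs.
    Commas escaped as '\\,' inside a value are kept as part of the value."""
    pairs = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.strip().partition("=")
        if not attr or not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        pairs.append((attr.strip().upper(), value.replace("\\,", ",")))
    return pairs


def cluster_identity(dn: str) -> dict[str, list[str]]:
    """The O/OU/DC multiset that decides cluster membership.
    Assumption: the comparison is order-insensitive, so values are sorted."""
    ident: dict[str, list[str]] = {a: [] for a in CLUSTER_ATTRS}
    for attr, value in parse_dn(dn):
        if attr in ident:
            ident[attr].append(value)
    return {a: sorted(v) for a, v in ident.items()}


def is_member_certificate(client_dn: str, server_dn: str) -> bool:
    """True when mongod would classify client_dn as a cluster-member cert."""
    return cluster_identity(client_dn) == cluster_identity(server_dn)


def classify_x509_login(client_dn: str, server_dn: str, cluster_auth_mode: str) -> str:
    """Illustrative outcome of a MONGODB-X509 login with this certificate.
    Modes that accept x.509 for intra-cluster auth are x509, sendX509 and
    sendKeyFile; keyFile accepts only the key file for members."""
    if is_member_certificate(client_dn, server_dn):
        if cluster_auth_mode in ("x509", "sendX509", "sendKeyFile"):
            return "cluster-member"
        return "rejected: member-style certificate, but clusterAuthMode is keyFile"
    # Otherwise the login maps to the $external user named by the exact DN.
    return f"client user {client_dn}@$external"


if __name__ == "__main__":
    for dn in (BAD_CLIENT_DN, GOOD_CLIENT_DN):
        print(dn, "->", classify_x509_login(dn, SERVER_DN, "keyFile"))
```

The practical takeaway for the setup in the post: keep the shared key file for the members, keep `clusterAuthMode: keyFile`, and reissue the client certificate from the same CA with a different OU (or O/DC) than server.pem; the user in `$external` is then created under the full subject string exactly as the certificate carries it.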