DOCSP-28315 X.509 Parameters (#2943)

kennethdyer · varunravi98 · web-flow · commit f7c2356e5017 · 2023-05-26T13:54:01.000-07:00
* DOCSP-28315 Documents X.509 parameters and configuration optiosn for TLS cluster authentication * Fixes build issue * Documents the parameter * Refactors existing rotate page * Override step for procedure * Completes procedure * text adjustment * text adjustments * text adjustments * text adjustments * text adjustments * text adjustments * text adjustments * Clarification per Varun * Splits rotate and rolling upgrades, per feedback from Varun * Adds note on rolling upgrade page * Fixes per Jeff * Fixes per Jeff * Fixes per Jeff * Fixes per Jeff * Fixes per Jeff * Fixes per Jeff * Fixes per Jeff * Fixes per Jeff * Fixes per Jeff * Update source/includes/extracts-x509-certificate.yaml Co-authored-by: Varun Ravichandran <varun.ravichandran@mongodb.com> * Update source/includes/extracts-x509-certificate.yaml Co-authored-by: Varun Ravichandran <varun.ravichandran@mongodb.com> * Update source/reference/configuration-options.txt Co-authored-by: Varun Ravichandran <varun.ravichandran@mongodb.com> * Fixes per Varun * Fixes per Varun * Fixes per Varun * Fixes per Varun * Fixes per Varun * Fixes per Varun * Fixes per Varun * Fixes per Varun * Fixes spelling * Fixes build issue * Fixes build issue --------- Co-authored-by: Varun Ravichandran <varun.ravichandran@mongodb.com>
diff --git a/source/core/security-internal-authentication.txt b/source/core/security-internal-authentication.txt
@@ -170,3 +170,4 @@ see :doc:`/tutorial/upgrade-keyfile-to-x509`.
    /tutorial/configure-x509-member-authentication
    /tutorial/upgrade-keyfile-to-x509
    /tutorial/rotate-x509-membership-certificates
+   /tutorial/rotate-x509-member-cert
diff --git a/source/includes/extracts-x509-certificate.yaml b/source/includes/extracts-x509-certificate.yaml
@@ -101,6 +101,12 @@ content: |
         CN=host1,OU=Dept1,OU=Sales,O=MongoDB
         CN=host2,OU=Dept1,O=MongoDB
 
+     You can also specify a custom set of DN attributes and values in the configuration file using the 
+     :setting:`net.tls.clusterAuthX509.attributes` setting.  This is useful 
+     when you wish to configure X.509 authentication with member certificates that do not have DC, O, or OU attributes in their subject DNs.
+
+     For more information, see :ref:`x509-rotate-member-certs`.
+
    - Either the Common Name (``CN``) or one of the Subject Alternative
      Name (``SAN``) entries must match the server hostname for other cluster
      members. Starting in MongoDB 4.2, when comparing ``SAN``\s, MongoDB can 
diff --git a/source/includes/fact-x509-authorization.rst b/source/includes/fact-x509-authorization.rst
@@ -0,0 +1,13 @@
+
+When the server authenticates connections from members, it analyzes the
+X.509 certificate to determine whether it belongs to a cluster member.
+If the server uses the :setting:`~net.tls.clusterAuthX509.attributes` 
+setting or the ``attributes`` field on the 
+:parameter:`tlsClusterAuthX509Override` parameter, it checks 
+the Distinguished Name (DN) values of the certificate.
+If the :setting:`~net.tls.clusterAuthX509.extensionValue` setting or the
+``extensionValue`` field of 
+the :parameter:`tlsClusterAuthX509Override` parameter is set, it checks 
+the extension values of the certificate.  If it finds a match,
+it authorizes the connection as a peer.
+
diff --git a/source/includes/procedure-replica-set-restart-primary.rst b/source/includes/procedure-replica-set-restart-primary.rst
@@ -0,0 +1,23 @@
+
+Restart the primary member:
+
+#. Connect to the primary using :program:`mongosh`, then use the
+   :method:`rs.stepDown` method to step the member down as the
+   primary:
+
+   .. code-block:: javascript
+   
+      rs.stepDown()    
+   
+   The cluster promotes a secondary with the new certificate to serve
+   as the new primary.
+
+#. Use the :method:`db.shutdownServer` method to shut the server down:
+
+   .. code-block:: javascript
+   
+      use admin
+      db.shutdownServer()
+   
+#. Restart the server. 
+
diff --git a/source/includes/procedure-replica-set-restart-secondaries.rst b/source/includes/procedure-replica-set-restart-secondaries.rst
@@ -0,0 +1,22 @@
+
+Restart each secondary cluster member:
+
+#. Use :program:`mongosh` to connect to each secondary cluster member,
+   then use the :method:`db.shutdownServer` method to stop the server:
+
+   .. code-block:: javascript
+
+      use admin
+      db.shutdownServer()
+
+#. Restart the server.
+
+#. Use the :method:`rs.status` method to determine the member state:
+
+   .. code-block:: javascript
+
+      rs.status().members
+
+#. Wait for the ``stateStr`` field for this member to show a value of
+   :replstate:`SECONDARY`, then restart the next secondary.
+
diff --git a/source/reference/configuration-options.txt b/source/reference/configuration-options.txt
@@ -1063,6 +1063,9 @@ Core Options
          clusterPassword: <string>
          CAFile: <string>
          clusterCAFile: <string>
+         clusterAuthX509:
+           attributes: <string>
+           extensionValue: <string>
          CRLFile: <string>
          allowConnectionsWithoutCertificates: <boolean>
          allowInvalidCertificates: <boolean>
@@ -1341,6 +1344,9 @@ Core Options
          clusterCertificateSelector: <string>
          clusterFile: <string>
          clusterPassword: <string>
+         clusterAuthX509:
+           attributes: <string>
+           extensionValue: <string>
          CAFile: <string>
          clusterCAFile: <string>
          CRLFile: <string>
@@ -1614,6 +1620,50 @@ Core Options
    
    .. include:: /includes/extracts/tls-facts-see-more.rst
 
+
+.. setting:: net.tls.clusterAuthX509
+
+   .. versionadded:: 7.0
+
+   .. code-block:: yaml
+
+      net:
+         tls:
+           clusterAuthX509:
+             attributes: <string>
+             extensionValue: <string>
+
+
+.. setting:: net.tls.clusterAuthX509.attributes
+
+   *Type*: string
+
+   .. versionadded:: 7.0
+
+   Specifies a set of X.509 Distinguished Name (DN) attributes and values that
+   the server expects cluster member nodes to contain in their certificate
+   subject names.  This lets you use certificates that don't contain DC,
+   O, and OU values to authenticate cluster members.
+
+   When ``attributes`` is set, MongoDB matches certificates using the DN
+   and ignores extension values.
+
+
+.. setting:: net.tls.clusterAuthX509.extensionValue
+
+   *Type*: string
+
+   .. versionadded:: 7.0
+
+   Specifies an extension value that corresponds to the MongoDB cluster
+   membership extension :abbr:`OID`, 1.3.6.1.4.1.34601.2.1.2, that the server expects cluster 
+   member nodes to contain in their certificates. This allows you 
+   to use certificates that don't contain DC, O, and OU values to authenticate 
+   cluster members.
+
+   When ``extensionValue`` is set, MongoDB matches certificates using
+   certificate extension values and ignores the Distinguished Name (DN).
+
 .. setting:: net.tls.CAFile
 
    *Type*: string
diff --git a/source/reference/parameters.txt b/source/reference/parameters.txt
@@ -759,6 +759,24 @@ Authentication Parameters
 
       :parameter:`sslMode`
 
+.. parameter:: tlsClusterAuthX509Override
+
+   .. versionadded:: 7.0
+
+   Overrides the :setting:`~net.tls.clusterAuthX509` configuration options.
+
+   .. code-block:: yaml
+
+      setParameter:
+         tlsClusterAuthX509Override: { attributes: O=MongoDB, OU=MongoDB Server }
+
+   The parameter supports ``attributes`` and ``extensionValue`` overrides.
+
+   .. include:: /includes/fact-x509-authorization
+
+   Use this parameter to rotate certificates when the new certificates have
+   different attributes or extension values.
+
 .. parameter:: tlsOCSPStaplingTimeoutSecs
 
    .. versionadded:: 4.4
diff --git a/source/tutorial/rotate-x509-member-cert.txt b/source/tutorial/rotate-x509-member-cert.txt
@@ -0,0 +1,213 @@
+.. _x509-rotate-member-certs:
+
+=================================
+Rotate X.509 Cluster Certificates 
+=================================
+
+.. default-domain:: mongodb
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 1
+   :class: singlecol
+
+.. versionadded:: 7.0
+
+Cluster members can use X.509 certificates for :ref:`membership
+authentication <internal-auth-x509>` to identify other servers
+in the same deployment.
+
+To identify each other as members, Distinguished Name (DN) values
+for the X.509 certificate of each member must have the same
+Organization (O), Organizational Unit (OU), and Domain Component (DC)
+attributes.  Alternatively, the certificates must have the same
+extension value.
+
+Clusters adopting new certificates can use the 
+:parameter:`tlsClusterAuthX509Override` parameter to accept X.509 certificates
+with different DN attributes during the certificate rotation procedure.  Once
+all members use certificates with the new value, remove the override to begin
+rejecting the now out of date certificates.
+
+.. note::
+
+   To perform a rolling update to rotate certificates on a cluster that doesn't
+   use the :setting:`net.tls.clusterAuthX509` settings and won't after the update,
+   see :ref:`x509-rolling-update`.
+
+About This Task
+---------------
+
+Consider a replica set where member certificates 
+(set using the :setting:`~net.tls.clusterFile` and 
+:setting:`~net.tls.certificateKeyFile` settings) 
+have Distinguished Name (DN) values that use the ``10gen`` organization
+and ``10gen Server`` organizational unit (set using the
+:setting:`~net.tls.clusterAuthX509.attributes` setting).
+
+.. code-block:: yaml
+   :emphasize-lines: 6, 8, 11
+
+   security:
+     clusterAuthMode:      x509
+   net:
+     tls:
+       mode:               requireTLS
+       certificateKeyFile: /etc/mycerts/10gen-server1.pem
+       CAFile:             /etc/mycerts/ca.pem
+       clusterFile:        /etc/mycerts/10gen-cluster1.pem
+       clusterCAFile:      /etc/mycerts/ca.pem
+       clusterAuthX509:
+          attributes:      O=10gen, OU=10gen Server
+
+This tutorial assumes that the new X.509 certificates meet
+membership certificate and all other requirements and that
+the cluster configuration identifies peer certificates
+using Distinguished Name (DN) values.
+For details, see :ref:`x509-member-certificate-requirements`.
+
+Steps
+-----
+
+These steps update member certificates to use new X.509 certificates on a cluster
+configured with the :setting:`~net.tls.clusterAuthX509.attributes` setting.
+
+The new certificates have Distinguished Names (DN) that change the 
+Organization (O) attributes from ``10gen`` to ``MongoDB`` and the
+Organizational Unit (OU) attribute from ``10gen Server`` to ``MongoDB Server``.
+
+.. procedure::
+
+   .. step:: Update the TLS Cluster Membership Configuration
+
+      Update the configuration file of each server:
+
+      * Change :setting:`~net.tls.clusterAuthX509.attributes` setting to use
+        the values on the new certificate
+
+      * Set the :parameter:`tlsClusterAuthX509Override` parameter to use the
+        DN attributes of the old certificate.
+
+      For example: 
+
+      .. code-block:: yaml
+         :emphasize-lines: 9, 13
+
+         net:
+           tls:
+             mode:               requireTLS
+             certificateKeyFile: /etc/mycerts/mongodb-server1.pem
+             CAFile:             /etc/mycerts/ca.pem
+             clusterFile:        /etc/mycerts/mongodb-cluster1.pem
+             clusterCAFile:      /etc/mycerts/ca.pem
+             clusterAuthX509:
+                attributes:      O=MongoDB, OU=MongoDB Server
+         security:
+           clusterAuthMode: x509
+         setParameter:
+            tlsClusterAuthX509Override: { attributes: O=10gen, OU=10gen Server }
+
+   .. step:: Restart Secondary Cluster Members
+   
+      .. include:: /includes/procedure-replica-set-restart-secondaries
+
+      Secondary servers in the replica set now accept peer connections from
+      members using certificates with the new DN attributes.
+   
+   .. step:: Restart Primary Cluster Member
+   
+      .. include:: /includes/procedure-replica-set-restart-primary
+
+      The primary server in the replica set steps down and restarts as a
+      secondary that now accepts peer connections from members using
+      certificates with the new DN attributes.
+
+   .. step:: Update the TLS Certificates
+
+      Update the configuration file of each server:
+
+      * Change the :setting:`net.tls.certificateKeyFile` setting to use the 
+        new certificate.
+
+      * Change the :setting:`net.tls.clusterFile` setting to use the 
+        new certificate.
+
+      For example:
+
+      .. code-block:: yaml
+         :emphasize-lines: 4, 6
+
+         net:
+           tls:
+             mode:               requireTLS
+             certificateKeyFile: /etc/mycerts/mongodb-server2.pem
+             CAFile:             /etc/mycerts/ca.pem
+             clusterFile:        /etc/mycerts/mongodb-cluster2.pem
+             clusterCAFile:      /etc/mycerts/ca.pem
+             clusterAuthX509:
+                attributes:      O=MongoDB, OU=MongoDB Server
+         security:
+           clusterAuthMode: x509
+         setParameter:
+            tlsClusterAuthX509Override: { attributes: O=10gen, OU=10gen Server }
+            
+
+   .. step:: Restart Secondary Cluster Members
+   
+      .. include:: /includes/procedure-replica-set-restart-secondaries
+
+      Secondary servers in the replica set now use the new X.509 certificates.
+   
+   .. step:: Restart Primary Cluster Member
+   
+      .. include:: /includes/procedure-replica-set-restart-primary
+
+      The primary server in the replica set steps down and restarts as a 
+      secondary that uses the new X.509 certificate. 
+
+   .. step:: Remove the DN Certification Override Configuration
+
+      With all members of the cluster now using the new X.509 certificate, 
+      update the configuration file to remove the :setting:`setParameter` 
+      settings for the :parameter:`tlsClusterAuthX509Override` parameter.
+
+      For example:
+
+      .. code-block:: yaml
+
+         net:
+           tls:
+             mode:               requireTLS
+             certificateKeyFile: /etc/mycerts/mongodb-server1.pem
+             CAFile:             /etc/mycerts/ca.pem
+             clusterFile:        /etc/mycerts/mongodb-cluster1.pem
+             clusterCAFile:      /etc/mycerts/ca.pem
+             clusterAuthX509:
+                attributes:      O=MongoDB, OU=MongoDB Server
+         security:
+           clusterAuthMode: x509
+
+      This ensures that the server doesn't configure the old certificate
+      settings on startup.
+
+   .. step:: Restart Secondary Cluster Members
+   
+      .. include:: /includes/procedure-replica-set-restart-secondaries
+
+      Secondary servers in the replica set restart and no longer accept
+      connections from the old X.509 certificates.
+   
+   .. step:: Restart Primary Cluster Member
+   
+      .. include:: /includes/procedure-replica-set-restart-primary
+
+      The primary server steps down and restarts as a secondary that no longer
+      accepts connections from the old X.509 certificates.
+
+Learn More
+----------
+
+* :ref:`security-auth-x509`
+* :ref:`x509-internal-authentication`
+* :ref:`upgrade-to-x509-internal-authentication`
diff --git a/source/tutorial/rotate-x509-membership-certificates.txt b/source/tutorial/rotate-x509-membership-certificates.txt
