<div dir="ltr">FYI, here's the steps I took to get a very basic, self-signed SSL configuration in place:<br><br>$ openssl req -new -x509 -days 3650 -nodes -out mongodb-cert.crt -keyout mongodb-cert.key<br>Country Name (2 letter code) [XX]:<br>State or Province Name (full name) []:<br>Locality Name (eg, city) [Default City]:<br>Organization Name (eg, company) [Default Company Ltd]:<br>Organizational Unit Name (eg, section) []:<br>Common Name (eg, your name or your server's hostname) []:mongodb<br>Email Address []:<br>$ cat mongodb-cert.* >> mongodb.pem<br><br>Add 'sslOnNormalPorts = 1' and 'sslPemKeyFile = /etc/ssl/mongodb.pem' to /etc/mongodb.conf<br><br>Add 'ssl: true' and 'verify_ssl: true' to [database] section of /etc/pulp/server.conf<br>BONUS:
Because I used 'mongodb' in the certificate above and using
'verify_ssl' in the Pulp configuration Pulp expects it's request to
match the returned CN. In order to do this, do the following:<br>-Add 'seeds: mongodb:27017' to the [database] section of /etc/pulp/server.conf<br>-Add 'mongodb' to the '127.0.0.1' line of /etc/hosts</div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jan 27, 2016 at 12:29 PM, Kodiak Firesmith <span dir="ltr"><<a href="mailto:kfiresmith@gmail.com" target="_blank">kfiresmith@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Lesley,<div>I just had to do this during my setup. Well, part b at least - haven't throttled the # connections.</div><div><br></div><div>Here is what is working for me, YMMV as I'm hardly an expert:</div><div><br></div><div><div>> use pulp_database</div><div>switched to db pulp_database</div><div>> show users</div><div>{</div><div><span style="white-space:pre-wrap"> </span>"_id" : "pulp_database.pulpAdministrator",</div><div><span style="white-space:pre-wrap"> </span>"user" : "pulpAdministrator",</div><div><span style="white-space:pre-wrap"> </span>"db" : "pulp_database",</div><div><span style="white-space:pre-wrap"> </span>"roles" : [</div><div><span style="white-space:pre-wrap"> </span>{</div><div><span style="white-space:pre-wrap"> </span>"role" : "dbAdmin",</div><div><span style="white-space:pre-wrap"> </span>"db" : "pulp_database"</div><div><span style="white-space:pre-wrap"> </span>},</div><div><span style="white-space:pre-wrap"> </span>{</div><div><span style="white-space:pre-wrap"> </span>"role" : "readWrite",</div><div><span style="white-space:pre-wrap"> </span>"db" : "pulp_database"</div><div><span style="white-space:pre-wrap"> </span>}</div><div><span style="white-space:pre-wrap"> </span>]</div><div>}</div></div><div><br></div><div><br></div><div>Hit me up on #pulp if you have any trouble and I'll see if your errors match any of the ones I hit during my struggle to get mongo auth set up :)</div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">On Wed, Jan 27, 2016 at 1:21 PM, Lesley Kimmel <span dir="ltr"><<a href="mailto:lesley.j.kimmel@gmail.com" target="_blank">lesley.j.kimmel@gmail.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr"><div><div><div>All;<br><br></div>I am attempting to secure Satellite/Katello per DoD security guidance. The first few items I need to do is to limit incoming connections and to enable access control. Along those lines can anyone answer:<br><br></div>a) How many connections to MongoDB does Pulp require? Is it configurable?<br></div>b) Out of the box there is no access control between Pulp and MongoDB. What are the minimum permissions/roles needed for a user to allow Pulp do do what it needs to do?<br></div>
<br></div></div>_______________________________________________<br>
Pulp-list mailing list<br>
<a href="mailto:Pulp-list@redhat.com" target="_blank">Pulp-list@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/pulp-list" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/pulp-list</a><br></blockquote></div><br></div>
</blockquote></div><br></div>