---------- Forwarded message ----------
From: Lesley Kimmel <[email protected]>
Date: Fri, Feb 12, 2016 at 8:00 AM
Subject: Re: [Pulp-list] Pulp (MongoDB) Security Configuration
To: Kodiak Firesmith <[email protected]>

FYI, here are the steps I took to get a very basic, self-signed SSL configuration in place:

    $ openssl req -new -x509 -days 3650 -nodes -out mongodb-cert.crt -keyout mongodb-cert.key
    Country Name (2 letter code) [XX]:
    State or Province Name (full name) []:
    Locality Name (eg, city) [Default City]:
    Organization Name (eg, company) [Default Company Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:mongodb
    Email Address []:

    $ cat mongodb-cert.* >> mongodb.pem

Add 'sslOnNormalPorts = 1' and 'sslPemKeyFile = /etc/ssl/mongodb.pem' to /etc/mongodb.conf

Add 'ssl: true' and 'verify_ssl: true' to the [database] section of /etc/pulp/server.conf

BONUS: Because I used 'mongodb' in the certificate above and am using 'verify_ssl' in the Pulp configuration, Pulp expects its request to match the returned CN. In order to do this, do the following:

- Add 'seeds: mongodb:27017' to the [database] section of /etc/pulp/server.conf
- Add 'mongodb' to the '127.0.0.1' line of /etc/hosts

On Wed, Jan 27, 2016 at 4:13 PM, Kodiak Firesmith <[email protected]> wrote:
> I deprioritized that part for now because they are on the same host and
> wanted to get more practical security components in place first. AD
> integration is next and we'll see how that goes.
>
> On Jan 27, 2016 5:04 PM, "Lesley Kimmel" <[email protected]> wrote:
>
>> Did you discover the magic to communicate from Pulp to MongoDB over SSL?
>>
>> On Wed, Jan 27, 2016 at 12:52 PM, Kodiak Firesmith <[email protected]> wrote:
>>
>>> I dumped Sat6/Katello in favor of using Pulp for everything we can't
>>> already do with our Puppet 4 cluster. The final result should be:
>>> * Puppet4 cluster (dns round robin, integrated with R10K)
>>> * Pulp for all non-Puppet content, including using the "ISO" repo
>>> function of Pulp to host Kickstarts for https net booting (since we don't
>>> use PXE we don't need cobbler, one less attack surface).
>>>
>>> Next steps now that I'm pulling in cdn.redhat.com content fine and
>>> whatnot are getting internal ssl connections for mongo and qpid, and
>>> getting Active Directory integration for pulp activities sorted out.
>>>
>>> Things are really looking up.
>>>
>>> On Wed, Jan 27, 2016 at 1:45 PM, Lesley Kimmel <[email protected]> wrote:
>>>
>>>> What kind of overall progress have you made on securing
>>>> Satellite6/Katello?
>>>>
>>>> On Wed, Jan 27, 2016 at 12:29 PM, Kodiak Firesmith <[email protected]> wrote:
>>>>
>>>>> Hi Lesley,
>>>>> I just had to do this during my setup. Well, part b at least -
>>>>> haven't throttled the # connections.
>>>>>
>>>>> Here is what is working for me, YMMV as I'm hardly an expert:
>>>>>
>>>>>     > use pulp_database
>>>>>     switched to db pulp_database
>>>>>     > show users
>>>>>     {
>>>>>         "_id" : "pulp_database.pulpAdministrator",
>>>>>         "user" : "pulpAdministrator",
>>>>>         "db" : "pulp_database",
>>>>>         "roles" : [
>>>>>             {
>>>>>                 "role" : "dbAdmin",
>>>>>                 "db" : "pulp_database"
>>>>>             },
>>>>>             {
>>>>>                 "role" : "readWrite",
>>>>>                 "db" : "pulp_database"
>>>>>             }
>>>>>         ]
>>>>>     }
>>>>>
>>>>> Hit me up on #pulp if you have any trouble and I'll see if your errors
>>>>> match any of the ones I hit during my struggle to get mongo auth set up :)
>>>>>
>>>>> On Wed, Jan 27, 2016 at 1:21 PM, Lesley Kimmel <[email protected]> wrote:
>>>>>
>>>>>> All;
>>>>>>
>>>>>> I am attempting to secure Satellite/Katello per DoD security
>>>>>> guidance. The first few items I need to do are to limit incoming
>>>>>> connections and to enable access control. Along those lines can anyone answer:
>>>>>>
>>>>>> a) How many connections to MongoDB does Pulp require? Is it
>>>>>> configurable?
>>>>>> b) Out of the box there is no access control between Pulp and
>>>>>> MongoDB. What are the minimum permissions/roles needed for a user to
>>>>>> allow Pulp to do what it needs to do?
>>>>>>

_______________________________________________
Pulp-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/pulp-list
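The settings the thread above ends up with (mongod terminating TLS, Pulp requesting and verifying it, and the seed host matching the certificate CN) can be checked mechanically. The following is an added example and is not code from the emails or from the Pulp project: a small Python audit that parses constructed copies of /etc/mongodb.conf and the [database] section of /etc/pulp/server.conf and lists which of the settings are missing or inconsistent, including the CN-versus-seed mismatch that the BONUS step fixes. The sample file contents, the `audit` function and its finding texts are assumptions; the certificate CN (`mongodb`, as in the thread) is passed in as a string rather than read from the PEM file.

```python
"""Audit the Pulp -> MongoDB TLS settings described in the thread.

Added example, not the thread's or Pulp's own code. It checks the
mongod side (sslOnNormalPorts, sslPemKeyFile), the Pulp side (ssl,
verify_ssl) and the hostname-verification requirement (every host in
'seeds' must equal the certificate CN and must not be an IP literal).
"""
import configparser
import ipaddress

# Constructed sample of /etc/mongodb.conf (mongod 2.x "key = value" style)
# as the thread leaves it. The file has no section header, so one is added
# before parsing.
MONGODB_CONF = """
bind_ip = 127.0.0.1
port = 27017
sslOnNormalPorts = 1
sslPemKeyFile = /etc/ssl/mongodb.pem
"""

# Constructed sample of the [database] section of /etc/pulp/server.conf.
# WEAK is the out-of-the-box state the thread starts from (no TLS, IP seed);
# HARDENED is the end state after Lesley's steps including the BONUS edit.
PULP_CONF_WEAK = """
[database]
name: pulp_database
seeds: 127.0.0.1:27017
"""

PULP_CONF_HARDENED = """
[database]
name: pulp_database
seeds: mongodb:27017
ssl: true
verify_ssl: true
"""


def _parse(text, default_section=None):
    """Parse ini-style text; prepend a header for files that lack one."""
    cp = configparser.ConfigParser(interpolation=None)
    if default_section is not None:
        text = f"[{default_section}]\n" + text
    cp.read_string(text)
    return cp


def audit(mongodb_conf, pulp_conf, cert_cn):
    """Return a list of findings; an empty list means the link is verified."""
    findings = []
    mongo = _parse(mongodb_conf, default_section="mongod")["mongod"]
    db = _parse(pulp_conf)["database"]

    # Server side: mongod must actually be terminating TLS on its port.
    if mongo.get("sslOnNormalPorts", "0").lower() not in ("1", "true"):
        findings.append("mongod: sslOnNormalPorts is not set; clients can connect in clear text")
    if not mongo.get("sslPemKeyFile"):
        findings.append("mongod: sslPemKeyFile is unset; no server certificate")

    # Client side: Pulp must request TLS and verify the peer certificate.
    if not db.getboolean("ssl", fallback=False):
        findings.append("pulp: ssl is not true; Pulp will not use TLS")
    if not db.getboolean("verify_ssl", fallback=False):
        findings.append("pulp: verify_ssl is not true; server certificate is not checked")

    # Hostname verification: each seed host must match the cert CN. An IP
    # literal such as 127.0.0.1 can never match a CN of 'mongodb', which is
    # why the thread adds 'mongodb' to /etc/hosts and uses it in 'seeds'.
    for seed in db.get("seeds", "").split(","):
        host = seed.strip().rsplit(":", 1)[0]
        if not host:
            continue
        try:
            ipaddress.ip_address(host)
            findings.append(f"pulp: seed {host!r} is an IP literal; verify_ssl needs the CN {cert_cn!r}")
            continue
        except ValueError:
            pass  # not an IP address, treat as a hostname
        if host != cert_cn:
            findings.append(f"pulp: seed host {host!r} does not match certificate CN {cert_cn!r}")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", PULP_CONF_WEAK), ("hardened", PULP_CONF_HARDENED)):
        print(label, audit(MONGODB_CONF, conf, "mongodb") or "OK")
```

Run as a script it reports three findings for the default configuration (no `ssl`, no `verify_ssl`, IP-literal seed) and `OK` for the hardened one. Note that the key generated with `-nodes` in the thread is unencrypted, so the combined mongodb.pem is only as safe as its file permissions; restricting it to the mongod user is part of the same configuration.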
