FYI, here are the steps I took to get a very basic, self-signed SSL configuration in place:

$ openssl req -new -x509 -days 3650 -nodes -out mongodb-cert.crt -keyout mongodb-cert.key
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:mongodb
Email Address []:
$ cat mongodb-cert.* >> mongodb.pem

Add 'sslOnNormalPorts = 1' and 'sslPemKeyFile = /etc/ssl/mongodb.pem' to /etc/mongodb.conf
Add 'ssl: true' and 'verify_ssl: true' to [database] section of /etc/pulp/server.conf

BONUS: Because I used 'mongodb' in the certificate above and using 'verify_ssl' in the Pulp configuration, Pulp expects its request to match the returned CN. In order to do this, do the following:
-Add 'seeds: mongodb:27017' to the [database] section of /etc/pulp/server.conf
-Add 'mongodb' to the '127.0.0.1' line of /etc/hosts

On Wed, Jan 27, 2016 at 12:29 PM, Kodiak Firesmith <[email protected]> wrote:
> Hi Lesley,
> I just had to do this during my setup. Well, part b at least - haven't
> throttled the # connections.
>
> Here is what is working for me, YMMV as I'm hardly an expert:
>
> > use pulp_database
> switched to db pulp_database
> > show users
> {
>     "_id" : "pulp_database.pulpAdministrator",
>     "user" : "pulpAdministrator",
>     "db" : "pulp_database",
>     "roles" : [
>         {
>             "role" : "dbAdmin",
>             "db" : "pulp_database"
>         },
>         {
>             "role" : "readWrite",
>             "db" : "pulp_database"
>         }
>     ]
> }
>
> Hit me up on #pulp if you have any trouble and I'll see if your errors
> match any of the ones I hit during my struggle to get mongo auth set up :)
>
> On Wed, Jan 27, 2016 at 1:21 PM, Lesley Kimmel <[email protected]>
> wrote:
>
>> All;
>>
>> I am attempting to secure Satellite/Katello per DoD security guidance.
>> The first few items I need to do are to limit incoming connections and to
>> enable access control. Along those lines can anyone answer:
>>
>> a) How many connections to MongoDB does Pulp require? Is it configurable?
>> b) Out of the box there is no access control between Pulp and MongoDB.
>> What are the minimum permissions/roles needed for a user to allow Pulp to
>> do what it needs to do?
>>
>> _______________________________________________
>> Pulp-list mailing list
>> [email protected]
>> https://www.redhat.com/mailman/listinfo/pulp-list
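
An added example, not part of the original thread or of Pulp: a small Python check that the [database] settings, the /etc/hosts entry and the certificate CN described in the message above agree with each other. The sample file contents are constructed, the function names are hypothetical, and the exact CN comparison is a simplification of real hostname verification that suits a CN-only self-signed certificate.

```python
import configparser

# Constructed sample inputs that mirror the settings described in the post.
SERVER_CONF = """\
[database]
name: pulp_database
seeds: mongodb:27017
ssl: true
verify_ssl: true
"""
HOSTS = """\
127.0.0.1   localhost localhost.localdomain mongodb
::1         localhost
"""

def hosts_names(hosts_text):
    """Names that an /etc/hosts file maps to some address (comments ignored)."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        names.update(name.lower() for name in fields[1:])
    return names

def audit(server_conf_text, hosts_text, cert_cn):
    """Return the problems that would break or weaken Pulp's TLS link to MongoDB."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(server_conf_text)
    if not parser.has_section("database"):
        return ["server.conf has no [database] section"]
    db = parser["database"]
    problems = []
    if not db.getboolean("ssl", fallback=False):
        problems.append("ssl is not set to true")
    if not db.getboolean("verify_ssl", fallback=False):
        problems.append("verify_ssl is not set to true")
    seeds = [s.strip() for s in db.get("seeds", fallback="").split(",") if s.strip()]
    if not seeds:
        problems.append("seeds is not set")
    for seed in seeds:
        host = seed.rsplit(":", 1)[0].lower()
        if host != cert_cn.lower():
            problems.append(f"seed host {host} does not match certificate CN {cert_cn}")
        elif host not in hosts_names(hosts_text):
            problems.append(f"seed host {host} has no /etc/hosts entry")
    return problems

if __name__ == "__main__":
    # The CN is the one typed at the openssl prompt in the post.
    print(audit(SERVER_CONF, HOSTS, "mongodb") or "consistent")
```
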
