I have a MongoDB instance running (single instance) with SSL enabled. I am able to connect to it with RoboMongo, where on the SSL tab I provide the following:
CA File: /path to my certificate/testCA.pem
PEM certificate/key: /path to my key/testKey.pem
This connects successfully. Now I'm trying to connect to the same MongoDB from a Java app. I imported testCA.pem into cacerts using the following command:
keytool -import -keystore cacerts -file testCA.pem -storepass changeit
and I can see a new entry added to the store. I tried to add the other key into it and it says invalid certificate. In the Java app I set the system properties as follows:
System.setProperty ("javax.net.ssl.trustStore","C:\\Program Files\\Java\\jre1.8.0_91\\lib\\security\\cacerts");
System.setProperty ("javax.net.ssl.trustStorePassword","changeit");
and I'm getting the following error:
org.springframework.dao.DataAccessResourceFailureException: Timed out after 10000 ms while waiting to connect. Client view of cluster state is {type=Unknown, servers=[{address=test.mongo.com:27017, type=Unknown, state=Connecting, exception={com.mongodb.MongoException$Network: Exception opening the socket}, caused by {java.io.EOFException}}]; nested exception is com.mongodb.MongoTimeoutException: Timed out after 10000 ms while waiting to connect. Client view of cluster state is {type=Unknown, servers=[{address=test.mongo.com:27017, type=Unknown, state=Connecting, exception={com.mongodb.MongoException$Network: Exception opening the socket}, caused by {java.io.EOFException}}]
at org.springframework.data.mongodb.core.MongoExceptionTranslator.translateExceptionIfPossible(MongoExceptionTranslator.java:75)
at org.springframework.data.mongodb.core.MongoTemplate.potentiallyConvertRuntimeException(MongoTemplate.java:2075)
at org.springframework.data.mongodb.core.MongoTemplate.executeFindMultiInternal(MongoTemplate.java:1918)
What am I missing here, thanks in advance!
MongoDB can use any valid TLS/SSL certificate issued by a certificate authority, or a self-signed certificate. If you use a self-signed certificate, although the communications channel will be encrypted to prevent eavesdropping on the connection, there will be no validation of server identity.
A Java SSL certificate works on the technology regarded as “public key infrastructure” (PKI). PKI involves a trusted and recognized certificate authority (CA) that issues the certificate. However, the certificate is only issued when it has verified the identity of the party requesting it.
In addition to importing the CAFile.pem with the command (navigate to your java_home/jre/lib/security to run the commands):
1. keytool -import -trustcacerts -file testCA.pem -keystore cacerts -storepass "changeit"
I also had to export the key.pem into PKCS12 format (default password 'changeit'):
2. openssl pkcs12 -export -out mongodb.pkcs12 -in testKey.pem
and in addition to setting the trustStore/trustStorePassword system properties, keyStore/keyStorePassword should also be set:
System.setProperty ("javax.net.ssl.trustStore",JAVA_HOME + "\\lib\\security\\cacerts");
System.setProperty ("javax.net.ssl.trustStorePassword","changeit");
System.setProperty ("javax.net.ssl.keyStore",JAVA_HOME + "\\lib\\security\\mongodb.pkcs12");
System.setProperty ("javax.net.ssl.keyStorePassword","changeit");
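The four system properties above are process-wide: every TLS client in the JVM picks them up, and the key store password sits in a global property. An alternative with the same effect, as an added example that is not part of the answer or of the MongoDB driver's documentation, is to load the trust store (cacerts with testCA.pem imported) and the PKCS12 key store (mongodb.pkcs12 exported from testKey.pem) into an SSLContext and hand only that context to the driver. It assumes the MongoClientSettings API of the Java driver (3.7+/4.x), the host test.mongo.com:27017 from the question, and the file locations the answer uses; MongoTlsClient and buildSslContext are names chosen for this example. Because the context carries both a trust manager (to verify the server's certificate) and a key manager (to present the client certificate when the server requests one), it covers the mutual-TLS case in which a missing client key shows up as the EOFException in the question.

```java
import com.mongodb.ConnectionString;
import com.mongodb.MongoClientSettings;
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;
import org.bson.Document;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

public class MongoTlsClient {

    // Assumed locations, matching the answer: cacerts holds the imported testCA.pem,
    // mongodb.pkcs12 holds the client certificate and key exported from testKey.pem.
    static final String TRUST_STORE = System.getProperty("java.home") + "/lib/security/cacerts";
    static final String KEY_STORE   = System.getProperty("java.home") + "/lib/security/mongodb.pkcs12";

    // Build an SSLContext scoped to this client instead of setting javax.net.ssl.* globally.
    static SSLContext buildSslContext(String trustStorePath, char[] trustStorePass,
                                      String keyStorePath, char[] keyStorePass) throws Exception {
        // Trust store: the CA that signed the server certificate (JKS on Java 8;
        // the default type on newer JDKs reads the JKS cacerts file as well).
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePass);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // Key store: the client certificate and private key, in the PKCS12 file
        // produced by "openssl pkcs12 -export".
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(keyStorePath)) {
            keyStore.load(in, keyStorePass);
        }
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyStorePass);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildSslContext(TRUST_STORE, "changeit".toCharArray(),
                                         KEY_STORE, "changeit".toCharArray());

        MongoClientSettings settings = MongoClientSettings.builder()
            .applyConnectionString(new ConnectionString("mongodb://test.mongo.com:27017/?ssl=true"))
            // enabled(true) turns TLS on; context(ctx) replaces the JVM-default SSLContext.
            // Host name verification stays on (the driver's default), so the server
            // certificate must match test.mongo.com.
            .applyToSslSettings(b -> b.enabled(true).context(ctx))
            .build();

        try (MongoClient client = MongoClients.create(settings)) {
            // A ping proves the handshake completed with both stores in place.
            Document reply = client.getDatabase("admin").runCommand(new Document("ping", 1));
            System.out.println("ping reply: " + reply.toJson());
        }
    }
}
```

If the handshake still fails, `keytool -list -keystore cacerts -storepass changeit` confirms the CA entry landed, and running the client with `-Djavax.net.debug=ssl:handshake` shows whether the server requested a client certificate and which one, if any, the key manager offered.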