You are viewing the documentation for Blueriq 18. Documentation for other versions is available in our documentation directory.

The DCM Lists service supports TLS/SSL connections to MongoDB. A TLS/SSL connection can be configured in one of two modes: one-way validation, in which only the DCM Lists application verifies the identity of the MongoDB instance, or two-way validation, in which both sides verify each other.

One-Way Validation

In one-way validation, only the client (the DCM Lists application) verifies the identity of the other side: it checks that the certificate presented by the MongoDB instance chains to a certificate in its truststore and that the name in that certificate matches the host it connected to. The MongoDB instance does not verify the client.

For this to work, the MongoDB instance must be configured with TLS enabled, and the certificate of the MongoDB instance (or of the CA that issued it) must be present in the truststore of the DCM Lists application.

Instructions for configuring TLS in MongoDB can be found [here].

The MongoDB certificate must also be recognized in the truststore of the environment where the DCM Lists application is running. For more information, please refer to this [page].

Next, configure the MongoDB client used by DCM Lists to connect over TLS by adding the following properties to the blueriq-dcm-lists.yml file:

dcm-lists-application.yml
  blueriq:
    dcm:
      lists:
        mongodb:
          ...
          tls:
            enabled: true
            # insecure: true   # optional: skips hostname validation of the MongoDB certificate (chain validation still applies); leave unset outside test environments


Finally, the JVM must know where to find the trusted certificates in order to validate the certificate received from the MongoDB instance. This is done by specifying the location of the truststore and the password required to open it. Add the following JVM arguments when starting the DCM Lists application. Note that javax.net.ssl.trustStore replaces the JVM's default truststore (cacerts) for every TLS connection the application makes, so this truststore must also contain any other CA certificates the application relies on, and that a password passed on the command line is visible to anyone who can list processes on the host.


one-way JVM arguments
-Djavax.net.ssl.trustStore=<path\to\client-trust-store>/clienttruststore.jks 
-Djavax.net.ssl.trustStorePassword=truststorePassword


Two-Way Validation

Two-way validation extends one-way validation with mutual authentication: in addition to validating the MongoDB certificate, the DCM Lists application presents its own certificate during the handshake, and the MongoDB instance validates it before any data is exchanged.

To enable two-way validation, in addition to the steps for one-way validation, the MongoDB instance must be configured to trust the certificate of the DCM Lists application or the CA that issued it (for mongod, this is the CA file configured with net.tls.CAFile), and a keystore containing the DCM Lists application's certificate together with its private key must be available in the DCM Lists environment. The private key is what proves to MongoDB that the connection comes from DCM Lists, so the keystore and its password must be protected accordingly.

Then, add the following JVM arguments when starting the DCM Lists application:

two-way JVM arguments
-Djavax.net.ssl.trustStore=<path\to\client-trust-store>/clienttruststore.jks 
-Djavax.net.ssl.trustStorePassword=truststorePassword 
-Djavax.net.ssl.keyStore=<path\to\client-key-store>/clientkeystore.p12 
-Djavax.net.ssl.keyStorePassword=keystorePassword



MongoDB TLS properties

There are only two TLS-related properties that are recognized by the DCM Lists application. The table below describes them in more detail:

property                               | description | notes
---------------------------------------|-------------|------
blueriq.dcm.lists.mongodb.tls.enabled  | Whether to connect to MongoDB over TLS or not. |
blueriq.dcm.lists.mongodb.tls.insecure | When connecting over TLS, allows an insecure connection. Currently this has the same effect as setting tlsAllowInvalidHostnames to true: the certificate chain is still validated against the truststore, but the hostname in the certificate is no longer compared with the host being connected to. | Only processed when tls.enabled is set to true. With this flag set, any certificate issued by a trusted CA, for any host, is accepted, so a man-in-the-middle holding such a certificate can impersonate the MongoDB instance. Leave it unset outside of test environments.
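The three behaviours described on this page, one-way validation, the effect of tls.insecure (tlsAllowInvalidHostnames) and two-way validation, condensed into one runnable example. This is added here for illustration and is not Blueriq or DCM Lists code, nor the MongoDB driver: Go's crypto/tls stands in for both mongod and the Java client, the certificates are generated in memory (the names Demo CA, Rogue CA, mongo.example and dcm-lists are made up), the x509.CertPool plays the part of clienttruststore.jks and the client tls.Certificate that of clientkeystore.p12. insecureConfig reproduces what tlsAllowInvalidHostnames does: chain validation against the truststore still happens, the hostname comparison does not.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a throwaway certificate for name signed by parent, or a self-signed CA when
// parent is nil. Leaf holds the parsed certificate so it can act as a signer or a trust root.
func issue(name string, parent *tls.Certificate) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		DNSNames: []string{name}, // the name that hostname validation compares against
		IsCA: parent == nil, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// try runs a one-shot TLS server (demanding a client certificate when clientCAs is non-nil, i.e. two-way validation), connects with cfg and reports whether the connection was accepted.
func try(server tls.Certificate, clientCAs *x509.CertPool, cfg *tls.Config) bool {
	srv := &tls.Config{Certificates: []tls.Certificate{server}, MinVersion: tls.VersionTLS12}
	if clientCAs != nil {
		srv.ClientAuth, srv.ClientCAs = tls.RequireAndVerifyClientCert, clientCAs
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	go func() { // Write runs the server-side handshake first; it fails if the client certificate is rejected
		if c, err := ln.Accept(); err == nil {
			c.Write([]byte("ok"))
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return false
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(3 * time.Second))
	_, err = conn.Read(make([]byte, 2)) // under TLS 1.3 a rejected client certificate surfaces here, not in Dial
	return err == nil
}

// insecureConfig mirrors tls.insecure / tlsAllowInvalidHostnames: the chain is still verified against roots (the truststore), but the name in the certificate is ignored.
func insecureConfig(roots *x509.CertPool) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true, // disables every built-in check, so the chain check is redone below
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			leaf, _ := x509.ParseCertificate(raw[0]) // already parsed by the TLS layer, cannot fail here
			_, err := leaf.Verify(x509.VerifyOptions{Roots: roots}) // no DNSName: any name the CA signed passes
			return err
		},
	}
}

// Scenarios runs one connection attempt per case and reports whether it was accepted.
func Scenarios() map[string]bool {
	ca, rogueCA := issue("Demo CA", nil), issue("Rogue CA", nil)
	server, client := issue("mongo.example", &ca), issue("dcm-lists", &ca)
	roots := x509.NewCertPool() // plays the role of clienttruststore.jks
	roots.AddCert(ca.Leaf)
	strict := func(name string) *tls.Config { return &tls.Config{RootCAs: roots, ServerName: name} }
	mutual := &tls.Config{RootCAs: roots, ServerName: "mongo.example", Certificates: []tls.Certificate{client}} // keystore
	return map[string]bool{
		"one-way, name matches":   try(server, nil, strict("mongo.example")),
		"one-way, name mismatch":  try(server, nil, strict("other.example")),
		"insecure, name mismatch": try(server, nil, insecureConfig(roots)),
		"insecure, untrusted CA":  try(issue("mongo.example", &rogueCA), nil, insecureConfig(roots)),
		"two-way, no client cert": try(server, roots, strict("mongo.example")),
		"two-way, client cert":    try(server, roots, mutual),
	}
}

func main() {
	for name, accepted := range Scenarios() {
		fmt.Printf("%-24s accepted=%v\n", name, accepted)
	}
}
```

Run it with Go 1.18 or later; the two cases worth noting are "insecure, name mismatch", which is accepted (any certificate the trusted CA issued, for any host, then passes, which is why the flag must stay off in production) and "two-way, no client cert", which is rejected until the client presents a certificate from the keystore, the part the javax.net.ssl.keyStore arguments provide. "insecure, untrusted CA" is still rejected, matching the note in the table that tls.insecure only affects hostname validation.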