You are viewing the documentation for Blueriq 18.
The DCM Lists service supports TLS/SSL connections to MongoDB. TLS/SSL connections can be configured in two modes: one-way validation or two-way validation.
One-Way Validation
In one-way validation, only the client validates that the data originates from a trusted source (i.e., the MongoDB instance). To validate the MongoDB instance’s identity, the client requires the MongoDB instance's public certificate, which must be stored in the client’s truststore (in this case, the DCM Lists application).
For this to work, the MongoDB instance must be configured with TLS enabled, and the certificate should be present in the truststore of the DCM Lists application.
Instructions for configuring TLS in MongoDB can be found [here].
The MongoDB certificate must also be recognized in the truststore of the environment where the DCM Lists application is running. For more information, please refer to this [page].
Next, you need to configure the MongoDB client to use a TLS connection. To do this, add the following properties to the blueriq-dcm-lists.yml file:

```yaml
blueriq:
  dcm:
    lists:
      mongodb:
        ...
        tls:
          enabled: true
          # insecure: true   # Optional: disables hostname validation of the received certificate
```
Finally, the application environment must know where to find the trusted certificates in order to validate the certificate received from the MongoDB instance. This is done by specifying the location of the truststore and the password required to access it. Add the following JVM arguments when starting the DCM Lists application:
```
-Djavax.net.ssl.trustStore=<path/to/client-trust-store>/clienttruststore.jks
-Djavax.net.ssl.trustStorePassword=truststorePassword
```
Two-Way Validation
Two-way validation extends one-way validation with mutual authentication. In this case, the DCM Lists application also presents its own public certificate, which the MongoDB instance validates before any data is exchanged.
To enable two-way validation, in addition to the steps for one-way validation, the DCM Lists application's certificate must be made trusted in the environment of the MongoDB instance, and a keystore containing the DCM Lists application's certificate (and its private key) must be added to the DCM Lists environment.
Then, add the following JVM arguments when starting the DCM Lists application:
```
-Djavax.net.ssl.trustStore=<path/to/client-trust-store>/clienttruststore.jks
-Djavax.net.ssl.trustStorePassword=truststorePassword
-Djavax.net.ssl.keyStore=<path/to/client-key-store>/clientkeystore.p12
-Djavax.net.ssl.keyStorePassword=keystorePassword
```
MongoDB TLS properties
Only two TLS-related properties are recognized by the DCM Lists application. The table below describes them in more detail:

| Property | Description | Notes |
|---|---|---|
| blueriq.dcm.lists.mongodb.tls.enabled | Whether to connect to MongoDB using TLS. | |
| blueriq.dcm.lists.mongodb.tls.insecure | If connecting with TLS, enables insecure TLS connections. Currently this has the same effect as setting tlsAllowInvalidHostnames to true: the certificate chain is still validated against the truststore, but the hostname in the server certificate is not checked. | This property is only processed when tls.enabled is set to true. |
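The following added example (not Blueriq's code or the DCM Lists implementation) makes explicit what the one-way and two-way configurations above, and the `tls.insecure` property, amount to at the JSSE level. The JVM builds its default `SSLContext` from the `javax.net.ssl.trustStore` / `javax.net.ssl.keyStore` system properties; this class builds the equivalent context by hand so the difference between the two modes is visible in code, and shows that `tls.insecure` corresponds to switching off endpoint identification (hostname verification), not chain validation. File names and passwords are the placeholders from this page; the class and method names are the example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not part of the DCM Lists service. It reproduces what the JVM does
 * with the -Djavax.net.ssl.* properties from the page:
 *
 *   truststore only        -> one-way validation  (client verifies the MongoDB certificate)
 *   truststore + keystore  -> two-way validation  (MongoDB also verifies the client certificate)
 *   insecure = true        -> hostname verification off (same effect as tlsAllowInvalidHostnames)
 */
public final class MongoTlsSetup {

    /** Loads a keystore file: "JKS" for clienttruststore.jks, "PKCS12" for clientkeystore.p12. */
    static KeyStore load(String type, String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * One-way: keyStorePath == null, only the truststore is used.
     * Two-way: additionally supply the PKCS12 keystore holding the client certificate and key.
     */
    public static SSLContext buildContext(String trustStorePath, char[] trustStorePassword,
                                          String keyStorePath, char[] keyStorePassword) throws Exception {
        // Trust managers decide whether the MongoDB certificate chains to a trusted entry.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load("JKS", trustStorePath, trustStorePassword));

        // Key managers supply the client certificate when the server requests one (two-way only).
        KeyManager[] keyManagers = null; // null = no client certificate, i.e. one-way validation
        if (keyStorePath != null) {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(load("PKCS12", keyStorePath, keyStorePassword), keyStorePassword);
            keyManagers = kmf.getKeyManagers();
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Hostname verification is the only thing tls.insecure relaxes. With "HTTPS" the JSSE
     * checks that the server certificate's SAN/CN matches the host that was connected to;
     * with null, any certificate that chains to the truststore is accepted for any host.
     */
    public static SSLParameters parameters(SSLContext ctx, boolean insecure) {
        SSLParameters params = ctx.getDefaultSSLParameters();
        params.setEndpointIdentificationAlgorithm(insecure ? null : "HTTPS");
        return params;
    }

    /** Start-up sanity check: the truststore must hold at least one trusted certificate entry. */
    public static boolean trustStoreHasTrustedCertificate(String path, char[] password) throws Exception {
        KeyStore ts = load("JKS", path, password);
        for (Enumeration<String> aliases = ts.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (ts.isCertificateEntry(alias) && ts.getCertificate(alias) instanceof X509Certificate) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths and passwords from the page; replace with the deployment's values.
        String trustStore = "clienttruststore.jks";
        char[] trustPass = "truststorePassword".toCharArray();
        String keyStore = args.length > 0 ? "clientkeystore.p12" : null; // any argument = two-way
        char[] keyPass = "keystorePassword".toCharArray();

        if (!trustStoreHasTrustedCertificate(trustStore, trustPass)) {
            throw new IllegalStateException("truststore contains no trusted certificate: MongoDB cannot be validated");
        }
        SSLContext ctx = buildContext(trustStore, trustPass, keyStore, keyPass);
        SSLParameters strict = parameters(ctx, false);
        System.out.println("mode: " + (keyStore == null ? "one-way" : "two-way")
                + ", hostname verification: " + ("HTTPS".equals(strict.getEndpointIdentificationAlgorithm())));
    }
}
```

Run with no arguments for the one-way setup and with any argument for two-way. Keeping `insecure` at its default (hostname verification on) is the posture to aim for; setting it to true should be a short-lived workaround for a MongoDB certificate whose SAN does not yet match the host name, since a valid certificate issued for a different host would otherwise be accepted.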