Ensure TLS or SSL protects all network communications

Details

Use TLS or SSL to protect all incoming and outgoing connections. This should include using TLS or SSL to encrypt communication between mongod and mongos components of a MongoDB client as well as between all applications and MongoDB.

Most MongoDB distributions include support for SSL or TLS.

Rationale:

This prevents an attacker from sniffing cleartext traffic between MongoDB components or performing a man-in-the-middle attack against MongoDB.

Solution

Configure MongoDB servers to require the use of SSL or TLS to encrypt all MongoDB network communications.
To implement SSL or TLS to encrypt all MongoDB network communication, perform the following steps:

For mongod (Primary daemon process for the MongoDB system)
In the configuration file /etc/mongod.conf, set the PEMKeyFile option to the certificate file's path:

    net:
      ssl:
        mode: requireSSL
        PEMKeyFile: /etc/ssl/mongodb.pem
        CAFile: /etc/ssl/ca.pem

Then restart the MongoDB instance with:

    mongod --config /etc/mongod.conf

Or:

    mongod --sslMode requireSSL --sslPEMKeyFile /etc/ssl/mongodb.pem --sslCAFile /etc/ssl/ca.pem

Default Value:
Not configured
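
An audit check for the setting described above, added here as an example (it is not part of the benchmark text): it reads a block-style YAML mongod.conf and passes only when mode is requireSSL and PEMKeyFile is set, both nested under net.ssl. The function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit mongod.conf for the TLS settings (block-style YAML only).

# Print the value of net.ssl.<key>; prints nothing if it is absent or misplaced.
mongod_ssl_setting() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }                       # skip blank and comment lines
        {
            line = $0; sub(/^ +/, "", line)
            indent = length($0) - length(line)        # leading spaces = nesting depth
            sub(/[ \t]+#.*$/, "", line); sub(/[ \t]+$/, "", line)
            key = line; sub(/:.*/, "", key)
            val = line; sub(/^[^:]*:[ \t]*/, "", val); gsub(/"/, "", val)
            if (indent == 0) { in_net = (key == "net"); in_ssl = 0; next }
            if (in_net && key == "ssl" && val == "") { in_ssl = 1; ssl_indent = indent; next }
            if (in_ssl && indent <= ssl_indent) in_ssl = 0
            if (in_ssl && key == want) { print val; exit }
        }' "$1"
}

# Return 0 only if cleartext connections are refused and a certificate is set.
audit_mongod_tls() {
    mode=$(mongod_ssl_setting "$1" mode)
    pem=$(mongod_ssl_setting "$1" PEMKeyFile)
    if [ "$mode" != "requireSSL" ]; then
        echo "FAIL: net.ssl.mode is '${mode:-unset}', expected requireSSL"
        return 1
    fi
    if [ -z "$pem" ]; then
        echo "FAIL: net.ssl.PEMKeyFile is not set"
        return 1
    fi
    echo "PASS: net.ssl.mode=requireSSL, PEMKeyFile=$pem"
}

# Constructed sample input: preferSSL still accepts non-TLS clients, so the audit fails.
sample=$(mktemp)
cat > "$sample" <<'EOF'
net:
  port: 27017
  ssl:
    mode: preferSSL
    PEMKeyFile: /etc/ssl/mongodb.pem
EOF
audit_mongod_tls "$sample" || true
rm -f "$sample"
```

An ssl: block written at the top level of the file, rather than under net:, is reported as unset.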

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Unix.

Updated on July 16, 2022