Setting up TLS for the Mongo database
You can update the MongoDB connection with the Sametime server to encrypt data flowing between the Sametime server and a TLS-enabled MongoDB. This step is optional but is recommended for multi-Kubernetes-cluster deployments.
Ensure that the following conditions are met.
- You have a truststore. In Docker, you can have a single truststore for everything. Alternatively, you can create a truststore for every connection (LDAP, SAML, etc.). In Kubernetes, however, you must create a separate truststore for each connection. For more information, refer to Creating a truststore with a third-party certificate.
- You have a valid TLS certificate. See Creating a truststore with a third-party certificate for the details.
- You have a TLS-enabled MongoDB server. For details, refer to the topic Configure mongod and mongos for TLS/SSL in the MongoDB documentation.
You enable the TLS connection to your MongoDB instance by adding TLS options to the MongoDB connection URL.
During Sametime Meeting installation, the chatlogging.ini file is created to contain MongoDB server connection information. The connection configuration information within the chatlogging.ini file must be modified to include parameters necessary to establish a secure connection.
The Sametime administrator can specify a custom connection URL to the MongoDB server through the CL_MONGO_URL configuration parameter, whose value is a MongoDB connection URL that includes the settings the Sametime server needs to establish a secure connection. Once CL_MONGO_URL is present in the chatlogging.ini file, the settings in the URL string override the defaults chosen during installation.
If a self-signed certificate is being used, the certificate must be added to the Sametime certificate store. With the connection URL described below, that store is the file named by tlsCAFile, because the MongoDB driver consults only that file when tlsCAFile is set.
- Open the chatlogging.ini file, which is in the HCL Notes data directory.
- Update or add the CL_MONGO_URL configuration parameter.
This parameter overrides the connection settings specified during installation. If the settings were changed after installation, the parameter already exists in the file; if not, add it.
CL_MONGO_URL=mongodb://user:password@hostname_tcpip:port/tls_information
where:
hostname_tcpip : The hostname or TCPIP address of the MongoDB server.
port : The port to be used for communication.
tls_information : The database name and the options that select a TLS connection to MongoDB. Copy and paste the following into the CL_MONGO_URL parameter.
```
/admin?retryWrites=true&w=majority&tls=true&tlsCAFile=/local/notesdata/cacerts.pem
```
For example:
CL_MONGO_URL=mongodb://user:password@192.168.150.1:27017/admin?retryWrites=true&w=majority&tls=true&tlsCAFile=/local/notesdata/cacerts.pem
Here tls=true turns on TLS and tlsCAFile names the CA bundle; retryWrites and w are write-concern settings, not TLS settings. The older option name ssl=true is accepted by the MongoDB driver as an alias of tls=true, but use tls=true so the file matches the template above.
NOTE: Pay attention to the path and name of the cacerts.pem file in the connection string. That is the file the MongoDB driver uses to verify the server certificate for the TLS connection, and it must contain the certificates for the entire certificate chain. When tlsCAFile is specified in this way, the OS default trust store is not used, so a missing intermediate or root certificate in this file causes the connection to fail.
- Save the file and restart the Sametime server to apply the changes.
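As an added example (not HCL Sametime or MongoDB driver code), the following Python builds a CL_MONGO_URL value with the options above, checks a value for the mistakes this procedure invites (the deprecated ssl= alias instead of tls=, a missing tls=true or tlsCAFile, a relative CA path, credentials that would break URL parsing), and replaces or appends the line in chatlogging.ini without duplicating it. The credentials, host and INI contents are constructed for illustration; the CA file path is the one used in this topic.

```python
"""Build, validate and install CL_MONGO_URL for chatlogging.ini.

Added example, not HCL Sametime or MongoDB driver code. Credentials, host
and INI contents are constructed; the CA path matches this topic.
"""
import re
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Options the topic's template carries besides the CA file.
TLS_OPTIONS = {"retryWrites": "true", "w": "majority", "tls": "true"}


def build_mongo_url(user, password, host, port, ca_file, db="admin"):
    """Return a mongodb:// URL carrying the TLS options this topic requires.

    User and password are percent-encoded: a password containing '@', ':'
    or '/' would otherwise be parsed as part of the host or path.
    """
    opts = dict(TLS_OPTIONS, tlsCAFile=ca_file)
    query = urlencode(opts, safe="/")  # keep '/' readable in the CA path
    cred = f"{quote(user, safe='')}:{quote(password, safe='')}"
    return f"mongodb://{cred}@{host}:{port}/{db}?{query}"


def validate_mongo_url(url):
    """Return a list of problems with a CL_MONGO_URL value (empty = OK)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "mongodb":
        problems.append(f"unexpected scheme {parts.scheme!r}")
    if not parts.hostname:
        problems.append("no MongoDB host in URL")
    if not parts.username or not parts.password:
        problems.append("credentials missing from URL")
    opts = {k: v[-1] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    if "ssl" in opts:
        # 'ssl' is the deprecated alias of 'tls'; keep the file on 'tls'.
        problems.append("option 'ssl' used; use 'tls=true' instead")
    if opts.get("tls", opts.get("ssl")) != "true":
        problems.append("tls=true is missing, connection would be plaintext")
    ca_file = opts.get("tlsCAFile", "")
    if not ca_file:
        problems.append("tlsCAFile is missing, no explicit CA bundle for the driver")
    elif not ca_file.startswith("/"):
        problems.append("tlsCAFile should be an absolute path on the Sametime server")
    return problems


def set_ini_key(ini_text, key, value):
    """Replace an existing KEY=... line or append one; returns the new text."""
    pattern = re.compile(rf"^{re.escape(key)}=.*$", re.MULTILINE)
    line = f"{key}={value}"
    if pattern.search(ini_text):
        # A callable replacement avoids backslash handling in the URL.
        return pattern.sub(lambda _m: line, ini_text, count=1)
    sep = "" if not ini_text or ini_text.endswith("\n") else "\n"
    return f"{ini_text}{sep}{line}\n"


# Constructed sample values (not real credentials or hosts).
SAMPLE_URL = build_mongo_url("chatlog", "s3cr3t@pass", "192.168.150.1", 27017,
                             "/local/notesdata/cacerts.pem")
LEGACY_URL = ("mongodb://user:password@192.168.150.1:27017/admin"
              "?retryWrites=true&w=majority&ssl=true"
              "&tlsCAFile=/local/notesdata/cacerts.pem")
PLAINTEXT_URL = ("mongodb://user:password@192.168.150.1:27017/admin"
                 "?retryWrites=true&w=majority")

if __name__ == "__main__":
    for url in (SAMPLE_URL, LEGACY_URL, PLAINTEXT_URL):
        print(url, "->", validate_mongo_url(url) or "OK")
    ini = "CL_MONGO_URL=mongodb://user:password@192.168.150.1:27017/admin\n"
    print(set_ini_key(ini, "CL_MONGO_URL", SAMPLE_URL), end="")
```

The validator only checks the URL text; it does not prove that cacerts.pem holds the complete chain. Check that separately on the Sametime server with `openssl verify -CAfile /local/notesdata/cacerts.pem server.crt` against the MongoDB server certificate, or with `openssl s_client -connect 192.168.150.1:27017 -CAfile /local/notesdata/cacerts.pem` and confirm the verify return code is 0 before restarting the server.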
Then continue with Enable TLS for the Mongo database on Kubernetes, or Enable TLS for the Mongo database on Docker or Podman, depending on your deployment.
Parent Topic: Securing