
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-279411

CAT II (Medium)

MongoDB must include only approved trust anchors in trust stores or certificate stores managed by the organization.

Rule ID

SV-279411r1179400_rule

STIG

MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-004909

Discussion

Public key infrastructure (PKI) certificates are certificates with visibility external to organizational systems and certificates related to the internal operations of systems, such as application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of trusted root certificates.

Check Content

Check the MongoDB configuration file (default location /etc/mongod.conf) for a key named "net.tls.CAFile".

Example shown below:

net:
   tls:
      mode: requireTLS
      certificateKeyFile: /etc/ssl/mongodb.pem
      CAFile: /etc/ssl/caToValidateClientCertificates.pem
      ocsp:
        enabled: true
        responderURL: <your organization's OCSP responder URL>

If this key is not found, this is a finding.

Fix Text

Edit the MongoDB configuration file (default location /etc/mongod.conf) and add a key named "net.tls.CAFile" whose value is the path of the PEM file containing the organization's approved CA certificates (the trust anchors used to validate client certificates).

Example shown below:

net:
   tls:
      mode: requireTLS
      certificateKeyFile: /etc/ssl/mongodb.pem
      CAFile: /etc/ssl/caToValidateClientCertificates.pem
      ocsp:
        enabled: true
        responderURL: <your organization's OCSP responder URL>
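The following Python script is an added example that is not part of the STIG text, STIGhub, or MongoDB's own tooling. It implements the Check Content above (look up net.tls.CAFile in mongod.conf and report a finding when it is absent) and the Fix Text (insert the key under net.tls). It assumes mongod.conf uses only nested key/value mappings, which is what the STIG example shows, so a small indentation-based parser stands in for a YAML library; the two sample configurations, the CA path and the OCSP responder URL are constructed for the demonstration.

```python
"""Audit a mongod.conf for net.tls.CAFile (STIG V-279411) and apply the fix.
Example code, not from the STIG or MongoDB; mapping-only YAML subset assumed."""
import sys
from typing import Any, Dict, List, Optional

Mapping = Dict[str, Any]
KEY = "net.tls.CAFile"  # the key the STIG check looks for


def parse_simple_yaml(text: str) -> Mapping:
    """Parse nested key/value mappings by indentation; '#' comments and blank
    lines are skipped. Lists, flow syntax and multi-line scalars are unsupported."""
    root: Mapping = {}
    stack = [(-1, root)]  # (indent of the key that opened the mapping, mapping)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # assumes no '#' inside values
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep:
            raise ValueError(f"unsupported line: {raw!r}")
        while indent <= stack[-1][0]:  # close mappings this line is not inside
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value == "":  # "key:" alone opens a nested mapping
            child: Mapping = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value.strip("'\"")
    return root


def lookup(config: Mapping, dotted: str) -> Optional[Any]:
    """Return the value at a dotted path such as net.tls.CAFile, or None."""
    node: Any = config
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def check_trust_anchor(config_text: str) -> Dict[str, Any]:
    """STIG check: a missing net.tls.CAFile is a finding."""
    cfg = parse_simple_yaml(config_text)
    ca_file = lookup(cfg, KEY)
    return {"finding": ca_file is None, "CAFile": ca_file,
            "mode": lookup(cfg, "net.tls.mode")}


def dump_simple_yaml(mapping: Mapping, indent: int = 0) -> List[str]:
    """Serialise a nested mapping back to YAML lines (2-space indentation)."""
    lines: List[str] = []
    pad = " " * indent
    for key, value in mapping.items():
        if isinstance(value, dict):
            lines.append(f"{pad}{key}:")
            lines.extend(dump_simple_yaml(value, indent + 2))
        else:
            lines.append(f"{pad}{key}: {value}")
    return lines


def apply_fix(config_text: str, ca_path: str) -> str:
    """STIG fix: set net.tls.CAFile to ca_path. Comments are not preserved."""
    cfg = parse_simple_yaml(config_text)
    tls = cfg.setdefault("net", {}).setdefault("tls", {})
    tls["CAFile"] = ca_path
    return "\n".join(dump_simple_yaml(cfg)) + "\n"


# Constructed sample: TLS required, but no trust store configured -> finding.
NONCOMPLIANT_CONF = """\
net:
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
storage:
  dbPath: /var/lib/mongo
"""

# Constructed sample modelled on the STIG example; the OCSP URL is a placeholder.
COMPLIANT_CONF = """\
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/caToValidateClientCertificates.pem
    ocsp:
      enabled: true
      responderURL: http://ocsp.example.invalid/
"""


def main(argv: List[str]) -> int:
    """Usage: audit_cafile.py [/etc/mongod.conf]; exits 1 on a finding."""
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else NONCOMPLIANT_CONF
    result = check_trust_anchor(text)
    print(("FINDING" if result["finding"] else "OK") + f": {KEY} = {result['CAFile']!r}")
    if result["finding"]:
        print(apply_fix(text, "/etc/ssl/caToValidateClientCertificates.pem"))
    return 1 if result["finding"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments to see the constructed non-compliant file flagged and the remediated configuration printed; pass a path to audit a real mongod.conf. The round trip through apply_fix drops comments, so on a production host treat its output as the edit to make rather than overwriting the file blindly.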