Mongodb x.509 'No verified subject name available from client'


Problem description

I have the following problem:

I run mongod with the following config file

# mongod.conf

# for documentation of all options, see:
#   http://docs.mongodb.org/manual/reference/configuration-options/

# Where and how to store data.
storage:
  dbPath: /var/lib/mongodb
  journal:
    enabled: true
#  engine:
#  mmapv1:
#  wiredTiger:

# where to write logging data.
systemLog:
#  destination: file
#  path: /var/log/mongodb/mongod.log
  logAppend: true


# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1

  ssl:
    mode: requireSSL
    PEMKeyFile: /home/hikmat/mongodbssl/s2/conf/server2.pem
    CAFile: /home/hikmat/mongodbssl/s2/conf/mongo-CA-cert.crt
    clusterFile: /home/hikmat/mongodbssl/s2/conf/server2.pem

# how the process runs
processManagement:
  timeZoneInfo: /usr/share/zoneinfo

#security:
security:
  clusterAuthMode: x509

#operationProfiling:

#replication:

#sharding:

## Enterprise-Only Options:

#auditLog:

#snmp:

and I run using this command:

sudo mongod --config /etc/mongod.conf --sslAllowConnectionsWithoutCertificates

and in Java code I write this code:

import com.mongodb.MongoClient;
import com.mongodb.MongoClientOptions;
import com.mongodb.MongoCredential;

String user = "emailAddress=xxxx@xxxxx.xxx,CN=xxxx,OU=xxxxxx,O=xxxxxx,L=xxxx,ST=xxxx,C=XX";
MongoCredential credential = MongoCredential.createMongoX509Credential(user);
// sslEnabled(true) only turns on TLS; no client certificate/key is configured for the handshake
MongoClientOptions options = MongoClientOptions.builder().sslEnabled(true).build();
MongoClient m = new MongoClient("mongodbserver", credential, options);

and in MongoDB I added the user to $external as follows:

db.getSiblingDB("$external").runCommand({
    createUser: "emailAddress=xxxx@xxxxx.xxx,CN=xxxx,OU=xxxxxx,O=xxxxxx,L=xxxx,ST=xxxx,C=XX",
    roles: [
        { role: "userAdminAnyDatabase", db: "admin" },
        { role: "dbAdminAnyDatabase", db: "admin" },
        { role: "readWriteAnyDatabase", db: "admin" },
        { role: "clusterAdmin", db: "admin" }
    ]
});

db.getSiblingDB("$external").auth({
    mechanism: "MONGODB-X509",
    user: "emailAddress=xxxx@xxxxx.xxx,CN=xxxx,OU=xxxxxx,O=xxxxxx,L=xxxx,ST=xxxx,C=XX"
});

Now the authentication works fine with the mongo client, and I can show all DBs and run all queries:

mongo --ssl --sslPEMKeyFile hkshreimuser.pem --sslCAFile mongo-CA-cert.crt --host mongodbserver

But I get an exception if I run with Java code; the exception occurs when I start to run queries. Exception:

Caused by: com.mongodb.MongoCommandException: Command failed with error 18 (AuthenticationFailed): 'No verified subject name available from client' on server mongodbserver:27017. The full response is { "ok" : 0.0, "errmsg" : "No verified subject name available from client", "code" : 18, "codeName" : "AuthenticationFailed" }

MongoDB logs:

hikmat@hikmat-N501VW:~/mongodbssl/s2$ sudo mongod --config /etc/mongod.conf --sslAllowConnectionsWithoutCertificates
2018-12-23T12:52:37.847+0200 I CONTROL  [main] Automatically disabling TLS 1.0, to force-enable TLS 1.0 specify --sslDisabledProtocols 'none'
2018-12-23T12:52:37.870+0200 I CONTROL  [initandlisten] MongoDB starting : pid=9248 port=27017 dbpath=/var/lib/mongodb 64-bit host=hikmat-N501VW
2018-12-23T12:52:37.870+0200 I CONTROL  [initandlisten] db version v4.0.2
2018-12-23T12:52:37.870+0200 I CONTROL  [initandlisten] git version: fc1573ba18aee42f97a3bb13b67af7d837826b47
2018-12-23T12:52:37.870+0200 I CONTROL  [initandlisten] OpenSSL version: OpenSSL 1.0.2g  1 Mar 2016
2018-12-23T12:52:37.870+0200 I CONTROL  [initandlisten] allocator: tcmalloc
2018-12-23T12:52:37.870+0200 I CONTROL  [initandlisten] modules: none
2018-12-23T12:52:37.870+0200 I CONTROL  [initandlisten] build environment:
2018-12-23T12:52:37.870+0200 I CONTROL  [initandlisten]     distmod: ubuntu1604
2018-12-23T12:52:37.870+0200 I CONTROL  [initandlisten]     distarch: x86_64
2018-12-23T12:52:37.870+0200 I CONTROL  [initandlisten]     target_arch: x86_64
2018-12-23T12:52:37.870+0200 I CONTROL  [initandlisten] options: { config: "/etc/mongod.conf", net: { bindIp: "127.0.0.1", port: 27017, ssl: { CAFile: "/home/hikmat/mongodbssl/s2/conf/mongo-CA-cert.crt", PEMKeyFile: "/home/hikmat/mongodbssl/s2/conf/server2.pem", allowConnectionsWithoutCertificates: true, clusterFile: "/home/hikmat/mongodbssl/s2/conf/server2.pem", mode: "requireSSL" } }, processManagement: { timeZoneInfo: "/usr/share/zoneinfo" }, security: { clusterAuthMode: "x509" }, storage: { dbPath: "/var/lib/mongodb", journal: { enabled: true } }, systemLog: { logAppend: true } }
2018-12-23T12:52:37.871+0200 I STORAGE  [initandlisten] Detected data files in /var/lib/mongodb created by the 'wiredTiger' storage engine, so setting the active storage engine to 'wiredTiger'.
2018-12-23T12:52:37.871+0200 I STORAGE  [initandlisten] 
2018-12-23T12:52:37.871+0200 I STORAGE  [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
2018-12-23T12:52:37.871+0200 I STORAGE  [initandlisten] **          See http://dochub.mongodb.org/core/prodnotes-filesystem
2018-12-23T12:52:37.871+0200 I STORAGE  [initandlisten] wiredtiger_open config: create,cache_size=7439M,session_max=20000,eviction=(threads_min=4,threads_max=4),config_base=false,statistics=(fast),log=(enabled=true,archive=true,path=journal,compressor=snappy),file_manager=(close_idle_time=100000),statistics_log=(wait=0),verbose=(recovery_progress),
2018-12-23T12:52:38.512+0200 I STORAGE  [initandlisten] WiredTiger message [1545562358:512480][9248:0x7f4ee92bda00], txn-recover: Main recovery loop: starting at 80/29440
2018-12-23T12:52:38.590+0200 I STORAGE  [initandlisten] WiredTiger message [1545562358:590416][9248:0x7f4ee92bda00], txn-recover: Recovering log 80 through 81
2018-12-23T12:52:38.644+0200 I STORAGE  [initandlisten] WiredTiger message [1545562358:644117][9248:0x7f4ee92bda00], txn-recover: Recovering log 81 through 81
2018-12-23T12:52:38.689+0200 I STORAGE  [initandlisten] WiredTiger message [1545562358:689716][9248:0x7f4ee92bda00], txn-recover: Set global recovery timestamp: 0
2018-12-23T12:52:38.729+0200 I RECOVERY [initandlisten] WiredTiger recoveryTimestamp. Ts: Timestamp(0, 0)
2018-12-23T12:52:38.907+0200 I CONTROL  [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2018-12-23T12:52:38.907+0200 I CONTROL  [initandlisten] 
2018-12-23T12:52:39.517+0200 I FTDC     [initandlisten] Initializing full-time diagnostic data capture with directory '/var/lib/mongodb/diagnostic.data'
2018-12-23T12:52:39.541+0200 I NETWORK  [initandlisten] waiting for connections on port 27017 ssl
2018-12-23T12:52:46.543+0200 I NETWORK  [listener] connection accepted from 127.0.0.1:56876 #1 (1 connection now open)
2018-12-23T12:52:46.565+0200 I NETWORK  [conn1] received client metadata from 127.0.0.1:56876 conn1: { application: { name: "MongoDB Shell" }, driver: { name: "MongoDB Internal Client", version: "4.0.2" }, os: { type: "Linux", name: "Ubuntu", architecture: "x86_64", version: "16.04" } }
2018-12-23T12:52:48.226+0200 I NETWORK  [listener] connection accepted from 127.0.0.1:56894 #2 (2 connections now open)
2018-12-23T12:52:48.234+0200 I NETWORK  [listener] connection accepted from 127.0.0.1:56896 #3 (3 connections now open)
2018-12-23T12:52:48.235+0200 W NETWORK  [conn2] no SSL certificate provided by peer
2018-12-23T12:52:48.236+0200 I NETWORK  [conn2] received client metadata from 127.0.0.1:56894 conn2: { driver: { name: "mongo-java-driver", version: "3.8.1" }, os: { type: "Linux", name: "Linux", architecture: "amd64", version: "4.15.0-42-generic" }, platform: "Java/Oracle Corporation/1.8.0_191-b12" }
2018-12-23T12:52:48.242+0200 W NETWORK  [conn3] no SSL certificate provided by peer
2018-12-23T12:52:48.243+0200 I NETWORK  [listener] connection accepted from 127.0.0.1:56898 #4 (4 connections now open)
2018-12-23T12:52:48.243+0200 I NETWORK  [listener] connection accepted from 127.0.0.1:56900 #5 (5 connections now open)
2018-12-23T12:52:48.244+0200 I NETWORK  [listener] connection accepted from 127.0.0.1:56902 #6 (6 connections now open)
2018-12-23T12:52:48.245+0200 I NETWORK  [conn3] received client metadata from 127.0.0.1:56896 conn3: { driver: { name: "mongo-java-driver", version: "3.8.1" }, os: { type: "Linux", name: "Linux", architecture: "amd64", version: "4.15.0-42-generic" }, platform: "Java/Oracle Corporation/1.8.0_191-b12" }
2018-12-23T12:52:48.248+0200 W NETWORK  [conn5] no SSL certificate provided by peer
2018-12-23T12:52:48.248+0200 I NETWORK  [conn5] received client metadata from 127.0.0.1:56900 conn5: { driver: { name: "mongo-java-driver", version: "3.8.1" }, os: { type: "Linux", name: "Linux", architecture: "amd64", version: "4.15.0-42-generic" }, platform: "Java/Oracle Corporation/1.8.0_191-b12" }
2018-12-23T12:52:48.248+0200 W NETWORK  [conn4] no SSL certificate provided by peer
2018-12-23T12:52:48.248+0200 W NETWORK  [conn6] no SSL certificate provided by peer
2018-12-23T12:52:48.248+0200 I NETWORK  [conn4] received client metadata from 127.0.0.1:56898 conn4: { driver: { name: "mongo-java-driver", version: "3.8.1" }, os: { type: "Linux", name: "Linux", architecture: "amd64", version: "4.15.0-42-generic" }, platform: "Java/Oracle Corporation/1.8.0_191-b12" }
2018-12-23T12:52:48.248+0200 I NETWORK  [conn6] received client metadata from 127.0.0.1:56902 conn6: { driver: { name: "mongo-java-driver", version: "3.8.1" }, os: { type: "Linux", name: "Linux", architecture: "amd64", version: "4.15.0-42-generic" }, platform: "Java/Oracle Corporation/1.8.0_191-b12" }
2018-12-23T12:52:49.615+0200 I ACCESS   [conn1]  authenticate db: $external { authenticate: 1, mechanism: "MONGODB-X509", user: "emailAddress=xxxx@xxxxx.xxx,CN=xxxx,OU=xxxxxx,O=xxxxxx,L=xxxx,ST=xxxx,C=XX", $db: "$external" }
2018-12-23T12:53:01.951+0200 I NETWORK  [conn5] end connection 127.0.0.1:56900 (3 connections now open)
2018-12-23T12:53:01.951+0200 I NETWORK  [conn4] end connection 127.0.0.1:56898 (5 connections now open)
2018-12-23T12:53:01.951+0200 I NETWORK  [conn6] end connection 127.0.0.1:56902 (1 connection now open)
2018-12-23T12:53:01.951+0200 I NETWORK  [conn3] end connection 127.0.0.1:56896 (2 connections now open)
2018-12-23T12:53:01.951+0200 I NETWORK  [conn2] end connection 127.0.0.1:56894 (4 connections now open)
2018-12-23T12:53:56.018+0200 I NETWORK  [listener] connection accepted from 127.0.0.1:57466 #7 (2 connections now open)
2018-12-23T12:53:56.060+0200 I NETWORK  [listener] connection accepted from 127.0.0.1:57468 #8 (3 connections now open)
2018-12-23T12:53:56.061+0200 I NETWORK  [listener] connection accepted from 127.0.0.1:57470 #9 (4 connections now open)
2018-12-23T12:53:56.082+0200 I NETWORK  [listener] connection accepted from 127.0.0.1:57474 #10 (5 connections now open)
2018-12-23T12:53:56.114+0200 I NETWORK  [listener] connection accepted from 127.0.0.1:57476 #11 (6 connections now open)
2018-12-23T12:53:56.117+0200 W NETWORK  [conn9] no SSL certificate provided by peer
2018-12-23T12:53:56.118+0200 W NETWORK  [conn8] no SSL certificate provided by peer
2018-12-23T12:53:56.119+0200 W NETWORK  [conn10] no SSL certificate provided by peer
2018-12-23T12:53:56.122+0200 I NETWORK  [conn8] received client metadata from 127.0.0.1:57468 conn8: { driver: { name: "mongo-java-driver", version: "3.8.1" }, os: { type: "Linux", name: "Linux", architecture: "amd64", version: "4.15.0-42-generic" }, platform: "Java/Oracle Corporation/1.8.0_191-b12" }
2018-12-23T12:53:56.122+0200 W NETWORK  [conn7] no SSL certificate provided by peer
2018-12-23T12:53:56.123+0200 I NETWORK  [conn7] received client metadata from 127.0.0.1:57466 conn7: { driver: { name: "mongo-java-driver", version: "3.8.1" }, os: { type: "Linux", name: "Linux", architecture: "amd64", version: "4.15.0-42-generic" }, platform: "Java/Oracle Corporation/1.8.0_191-b12" }
2018-12-23T12:53:56.123+0200 I NETWORK  [conn10] received client metadata from 127.0.0.1:57474 conn10: { driver: { name: "mongo-java-driver", version: "3.8.1" }, os: { type: "Linux", name: "Linux", architecture: "amd64", version: "4.15.0-42-generic" }, platform: "Java/Oracle Corporation/1.8.0_191-b12" }
2018-12-23T12:53:56.126+0200 I NETWORK  [conn9] received client metadata from 127.0.0.1:57470 conn9: { driver: { name: "mongo-java-driver", version: "3.8.1" }, os: { type: "Linux", name: "Linux", architecture: "amd64", version: "4.15.0-42-generic" }, platform: "Java/Oracle Corporation/1.8.0_191-b12" }
2018-12-23T12:53:56.129+0200 W NETWORK  [conn11] no SSL certificate provided by peer
2018-12-23T12:53:56.130+0200 I NETWORK  [conn11] received client metadata from 127.0.0.1:57476 conn11: { driver: { name: "mongo-java-driver", version: "3.8.1" }, os: { type: "Linux", name: "Linux", architecture: "amd64", version: "4.15.0-42-generic" }, platform: "Java/Oracle Corporation/1.8.0_191-b12" }
2018-12-23T12:54:19.547+0200 I NETWORK  [listener] connection accepted from 127.0.0.1:57776 #12 (7 connections now open)
2018-12-23T12:54:19.550+0200 W NETWORK  [conn12] no SSL certificate provided by peer
2018-12-23T12:54:19.550+0200 I NETWORK  [conn12] received client metadata from 127.0.0.1:57776 conn12: { driver: { name: "mongo-java-driver", version: "3.8.1" }, os: { type: "Linux", name: "Linux", architecture: "amd64", version: "4.15.0-42-generic" }, platform: "Java/Oracle Corporation/1.8.0_191-b12" }
2018-12-23T12:54:19.553+0200 I ACCESS   [conn12]  authenticate db: $external { authenticate: 1, user: "emailAddress=xxxx@xxxxx.xxx,CN=xxxx,OU=xxxxxx,O=xxxxxx,L=xxxx,ST=xxxx,C=XX", mechanism: "MONGODB-X509", $db: "$external" }
2018-12-23T12:54:19.574+0200 I NETWORK  [conn12] end connection 127.0.0.1:57776 (6 connections now open)

Can anyone help me?
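A way to read the log above that pinpoints the mismatch, added here as an example and not part of the question or the answer: the script below (Python, assumed tooling rather than any MongoDB utility) groups mongod log lines by connection id and flags every connection that attempted MONGODB-X509 authentication after mongod had already logged "no SSL certificate provided by peer" for it. The embedded sample log is constructed from lines excerpted from the question's own output: the shell connection conn1 presented a certificate and authenticated, while conn12 (mongo-java-driver 3.8.1) presented none, which is exactly the state in which mongod has no subject name to bind the user to.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines excerpted from the mongod log posted in the question.
SAMPLE_LOG = """\
2018-12-23T12:52:46.543+0200 I NETWORK  [listener] connection accepted from 127.0.0.1:56876 #1 (1 connection now open)
2018-12-23T12:52:46.565+0200 I NETWORK  [conn1] received client metadata from 127.0.0.1:56876 conn1: { application: { name: "MongoDB Shell" }, driver: { name: "MongoDB Internal Client", version: "4.0.2" }, os: { type: "Linux" } }
2018-12-23T12:52:48.226+0200 I NETWORK  [listener] connection accepted from 127.0.0.1:56894 #2 (2 connections now open)
2018-12-23T12:52:48.235+0200 W NETWORK  [conn2] no SSL certificate provided by peer
2018-12-23T12:52:48.236+0200 I NETWORK  [conn2] received client metadata from 127.0.0.1:56894 conn2: { driver: { name: "mongo-java-driver", version: "3.8.1" }, os: { type: "Linux" } }
2018-12-23T12:52:49.615+0200 I ACCESS   [conn1]  authenticate db: $external { authenticate: 1, mechanism: "MONGODB-X509", user: "emailAddress=xxxx@xxxxx.xxx,CN=xxxx,OU=xxxxxx,O=xxxxxx,L=xxxx,ST=xxxx,C=XX", $db: "$external" }
2018-12-23T12:54:19.547+0200 I NETWORK  [listener] connection accepted from 127.0.0.1:57776 #12 (7 connections now open)
2018-12-23T12:54:19.550+0200 W NETWORK  [conn12] no SSL certificate provided by peer
2018-12-23T12:54:19.550+0200 I NETWORK  [conn12] received client metadata from 127.0.0.1:57776 conn12: { driver: { name: "mongo-java-driver", version: "3.8.1" }, os: { type: "Linux" } }
2018-12-23T12:54:19.553+0200 I ACCESS   [conn12]  authenticate db: $external { authenticate: 1, user: "emailAddress=xxxx@xxxxx.xxx,CN=xxxx,OU=xxxxxx,O=xxxxxx,L=xxxx,ST=xxxx,C=XX", mechanism: "MONGODB-X509", $db: "$external" }
"""

# mongod 4.0 text log: "<timestamp> <severity> <component> [<context>] <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<sev>[IWEF]) (?P<comp>\S+)\s+\[(?P<ctx>\w+)\]\s+(?P<msg>.*)$")
ACCEPT_RE = re.compile(r"connection accepted from (?P<peer>\S+) #(?P<n>\d+)")
DRIVER_RE = re.compile(r'driver: \{ name: "(?P<name>[^"]+)", version: "(?P<ver>[^"]+)"')
X509_AUTH_RE = re.compile(r'authenticate db: \$external .*mechanism: "MONGODB-X509"')
NO_CERT_MSG = "no SSL certificate provided by peer"


@dataclass
class Conn:
    peer: str = "?"
    driver: str = "?"
    # mongod only logs the warning when the peer sent no certificate (allowed here by
    # --sslAllowConnectionsWithoutCertificates), so absence of the warning means one was sent.
    presented_cert: bool = True
    x509_auth_attempted: bool = False


def triage(log_text):
    """Group the log by connection id and record what each connection did."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ctx, msg = m.group("ctx"), m.group("msg")
        if ctx == "listener":
            a = ACCEPT_RE.search(msg)
            if a:
                conns.setdefault("conn" + a.group("n"), Conn()).peer = a.group("peer")
            continue
        c = conns.setdefault(ctx, Conn())
        if NO_CERT_MSG in msg:
            c.presented_cert = False
        d = DRIVER_RE.search(msg)
        if d:
            c.driver = f'{d.group("name")}/{d.group("ver")}'
        if X509_AUTH_RE.search(msg):
            c.x509_auth_attempted = True
    return conns


def doomed_x509_attempts(log_text):
    """Connection ids that tried MONGODB-X509 although no client certificate was presented."""
    return sorted(cid for cid, c in triage(log_text).items()
                  if c.x509_auth_attempted and not c.presented_cert)


def summarize(log_text):
    """One line per connection; the ones in doomed_x509_attempts() explain error 18."""
    out = []
    for cid, c in sorted(triage(log_text).items()):
        state = "cert" if c.presented_cert else "NO CERT"
        auth = "x509 auth attempted" if c.x509_auth_attempted else "no x509 auth"
        out.append(f"{cid} {c.peer} {c.driver}: {state}, {auth}")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
    print("will fail with 'No verified subject name':", doomed_x509_attempts(SAMPLE_LOG))
```

Run against a real log with `triage(open("/var/log/mongodb/mongod.log").read())`; pooled driver connections that never authenticate (conn2 above) show up as "NO CERT" but are not flagged, since the failure only matters on the connection that runs the authenticate command.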

Recommended answer

I found how I have to solve the issue.

To be sure, I registered the mongo certificate in Java security as shown here:

sudo keytool -import -alias ca1 -file mongo-CA-cert.crt -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit

I did the following:

1) Convert the PEM file to PKCS12

openssl pkcs12 -export -out hikmatuser.pfx -inkey hkshreimuser.key -in hkshreimuser.crt -certfile mongo-CA-cert.crt

2) I wrote the following Java code for testing, and it works fine:

import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

import com.mongodb.MongoClient;
import com.mongodb.MongoClientOptions;
import com.mongodb.MongoCredential;
import com.mongodb.ServerAddress;

public class MongoX509Client {

    private SSLContext getSSLContext(String filePath) {

        String password = "123456";
        String jvm_certs_path = "/usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts";
        String jvm_certs_password = "changeit";

        try (FileInputStream clientIn = new FileInputStream(filePath);
             FileInputStream trustIn = new FileInputStream(jvm_certs_path)) {

            // Key store: the client certificate and private key from the PKCS12 built in step 1.
            // This is what the TLS handshake presents, so mongod gets a verified subject name.
            KeyStore clientStore = KeyStore.getInstance("PKCS12");
            clientStore.load(clientIn, password.toCharArray());

            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(clientStore, password.toCharArray());
            KeyManager[] kms = kmf.getKeyManagers();

            // Trust store: the JVM cacerts into which mongo-CA-cert.crt was imported with keytool,
            // so the server certificate signed by that CA is accepted.
            KeyStore trustStore = KeyStore.getInstance("JKS");
            trustStore.load(trustIn, jvm_certs_password.toCharArray());

            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(trustStore);
            TrustManager[] tms = tmf.getTrustManagers();

            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(kms, tms, new SecureRandom());

            return sslContext;

        } catch (Exception e) {
            e.printStackTrace();
        }

        return null;
    }

    public MongoClient getMongoClient() {

        String filePath2 = "/home/hikmat/mongodbssl/s2/hikmatuser.pfx";
        String user = "emailAddress=xxxx@xxxxx.xxx,CN=xxxx,OU=xxxxxx,O=xxxxxx,L=xxxx,ST=xxxx,C=XX";

        SSLContext sslContext = getSSLContext(filePath2);

        MongoCredential credential = MongoCredential.createMongoX509Credential(user);
        MongoClientOptions options = MongoClientOptions.builder().sslEnabled(true).sslContext(sslContext).build();

        // mongodbserver should be the same name "CN" that you use when you create server cert file
        MongoClient mongoClient = new MongoClient(new ServerAddress("mongodbserver", 27017), credential, options);

        return mongoClient;

    } // end of method
}
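Two checks worth running before touching the driver code, added as an example and not part of the answer above (Python with no MongoDB dependency; the subject strings it embeds are constructed from the question's redacted DN plus a hypothetical cluster member certificate): the user name created in $external must equal the client certificate's subject in RFC 2253 form, which is the reverse of the `/C=XX/ST=...` one-line form that OpenSSL 1.0.x prints for `-subject`, with commas and other specials escaped; and MongoDB documents that a client certificate must differ from the cluster member certificate in at least one of O, OU or DC, otherwise it is not treated as an ordinary client.

```python
import re

# Constructed from the question: the user registered in $external, and the same subject
# as OpenSSL 1.0.x prints it in its legacy one-line form ("subject= /C=XX/...").
PAGE_USER = "emailAddress=xxxx@xxxxx.xxx,CN=xxxx,OU=xxxxxx,O=xxxxxx,L=xxxx,ST=xxxx,C=XX"
LEGACY_SUBJECT = "subject= /C=XX/ST=xxxx/L=xxxx/O=xxxxxx/OU=xxxxxx/CN=xxxx/emailAddress=xxxx@xxxxx.xxx"
# Hypothetical member (server) certificate subjects, one that differs in OU and one that does not.
MEMBER_OK = "/C=XX/ST=xxxx/L=xxxx/O=xxxxxx/OU=servers/CN=mongodbserver"
MEMBER_CLASH = "/C=XX/ST=xxxx/L=xxxx/O=xxxxxx/OU=xxxxxx/CN=mongodbserver"

_ONELINE_SPLIT = re.compile(r"(?<!\\)/")      # '/' that is not escaped as '\/'
_RFC2253_SPLIT = re.compile(r"(?<!\\),")      # ',' that is not escaped as '\,'
_RFC2253_SPECIAL = re.compile(r'([,+"\\<>;])')


def parse_openssl_oneline(subject):
    """'/C=XX/ST=..' -> [('C','XX'), ('ST','..'), ...], root first as OpenSSL prints it."""
    if not subject.startswith("/"):
        raise ValueError("expected legacy OpenSSL one-line subject starting with '/'")
    rdns = []
    for part in _ONELINE_SPLIT.split(subject[1:]):
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr, value.replace("\\/", "/")))
    return rdns


def parse_rfc2253(subject):
    """'CN=a,O=b\\, c,C=XX' -> [('CN','a'), ('O','b, c'), ('C','XX')], most specific first."""
    rdns = []
    for part in _RFC2253_SPLIT.split(subject):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip(), re.sub(r"\\(.)", r"\1", value)))
    return rdns


def rdns_of(subject_line):
    """Accept either OpenSSL form (with or without 'subject=') and return RDNs, most specific first."""
    s = subject_line.strip()
    if s.startswith("subject="):
        s = s[len("subject="):].strip()
    if s.startswith("/"):
        return list(reversed(parse_openssl_oneline(s)))
    return parse_rfc2253(s)


def to_rfc2253(rdns):
    """Render RDNs (most specific first) as RFC 2253: comma-separated, specials escaped."""
    def esc(v):
        v = _RFC2253_SPECIAL.sub(r"\\\1", v)
        if v.startswith(("#", " ")):
            v = "\\" + v
        if v.endswith(" "):
            v = v[:-1] + "\\ "
        return v
    return ",".join(f"{a}={esc(v)}" for a, v in rdns)


def subject_to_rfc2253(subject_line):
    return to_rfc2253(rdns_of(subject_line))


def mongo_x509_user_matches(configured_user, subject_line):
    """True when the $external user name is exactly the certificate subject in RFC 2253 form."""
    return configured_user == subject_to_rfc2253(subject_line)


def collides_with_member_cert(client_subject_line, member_subject_line):
    """True when O, OU and DC are all identical, i.e. the client cert would pass as a cluster member."""
    def attrs(line, name):
        return tuple(v for a, v in rdns_of(line) if a == name)
    return all(attrs(client_subject_line, n) == attrs(member_subject_line, n) for n in ("O", "OU", "DC"))


if __name__ == "__main__":
    print(subject_to_rfc2253(LEGACY_SUBJECT))
    print("user matches cert:", mongo_x509_user_matches(PAGE_USER, LEGACY_SUBJECT))
    print("clashes with member cert:", collides_with_member_cert(LEGACY_SUBJECT, MEMBER_CLASH))
```

With OpenSSL 1.1 and later the legacy slash form is gone; `openssl x509 -in hkshreimuser.crt -noout -subject -nameopt RFC2253` prints the RFC 2253 form directly and `rdns_of` accepts that output unchanged, so the comparison against the createUser string can be scripted the same way on either version.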
