1
00:00:02,360 --> 00:00:08,690
So we had a detailed look at how we can create and manage users and how users are generally set up and

2
00:00:08,690 --> 00:00:11,240
how we work with them. As a developer,

3
00:00:11,240 --> 00:00:15,900
we don't have to worry too much about this whole creation process but it's still nice to know how this

4
00:00:15,950 --> 00:00:20,400
works behind the scenes which is why it was important to me to show this to you.

5
00:00:20,450 --> 00:00:22,960
So now that our database is locked down,

6
00:00:22,970 --> 00:00:28,850
let's make sure that data that is transferred from our app to database also is secure because this is

7
00:00:28,850 --> 00:00:34,230
a typical set up we will have when creating an application that uses mongodb in the backend.

8
00:00:34,460 --> 00:00:41,570
We have our application and this could be a node or a PHP, Python, C++, whatever it is application that

9
00:00:41,570 --> 00:00:46,410
uses them mongodb driver to then communicate to the mongodb server and store data

10
00:00:46,760 --> 00:00:50,070
and of course it's important that the data is encrypted

11
00:00:50,210 --> 00:00:57,950
whilst it is in transport, so that someone who's spoofing our connection cannot read our data and

12
00:00:57,950 --> 00:01:00,490
mongodb has everything we need for that built-in,

13
00:01:00,620 --> 00:01:07,550
so let me now show you how you can easily secure your data whilst it's on its way from client to server.

14
00:01:08,420 --> 00:01:11,160
To encrypt our data in transport,

15
00:01:11,240 --> 00:01:13,440
mongodb uses SSL or actually

16
00:01:13,440 --> 00:01:15,750
TLS which is the successor of SSL

17
00:01:15,800 --> 00:01:17,540
but I'll just say SSL here,

18
00:01:17,600 --> 00:01:18,890
I mean the same though.

19
00:01:18,920 --> 00:01:21,740
So SSL is the more common thing you know and SSL

20
00:01:21,740 --> 00:01:29,480
in the end is just a way of encrypting our data whilst it's on its way and we'll use a public private

21
00:01:29,480 --> 00:01:36,980
key pair to decrypt this information on the server and to prove that we as a client are who we well

22
00:01:37,340 --> 00:01:39,150
make the server think we are.

23
00:01:39,410 --> 00:01:45,100
So essentially it's a secure way of encrypting our data and decrypting it on the server

24
00:01:45,350 --> 00:01:49,840
and whilst it's on its way, it's consistently encrypted.

25
00:01:49,880 --> 00:01:55,410
Now if you want to learn more about SSL and how it works, you'll find a link with detailed instructions

26
00:01:55,520 --> 00:02:00,800
in the last lecture of this module, I will not focus on the underlying technology but how we can make

27
00:02:00,800 --> 00:02:01,810
it work.

28
00:02:01,810 --> 00:02:06,590
Now if you google for a mongodb SSL, you'll find an article that also describes the steps you need

29
00:02:06,590 --> 00:02:12,790
to take and I'm simply showing you this because we will need a command from there which we execute together.

30
00:02:13,130 --> 00:02:20,660
This is essentially a command that will create us the files we need to enable SSL encryption,

31
00:02:20,660 --> 00:02:22,780
so basically this public private key pair

32
00:02:23,270 --> 00:02:24,700
and we can just copy that

33
00:02:24,870 --> 00:02:29,770
and on Linux and Mac, you can just run this command in the terminal, on Windows,

34
00:02:29,780 --> 00:02:31,060
this will not work

35
00:02:31,310 --> 00:02:33,410
but the good thing is on Windows,

36
00:02:33,500 --> 00:02:39,250
if you google for windows open SSL, you will find that binaries open SSL wiki link

37
00:02:43,050 --> 00:02:49,680
and there, you will find open SSL implementations for Windows. Now you can take the top one here and you

38
00:02:49,680 --> 00:02:55,980
should be forwarded to this page and there if you scroll to the bottom, you should find download links

39
00:02:56,060 --> 00:03:03,720
and here for this win64 open SSL Light version, you can just download the executable and then once it

40
00:03:03,720 --> 00:03:06,530
is downloaded, just execute that to install

41
00:03:06,540 --> 00:03:08,360
open SSL on Windows,

42
00:03:08,400 --> 00:03:13,710
this will then ask you for a folder where it should install it and once you did install it into that folder,

43
00:03:13,950 --> 00:03:20,670
you can navigate into that folder in your command prompt on windows, into the bin folder of that installed

44
00:03:20,670 --> 00:03:28,290
folder and from in there, you will be able to run the same command as I do here on Mac and Linux. So on Mac

45
00:03:28,290 --> 00:03:29,170
and Linux,

46
00:03:29,190 --> 00:03:34,710
we can simply paste in this command and again you paste that exact same command on Windows then after

47
00:03:34,710 --> 00:03:37,920
you navigated into that bin folder and hit enter

48
00:03:38,220 --> 00:03:40,840
and now you will be asked a couple of questions.

49
00:03:40,980 --> 00:03:45,690
Now the first questions are not that important and you could enter a dot and hit enter but you can

50
00:03:45,690 --> 00:03:51,430
also fill them out with your right information but the information here doesn't really matter,

51
00:03:51,420 --> 00:03:59,450
you could fill in anything.

52
00:03:59,660 --> 00:04:06,950
Now the important part is that common name here and there, you must fill in localhost during developement,

53
00:04:06,960 --> 00:04:09,270
so whilst we are running this on localhost.

54
00:04:09,500 --> 00:04:17,510
If you were to deploy your mongo database onto a server in the web, you need to fill in the address

55
00:04:17,660 --> 00:04:20,260
of that web server and that will be important

56
00:04:20,270 --> 00:04:24,530
otherwise the connection will fail because this will later be validated

57
00:04:24,680 --> 00:04:30,920
that if you are connecting to a server, that the server you are connecting to is the server that is mentioned

58
00:04:30,920 --> 00:04:32,240
in your certificate,

59
00:04:32,300 --> 00:04:35,860
so we will be connecting to localhost, so we need to put localhost in here.

60
00:04:36,350 --> 00:04:43,160
So hit enter then, you can enter any email address there and now you are done and you will now have two

61
00:04:43,250 --> 00:04:44,160
files,

62
00:04:44,240 --> 00:04:48,860
the mongodb cert key file and the mongodb-cert.crt file.

63
00:04:49,100 --> 00:04:54,350
We now need to concatenate these two into one file and that is also a step you find described in

64
00:04:54,350 --> 00:04:56,620
the official docs. On Mac and Linux,

65
00:04:56,620 --> 00:04:58,880
you can execute this command, on Windows

66
00:04:58,880 --> 00:05:05,140
it's almost the same but you replace cat with type there,

67
00:05:05,200 --> 00:05:07,750
the rest is the same. So you just replace cat with

68
00:05:07,750 --> 00:05:09,670
type on Windows, on Mac and Linux,

69
00:05:09,680 --> 00:05:16,120
it's cat. So after this, you'll have a mongodb.pem file and that is the file you will need to

70
00:05:16,180 --> 00:05:18,710
enable SSL encryption.

71
00:05:18,730 --> 00:05:20,050
Now how does that work?

72
00:05:20,790 --> 00:05:24,150
In that folder where are you stored that pem file

73
00:05:24,180 --> 00:05:26,900
and of course you can now copy and move it around in your file system

74
00:05:26,910 --> 00:05:33,710
but in the folder where that file lives, you can now start your mongod server with SSL enabled,

75
00:05:33,720 --> 00:05:38,310
let's quickly check the options with --help to see how that works.

76
00:05:38,950 --> 00:05:41,110
You'll see a bunch of SSL options here,

77
00:05:41,380 --> 00:05:49,870
one option we need to set is the mode. The SSL mode defines whether SSL is disabled so we connect as before,

78
00:05:50,560 --> 00:05:57,320
if we want to allow clients to connect via SSL but they could still connect without SSL,

79
00:05:57,670 --> 00:06:04,380
if we want to prefer this which is only important if you are using replica sets or if you want to require

80
00:06:04,380 --> 00:06:09,270
this which means any connection that does not use SSL will be denied

81
00:06:09,430 --> 00:06:11,220
and that is actually what I want to use.

82
00:06:11,260 --> 00:06:15,850
So we will need to set SSL mode to require SSL,

83
00:06:15,850 --> 00:06:22,230
we will then also need to point at our pem file with SSL pem key file argument,

84
00:06:22,240 --> 00:06:27,950
now theoretically you could even create such a certificate or such a pem file with a password which you

85
00:06:27,970 --> 00:06:29,440
then also would have to enter

86
00:06:29,800 --> 00:06:31,670
and this is important,

87
00:06:31,780 --> 00:06:35,930
you could also have a CA file, a certificate authority file.

88
00:06:35,950 --> 00:06:40,980
Now you will get this if you get your SSL certificate through an official authority,

89
00:06:41,020 --> 00:06:44,430
you can get those on the Internet, free ones and paid ones

90
00:06:44,530 --> 00:06:49,150
and this is actually a file which you pass in addition to your pem file,

91
00:06:49,150 --> 00:06:56,170
we have that pem file but we have no CA file right now, that CA file would then be an extra layer of

92
00:06:56,170 --> 00:06:57,340
security

93
00:06:57,340 --> 00:07:00,780
that basically ensures that man in the middle attacks can be prevented.

94
00:07:00,790 --> 00:07:07,300
So if you do deploy your mongodb database in production, you would get your SSL certificate from a

95
00:07:07,300 --> 00:07:13,870
certificate authority and they would give you a pem file and CA file and you would basically add both

96
00:07:13,960 --> 00:07:18,250
arguments and point at the respective files when launching your server.

97
00:07:18,250 --> 00:07:24,840
Now in our case here, we will just launch the server mongod with SSL

98
00:07:24,940 --> 00:07:40,710
mode set to, if we scroll up require SSL, so require SSL and then I'll add my SSL pem key file

99
00:07:41,050 --> 00:07:47,590
and now I need to point at my mongodb.pem file and for that, you should navigate into that folder where

100
00:07:47,590 --> 00:07:51,750
that file lies or specify the full path to that file.

101
00:07:51,880 --> 00:07:52,900
If you now hit enter

102
00:07:56,170 --> 00:08:00,140
and on Mac, you might also need to add sudo as before,

103
00:08:00,370 --> 00:08:03,740
if you now hit enter, it should start your server.

104
00:08:03,790 --> 00:08:08,560
You'll see a warning that we have no SSL certificate validation in place because we are missing that

105
00:08:08,590 --> 00:08:09,820
SSL CA file

106
00:08:09,820 --> 00:08:10,860
I just talked about

107
00:08:10,900 --> 00:08:16,540
but besides that, we got a server which is now waiting for connections on port 27017

108
00:08:16,570 --> 00:08:24,220
SSL. So now to connect to the server, we should navigate in a new terminal window into that same

109
00:08:24,220 --> 00:08:26,410
folder where we have that pem file

110
00:08:26,680 --> 00:08:32,650
and now we'll launch our mongo client but launching it like this will fail and if it succeeds, you connect

111
00:08:32,650 --> 00:08:38,300
it to a different mongod instance which you can shut down with db shutdown server of course which

112
00:08:38,300 --> 00:08:39,640
you saw earlier in the course.

113
00:08:39,860 --> 00:08:45,530
But for me it fails here because indeed I got no mongod running which would allow connections

114
00:08:45,530 --> 00:08:48,440
from non-SSL clients.

115
00:08:48,440 --> 00:08:53,780
Now let's check out the help options for the mongo client to see what we can do with SSL there

116
00:08:54,140 --> 00:09:00,950
and indeed here we need to set two things, we need to enable SSL and we will need to pass our pem file

117
00:09:01,180 --> 00:09:03,340
as a SSL CA file here.

118
00:09:03,620 --> 00:09:06,150
So I simply type mongo

119
00:09:06,290 --> 00:09:16,790
--ssl followed by --sslCAFile and that CA file is my mongodb.pem file.

120
00:09:16,810 --> 00:09:19,320
Now this might actually fail

121
00:09:19,750 --> 00:09:26,410
and for this case you need to add --host localhost, so that host you specified during your certificate

122
00:09:26,410 --> 00:09:27,350
creation,

123
00:09:28,420 --> 00:09:30,450
with that, it should succeed.

124
00:09:30,770 --> 00:09:36,960
Now you need it to specify that because otherwise it tried to connect to the IP address 127.0.0.1

125
00:09:37,010 --> 00:09:43,400
which is localhost but technically is a different word therefore was not considered equal to localhost,

126
00:09:43,610 --> 00:09:49,670
so with specifying --host localhost, we made it really clear that this is the host we expect to

127
00:09:49,670 --> 00:09:51,580
see as a name on the backend,

128
00:09:51,590 --> 00:09:55,640
this is the host which was part of our certificate and therefore this works.

129
00:09:55,640 --> 00:09:58,340
Now obviously, you can have more elaborate set ups

130
00:09:58,370 --> 00:10:04,370
and of course you should mean non self-signed certificate but what one you got from an authority for production

131
00:10:04,490 --> 00:10:05,420
use cases

132
00:10:05,570 --> 00:10:13,040
but this will do for now and this shows you how you can generally connect with SSL turned on and now all

133
00:10:13,040 --> 00:10:14,280
data we send from the client,

134
00:10:14,280 --> 00:10:18,470
so from the mongo shell to the mongo server will be encrypted.