PingIntelligence

Install MongoDB software

ABS uses a MongoDB database (4.2) to store analyzed logs and ABS cluster node information. MongoDB is installed using a replica set. In a replica set, MongoDB is installed on three nodes for high-availability (HA).

If you are installing as a non-root user then, increase the ulimit -n to 65535.

Update MongoDB default username and password

You can change the default username and password of MongoDB by editing the /opt/pingidentity/abs/mongo/abs_init.js file. Change the username and password and save the file. The following is a snippet of the abs_init.js file:

{
    user: “absuser”,
    pwd: “abs123",
    roles: [{ role: “clusterMonitor”, db: “admin” },
            { role: “readWrite”, db: “abs_metadata” },
            { role: “readWrite”, db: “abs_data” },
            { role: “readWrite”, db: “abs_mldata” },
            { role: “readWrite”, db: “local” } ]
});

Install MongoDB in replica set

Download either the RHEL or Ubuntu MongoDB 4.2 Linux tarball from the MongoDB website. For more information, see https://www.mongodb.org/downloads. IMPORTANT: This document describes a RHEL 7 download, but the equivalent Ubuntu version of MongoDB is also supported. Use the Ubuntu MongoDB URL to download the Ubuntu version.

Prerequisite:

  • Copy /opt/pingidentity/abs/mongo/abs_init.js file to the MongoDB node.

  • Copy /opt/pingidentity/abs/mongo/abs_rs.js file to the MongoDB node.

It is advised to follow MongoDB recommended setting, to avoid issues in your production MongoDB deployment. For more information, see https://docs.mongodb.com/manual/administration/production-checklist-operations/ and https://docs.mongodb.com/manual/administration/analyzing-mongodb-performance/

Download MongoDB on three nodes which would form the replica set for high-availability (HA).

Install MongoDB one each node:

  1. Create the MongoDB directory structure: create mongo, data, logs, and key directory on each MongoDB node.

    # mkdir -p /opt/pingidentity/mongo/data /opt/pingidentity/mongo/logs \
    /opt/pingidentity/mongo/key
  2. Download MongoDB 4.2 on each node and extract to /opt/pingidentity/mongo

    # cd /opt/pingidentity/
    /opt/pingidentity# wget \
    https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-rhel70-4.2.0.tgz \
    -O mongodb.tgz && tar xzf mongodb.tgz -C /opt/pingidentity/mongo/ --strip-components=1
  3. Update shell path variable and reload the shell.

    /opt/pingidentity# echo PATH=$PATH:/opt/pingidentity/mongo/bin >> ~/.bashrc;
    /opt/pingidentity# source ~/.bashrc
  4. Start the MongoDB database on each node. absrs01 is the name of the replica set. You can choose your own name for the replica set.

    /opt/pingidentity# cd mongo
    /opt/pingidentity/mongo# mongod --dbpath ./data/ --logpath ./logs/mongo.log --port 27017 --replSet absrs01 --fork -bind_ip 0.0.0.0
    [.codeph]``bind_ip`` is required for MongoDB to accept connections coming from machines other than the local host.
  5. Check MongoDB connectivity among the three nodes. On MongoDB node 1, run the following command to check connectivity with node 2:

    /opt/pingidentity/mongo# mongo --host <mongo node 2 IP address> --port 27017
  6. Navigate to abs_rs.js file and edit to configure the IP address of the primary and secondary MongoDB nodes:

    rsconf = {
    	  _id: "absrs01",
    	  members: [
    	    {
    	     _id: 0,
    	     host: "127.0.0.1:27017",
    	     priority: 10
    	    },
    	    {
    	     _id: 1,
    	     host: "<Mongo Node 2 IP>:27017",
    	     priority: 2
    	    },
    	    {
    	     _id: 2,
    	     host: "<Mongo Node 3 IP>:27017",
    	     priority: 2
    	    }
    	   ]
    	};
    rs.initiate(rsconf)
    rs.conf();
    exit
    Make sure the secondary MongoDB nodes are reachable, and their host names are resolvable from the primary MongoDB node.
  7. Initiate the configuration by entering the following command on MongoDB node 1’s shell:

    /opt/pingidentity/mongo# mongo --port 27017 < abs_rs.js
  8. Verify that all the MongoDB nodes are running. On each MongoDB node, enter the following:

     /opt/pingidentity/mongo# mongo --port 27017

    The primary node will display the following prompt:

    absrs01:PRIMARY>

    The secondary nodes will display the following prompt:

    absrs01:SECONDARY>
  9. Create User and initialize the database using abs_init.js file after making necessary modifications.

    On the primary node (node 1) Enter the following command:

    # mongo --host <mongo node 1 IP> --port 27017 < abs_init.js
    user name and password should be changed from the default values.
  10. Generate a MongoDB key file.

    /opt/pingidentity/mongo# openssl rand -base64 741 >key/mongodb-keyfile
  11. Change the key file permission.

     /opt/pingidentity/mongo# chmod 600 key/mongodb-keyfile
  12. Copy the key file generated in step 11 on each node of the replica set

  13. Shutdown MongoDB using the following command:

    # mongod --dbpath ./data --shutdown
  14. Restart all the MongoDB nodes with a key file and enable MongoDB authentication.

    /opt/pingidentity/mongo# mongod --auth --dbpath ./data/ --logpath \
    ./logs/mongo.log --port 27017 --replSet absrs01 --fork --keyFile ./key/mongodb-keyfile -bind_ip 0.0.0.0
    • bind_ip is required for MongoDB to accept connections coming from machines other than the local host.

    • The MongoDB cache size should be restricted to 25% of system memory. You can configure this by using MongoDB’s wiredTigerCacheSizeGB option.

Starting MongoDB with SSL

You can start MongoDB with SSL by using either a CA-signed or a self-signed certificate.

  • Using CA-signed certificate: To add a CA-signed certificate, create a new PEM file by concatenating the certificate and its private key. Copy the resulting PEM file to the/opt/pingidentity/mongo/key/ directory created in Step 1.

    cat mongo-node-private-key mongo-node-certificate > /opt/pingidentity/mongo/key/mongodb.pem
  • Using self-signed certificate: To use a self-signed certificate then as a first-step generate a self-signed certificate and keys. Complete the following steps:

    1. Change directory to key directory:

      cd /opt/pingidentity/mongo/key
    2. Generate a self-signed certificate and key:

      openssl req -newkey rsa:2048 -new -x509 -days 365 -nodes -out mongodb-cert.crt -keyout mongodb-cert.key
    3. Concatenate the certificate and the key:

      cat mongodb-cert.key mongodb-cert.crt > mongodb.pem

After either a CA-signed certificate or self-signed certificate has been added to the key directory, shut down MongoDB and restart with --tlsMode flag.

  1. Shut down MongoDB:

    # mongod --dbpath ./data --shutdown
  2. Restart MongoDB with -tlsMode flag:

    mongod --auth --dbpath ./data/ --logpath ./logs/mongo.log --port 27017 --replSet absrs01 --fork --keyFile ./key/mongodb-keyfile -bind_ip 0.0.0.0 --tlsMode requireTLS --tlsCertificateKeyFile ./key/mongodb.pem

    The --tlsMode flag can take the following three values:

    • allowTLS

    • preferTLS

    • requireTLS

For more information on these options, see the .mongodb.com/manual/reference/configuration-options///[MongoDB documentation].