--- title: Install MongoDB software description: ABS uses a MongoDB database (4.2) to store analyzed logs and ABS cluster node information. MongoDB is installed using a replica set. In a replica set, MongoDB is installed on three nodes for high-availability (HA). component: pingintelligence version: 5.1 page_id: pingintelligence:pingintelligence_production_deployment:pingintelligence_install_mongodb canonical_url: https://docs.pingidentity.com/pingintelligence/5.1/pingintelligence_production_deployment/pingintelligence_install_mongodb.html revdate: April 3, 2024 section_ids: update-mongodb-default-username-and-password: Update MongoDB default username and password install-mongodb-in-replica-set: Install MongoDB in replica set --- # Install MongoDB software ABS uses a MongoDB database (4.2) to store analyzed logs and ABS cluster node information. MongoDB is installed using a replica set. In a replica set, MongoDB is installed on three nodes for high-availability (HA). | | | | - | --------------------------------------------------------------------------------- | | | If you are installing as a non-root user then, increase the` ulimit -n` to 65535. | ## Update MongoDB default username and password You can change the default username and password of MongoDB by editing the `/opt/pingidentity/abs/mongo/abs_init.js` file. Change the username and password and save the file. The following is a snippet of the `abs_init.js` file: ```json { user: "absuser", pwd: "abs123", roles: [{ role: "clusterMonitor", db: "admin" }, { role: "readWrite", db: "abs_metadata" }, { role: "readWrite", db: "abs_data" }, { role: "readWrite", db: "abs_mldata" }, { role: "readWrite", db: "local" } ] }); ``` ## Install MongoDB in replica set Download either the RHEL or Ubuntu MongoDB 4.2 Linux `tarball` from the MongoDB website. For more information, see . IMPORTANT: This document describes a RHEL 7 download, but the equivalent Ubuntu version of MongoDB is also supported. Use the Ubuntu MongoDB URL to download the Ubuntu version. **Prerequisite:** * Copy `/opt/pingidentity/abs/mongo/abs_init.js` file to the MongoDB node. * Copy `/opt/pingidentity/abs/mongo/abs_rs.js` file to the MongoDB node. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | It is advised to follow MongoDB recommended setting, to avoid issues in your production MongoDB deployment. For more information, see and | Download MongoDB on three nodes which would form the replica set for high-availability (HA). Install MongoDB one each node: 1. Create the MongoDB directory structure: create `mongo`, `data`, `logs`, and `key` directory on each MongoDB node. ``` # mkdir -p /opt/pingidentity/mongo/data /opt/pingidentity/mongo/logs \ /opt/pingidentity/mongo/key ``` 2. Download MongoDB 4.2 on each node and extract to `/opt/pingidentity/mongo` ``` # cd /opt/pingidentity/ /opt/pingidentity# wget \ https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-rhel70-4.2.0.tgz \ -O mongodb.tgz && tar xzf mongodb.tgz -C /opt/pingidentity/mongo/ --strip-components=1 ``` 3. Update shell path variable and reload the shell. ``` /opt/pingidentity# echo PATH=$PATH:/opt/pingidentity/mongo/bin >> ~/.bashrc; /opt/pingidentity# source ~/.bashrc ``` 4. Start the MongoDB database on each node. `absrs01` is the name of the replica set. You can choose your own name for the replica set. ``` /opt/pingidentity# cd mongo /opt/pingidentity/mongo# mongod --dbpath ./data/ --logpath ./logs/mongo.log --port 27017 --replSet absrs01 --fork -bind_ip 0.0.0.0 ``` | | | | - | -------------------------------------------------------------------------------------------------------------------------- | | | ``` [.codeph]``bind_ip`` is required for MongoDB to accept connections coming from machines other than the local host. ``` | 5. Check MongoDB connectivity among the three nodes. On MongoDB node 1, run the following command to check connectivity with node 2: ``` /opt/pingidentity/mongo# mongo --host --port 27017 ``` 6. Navigate to `abs_rs.js` file and edit to configure the IP address of the primary and secondary MongoDB nodes: ``` rsconf = { _id: "absrs01", members: [ { _id: 0, host: "127.0.0.1:27017", priority: 10 }, { _id: 1, host: ":27017", priority: 2 }, { _id: 2, host: ":27017", priority: 2 } ] }; rs.initiate(rsconf) rs.conf(); exit ``` | | | | - | ----------------------------------------------------------------------------------------------------------------------- | | | Make sure the secondary MongoDB nodes are reachable, and their host names are resolvable from the primary MongoDB node. | 7. Initiate the configuration by entering the following command on MongoDB node 1's shell: ``` /opt/pingidentity/mongo# mongo --port 27017 < abs_rs.js ``` 8. Verify that all the MongoDB nodes are running. On each MongoDB node, enter the following: ``` /opt/pingidentity/mongo# mongo --port 27017 ``` The primary node will display the following prompt: ``` absrs01:PRIMARY> ``` The secondary nodes will display the following prompt: ``` absrs01:SECONDARY> ``` 9. Create User and initialize the database using `abs_init.js` file after making necessary modifications. On the primary node (node 1) Enter the following command: ``` # mongo --host --port 27017 < abs_init.js ``` | | | | - | ----------------------------------------------------------------- | | | user name and password should be changed from the default values. | 10. Generate a MongoDB key file. ``` /opt/pingidentity/mongo# openssl rand -base64 741 >key/mongodb-keyfile ``` 11. Change the key file permission. ``` /opt/pingidentity/mongo# chmod 600 key/mongodb-keyfile ``` 12. Copy the key file generated in step 11 on each node of the replica set 13. Shutdown MongoDB using the following command: ``` # mongod --dbpath ./data --shutdown ``` 14. Restart all the MongoDB nodes with a key file and enable MongoDB authentication. ``` /opt/pingidentity/mongo# mongod --auth --dbpath ./data/ --logpath \ ./logs/mongo.log --port 27017 --replSet absrs01 --fork --keyFile ./key/mongodb-keyfile -bind_ip 0.0.0.0 ``` | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | * `bind_ip` is required for MongoDB to accept connections coming from machines other than the local host. * The MongoDB cache size should be restricted to 25% of system memory. You can configure this by using MongoDB's `wiredTigerCacheSizeGB` option. | **Starting MongoDB with SSL** You can start MongoDB with SSL by using either a CA-signed or a self-signed certificate. * **Using CA-signed certificate**: To add a CA-signed certificate, create a new PEM file by concatenating the certificate and its private key. Copy the resulting PEM file to the`/opt/pingidentity/mongo/key/` directory created in Step 1. ``` cat mongo-node-private-key mongo-node-certificate > /opt/pingidentity/mongo/key/mongodb.pem ``` * **Using self-signed certificate**: To use a self-signed certificate then as a first-step generate a self-signed certificate and keys. Complete the following steps: 1. Change directory to `key` directory: ``` cd /opt/pingidentity/mongo/key ``` 2. Generate a self-signed certificate and key: ``` openssl req -newkey rsa:2048 -new -x509 -days 365 -nodes -out mongodb-cert.crt -keyout mongodb-cert.key ``` 3. Concatenate the certificate and the key: ``` cat mongodb-cert.key mongodb-cert.crt > mongodb.pem ``` After either a CA-signed certificate or self-signed certificate has been added to the `key` directory, shut down MongoDB and restart with `--tlsMode` flag. 1. Shut down MongoDB: ``` # mongod --dbpath ./data --shutdown ``` 2. Restart MongoDB with `-tlsMode` flag: ``` mongod --auth --dbpath ./data/ --logpath ./logs/mongo.log --port 27017 --replSet absrs01 --fork --keyFile ./key/mongodb-keyfile -bind_ip 0.0.0.0 --tlsMode requireTLS --tlsCertificateKeyFile ./key/mongodb.pem ``` The --tlsMode flag can take the following three values: * allowTLS * preferTLS * requireTLS For more information on these options, see the .mongodb.com/manual/reference/configuration-options///\[MongoDB documentation].