Installing MongoDB software
ABS uses a MongoDB database (5.0.18) to store analyzed logs and ABS cluster node information.
Before you begin
- Download either the RHEL or Ubuntu MongoDB 4.2 Linux tarball from the MongoDB website. The steps below use a RHEL 7 download, but the equivalent Ubuntu version of MongoDB is also supported. Use the Ubuntu MongoDB URL to download the Ubuntu version.
- Copy the following files to the MongoDB node:
  - /opt/pingidentity/abs/mongo/abs_init.js
  - /opt/pingidentity/abs/mongo/abs_rs.js
To avoid issues in your production MongoDB deployment, it is advised to follow MongoDB recommended settings. For more information, see MongoDB Operations Checklist and MongoDB Performance.
About this task
MongoDB is installed using a replica set. In a replica set, MongoDB is installed on three nodes for high availability (HA).
If you are installing as a non-root user, then increase the |
You can change the default username and password of MongoDB by editing the /opt/pingidentity/abs/mongo/abs_init.js file. Change the username and password and save the file. The following is a snippet of the abs_init.js file:
{
  user: "absuser",
  pwd: "abs123",
  roles: [{ role: "clusterMonitor", db: "admin" },
          { role: "readWrite", db: "abs_metadata" },
          { role: "readWrite", db: "abs_data" },
          { role: "readWrite", db: "abs_mldata" },
          { role: "readWrite", db: "local" } ]
});
Download MongoDB on three nodes that will form the replica set for high availability (HA) and install MongoDB on each node:
Steps
- Create the following MongoDB directory structure on each MongoDB node:
  - mongo
    - data
    - logs
    - key
  # mkdir -p /opt/pingidentity/mongo/data /opt/pingidentity/mongo/logs \
      /opt/pingidentity/mongo/key
- Download MongoDB 5.0.18 on each node and extract to /opt/pingidentity/mongo.
  # cd /opt/pingidentity/
  /opt/pingidentity# wget \
      https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-rhel70-5.0.18.tgz \
      -O mongodb.tgz && tar xzf mongodb.tgz -C /opt/pingidentity/mongo/ --strip-components=1
- Update shell path variable and reload the shell.
  /opt/pingidentity# echo PATH=$PATH:/opt/pingidentity/mongo/bin >> ~/.bashrc;
  /opt/pingidentity# source ~/.bashrc
- Start the MongoDB database on each node. The name of the replica set is absrs01. You can choose your own name for the replica set.
  /opt/pingidentity# cd mongo
  /opt/pingidentity/mongo# mongod --dbpath ./data/ --logpath ./logs/mongo.log --port 27017 --replSet absrs01 --fork --bind_ip 0.0.0.0
  bind_ip is required for MongoDB to accept connections coming from machines other than the local host.
- Check MongoDB connectivity among the three nodes. On MongoDB node 1, run the following command to check connectivity with node 2:
  /opt/pingidentity/mongo# mongo --host <mongo node 2 IP address> --port 27017
- Navigate to the abs_rs.js file and edit to configure the IP address of the primary and secondary MongoDB nodes:
  rsconf = {
    _id: "absrs01",
    members: [
      { _id: 0, host: "127.0.0.1:27017", priority: 10 },
      { _id: 1, host: "<Mongo Node 2 IP>:27017", priority: 2 },
      { _id: 2, host: "<Mongo Node 3 IP>:27017", priority: 2 }
    ]
  };
  rs.initiate(rsconf)
  rs.conf();
  exit
  Make sure the secondary MongoDB nodes are reachable and their host names are resolvable from the primary MongoDB node.
- Initiate the configuration by entering the following command on the shell of MongoDB node 1:
  /opt/pingidentity/mongo# mongo --port 27017 < abs_rs.js
- To verify that all the MongoDB nodes are running, enter the following on each MongoDB node:
  /opt/pingidentity/mongo# mongo --port 27017
  Result:
  - The primary node will display the following prompt:
    absrs01:PRIMARY>
  - The secondary nodes will display the following prompt:
    absrs01:SECONDARY>
- Create user and initialize the database using the abs_init.js file after making necessary modifications. On the primary node (node 1), enter the following command:
  # mongo --host <mongo node 1 IP> --port 27017 < abs_init.js
  Username and password should be changed from the default values.
- Generate a MongoDB key file.
  /opt/pingidentity/mongo# openssl rand -base64 741 >key/mongodb-keyfile
- Change the key file permission.
  /opt/pingidentity/mongo# chmod 600 key/mongodb-keyfile
- Copy the key file generated in step 11 on each node of the replica set.
- Shut down MongoDB using the following command:
  # mongod --dbpath ./data --shutdown
- Restart all the MongoDB nodes with a key file and enable MongoDB authentication.
  /opt/pingidentity/mongo# mongod --auth --dbpath ./data/ --logpath \
      ./logs/mongo.log --port 27017 --replSet absrs01 --fork --keyFile ./key/mongodb-keyfile --bind_ip 0.0.0.0
  - bind_ip is required for MongoDB to accept connections coming from machines other than the local host.
  - The MongoDB cache size should be restricted to 25% of system memory. You can configure this by using MongoDB’s wiredTigerCacheSizeGB option.
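A pre-restart check for the key file and cache size steps above, as an added example that is not part of the original procedure. The function names are hypothetical; it assumes a Linux node with /proc/meminfo and sha256sum, and applies MongoDB's key file rules (6 to 1024 base64 characters, no group or other permissions on UNIX).

```shell
#!/bin/sh
# Added example (not from the product documentation). Function names are
# hypothetical. Assumes Linux: /proc/meminfo and sha256sum are present.

# keyfile_ok FILE: succeed only if FILE meets MongoDB's key file rules:
# no group/other permission bits and 6-1024 base64 characters of content.
keyfile_ok() {
    f=$1
    [ -f "$f" ] || { echo "missing key file: $f" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "group/other access on $f" >&2; return 1; }
    # mongod ignores whitespace in the key file, so strip it before checking.
    body=$(tr -d ' \t\r\n' < "$f")
    case $body in
        *[!A-Za-z0-9+/=]*) echo "non-base64 character in $f" >&2; return 1 ;;
    esac
    len=${#body}
    { [ "$len" -ge 6 ] && [ "$len" -le 1024 ]; } ||
        { echo "key length $len outside 6-1024" >&2; return 1; }
}

# keyfile_digest FILE: SHA-256 of FILE, to confirm every node holds the same key.
keyfile_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# cache_gb MEM_KB: 25% of MEM_KB kilobytes, in GB, for --wiredTigerCacheSizeGB.
cache_gb() {
    LC_ALL=C awk -v kb="$1" 'BEGIN { printf "%.2f\n", kb * 0.25 / 1024 / 1024 }'
}

# When given a key file path, run the checks before restarting mongod.
if [ -n "${1:-}" ]; then
    keyfile_ok "$1" || exit 1
    echo "key file OK, sha256 $(keyfile_digest "$1")"
    mem_kb=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)
    echo "25% of memory: --wiredTigerCacheSizeGB $(cache_gb "$mem_kb")"
fi
```

Run it on each node with the key file path as the argument; the printed digest should be identical on all three nodes.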