ABS uses a MongoDB database (4.2) to store analyzed logs and ABS cluster node information. MongoDB is installed using a replica set. In a replica set, MongoDB is installed on three nodes for high-availability (HA).
Set ulimit -n (the open-file limit) to 65535.

Update MongoDB default username and password
You can change the default username and password of MongoDB by editing the /opt/pingidentity/abs/mongo/abs_init.js file. Change the username and password and save the file. The following is a snippet of the abs_init.js file:

```javascript
// Snippet of abs_init.js: the db.createUser(...) call that creates the ABS service user
// (the opening line is restored to match the snippet's closing "});").
// Replace the default user and pwd values before running the script against MongoDB.
db.createUser({
  user: "absuser",
  pwd: "abs123",
  roles: [
    { role: "clusterMonitor", db: "admin" },
    { role: "readWrite", db: "abs_metadata" },
    { role: "readWrite", db: "abs_data" },
    { role: "readWrite", db: "abs_mldata" },
    { role: "readWrite", db: "local" }
  ]
});
```
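The credential change described above can be scripted so that the shipped defaults never reach a running node. The shell functions below are an added example, not part of the ABS product or its abs_init.js; they assume the user:/pwd: layout shown in the snippet and take the path of a copy of the file as their first argument.

```shell
# Added example (not part of the ABS product or its abs_init.js): rewrite the default
# "absuser"/"abs123" credentials in a copy of abs_init.js before the script is run.
# Assumes the user:/pwd: layout shown in the snippet above. Usage:
#   set_abs_credentials /path/to/abs_init.js abs_svc "$(gen_password)"

# Generate a random password (default 32 characters) from characters that are safe
# inside the JavaScript string literal, in a sed replacement and on a command line.
gen_password() {
  local len="${1:-32}"
  openssl rand -base64 48 | tr -dc 'A-Za-z0-9' | cut -c1-"$len"
}

# Replace the user: and pwd: values in the file in place. Refuses values containing
# a quote, backslash, "|" or "&", which would break the JS literal or the sed expression.
set_abs_credentials() {
  local file="$1" user="$2" pass="$3"
  case "$pass$user" in
    *'"'*|*\\*|*\'*|*'|'*|*'&'*)
      echo "credentials must not contain quotes, backslashes, | or &" >&2; return 1 ;;
  esac
  sed -i \
    -e "s|^\([[:space:]]*user:[[:space:]]*\)\"[^\"]*\"|\1\"${user}\"|" \
    -e "s|^\([[:space:]]*pwd:[[:space:]]*\)\"[^\"]*\"|\1\"${pass}\"|" \
    "$file"
}

# Print the pwd: value currently in the file.
current_pwd() {
  sed -n 's/^[[:space:]]*pwd:[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# True when the file carries a password and it is not the shipped default.
not_default_password() {
  [ -n "$(current_pwd "$1")" ] && [ "$(current_pwd "$1")" != "abs123" ]
}
```

Run not_default_password against the edited file as a last check before piping it into the mongo shell; the same password must then be placed in the ABS configuration that connects to MongoDB.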
Install MongoDB in replica set

- Download the MongoDB tarball from the MongoDB website. For more information, see https://www.mongodb.org/downloads.
- Copy the /opt/pingidentity/abs/mongo/abs_init.js file to the MongoDB node.
- Copy the /opt/pingidentity/abs/mongo/abs_rs.js file to the MongoDB node.

Download MongoDB on the three nodes that will form the replica set for high availability (HA). Install MongoDB on each node:
- Create the MongoDB directory structure: create the mongo, data, logs, and key directories on each MongoDB node.
```shell
mkdir -p /opt/pingidentity/mongo/data /opt/pingidentity/mongo/logs /opt/pingidentity/mongo/key
```
- Download MongoDB 4.2 on each node and extract it to /opt/pingidentity/mongo.
```shell
cd /opt/pingidentity/
wget https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-rhel70-4.2.0.tgz -O mongodb.tgz \
  && tar xzf mongodb.tgz -C /opt/pingidentity/mongo/ --strip-components=1
```
- Update the shell PATH variable and reload the shell. The path is quoted so that $PATH is expanded when the shell starts rather than fixed to its value at the time of the edit.
```shell
echo 'export PATH=$PATH:/opt/pingidentity/mongo/bin' >> ~/.bashrc
source ~/.bashrc
```
- Start the MongoDB database on each node. absrs01 is the name of the replica set; you can choose your own name for the replica set.
```shell
cd /opt/pingidentity/mongo
mongod --dbpath ./data/ --logpath ./logs/mongo.log --port 27017 --replSet absrs01 --fork --bind_ip 0.0.0.0
```
Note: --bind_ip is required for MongoDB to accept connections coming from machines other than the local host. Binding to 0.0.0.0 exposes port 27017 on every interface, so restrict that port with host firewalling to the ABS and replica set nodes, or bind to the node's own address instead.
- Check MongoDB connectivity among the three nodes. On MongoDB node 1, run the following command to check connectivity with node 2:
```shell
mongo --host <mongo node 2 IP address> --port 27017
```
- Navigate to the abs_rs.js file and edit it to configure the IP addresses of the primary and secondary MongoDB nodes:
```javascript
// abs_rs.js: replica set configuration; replace the <Mongo Node N IP> placeholders
rsconf = {
  _id: "absrs01",
  members: [
    { _id: 0, host: "127.0.0.1:27017", priority: 10 },
    { _id: 1, host: "<Mongo Node 2 IP>:27017", priority: 2 },
    { _id: 2, host: "<Mongo Node 3 IP>:27017", priority: 2 }
  ]
};
rs.initiate(rsconf);
rs.conf();
exit
```
Note: Make sure the secondary MongoDB nodes are reachable, and their host names are resolvable from the primary MongoDB node.
- Initiate the configuration by entering the following command in MongoDB node 1's shell:
```shell
mongo --port 27017 < abs_rs.js
```
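Before running rs.initiate(), it helps to check the members listed in abs_rs.js from the node that will run the script. The shell below is an added example, not part of abs_rs.js or the ABS installation; it assumes the members: [...] layout shown above and takes the file path as its argument. Beyond the two checks in the note (resolvable, reachable) it flags a <...> placeholder that was never replaced and a loopback member address: the other members cannot reach node 1 at 127.0.0.1, and MongoDB rejects a configuration that mixes localhost and non-localhost members.

```shell
# Added example (not part of abs_rs.js or the ABS docs): sanity-check the replica set
# members before rs.initiate(). Usage: check_members /path/to/abs_rs.js

# Print one "host port" line per member found in the given abs_rs.js.
rs_members() {
  grep -o 'host:[[:space:]]*"[^"]*"' "$1" \
    | sed 's/.*"\([^"]*\)"/\1/' \
    | awk -F: '{print $1, $2}'
}

# True if the host is a loopback address; other members cannot reach this node there,
# and MongoDB refuses a config that mixes localhost and non-localhost members.
is_loopback() {
  case "$1" in 127.*|localhost|::1) return 0 ;; *) return 1 ;; esac
}

# True if the host resolves (an unreplaced <...> placeholder never does).
resolves() {
  case "$1" in *'<'*) return 1 ;; esac
  getent ahosts "$1" >/dev/null 2>&1 || getent hosts "$1" >/dev/null 2>&1
}

# True if a TCP connection to host:port succeeds within 3 seconds (bash /dev/tcp).
reachable() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Check every member; print a status line per member and return the number of problems.
check_members() {
  local fails=0 total host port
  total=$(rs_members "$1" | wc -l | tr -d ' ')
  while read -r host port; do
    [ -n "$host" ] || continue
    if [ "$total" -gt 1 ] && is_loopback "$host"; then
      echo "LOOPBACK    $host:$port (use the address the other members can reach)"
      fails=$((fails + 1)); continue
    fi
    if ! resolves "$host"; then
      echo "UNRESOLVED  $host"
      fails=$((fails + 1)); continue
    fi
    if reachable "$host" "$port"; then
      echo "OK          $host:$port"
    else
      echo "UNREACHABLE $host:$port"
      fails=$((fails + 1))
    fi
  done <<EOF
$(rs_members "$1")
EOF
  return "$fails"
}
```

A non-zero return from check_members means at least one member would fail the rs.initiate() validation or the first heartbeat; fix the file before piping it into the mongo shell.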
- Verify that all the MongoDB nodes are running. On each MongoDB node, enter the following:
```shell
mongo --port 27017
```
The primary node displays the following prompt:
```text
absrs01:PRIMARY>
```
The secondary nodes display the following prompt:
```text
absrs01:SECONDARY>
```
- Create the user and initialize the database using the abs_init.js file after making the necessary modifications. On the primary node (node 1), enter the following command:
```shell
mongo --host <mongo node 1 IP> --port 27017 < abs_init.js
```
Note: The user name and password should be changed from the default values.
- Generate a MongoDB key file.
```shell
cd /opt/pingidentity/mongo
openssl rand -base64 741 > key/mongodb-keyfile
```
- Change the key file permission.
```shell
chmod 600 key/mongodb-keyfile
```
- Copy the generated key file to each node of the replica set, keeping the same path and the 600 permission (mongod refuses a key file that is readable by group or others).
- Shut down MongoDB using the following command:
```shell
mongod --dbpath ./data --shutdown
```
- Restart all the MongoDB nodes with the key file and enable MongoDB authentication.
```shell
mongod --auth --dbpath ./data/ --logpath ./logs/mongo.log --port 27017 --replSet absrs01 --fork --keyFile ./key/mongodb-keyfile --bind_ip 0.0.0.0
```
Note: --bind_ip is required for MongoDB to accept connections coming from machines other than the local host.
- The MongoDB cache size should be restricted to 25% of system memory. You can configure this by using MongoDB's wiredTigerCacheSizeGB option.
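Without the option, WiredTiger takes the larger of 50% of (RAM minus 1 GB) and 256 MB, which leaves too little for the ABS processes sharing the host. The shell below is an added example, not part of the ABS docs or the MongoDB tooling: it derives the 25% figure from MemTotal in /proc/meminfo and prints the start command with --wiredTigerCacheSizeGB appended. mongod accepts a fractional value here and enforces a floor of 0.25 GB, which the function applies.

```shell
# Added example (not from the ABS docs): compute 25% of system memory for
# --wiredTigerCacheSizeGB and show it in the authenticated replica set start command.

# Read MemTotal (in kB) from /proc/meminfo; prints nothing on hosts without it.
mem_total_kb() {
  awk '/^MemTotal:/ {print $2}' /proc/meminfo 2>/dev/null
}

# Convert a memory size in kB to the cache size in GB: 25%, two decimals,
# clamped to mongod's 0.25 GB minimum.
cache_size_gb() {
  awk -v kb="$1" 'BEGIN {
    gb = kb / 1024 / 1024 * 0.25
    if (gb < 0.25) gb = 0.25
    printf "%.2f", gb
  }'
}

# Print (do not run) the start command from the step above with the cache limit added.
mongod_start_cmd() {
  printf 'mongod --auth --dbpath ./data/ --logpath ./logs/mongo.log --port 27017 --replSet absrs01 --fork --keyFile ./key/mongodb-keyfile --bind_ip 0.0.0.0 --wiredTigerCacheSizeGB %s\n' \
    "$(cache_size_gb "$(mem_total_kb)")"
}
```

The same limit can be set in a mongod configuration file under storage.wiredTiger.engineConfig.cacheSizeGB if the nodes are started from a config file rather than the command line shown in this procedure.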
Starting MongoDB with SSL
- Using a CA-signed certificate: To add a CA-signed certificate, create a new PEM file by concatenating the certificate and its private key. Copy the resulting PEM file to the /opt/pingidentity/mongo/key/ directory created in Step 1.
```shell
cat mongo-node-private-key mongo-node-certificate > /opt/pingidentity/mongo/key/mongodb.pem
```
- Using a self-signed certificate: First generate a self-signed certificate and key. Complete the following steps:
  - Change to the key directory:
  ```shell
  cd /opt/pingidentity/mongo/key
  ```
  - Generate a self-signed certificate and key:
  ```shell
  openssl req -newkey rsa:2048 -new -x509 -days 365 -nodes -out mongodb-cert.crt -keyout mongodb-cert.key
  ```
  - Concatenate the certificate and the key:
  ```shell
  cat mongodb-cert.key mongodb-cert.crt > mongodb.pem
  ```
- Change to the /opt/pingidentity/mongo directory (the paths below are relative to it), shut down MongoDB, and restart it with the --tlsMode flag.
  - Shut down MongoDB:
  ```shell
  cd /opt/pingidentity/mongo
  mongod --dbpath ./data --shutdown
  ```
  - Restart MongoDB with the --tlsMode flag:
  ```shell
  mongod --auth --dbpath ./data/ --logpath ./logs/mongo.log --port 27017 --replSet absrs01 --fork --keyFile ./key/mongodb-keyfile --bind_ip 0.0.0.0 --tlsMode requireTLS --tlsCertificateKeyFile ./key/mongodb.pem
  ```

The --tlsMode flag can take the following three values:
- allowTLS
- preferTLS
- requireTLS

allowTLS and preferTLS still accept unencrypted connections and are intended for rolling a cluster over to TLS; only requireTLS rejects plaintext connections.
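Both certificate paths above end with a concatenated mongodb.pem that --tlsCertificateKeyFile reads. The shell below is an added example, not part of the ABS docs or of MongoDB: it builds that file from a key and certificate path (the order the steps above use, key first), restricts its mode, and checks that it holds exactly one private key and a certificate, that it is readable by its owner only, and, when openssl is installed, that the key matches the certificate's public key.

```shell
# Added example (not from the ABS docs): build the mongodb.pem used by
# --tlsCertificateKeyFile and check it before restarting mongod.
# Usage: build_pem <private-key> <certificate> <output.pem>; check_pem <output.pem>

# Concatenate key then certificate (the order the steps above use) and restrict the mode.
build_pem() {
  local key="$1" cert="$2" out="$3"
  cat "$key" "$cert" > "$out" && chmod 600 "$out"
}

# True if the PEM holds exactly one private key and at least one certificate.
pem_layout_ok() {
  local keys certs
  keys=$(grep -c 'BEGIN .*PRIVATE KEY' "$1" || true)
  certs=$(grep -c 'BEGIN CERTIFICATE' "$1" || true)
  [ "$keys" -eq 1 ] && [ "$certs" -ge 1 ]
}

# True if the PEM is readable and writable by its owner only (mode 600).
pem_mode_ok() {
  find "$1" -perm 600 -print | grep -q .
}

# True if the private key and the certificate's public key match; requires openssl,
# and passes with a warning on stderr when openssl is not installed.
pem_key_matches_cert() {
  local k c
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping key check" >&2; return 0; }
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run all checks; print a verdict per check and return the number of failures.
check_pem() {
  local fails=0 chk
  for chk in pem_layout_ok pem_mode_ok pem_key_matches_cert; do
    if "$chk" "$1"; then echo "PASS $chk"; else echo "FAIL $chk"; fails=$((fails + 1)); fi
  done
  return "$fails"
}
```

A self-signed certificate built this way is only trusted by clients that are told to accept it, so the ABS side must either be given the certificate as its CA or be configured to skip validation; a CA-signed certificate avoids that choice.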