Mongodb and Entrust KeyControl Integration Guide

- Industries
- Solutions
  - Our Expertise
  - Strong Identities
  - Secure Payments
  - Protected Data
- Featured Products
  - As a Service Products
- Enterprise ID & Issuance
  - Instant ID as a Service
    Learn More
  - Instant Issuance
- Financial ID & Issuance
  - Digital Card Solution
    Learn More
  - Digital Banking
    1. Digital Account Opening
    2. Digital Card Solution
  - Instant Issuance
  - Central Issuance
- Government ID & Issuance
  - Digital Citizen
    1. Seamless Travel as a Service
    2. ePassport as a Service
  - Instant Issuance
    1. Other citizen IDs and licenses.
    2. System Software
    3. Supplies
    4. Services
  - Central Issuance
    1. Passports, national IDs and driver licenses.
    2. Passport Issuance Systems
    3. National ID and Driver License Systems
    4. Inline Delivery & Insertion
    5. Standalone Delivery & Insertion
    6. System Software
    7. Supplies
    8. Services
  - Identity Verification as a Service
    Our IDVaaS solution allows remote verification of an individual’s claimed identity for immigration, border management, or digital services delivery.
    Learn More
- Cloud Security Posture Management
  - CloudControl 30-Day Free Trial
    Entrust CloudControl offers comprehensive security and automated compliance across virtualization, public cloud, and container platforms while increasing visibility and decreasing risks that can lead to unintended downtime or security exposure.
    Start Free Trial
- Key Management and Encryption
  - KeyControl for VM Encryption
  - KeyControl 30-Day Free Trial
    VMware vSphere and vSAN encryption require an external key manager, and KeyControl is VMware Ready certified and recommended. KeyControl enables enterprises to easily manage all their encryption keys at scale, including how often keys are rotated, and how they are shared securely.
    Start Free Trial
- Hardware Security Modules (HSM)
  - 1. nShield as a Service
  - nShield HSMs
  - Why you need an HSM
    Learn about all the details related to what hardware security modules offer you in security and cost savings...
    Learn More
- Digital Certificates
  - 1. Buy Certificates
    2. Renew Certificates
  - TLS/SSL Certificates
  - Qualified Certificates
    1. QWAC eIDAS Certificates
    2. QWAC PSD2 Certificates
  - Sales and Services
- Identity and Access Management (IAM)
  - Products
    1. Identity as a Service
      Cloud-Based IAM
    2. Identity Enterprise
      On-prem IAM
    3. Identity Essentials
      On-prem MFA solution for Windows users
    4. APIs and SDKs
  - Get Entrust Identity as a Service Free for 60 Days
    Explore the Identity as a Service platform that gives you access to best-in-class MFA, SSO, adaptive risk-based authentication, and a multitude of advanced features that not only keep users secure, but also contribute to an optimal experience.
    Start Free Trial
- Electronic and Digital Signing
  - Digital Signing as a Service
  - Digital Signing Certificates
  - Digital Signing Infrastructure
  - EU Qualified Trust Services
    In addition to our long-standing Adobe Approved Trust List (AATL) membership, we are a European Qualified Trust Service Provider for the issuance of eIDAS qualified certificates for qualified signatures and advanced seals, for PSD2 certificates and for QWACs
    Learn More
- Public Key Infrastructure (PKI)
  - PKI Products
  - Managed Services
  - Cryptographic Center of Excellence
  - Try Post-Quantum PKI as a Service Now
    Get PQ Ready. PKIaaS PQ provides customers with composite and pure quantum Certificate Authority hierarchies.
    Try Now
- Resources
  - Issuance Systems Knowledge Base
    Learn More
  - Digital Security Knowledge Base
    Learn More
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Partners
  - Partner with Entrust
    Join one or more of our partner programs and we’ll help you increase profitability, expand your brand, and target strategic customers.
    Learn More
  - Partner Directory
    Search for partners based on location, offerings, channel or technology.
    Search for a Partner
  - Programs
  - Partner Logins
- Buy
  - Shop Certificate Services
    Shop for new single certificate purchases.
    Learn More
  - Certificate Services Customer Portal
    Existing Entrust Certificate Services customers can login to issue and manage certificates or buy additional services.
    Learn More
  - Certificate Services Partner Portal
    Existing partners can provision new customers and manage inventory.
    Learn More
  - Instant Financial Card Issuance Supplies
    1. Registered Customer Login
    2. Request Access
- About Entrust
  - Securing a World in Motion Since 1969
    We’ve established secure connections across the planet and even into outer space. We’ve enabled reliable debit and credit card purchases with our card printing and issuance technologies. Protected international travel with our border control solutions. Created secure experiences on the internet with our SSL technologies. And safeguarded networks and devices with our suite of authentication products.
    Explore Our History
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Search Entrust
  - Search:

Introduction

This document describes the integration of MongoDB with the Entrust KeyControl Key Management Solution (KMS). Entrust KeyControl can serve as a KMS in MongoDB using the open standard Key Management Interoperability Protocol (KMIP).

Documents to read first

This guide describes how to configure the Entrust KeyControl server as a KMS in MondoDB.

To install and configure the Entrust KeyControl server as a KMIP server, see the Entrust KeyControl nshield HSM Integration Guide . You can access this in the Entrust Document Library.

Also refer to the MongoDB online documentation .

Requirements

Entrust KeyControl version 5.4 or later

An Entrust KeyControl license is required for the installation. You can obtain this license from your Entrust KeyControl and IBM DB2 account team or through Entrust KeyControl customer support.
MongoDB Enterprise Edition 5.0.0 or later

High-availability considerations

Entrust KeyControl uses an active-active deployment, which provides high-availability capability to manage encryption keys. Entrust recommends this deployment configuration. In an active-active cluster, changes made to any KeyControl node in the cluster are automatically reflected on all nodes in the cluster. For information about Entrust KeyControl, see the HyTrust KeyControl Product Overview .

Product configuration

The integration between the MongoDB Enterprise Edition, Entrust KeyControl, and nShield HSM has been successfully tested in the following configurations:

Product	Version
MongoDB Enterprise Edition	5.0.0
Entrust KeyControl	5.4
nShield client software	12.60.11
nShield Connect XC	12.50.11 image version 12.60.10

Procedures

Installation overview

Install MongoDB Enterprise Edition.
Install the Entrust KeyControl server.
Configure the KeyControl Server.
Configure the nShield HSM in the KeyControl Server.
Configure the KeyControl Server as a KMIP server.
Generate a KMIP certificate for each controller/cluster.
Extract the signing certificates from the KeyControl server.
Configure MongoDB Server Security options to use KMIP
Verify that the encryption is working and that MongoDB is using KeyControl to manage the keys.

Install the MongoDB Enterprise Edition

Installing the MongoDB depends on the operating system on which you are installing it. See the MongoDB documentation for details on how to install MongoDB in your environment. The steps below were used to install and configure MongoDB on an Ubuntu 20 Linux server. sudo privileges are required to run the commands below.

Open a terminal window if you do not already have one open.
Run apt-get upgrade to fetch and install the newest versions of all Linux packages that are currently on the system.
```
% sudo apt-get upgrade
```

Import the public key used by the package management system.

% wget -qO - https://www.mongodb.org/static/pgp/server-5.0.asc | sudo apt-key add -

OK

Create a /etc/apt/sources.list.d/mongodb-enterprise.list file for MongoDB

% echo "deb [ arch=amd64,arm64 ] http://repo.mongodb.com/apt/ubuntu focal/mongodb-enterprise/5.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-enterprise.list


deb [ arch=amd64,arm64 ] http://repo.mongodb.com/apt/ubuntu focal/mongodb-enterprise/5.0 multiverse

Run apt-get update to reload local package database.

% sudo apt-get update

Hit:1 http://security.ubuntu.com/ubuntu focal-security InRelease
Hit:2 http://us.archive.ubuntu.com/ubuntu focal InRelease
Hit:3 http://us.archive.ubuntu.com/ubuntu focal-updates InRelease
Ign:4 http://repo.mongodb.com/apt/ubuntu focal/mongodb-enterprise/5.0 InRelease
Hit:5 http://us.archive.ubuntu.com/ubuntu focal-backports InRelease
Get:6 http://repo.mongodb.com/apt/ubuntu focal/mongodb-enterprise/5.0 Release [5,384 B]
Get:7 http://repo.mongodb.com/apt/ubuntu focal/mongodb-enterprise/5.0 Release.gpg [801 B]
Get:8 http://repo.mongodb.com/apt/ubuntu focal/mongodb-enterprise/5.0/multiverse arm64 Packages [4,076 B]
Get:9 http://repo.mongodb.com/apt/ubuntu focal/mongodb-enterprise/5.0/multiverse amd64 Packages [4,337 B]
Fetched 14.6 kB in 1s (16.2 kB/s)
Reading package lists... Done

Install the MongoDB Enterprise packages.

% sudo apt-get install -y mongodb-enterprise

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libfprint-2-tod1 libllvm10
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  mongodb-database-tools mongodb-enterprise-cryptd mongodb-enterprise-database mongodb-enterprise-database-tools-extra mongodb-enterprise-mongos
  mongodb-enterprise-server mongodb-enterprise-shell mongodb-enterprise-tools mongodb-mongosh snmp
The following NEW packages will be installed:
  mongodb-database-tools mongodb-enterprise mongodb-enterprise-cryptd mongodb-enterprise-database mongodb-enterprise-database-tools-extra mongodb-enterprise-mongos
  mongodb-enterprise-server mongodb-enterprise-shell mongodb-enterprise-tools mongodb-mongosh snmp
0 upgraded, 11 newly installed, 0 to remove and 3 not upgraded.
Need to get 192 MB of archives.
After this operation, 627 MB of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 snmp amd64 5.8+dfsg-2ubuntu2.3 [168 kB]
Get:2 http://repo.mongodb.com/apt/ubuntu focal/mongodb-enterprise/5.0/multiverse amd64 mongodb-database-tools amd64 100.4.0 [46.4 MB]
Get:3 http://repo.mongodb.com/apt/ubuntu focal/mongodb-enterprise/5.0/multiverse amd64 mongodb-enterprise-shell amd64 5.0.0 [17.4 MB]
Get:4 http://repo.mongodb.com/apt/ubuntu focal/mongodb-enterprise/5.0/multiverse amd64 mongodb-enterprise-server amd64 5.0.0 [26.5 MB]
Get:5 http://repo.mongodb.com/apt/ubuntu focal/mongodb-enterprise/5.0/multiverse amd64 mongodb-enterprise-mongos amd64 5.0.0 [18.5 MB]
Get:6 http://repo.mongodb.com/apt/ubuntu focal/mongodb-enterprise/5.0/multiverse amd64 mongodb-enterprise-database-tools-extra amd64 5.0.0 [26.9 MB]
Get:7 http://repo.mongodb.com/apt/ubuntu focal/mongodb-enterprise/5.0/multiverse amd64 mongodb-enterprise-cryptd amd64 5.0.0 [16.8 MB]
Get:8 http://repo.mongodb.com/apt/ubuntu focal/mongodb-enterprise/5.0/multiverse amd64 mongodb-enterprise-database amd64 5.0.0 [3,556 B]
Get:9 http://repo.mongodb.com/apt/ubuntu focal/mongodb-enterprise/5.0/multiverse amd64 mongodb-enterprise-tools amd64 5.0.0 [2,904 B]
Get:10 http://repo.mongodb.com/apt/ubuntu focal/mongodb-enterprise/5.0/multiverse amd64 mongodb-mongosh amd64 1.0.0 [38.9 MB]
Get:11 http://repo.mongodb.com/apt/ubuntu focal/mongodb-enterprise/5.0/multiverse amd64 mongodb-enterprise amd64 5.0.0 [2,948 B]
Fetched 192 MB in 18s (10.7 MB/s)
Selecting previously unselected package mongodb-database-tools.
(Reading database ... 191803 files and directories currently installed.)
Preparing to unpack .../00-mongodb-database-tools_100.4.0_amd64.deb ...
Unpacking mongodb-database-tools (100.4.0) ...
Selecting previously unselected package mongodb-enterprise-shell.
Preparing to unpack .../01-mongodb-enterprise-shell_5.0.0_amd64.deb ...
Unpacking mongodb-enterprise-shell (5.0.0) ...
Selecting previously unselected package snmp.
Preparing to unpack .../02-snmp_5.8+dfsg-2ubuntu2.3_amd64.deb ...
Unpacking snmp (5.8+dfsg-2ubuntu2.3) ...
Selecting previously unselected package mongodb-enterprise-server.
Preparing to unpack .../03-mongodb-enterprise-server_5.0.0_amd64.deb ...
Unpacking mongodb-enterprise-server (5.0.0) ...
Selecting previously unselected package mongodb-enterprise-mongos.
Preparing to unpack .../04-mongodb-enterprise-mongos_5.0.0_amd64.deb ...
Unpacking mongodb-enterprise-mongos (5.0.0) ...
Selecting previously unselected package mongodb-enterprise-database-tools-extra.
Preparing to unpack .../05-mongodb-enterprise-database-tools-extra_5.0.0_amd64.deb ...
Unpacking mongodb-enterprise-database-tools-extra (5.0.0) ...
Selecting previously unselected package mongodb-enterprise-cryptd.
Preparing to unpack .../06-mongodb-enterprise-cryptd_5.0.0_amd64.deb ...
Unpacking mongodb-enterprise-cryptd (5.0.0) ...
Selecting previously unselected package mongodb-enterprise-database.
Preparing to unpack .../07-mongodb-enterprise-database_5.0.0_amd64.deb ...
Unpacking mongodb-enterprise-database (5.0.0) ...
Selecting previously unselected package mongodb-enterprise-tools.
Preparing to unpack .../08-mongodb-enterprise-tools_5.0.0_amd64.deb ...
Unpacking mongodb-enterprise-tools (5.0.0) ...
Selecting previously unselected package mongodb-mongosh.
Preparing to unpack .../09-mongodb-mongosh_1.0.0_amd64.deb ...
Unpacking mongodb-mongosh (1.0.0) ...
Selecting previously unselected package mongodb-enterprise.
Preparing to unpack .../10-mongodb-enterprise_5.0.0_amd64.deb ...
Unpacking mongodb-enterprise (5.0.0) ...
Setting up mongodb-mongosh (1.0.0) ...
Setting up mongodb-enterprise-shell (5.0.0) ...
Setting up snmp (5.8+dfsg-2ubuntu2.3) ...
Setting up mongodb-enterprise-mongos (5.0.0) ...
Setting up mongodb-enterprise-database-tools-extra (5.0.0) ...
Setting up mongodb-enterprise-cryptd (5.0.0) ...
Setting up mongodb-database-tools (100.4.0) ...
Setting up mongodb-enterprise-server (5.0.0) ...
Adding system user `mongodb' (UID 127) ...
Adding new user `mongodb' (UID 127) with group `nogroup' ...
Not creating home directory `/home/mongodb'.
Adding group `mongodb' (GID 133) ...
Done.
Adding user `mongodb' to group `mongodb' ...
Adding user mongodb to group mongodb
Done.
Setting up mongodb-enterprise-tools (5.0.0) ...
Setting up mongodb-enterprise-database (5.0.0) ...
Setting up mongodb-enterprise (5.0.0) ...
Processing triggers for man-db (2.9.1-1) ...

By default, MongoDB instance stores:
1. data files in /var/lib/mongodb
2. log files in /var/log/mongodb
MongoDB runs using the mongodb user account.

Validate the MongoDB installation

Start MongoDB.
```
% sudo systemctl start mongod
```

Verify that MongoDB has started successfully.

% sudo systemctl status mongod

mongod.service - MongoDB Database Server
     Loaded: loaded (/lib/systemd/system/mongod.service; disabled; vendor preset: enabled)
     Active: active (running) since Mon 2021-07-19 16:27:45 EDT; 46s ago
       Docs: https://docs.mongodb.org/manual
   Main PID: 2947 (mongod)
     Memory: 62.8M
     CGroup: /system.slice/mongod.service
             └─2947 /usr/bin/mongod --config /etc/mongod.conf

Jul 19 16:27:45 mongodb-ubuntu-20 systemd[1]: Started MongoDB Database Server.

Stop MongoDB.
```
% sudo systemctl stop mongod
```
Restart MongoDB.
```
% sudo systemctl restart mongod
```
View the log file used by MongoDB at /var/log/mongodb/mongod.log .

You can follow the state of the process for errors or important messages by watching the output in the /var/log/mongodb/mongod.log file.

Begin using MongoDB.

Start a mongosh session on the host machine where mongod is running. You can run mongosh without any command-line options to connect to a mongod that is running on your localhost with default port 27017 :

% mongosh

Current Mongosh Log ID: 60f5e17a21539927be5d0f9d
Connecting to:          mongodb://127.0.0.1:27017/?directConnection=true&serverSelectionTimeoutMS=2000
Using MongoDB:          5.0.0
Using Mongosh:          1.0.0

See: https://docs.mongodb.com/mongodb-shell/.


To help improve our products, anonymous usage data is collected and sent to MongoDB periodically (https://www.mongodb.com/legal/privacy-policy).
You can opt-out by running the disableTelemetry() command.

------
   The server generated these startup warnings when booting:
   2021-07-19T16:27:45.890-04:00: Using the XFS file system is strongly recommended with the WiredTiger storage engine. See http://dochub.mongodb.org/core/prodnotes-filesystem
   2021-07-19T16:27:46.427-04:00: Access control is not enabled for the database. Read and write access to data and configuration is unrestricted
------

Enterprise test>

Create a test database;

% Enterprise test> use mydb1;

switched to db mydb1

% Enterprise mydb1> db

mydb1

Insert an entry into the database.

% Enterprise mydb1> db.movie.insertOne({"name":"tutorials point"})

{
  acknowledged: true,
  insertedId: ObjectId("60f73d77d932673cb91de215")
}

List the databases.

> Enterprise mydb1> show dbs

admin     41 kB
config  73.7 kB
local     41 kB
mydb1     41 kB

Drop the test database.

% Enterprise mydb1> db.dropDatabase()

{ ok: 1, dropped: 'mydb1' }

If you were able to create the database and perform the commands above, the installation is validated.

Install and configure Entrust KeyControl

Follow the installation and setup instructions in the Entrust KeyControl nshield HSM Integration Guide . You can access this in the Entrust Document Library.

Make sure the Entrust KeyControl tenant gets created and KMIP certificates are generated for MongoDB. These certificates are used in the configuration of the KMS described below.

Configure MongoDB Server Security options to use KMIP

Add Key Management Security Options to /etc/mongod.conf . The MongoDB configuration file contains a security section. In this section the server name, certificate details, KMIP port number and encryption cipher information must be updated to use KeyControl as a key management service.

Copy the certificate files to a location on the server that they can be used by mongodb.

The assumption is that these files are located in your home directory.

% sudo mkdir -p /opt/mongodb/security
% sudo cp ~/MONGODB.pem /opt/mongodb/security
% sudo cp ~/cacert.pem /opt/mongodb/security
% sudo chmod 644 /opt/mongodb/security/*

Open the /etc/mongod.conf file and add the key management configuration options described below:
```
security:
  enableEncryption: true
  encryptionCipherMode: AES256-GCM
  kmip:
    serverName: keycontrol54-1.interop.com,keycontrol54-2.interop.com
    port: 5696
    clientCertificateFile: /opt/mongodb/security/MONGODB.pem
    serverCAFile: /opt/mongodb/security/cacert.pem
```
enableEncryption

Sets the flag to enable encryption to the database.

encryptionCipherMode

Sets the cipher used. If you are using Linux, select either AES256-GCM or AES256-CBC. For other OSs, only AES256-CBC is available.

serverName

Hostname of KeyControl operating as the KMS KMIP server. This hostname must match the hostname used in the /etc/hosts file and cannot be an IP address. The hostname must also contain the subdomain. You can specify multiple KMIP servers as a comma-separated list: server1.example.com,server2.example.com . On startup, the mongod will attempt to establish a connection to each server in the order listed, and will select the first server to which it can successfully establish a connection. KMIP server selection occurs only at startup.

port

Contains the KMIP port number. Port 5696 is the default port assignment for KMIP communication and is the KMIP port used by KeyControl.

clientCertificateFile

Contains the directory/file location of the client certificate used for authenticating MongoDB to the KMIP server.

serverCAFile

Contains the directory/file location of the KeyControl root CA certificate.

Add information to the /etc/hosts file

When you added the security section to the mongod.conf file, add the KeyControl hostname.domainname to the /etc/hosts file to resolve the IP address of the KMIP server to the hostname. The hostname must match the hostname used in the mongod.conf and cannot be an IP address. The hostname must also contain the subdomain.

Test configuration

Once you have finished configuring the mongod.conf and hosts files, start MongoDB. When started, MongoDB will attempt to retrieve an encryption key stored on KeyControl. If MongoDB does not find a key, it creates one and stores it in KeyControl.

% sudo systemctl restart mongod
% sudo systemctl status mongod

mongod.service - MongoDB Database Server
     Loaded: loaded (/lib/systemd/system/mongod.service; disabled; vendor preset: enabled)
     Active: active (running) since Wed 2021-07-21 10:35:24 EDT; 5s ago
       Docs: https://docs.mongodb.org/manual
   Main PID: 15251 (mongod)
     Memory: 60.7M
     CGroup: /system.slice/mongod.service
             └─15251 /usr/bin/mongod --config /etc/mongod.conf

If you try enable encryption on an existing instance of MongoDB and data already exists in the MongoDB data directory /var/lib/mongodb , you will get an error when you start the mongod service. You can only have encryption enabled in a blank data directory. See Enable encryption on an existing MongoDB instance for instructions on how to get around the issue.

To confirm that the master key was successfully created, log in to KeyControl and look at KMIP Configuration Settings > Objects .

You should see the master key that you have just created.

Verify that the encryption is working and that MongoDB is using KeyControl to manage the keys

Here are some scenarios that have been tested to validate encryption was working and that KeyControl was being used by MongoDB.

Test access only when KeyControl is available

Stop the network services on the MongoDB server and try to restart the mongod service.

The mongod service will not start because it can’t connect to one of the KeyControl servers.

% sudo systemctl restart mongod
% sudo systemctl status mongod

mongod.service - MongoDB Database Server
     Loaded: loaded (/lib/systemd/system/mongod.service; disabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Wed 2021-07-21 11:28:36 EDT; 1min 42s ago
       Docs: https://docs.mongodb.org/manual
    Process: 16120 ExecStart=/usr/bin/mongod --config /etc/mongod.conf (code=exited, status=14)
   Main PID: 16120 (code=exited, status=14)

Jul 21 11:28:35 mongodb-ubuntu-20 systemd[1]: Started MongoDB Database Server.
Jul 21 11:28:36 mongodb-ubuntu-20 systemd[1]: mongod.service: Main process exited, code=exited, status=14/n/a
Jul 21 11:28:36 mongodb-ubuntu-20 systemd[1]: mongod.service: Failed with result 'exit-code'.

Restart the network services and try again and you will see that mongod starts successfully.

mongod.service - MongoDB Database Server
     Loaded: loaded (/lib/systemd/system/mongod.service; disabled; vendor preset: enabled)
     Active: active (running) since Wed 2021-07-21 11:32:49 EDT; 8s ago
       Docs: https://docs.mongodb.org/manual
   Main PID: 16297 (mongod)
     Memory: 165.0M
     CGroup: /system.slice/mongod.service
             └─16297 /usr/bin/mongod --config /etc/mongod.conf

Jul 21 11:32:49 mongodb-ubuntu-20 systemd[1]: Started MongoDB Database Server.

When MongoDB is encrypted, it is only accessible when KeyControl is available and master key is found.

Validate access only when a KeyControl node in the cluster is not available

Bring down one of the KeyControl nodes and check that you can access MongoDB.

Attempt to start up mongod when one of the KeyControl nodes in the cluster is down.

% sudo systemctl restart mongod
% sudo systemctl status mongod

mongod.service - MongoDB Database Server
     Loaded: loaded (/lib/systemd/system/mongod.service; disabled; vendor preset: enabled)
     Active: active (running) since Wed 2021-07-21 11:57:47 EDT; 10s ago
       Docs: https://docs.mongodb.org/manual
   Main PID: 16922 (mongod)
     Memory: 166.9M
     CGroup: /system.slice/mongod.service
             └─16922 /usr/bin/mongod --config /etc/mongod.conf

When one of its nodes is down, the KeyControl cluster goes out of Healthy status. New keys can only be created when the cluster is in Healthy status. Therefore, rotating keys should not be attempted when one of the nodes in the cluster is down.

Rotate the master key in KeyControl with MongoDB

You can rotate the master key, the only externally managed key. With the new master key, the internal keystore will be re-encrypted but the database keys will be otherwise left unchanged. This obviates the need to re-encrypt the entire data set.

Add the following to /etc/mongod.conf under the kmip settings:
```
  kmip:
    rotateMasterKey: true
```
Restart the mongod service:
```
% sudo systemctl restart mongod
```

When the master key has been rotated and the database keystore has been re-encrypted, mongod exits and restarts with the new key. This is visible when you check the status of mongod .

% sudo systemctl status mongod

mongod.service - MongoDB Database Server
     Loaded: loaded (/lib/systemd/system/mongod.service; disabled; vendor preset: enabled)
     Active: inactive (dead)
       Docs: https://docs.mongodb.org/manual

Jul 21 11:32:49 mongodb-ubuntu-20 systemd[1]: Started MongoDB Database Server.
Jul 21 11:57:47 mongodb-ubuntu-20 systemd[1]: Stopping MongoDB Database Server...
Jul 21 11:57:47 mongodb-ubuntu-20 systemd[1]: mongod.service: Succeeded.
Jul 21 11:57:47 mongodb-ubuntu-20 systemd[1]: Stopped MongoDB Database Server.
Jul 21 11:57:47 mongodb-ubuntu-20 systemd[1]: Started MongoDB Database Server.
Jul 21 12:07:53 mongodb-ubuntu-20 systemd[1]: Stopping MongoDB Database Server...
Jul 21 12:07:53 mongodb-ubuntu-20 systemd[1]: mongod.service: Succeeded.
Jul 21 12:07:53 mongodb-ubuntu-20 systemd[1]: Stopped MongoDB Database Server.
Jul 21 12:07:53 mongodb-ubuntu-20 systemd[1]: Started MongoDB Database Server.
Jul 21 12:07:56 mongodb-ubuntu-20 systemd[1]: mongod.service: Succeeded.

Remove the kmip rotateMasterKey setting from the /etc/mongod.conf file by commenting it out.
```
  kmip:
#    rotateMasterKey: true
```
When the key is rotated, check on KeyControl if the master key is rotated.

To confirm that the new master key was successfully created, log in to KeyControl, look at the Objects tab under KMIP Configuration Settings as shown below.

You will find a new key created in KeyControl. You should also be able to see the creation of the key in the KeyControl Audit Logs.

Configure the nShield HSM in the KeyControl Server and test if the HSM is used

If for some reason you have not yet configured a HSM to be used with KeyControl, it has to be configured now.

Initialize the HSM on KeyControl

Log in to the KeyControl web user interface using an account with Security Admin privileges.
In the top menu bar, select Settings > HSM Server Settings .
In Actions , select nCipher nShield Connect HSM .
In nCipher Clients , select Copy IP address and key hashes to clipboard .
Paste the contents of the clipboard into a file. Your HSM administrator will need the IP address and hash pairs to add the KeyControl nodes as an HSM clients.

The following is an example data file for a 2-node KeyControl cluster:
```
10.194.148.159, 4dc3acd8763a80ceac412d1c4aadb382e41ab073
10.194.148.161, 4dba62cbbbe2f5a21f121e7132558db8aa592596
```

Add the KeyControl node(s) to the HSM

Send the IP address and hash pair for each KeyControl node in the cluster to the HSM administrator. The HSM administrator adds each KeyControl node as a client to the HSM and sends back the following information:

A zipped file that contains the nShield Security World and HSM module files.
The FQDN of the HSM.
The IP address of the HSM.
The Electronic Serial Number (ESN) and the key hash of the HSM. This can be obtained by running the following command on the nShield RFS server:
```
% anonkneti <HSM IP address>
```
The network port number that the HSM uses.

Set up the nShield HSM Server

After you have copied the IP address and key hashes, and added the KeyControl nodes as clients to the HSM, select OK in the nCipher Clients dialog.
In the nShield HSM Server Setup dialog, select Continue .
In the Enrollment step of the configuration:
1. Enter the server FQDN of the HSM in the Server Name field.
2. Enter the IP address of the HSM in the Server IP field.
3. Enter the ESN of the HSM in the ESN field.
4. Enter the port in the Port field if it is different from 9004 .
5. Enter the key hash of the HSM in the Key Hash field.
Select Enroll and Continue .
In the Security World step of the configuration, select Browse , then browse to the zipped file that you received from the HSM administrator.
Select Upload and Continue .
In the Create Softcard step:
1. Enter a unique name in the Softcard Label field. This value is user-defined.
2. Enter a password in the Softcard Password field. This value is user-defined.
Select Complete Setup .
The nShield Connect HSM is now configured to work with Entrust KeyControl.

Enable KMIP service and KMIP key wrapping

In the top menu bar, select KMIP > Basic .
1. In the KMIP Key Wrapping field, select System HSM (nShield Connect HSM: xxx.xxx.xxx.xxx) .
2. In the HSM Root Key Label field, enter a unique name for the HSM Root Key.
3. In the KEK Cache Timeout field, enter how long you want KeyControl to cache the HSM-derived Key Encryption Keys (KEKs). The maximum length is 24 hours. During integration, it was set to 0 so no cache is used and KeyControl has to use the HSM every time.
Select Apply .

Test the HSM usage

Restart the mongod service (It should restart without any issues).

% sudo systemctl restart mongod
% sudo systemctl status mongod

mongod.service - MongoDB Database Server
     Loaded: loaded (/lib/systemd/system/mongod.service; disabled; vendor preset: enabled)
     Active: active (running) since Wed 2021-07-21 12:30:59 EDT; 2s ago
       Docs: https://docs.mongodb.org/manual
   Main PID: 17090 (mongod)
     Memory: 164.8M
     CGroup: /system.slice/mongod.service
             └─17090 /usr/bin/mongod --config /etc/mongod.conf

Jul 21 12:30:59 mongodb-ubuntu-20 systemd[1]: Started MongoDB Database Server.

Disable the HSM in KeyControl
1. Go to HSM Server Settings , under Setting in the top bar.
2. Change the nCipher State to DISABLED and select Apply .

Go back to the MongoDB server and restart mongod .

This time it should fail as the HSM state in KeyControl is disabled. This means KeyControl will not be able to get to the keys stored in the HSM.

% sudo systemctl restart mongod
% sudo systemctl status mongod

mongod.service - MongoDB Database Server
     Loaded: loaded (/lib/systemd/system/mongod.service; disabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Wed 2021-07-21 12:34:25 EDT; 2s ago
       Docs: https://docs.mongodb.org/manual
    Process: 17190 ExecStart=/usr/bin/mongod --config /etc/mongod.conf (code=exited, status=14)
   Main PID: 17190 (code=exited, status=14)

Jul 21 12:34:23 mongodb-ubuntu-20 systemd[1]: Started MongoDB Database Server.
Jul 21 12:34:25 mongodb-ubuntu-20 systemd[1]: mongod.service: Main process exited, code=exited, status=14/n/a
Jul 21 12:34:25 mongodb-ubuntu-20 systemd[1]: mongod.service: Failed with result 'exit-code'.

Re-enable the HSM in KeyControl
1. Go to HSM Server Settings , under Setting in the top bar.
2. Change the nCipher State to ENABLED and select Apply .

Go back to the MongoDB server and restart mongod .

This time it should work as the HSM state in KeyControl is enabled.

% sudo systemctl restart mongod
% sudo systemctl status mongod

mongod.service - MongoDB Database Server
     Loaded: loaded (/lib/systemd/system/mongod.service; disabled; vendor preset: enabled)
     Active: active (running) since Wed 2021-07-21 12:37:10 EDT; 2s ago
       Docs: https://docs.mongodb.org/manual
   Main PID: 17205 (mongod)
     Memory: 164.8M
     CGroup: /system.slice/mongod.service
             └─17205 /usr/bin/mongod --config /etc/mongod.conf

Jul 21 12:37:10 mongodb-ubuntu-20 systemd[1]: Started MongoDB Database Server.

Enable encryption on an existing MongoDB instance

If you try enable encryption on an existing instance of MongoDB and data already exists in the MongoDB data directory /var/lib/mongodb, you should get an error like this when you start the mongod service:

mongod.service - MongoDB Database Server
     Loaded: loaded (/lib/systemd/system/mongod.service; disabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Wed 2021-07-21 10:30:49 EDT; 1s ago
       Docs: https://docs.mongodb.org/manual
    Process: 15206 ExecStart=/usr/bin/mongod --config /etc/mongod.conf (code=exited, status=14)
   Main PID: 15206 (code=exited, status=14)

Jul 21 10:30:48 mongodb-ubuntu-20 systemd[1]: Started MongoDB Database Server.
Jul 21 10:30:49 mongodb-ubuntu-20 systemd[1]: mongod.service: Main process exited, code=exited, status=14/n/a
Jul 21 10:30:49 mongodb-ubuntu-20 systemd[1]: mongod.service: Failed with result 'exit-code'.

When you look in /var/log/mongodb/mongod.log for what may be causing the failure, you should see errors like this:

{"t":{"$date":"2021-07-21T10:31:57.183-04:00"},"s":"E",  "c":"STORAGE",  "id":24248,   "ctx":"initandlisten","msg":"Unable to retrieve key","attr":{"keyId":".system","error":{"code":2,"codeName":"BadValue","errmsg":"There are existing data files, but no valid keystore could be located."}}}

The error clearly states that the data files are present in the db path without any key store. This translates to how it works with mongodb - you can only have encryption enabled in a blank data directory. You can achieve this by taking the backup, stopping the mongod instance, clearing the data directory, restarting by enabling encryption and then restore from backup.

Comment out the security section in /etc/mongod.conf .

If you already added the security section to /etc/mongod.conf , comment it out.

#security:
#  enableEncryption: true
#  encryptionCipherMode: AES256-GCM
#  kmip:
#    serverName: htkeycontrol54-1.interop.com,htkeycontrol54-2.interop.com
#    port: 5696
#    clientCertificateFile: /opt/mongodb/security/MONGODB.pem
#    serverCAFile: /opt/mongodb/security/cacert.pem

Restart the mongod service.

% sudo systemctl start mongod
% sudo systemctl status mongod

mongod.service - MongoDB Database Server
     Loaded: loaded (/lib/systemd/system/mongod.service; disabled; vendor preset: enabled)
     Active: active (running) since Wed 2021-07-21 13:58:34 EDT; 2s ago
       Docs: https://docs.mongodb.org/manual
   Main PID: 17392 (mongod)
     Memory: 158.6M
     CGroup: /system.slice/mongod.service
             └─17392 /usr/bin/mongod --config /etc/mongod.conf

Make a backup of the data.

% sudo mkdir -p /data/backup
% sudo mongodump --out=/data/backup

2021-07-21T14:22:13.433-0400    writing admin.system.version to /data/backup/admin/system.version.bson
2021-07-21T14:22:13.434-0400    done dumping admin.system.version (1 document)
2021-07-21T14:22:13.435-0400    writing mydb1.movie to /data/backup/mydb1/movie.bson
2021-07-21T14:22:13.435-0400    done dumping mydb1.movie (1 document)

Put the security section back in /etc/mongod.conf .

security:
  enableEncryption: true
  encryptionCipherMode: AES256-GCM
  kmip:
    serverName: htkeycontrol54-1.interop.com,htkeycontrol54-2.interop.com
    port: 5696
    clientCertificateFile: /opt/mongodb/security/MONGODB.pem
    serverCAFile: /opt/mongodb/security/cacert.pem

Clean up the data directory /var/lib/mongodb and remove all files and directories.
```
% cd /var/lib
% cp -rp mongodb mongodb.backup
% rm -rf mongodb/*
```