Monday, August 3, 2015

Sitecore 8 and MongoDB connectivity - firewall rules and connection strings

Overview


Now that MongoDB is integral to Sitecore deployments, it's important to plan for how Sitecore will connect to it. During your deployment, you'll have to account for security features, from firewall rules to authentication. This will require a basic understanding of what Sitecore needs to know to reach your MongoDB instance.

Considerations


MongoDB is an enterprise platform, and it offers a lot of features. The features leveraged by your instance will dictate how you configure Sitecore to talk to it. While many of the features of MongoDB are outside the scope of this discussion, the ones we will focus on right now include the use of replica sets, authentication mechanisms such as MONGODB-CR or Kerberos, and security concerns like SSL or firewall rules.

Firewall Rules


This isn't a MongoDB configuration issue per se, but it is something you probably need to account for, depending on your network infrastructure and server hardening guidelines. At the simplest, MongoDB will be listening on port 27017 by default, and you'll need to make sure any firewall on the MongoDB server allows traffic to that port.

In addition, if you have your Sitecore servers isolated from the MongoDB server, the firewall between them will need to allow that traffic to flow through.

Connection Strings


If you haven't done so yet, check out the MongoDB documentation on connection strings. We're going to run through some common scenarios, but you can find out more about these options by checking that page.

Let's start by looking at your ConnectionStrings.config file, located in your Sitecore\App_Config folder. By default, your MongoDB connection string will look like this:



In production, you will probably host MongoDB on a different server than Sitecore. Whether that is an on-premise installation or a cloud-based one, you'll need to tell Sitecore about it using a more specific hostname. For this example, our MongoDB instance is located on MongoData1.MyDomain.com.


You can see just how easy it was to change the hostname. While the options you are going to use here are different than what you might use for something like a SQL Server connection string, the way you pass these options will be very similar.

For brevity's sake, I'll only show one connection string from here on out and let you extrapolate how you'd update the others.

SSL

Adding support for SSL is pretty straightforward. You will need to pass the "ssl" option to the MongoDB driver.




You can see here that passing options to the MongoDB driver looks a lot like a query string. You'll use a "?" symbol to denote you are passing an option. We'll talk more about passing additional options in a moment.

Replica Sets

Now, what if your MongoDB instance was using a replica set? You need to specify the name of the replica set whenever you connect.

You'll also want to update your connection string so that if one of the hosts goes down, Sitecore, by way of the MongoDB driver, is able to talk to other members of the replica set. Note that you could send all of your traffic to one server, but then you'd lose the failover redundancy that probably influenced your decision to use a replica set to begin with.

For this example, our MongoDB instance is on a replica set named "rsSitecore". It is comprised of a primary, MongoData1.MyDomain.com, a secondary, MongoData2.MyDomain.com, and an arbiter, MongoArbiter.MyDomain.com.




You can see that we are now passing the "replicaSet" option to identify the name of our replica set. This is a required option.

Optionally, we've chosen to use a comma-delimited list of hostnames. You have probably noticed that we only supplied the list of data members. This was on purpose. You will not include the name of the arbiter member.

MongoDB-CR Authentication

Now let's see what happens if you turn on authentication for MongoDB. You've configured MongoDB to use it and have picked a username and password for Sitecore to use.

For this example, we're using the default authentication for MongoDB (MONGODB-CR is the default for MongoDB 2.6.10). We also have picked a username of "SCUser" and a password of "mongo!!".



Here you can see we're passing the username and password, using a ":" as the delimiter between them. You should also notice the use of a "@", which separates the username/password combo from the hostname.

A quick note about authentication here. By default, if you have not specified otherwise, when the MongoDB driver sees this connection string, it's going to assume that the user you have specified exists in the database you are trying to connect to. It is possible to have your user defined in a different database than the one you are connecting to, but that would require using the "authSource" option.

Kerberos Authentication


For Kerberos, please see my previous post, which will show an example connection string. The most important thing to remember here is that the "@" symbol is used to separate the username/password combo from the hostname. However, with Kerberos, your username will contain the "@" symbol. This is solved by escaping the "@" in the Kerberos principal name.


Additional Options

When you want to add an additional key-value pair to your connection string, you won't be able to use the "&" symbol directly. Since your config file is XML, the "&" is a reserved character. You'll need to escape it.

Here's an example with a replica set named "rsSitecore" that requires SSL:
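As an added example that is not from the original post, this Python sketch composes such a connection string and applies both escaping layers discussed above: percent-encoding inside the credentials (the Kerberos "@" case) and XML escaping of "&" for the config file. The function names, the "analytics" entry name and the Kerberos principal are assumptions; `authMechanism=GSSAPI` is a standard MongoDB URI option that this page does not show.

```python
from urllib.parse import quote
from xml.sax.saxutils import quoteattr


def mongo_uri(hosts, database, username=None, password=None, options=None):
    """Build a mongodb:// URI (hypothetical helper, not Sitecore or driver code)."""
    userinfo = ""
    if username is not None:
        # Layer 1: percent-encode the credentials so a literal "@" or ":" in
        # them cannot be mistaken for the URI's own delimiters.
        userinfo = quote(username, safe="")
        if password is not None:
            userinfo += ":" + quote(password, safe="")
        userinfo += "@"
    # List only the data-bearing members; the arbiter is left out.
    uri = "mongodb://" + userinfo + ",".join(hosts) + "/" + database
    if options:
        pairs = [f"{key}={quote(str(value), safe='')}" for key, value in options.items()]
        uri += "?" + "&".join(pairs)
    return uri


def config_entry(name, uri):
    """Render an <add> element for ConnectionStrings.config."""
    # Layer 2: the URI sits in an XML attribute, so "&" must become "&amp;".
    return f"<add name={quoteattr(name)} connectionString={quoteattr(uri)} />"


if __name__ == "__main__":
    # Replica set "rsSitecore" with SSL and the page's sample credentials.
    rs_uri = mongo_uri(
        ["MongoData1.MyDomain.com", "MongoData2.MyDomain.com"],
        "analytics",  # assumed entry/database name
        username="SCUser",
        password="mongo!!",
        options={"replicaSet": "rsSitecore", "ssl": "true"},
    )
    print(config_entry("analytics", rs_uri))

    # Kerberos-style principal (constructed): its "@" is encoded as %40.
    krb_uri = mongo_uri(
        ["MongoData1.MyDomain.com"],
        "analytics",
        username="sitecore@EXAMPLE.COM",
        options={"authMechanism": "GSSAPI"},
    )
    print(config_entry("analytics", krb_uri))
```

The password's "!" characters come out as `%21`; that encoding is stricter than required, and the value decodes back to `mongo!!`.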


Summary

In this post we looked at some of the more common options you might see when working with Sitecore connection strings for MongoDB. Through examples, you were able to see how you might configure Sitecore for the options you are using with MongoDB and how those options can be configured simultaneously.
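To review a deployed ConnectionStrings.config against the options covered in this post, the following added example (not part of the original post) parses the file and flags MongoDB entries that lack credentials, lack `ssl=true`, or name a replica set while listing only one host. The sample config is constructed for illustration, and the `audit` function and entry names are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Constructed sample: one unhardened entry, one partially hardened entry,
# one hardened entry, and a non-MongoDB entry that must be ignored.
SAMPLE_CONFIG = """<connectionStrings>
  <add name="analytics" connectionString="mongodb://localhost/analytics" />
  <add name="tracking.live" connectionString="mongodb://SCUser:mongo%21%21@MongoData1.MyDomain.com/tracking_live?replicaSet=rsSitecore&amp;ssl=true" />
  <add name="tracking.contact" connectionString="mongodb://SCUser:mongo%21%21@MongoData1.MyDomain.com,MongoData2.MyDomain.com/tracking_contact?replicaSet=rsSitecore&amp;ssl=true" />
  <add name="core" connectionString="Data Source=.;Database=Sitecore_Core" />
</connectionStrings>"""


def audit(config_xml):
    """Return {entry name: [findings]} for every mongodb:// connection string."""
    findings = {}
    for entry in ET.fromstring(config_xml).iter("add"):
        # ElementTree has already turned "&amp;" back into "&" here.
        uri = entry.get("connectionString", "")
        if not uri.startswith("mongodb://"):
            continue
        authority, _, tail = uri[len("mongodb://"):].partition("/")
        _, _, query = tail.partition("?")
        # The last "@" ends the credentials; an "@" inside them is "%40".
        _, at_sign, host_list = authority.rpartition("@")
        hosts = [h for h in host_list.split(",") if h]
        options = {k.lower(): v[-1] for k, v in parse_qs(query).items()}

        issues = []
        if not at_sign:
            issues.append("no credentials")
        if options.get("ssl", "").lower() != "true":
            issues.append("ssl not enabled")
        if "replicaset" in options and len(hosts) < 2:
            issues.append("replicaSet with a single host")
        findings[entry.get("name")] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {', '.join(issues) if issues else 'ok'}")
```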
