- Security >
- Security Concepts >
- Inter-Process Authentication
Inter-Process Authentication¶
In most cases, replica set and sharded cluster administrators do not have to keep additional considerations in mind beyond the normal security precautions that all MongoDB administrators must take. However, ensure that:
- Your network configuration will allow every member of the replica set to contact every other member of the replica set.
- If you use MongoDB’s authentication system to limit access to your
infrastructure, ensure that you configure a
keyFile
on all members to permit authentication.
For most instances, the most effective ways to control access and to
secure the connection between members of a replica set depend
on network-level access control. Use your environment’s firewall and
network routing to ensure that traffic only from clients and other
replica set members can reach your mongod
instances. If
needed, use virtual private networks (VPNs) to ensure secure
connections over wide area networks (WANs.)
Enable Authentication in Replica Sets and Sharded Clusters¶
New in version 1.8: Added support authentication in replica set deployments.
Changed in version 1.9.1: Added support authentication in sharded replica set deployments.
MongoDB provides an authentication mechanism for mongod
and
mongos
instances connecting to replica sets. These instances
enable authentication but specify a shared key file that serves as a
shared password.
To enable authentication, add the following option to your configuration file:
Note
You may chose to set these run-time configuration options using the
--keyFile
(or mongos --keyFile
)
options on the command line.
Setting keyFile
enables authentication and specifies a key
file for the replica set members to use when authenticating to each
other. The content of the key file is arbitrary but must be the same
on all members of the replica set and on all mongos
instances that connect to the set.
The key file must be between 6 and 1024 characters and may only contain characters in the base64 set. The key file must not have group or “world” permissions on UNIX systems. See Generate a Key File for instructions on generating a key file.