MongoDB must only accept end entity certificates issued by DOD PKI or DOD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-265946	SRG-APP-000427-DB-000385	MD7X-00-008400	SV-265946r1028723_rule	2024-09-27	1

Description
Only DOD-approved external PKIs have been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DOD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security controls and identity vetting procedures risk being compromised and issuing certificates that enable adversaries to impersonate legitimate users. The authoritative list of DOD-approved PKIs is published at https://public.cyber.mil/pki-pke/. This requirement focuses on communications protection for MongoDB session rather than for the network packet.

Description

Only DOD-approved external PKIs have been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DOD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security controls and identity vetting procedures risk being compromised and issuing certificates that enable adversaries to impersonate legitimate users. The authoritative list of DOD-approved PKIs is published at https://public.cyber.mil/pki-pke/. This requirement focuses on communications protection for MongoDB session rather than for the network packet.

ℹ️ Check
To run MongoDB in TLS mode, obtain a valid certificate singed by a single CA. Before starting the MongoDB database in TLS mode, verify the certificate used is issued by a valid DOD CA (openssl x509 -in <path_to_certificate_pem_file> -text \| grep -i "issuer"). The certificates (pem files) used by MongoDB will be in the MongoDB configuration file net.tls section as shown below (default location: /etc/mongod.conf). Each of these must be inspected, when present, to make sure they comply with a DOD Issuer for the certificate. net: tls: CAFile: <PEM file> certificateKeyFile: <PEM file> clusterFile: <PEM file> clusterCAFile: <PEM file> CRLFile: <PEM file> When using MongoDBs native encryption at rest, the following must also be inspected in the security.kmip section of the MongoDB configuration file: security: kmip: clientCertificateFile: <PEM file> serverCAFile: <PEM file> net.tls.CAFile The .pem file that contains the root certificate chain from the CA. Specify the file name of the .pem file using relative or absolute paths. net.tls.certificateKeyFile The .pem file that contains both the TLS certificate and key. net.tls.clusterFile The .pem file that contains the x.509 certificate-key file for membership authentication for the cluster or replica set. If there is any issuer present in the certificates being used that is not a DOD approved certificate authority, this is a finding. net.tls.clusterCAFile The .pem file that contains the root certificate chain from the CA used to validate the certificate presented by a client establishing a connection. Specify the file name of the .pem file using relative or absolute paths. net.tls.clusterCAFile requires that net.tls.CAFile is set. net.tls.CRLFile The .pem file that contains the Certificate Revocation List. Specify the file name of the .pem file using relative or absolute paths. security.kmip.clientCertificateFile Path to the .pem file used to authenticate MongoDB to the KMIP server. The specified .pem file must contain both the TLS/SSL certificate and key. security.kmip.serverCAFile Path to CA File. Used for validating secure client connection to KMIP server.

ℹ️ Check

To run MongoDB in TLS mode, obtain a valid certificate singed by a single CA. Before starting the MongoDB database in TLS mode, verify the certificate used is issued by a valid DOD CA (openssl x509 -in <path_to_certificate_pem_file> -text | grep -i "issuer"). The certificates (pem files) used by MongoDB will be in the MongoDB configuration file net.tls section as shown below (default location: /etc/mongod.conf). Each of these must be inspected, when present, to make sure they comply with a DOD Issuer for the certificate. net: tls: CAFile: <PEM file> certificateKeyFile: <PEM file> clusterFile: <PEM file> clusterCAFile: <PEM file> CRLFile: <PEM file> When using MongoDBs native encryption at rest, the following must also be inspected in the security.kmip section of the MongoDB configuration file: security: kmip: clientCertificateFile: <PEM file> serverCAFile: <PEM file> net.tls.CAFile The .pem file that contains the root certificate chain from the CA. Specify the file name of the .pem file using relative or absolute paths. net.tls.certificateKeyFile The .pem file that contains both the TLS certificate and key. net.tls.clusterFile The .pem file that contains the x.509 certificate-key file for membership authentication for the cluster or replica set. If there is any issuer present in the certificates being used that is not a DOD approved certificate authority, this is a finding. net.tls.clusterCAFile The .pem file that contains the root certificate chain from the CA used to validate the certificate presented by a client establishing a connection. Specify the file name of the .pem file using relative or absolute paths. net.tls.clusterCAFile requires that net.tls.CAFile is set. net.tls.CRLFile The .pem file that contains the Certificate Revocation List. Specify the file name of the .pem file using relative or absolute paths. security.kmip.clientCertificateFile Path to the .pem file used to authenticate MongoDB to the KMIP server. The specified .pem file must contain both the TLS/SSL certificate and key. security.kmip.serverCAFile Path to CA File. Used for validating secure client connection to KMIP server.

✔️ Fix
Remove any certificate referenced that was not issued by an approved DOD certificate authority. Contact the organization's certificate issuer and request a new certificate that is issued by a valid DOD certificate authorities.