DOCS-11426: Windows and Mac secure store

Author: skerschb

source/includes/option-ssl-clusterCertificateSelector.rst

@@ -0,0 +1,22 @@
+The following selectors are available.
+
+.. list-table::
+   :header-rows: 1
+   :widths: auto
+
+   * - property name
+     - value type
+     - value description
+     
+   * - subject
+     - ASCII string
+     - subject name or common name on certificate
+   * - thumbprint
+     - hex string
+     - certificate thumbprint
+     
+.. note::
+   
+   The term ``thumbprint`` refers to what is also frequently
+   referred to as a ``fingerprint``. It is a short sequence of bytes used
+   to identify a longer public key.

source/includes/options-conf.yaml

@@ -626,6 +626,30 @@ inherit:
   file: options-mongod.yaml
 ---
 program: conf
+name: net.ssl.certificateSelector
+type: string
+directive: setting
+replacement:
+  program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
+  directive: "setting"
+inherit:
+  name: sslCertificateSelector
+  program: mongod
+  file: options-mongod.yaml
+---
+program: conf
+name: net.ssl.clusterCertificateSelector
+type: string
+directive: setting
+replacement:
+  program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
+  directive: "setting"
+inherit:
+  name: sslClusterCertificateSelector
+  program: mongod
+  file: options-mongod.yaml
+---
+program: conf
 name: net.ssl.PEMKeyFile
 type: string
 directive: setting

source/includes/options-mongod.yaml

@@ -1216,14 +1216,40 @@ description: |
   Mac system certificate store mechanisms.
   
   This option must be followed by a key value pair indicated by
-  <parameter>=<value>. In this case parameter is the name of the
+  <parameter>=<value>. In this case, <parameter> is the name of the
   selector.
 
   .. include:: /includes/option-ssl-certificateSelector.rst
   
 optional: true
 ---
 program: mongod
+<<<<<<< HEAD
+=======
+name: sslClusterCertificateSelector
+args: <parameter>=<value>
+directive: option
+description: |
+
+  .. versionadded:: 4.0
+
+  Specifies the selector and value to search when using Windows or 
+  Mac system certificate store mechanisms for internal SSL authentication.
+
+  This option must be followed by a key value pair indicated by
+  <parameter>=<value>. In this case, <parameter> is the name of the
+  selector.
+
+  This option is only valid when set in conjuction with a
+  :setting:`~net.ssl.certificateSelector` and associated selector <parameter>=<value>
+  pair to indicate which certificate should be used for non-internal connections.
+
+  .. include:: /includes/option-ssl-clusterCertificateSelector.rst
+  
+optional: true
+---
+program: mongod
+>>>>>>> DOCS-11426: Windows and Mac secure store
 name: sslOnNormalPorts
 args: null
 directive: option

source/includes/options-mongos.yaml

@@ -266,6 +266,13 @@ inherit:
   file: options-mongod.yaml
 ---
 program: mongos
+name: sslClusterCertificateSelector
+inherit:
+  name: sslClusterCertificateSelector
+  program: mongod
+  file: options-mongod.yaml
+---
+program: mongos
 name: sslMode
 inherit:
   name: sslMode

source/reference/configuration-options.txt

@@ -265,6 +265,7 @@ Core Options
       ssl:
          sslOnNormalPorts: <boolean>  # deprecated since 2.6
          certificateSelector: <string>
+         clusterCertificateSelector: <string>
          mode: <string>
          PEMKeyFile: <string>
          PEMKeyPassword: <string>
@@ -329,6 +330,8 @@ Core Options
          mode: <string>
          PEMKeyFile: <string>
          PEMKeyPassword: <string>
+         certificateSelector: <string>
+         clusterCertificateSelector: <string>
          clusterFile: <string>
          clusterPassword: <string>
          CAFile: <string>
@@ -347,6 +350,10 @@ Core Options
 
 .. include:: /includes/option/setting-conf-net.ssl.PEMKeyPassword.rst
 
+.. include:: /includes/option/setting-conf-net.ssl.certificateSelector.rst
+
+.. include:: /includes/option/setting-conf-net.ssl.clusterCertificateSelector.rst
+
 .. include:: /includes/option/setting-conf-net.ssl.clusterFile.rst
 
 .. include:: /includes/option/setting-conf-net.ssl.clusterPassword.rst

source/reference/program/mongod.txt

@@ -263,6 +263,8 @@ TLS/SSL Options
 
 .. include:: /includes/option/option-mongod-sslCertificateSelector.rst
 
+.. include:: /includes/option/option-mongod-sslClusterCertificateSelector.rst
+
 .. include:: /includes/option/option-mongod-sslClusterPassword.rst
 
 .. include:: /includes/option/option-mongod-sslCAFile.rst

source/reference/program/mongos.txt

@@ -131,6 +131,8 @@ TLS/SSL Options
 
 .. include:: /includes/option/option-mongos-sslCertificateSelector.rst
 
+.. include:: /includes/option/option-mongod-sslClusterCertificateSelector.rst
+
 .. include:: /includes/option/option-mongos-sslCRLFile.rst
 
 .. include:: /includes/option/option-mongos-sslAllowConnectionsWithoutCertificates.rst

source/release-notes/4.0.txt

@@ -436,12 +436,19 @@ CA, specify that CA using :setting:`net.ssl.CAFile`.
 Enable System Store for SSL on Windows and Mac
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-The :option:`--sslCertificateSelector <mongo --sslCertificateSelector>` option
-(:setting:`net.ssl.certificateSelector` setting) allows
+The :option:`--sslCertificateSelector <mongod --sslCertificateSelector>`
+option (:setting:`~net.ssl.certificateSelector` setting) allows
 :binary:`~bin.mongod`, :binary:`~bin.mongo` shell and
-:binary:`~bin.mongos` to use system ssl certificate stores for Windows
+:binary:`~bin.mongos` to use system SSL certificate stores for Windows
 and Mac.
 
+The :option:`--sslClusterCertificateSelector <mongod
+--sslClusterCertificateSelector>` option
+(:setting:`~net.ssl.clusterCertificateSelector` setting) allows
+:binary:`~bin.mongod` and
+:binary:`~bin.mongos` to use system SSL certificate stores for Windows
+and Mac for internal SSL communication within a cluster.
+
 
 Deprecate MMAPv1
 ----------------

source/tutorial/configure-ssl-clients.txt

@@ -58,6 +58,10 @@ settings, including:
 - :option:`--sslCertificateSelector <mongo --sslCertificateSelector>` option if you
   wish to use the system store for clients running on Mac or Windows.
 
+.. include:: /includes/extracts/mongo-ssl-options-configure.rst
+
+.. include:: /includes/extracts/clients-warning-sslCAFile.rst
+
 For a complete list of the :binary:`~bin.mongo` shell's TLS/SSL settings, see
 :ref:`mongo-shell-ssl`.
 

source/tutorial/upgrade-cluster-to-ssl.txt

@@ -69,6 +69,46 @@ process:
       TLS/SSL with ``certificateSelector``.
 
 
+
+.. versionadded:: 4.0
+
+#. For Windows and Mac instances running with system certificate stores,
+   configure the appropriate selectors. You can use system certificates
+   for communication between
+
+   .. include:: /includes/ssl-trusted-store.rst
+
+   .. code-block:: sh
+
+      mongod --sslMode requireSSL --sslCertificateSelector subject=my.dev.server
+
+   To enable encryption internally, between members of a cluster use
+   :option:`--sslClusterCertificateSelector <mongod
+   --sslClusterCertificateSelector>`. Note that you will likely want to
+   use a different certificate for internal communication.
+
+   .. code-block:: sh
+      mongod --sslMode requireSSL --sslCertificateSelector subject=my.dev.server --sslClusterCertificateSelector subject=my.shard.server
+
+   Alternatively, use the :setting:`~net.ssl.certificateSelector` and/or
+   :setting:`~net.ssl.clusterCertificateSelector`  to configure the
+   certificate storage selector with a config file.
+
+   .. code-block:: yaml
+     
+      net:
+         ssl:
+            clusterCertificateSelector: <parameter>=<value>
+            certificateSelector: <parameter>=<value>
+
+.. tip::    
+
+   If you are using :option:`--sslCertificateSelector <mongod --sslCertificateSelector>` or
+   :setting:`~net.ssl.certificateSelector`, the :option:`--sslPEMKeyFile
+   <mongod --sslPEMKeyFile>` is invalid. OCSP (Online Certificate Status Protocol) is
+   used to validate the revocation status of certificates.
+
+
 #. Switch all clients to use TLS/SSL. See :ref:`ssl-clients`.
 
 #. For each node of a cluster, use the :dbcommand:`setParameter`