Connect to a replica set cluster
In Splunk DB Connect, connecting to a replica set cluster is straightforward, unless you use TLS with self-signed certificates.
JDBC Connection String:
jdbc:standalone-mongodb://<host-1>:<port-1>,<host-2>:<port-2>,<host-3>:<port-3>/<database>?authSource=<auth-database>&replicaSet=<replica-set-group>
TLS with self-signed certificates
If the MongoDB server uses a self-signed certificate, we need to create a TrustStore, add the trusted certificate, and then specify it as a JVM option.
Create TrustStore
Splunk DB Connect has a default KeyStore that stores trusted certificates but also private keys. Because the KeyStore password must be added to the JVM options in plain text, for safety we should create an additional TrustStore.
1. Create TrustStore with dummy private key entry
keytool -genkeypair -alias dbx -keyalg RSA -keystore truststore.jks -storetype JKS -keysize 2048 -storepass changeme -keypass changeme
2. Delete the dummy private key entry (Optional)
keytool -delete -alias dbx -keystore truststore.jks -storepass changeme
3. Add the trusted certificate.
keytool -importcert -alias mongo -file ca.pem -keystore truststore.jks -storetype JKS -storepass changeme
4. Make sure the trusted certificate has been added.
keytool -list -keystore truststore.jks -storepass changeme
Configure TrustStore in JVM options
Add to Task Server JVM Options and Query Server JVM Options
-Djavax.net.ssl.trustStore=<path-to-truststore> -Djavax.net.ssl.trustStorePassword=<truststore-password>
JDBC Connection String
When creating the connection, use the JDBC Connection String as below.
jdbc:standalone-mongodb://<host-1>:<port-1>,<host-2>:<port-2>,<host-3>:<port-3>/<database>?authSource=<auth-database>&replicaSet=<replica-set-group>&ssl=true&sslinvalidhostnameallowed=true
Mutual TLS (mTLS)
Splunk DB Connect does not support mTLS for connections to MongoDB. mTLS requires setting the KeyStore information as a JVM option (among other settings), which carries a high security risk because the password is exposed in plain text.
Troubleshooting
Hostname validation
Timed out after 30000 ms while waiting for a server that matches ReadPreferenceServerSelector{readPreference=primary}. Client view of cluster state is {type=REPLICA_SET, servers=[{address=localhost:27017, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSocketWriteException: Exception sending message}, caused by {javax.net.ssl.SSLHandshakeException: No name matching localhost found}, caused by {java.security.cert.CertificateException: No name matching localhost found}}]
To skip hostname validation, you will need to add sslinvalidhostnameallowed=true to the connection string.
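The following Python check is an added example, not part of the Splunk documentation: it parses a connection string of the form shown above and reports which hosts would fail hostname validation against the names in the server certificate, so the option is only added where it is actually needed. The host names, certificate names, function names and the simplified wildcard rule (exact match, or *. covering one left-most label) are assumptions made for illustration.

```python
from urllib.parse import parse_qs

PREFIX = "jdbc:standalone-mongodb://"

def parse_mongo_jdbc(url):
    """Split the page's JDBC URL form into hosts, database and options."""
    if not url.startswith(PREFIX):
        raise ValueError("not a standalone-mongodb JDBC URL")
    authority, _, tail = url[len(PREFIX):].partition("/")
    database, _, query = tail.partition("?")
    hosts = [h.rsplit(":", 1)[0].lower() for h in authority.split(",") if h]
    # Assumption: option names and values are compared case-insensitively.
    opts = {k.lower(): v[-1].lower() for k, v in parse_qs(query).items()}
    return hosts, database, opts

def name_matches(host, pattern):
    """Simplified rule: exact name, or '*.' covering one left-most label."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        first, _, remainder = host.partition(".")
        return bool(first) and remainder == pattern[2:]
    return host == pattern

def audit(url, cert_names):
    """Return findings for a connection string against the certificate names."""
    hosts, _, opts = parse_mongo_jdbc(url)
    if opts.get("ssl") != "true":
        return ["TLS is not enabled (ssl=true missing)"]
    unmatched = [h for h in hosts
                 if not any(name_matches(h, n) for n in cert_names)]
    skip = opts.get("sslinvalidhostnameallowed") == "true"
    if skip and not unmatched:
        return ["sslinvalidhostnameallowed=true is not needed: all hosts match"]
    if skip:
        return ["hostname validation is skipped for: " + ", ".join(unmatched)]
    if unmatched:
        return ["expect 'No name matching' for: " + ", ".join(unmatched)]
    return []

# Constructed sample input: host and certificate names are made up.
CERT_NAMES = ["*.db.example.internal"]
URL = ("jdbc:standalone-mongodb://mongo1.db.example.internal:27017,"
       "mongo2.db.example.internal:27017,localhost:27017/sales"
       "?authSource=admin&replicaSet=rs0&ssl=true")

if __name__ == "__main__":
    for u in (URL, URL + "&sslinvalidhostnameallowed=true"):
        print(audit(u, CERT_NAMES))
```

The certificate names would come from the Subject Alternative Name entries of the server certificate; here they are passed in as a plain list.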
Prematurely reached end of stream
Timed out after 30000 ms while waiting for a server that matches ReadPreferenceServerSelector{readPreference=primary}. Client view of cluster state is {type=REPLICA_SET, servers=[{address=localhost:27017, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSocketReadException: Prematurely reached end of stream}}, {address=localhost:27018, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSocketReadException: Prematurely reached end of stream}}, {address=localhost:27019, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSocketReadException: Prematurely reached end of stream}}]
The most common scenario is when only Client Certificate Authentication is supported. Make sure you allow user/password authentication using sslAllowConnectionsWithoutCertificates.
Unable to find valid certification path
Timed out after 30000 ms while waiting for a server that matches ReadPreferenceServerSelector{readPreference=primary}. Client view of cluster state is {type=REPLICA_SET, servers=[{address=localhost:27017, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSocketWriteException: Exception sending message}, caused by {javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}, caused by {sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}]
The most common scenario is when the MongoDB server uses a self-signed certificate and the client cannot validate it. Make sure javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword are defined as JVM options.
This documentation applies to the following versions of Splunk® DB Connect: 4.0.0