Create a MongoDB record in order to authenticate to a MongoDB database instance running on a Unix host. Unix authentication is required so you'll also need a Unix record for the host running the database. Make sure the IP addresses you define in your MongoDB records are also defined in Unix records.
MongoDB authentication is supported for vulnerability scans and compliance scans using Qualys apps VM, PC, SCA. We strongly recommend you create one or more dedicated user accounts to be used solely by the Qualys Cloud Platform to authenticate to MongoDB instances.
Did you know? You can allow the system to create MongoDB authentication records for auto-discovered instances and scan them. This is supported for Unix installations only. To enable this feature, you must first create MongoDB System Record Templates.
For the most current list of supported authentication technologies and the versions that have been certified for VM and PC by record type, please refer to the following article:
Authentication Technologies Matrix
- Go to Scans > Authentication.
- Check that you have a Unix record already defined for the host running the database.
- Create a MongoDB record for the same host. Go to New > Databases > MongoDB.
Tell me about user permissionsTell me about user permissions
Managers can add authentication records. Unit Managers must be granted the Create/edit authentication records/vaults permission.
You’ll need to tell us the user account to be used for authentication, the database instance to authenticate to, and the port where the database is installed. The type of authentication method you use depends on your server settings and how you've configured client authentication.
There are two type of credential types - Local authentication and External LDAP authentication.
For Local authentication, basic, vault based and Private key/certificate based authentication type is supported.
You can use one of these options for basic & vault:
- a password (enter it on the Login Credentials tab or get it from a password vault) .
-You can pass private key, passphrase and certificate content along with password. (Select Require Certificate option to yes.)
For Private key/certificate authentication type:
- a client certificate (Enter the private key, passphrase and certificate content. You can get private key and passphrase from vault.)
For external LDAP authentication, 'Use clear text password' check-box enables to send cleartext password over unencrypted channel. To authenticate a MongoDB server using an LDAP account, the password must be sent in the cleartext over the unencrypted channel. This cleartext password is then used by the MongoDB server to send a separate authentication request to the configured LDAP server.
For External LDAP authentication, only basic and vault based authentication type is supported.
You can use one of these options:
- a password (enter it on the Login Credentials tab or get it from a password vault)
-You can pass private key, passphrase and certificate content along with password. (Select Require Certificate option to yes.)
On the Unix tab, tell us the full path to the MongoDB configuration file on your Unix hosts. The file must be in the same location on all IPs listed in the record. If the file is in a different location for some hosts you must create additional records for those hosts.
