Set Up MongoDB authentication

Create a MongoDB record in order to authenticate to a MongoDB database instance running on a Unix host. Unix authentication is required, so you'll also need a Unix record for the host running the database. Make sure the IP addresses you define in your MongoDB records are also defined in Unix records.

MongoDB authentication is supported for vulnerability scans and compliance scans using the Qualys apps VM, PC, and SCA. We strongly recommend you create one or more dedicated user accounts to be used solely by the Qualys Cloud Platform to authenticate to MongoDB instances.

Which technologies are supported?

For the most current list of supported authentication technologies and the versions that have been certified for VM and PC by record type, please refer to the following article: 

Authentication Technologies Matrix

How do I get started?

- Go to Scans > Authentication.

- Check that you have a Unix record already defined for the host running the database.

- Create a MongoDB record for the same host. Go to New > Databases > MongoDB.
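
A pre-flight check for the requirement that every IP in a MongoDB record is also defined in a Unix record, as an added example that is not part of the Qualys documentation. It assumes the two IP lists are available as comma-separated IPv4 addresses and hyphenated ranges; the function names and sample addresses are constructed for illustration.

```python
import ipaddress


def parse_ips(spec):
    """Parse 'a.b.c.d, a.b.c.d-a.b.c.e' (assumed list format) into collapsed networks."""
    nets = []
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue
        if "-" in item:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            if hi < lo:
                raise ValueError(f"range end before start: {item}")
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(item, strict=False))
    return list(ipaddress.collapse_addresses(nets))


def uncovered(mongo_spec, unix_spec):
    """Return the parts of the MongoDB record's IPs that no Unix record covers."""
    unix = parse_ips(unix_spec)
    missing = []
    for net in parse_ips(mongo_spec):
        remaining = [net]
        for u in unix:
            nxt = []
            for r in remaining:
                if r.subnet_of(u):
                    continue                          # fully covered by this Unix block
                if u.subnet_of(r):
                    nxt.extend(r.address_exclude(u))  # carve out the covered part
                else:
                    nxt.append(r)                     # disjoint, still uncovered
            remaining = nxt
        missing.extend(remaining)
    return [str(n) for n in ipaddress.collapse_addresses(missing)]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real subscription.
    mongo_record = "10.0.0.10-10.0.0.13, 10.0.1.5"
    unix_records = "10.0.0.0-10.0.0.15, 10.0.2.1"
    gaps = uncovered(mongo_record, unix_records)
    print("IPs missing a Unix record:", gaps or "none")
```

Any address the check reports needs a Unix record before the MongoDB record can be used for it.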

Tell me about user permissions

Managers can add authentication records. Unit Managers must be granted the Create/edit authentication records/vaults permission.

Your record settings

You’ll need to tell us the user account to be used for authentication, the database instance to authenticate to, and the port where the database is installed. The type of authentication method you use depends on your server settings and how you've configured client authentication.

There are two credential types: Local authentication and External LDAP authentication.

Local authentication

You can use one of these options:

- a password (enter it on the Login Credentials tab or get it from a password vault)

- a client certificate (select Private key/certificate based as the authentication type on the Login Credentials tab. Enter the private key, passphrase and certificate content. You can get the private key and passphrase from a vault.)

External LDAP authentication

For external LDAP authentication, the 'Use clear text password' check box allows the password to be sent in cleartext over an unencrypted channel. To authenticate to a MongoDB server using an LDAP account, the password must be sent in cleartext over the unencrypted channel. This cleartext password is then used by the MongoDB server to send a separate authentication request to the configured LDAP server.

For External LDAP authentication, only the basic and vault-based authentication types are supported.

You can use one of these options:

- a password (enter it on the Login Credentials tab or get it from a password vault)

Configuration file on Unix

On the Unix tab, tell us the full path to the MongoDB configuration file on your Unix hosts. The file must be in the same location on all IPs listed in the record. If the file is in a different location for some hosts, you must create additional records for those hosts.
