User authentication with the wire listener

When connecting to the wire listener, you can authenticate users directly with the database server or through the wire listener with MongoDB SCRAM-SHA-256 authentication.

You can use the following types of authentication methods with the wire listener:

SCRAM-SHA-256 two-step authentication
The wire listener authenticates users with the MongoDB SCRAM-SHA-256 authentication method outside of the HCL OneDB™ database server environment. You create users with the MongoDB API create user commands. User information and privileges are stored in the system.users collection in the admin database. Clients connect to the wire listener as MongoDB users and the wire listener authenticates the users. The wire listener connects to the database server as the user that is specified by the url parameter in the wire listener configuration file. The database server cannot access MongoDB user account information.
Important: SCRAM-SHA-256 two-step authentication is only supported for Mongo listeners. You cannot use SCRAM authentication with the REST API or the MQTT protocol.
Database server authentication with a user and password
The wire listener connects to the database server using the user and password that are provided by clients and the database server authenticates the user. The database server controls all user accounts and privileges. You can audit user activities and configure fine-grained access control.
Important: You can use database server user password authentication only with the REST API and MQTT protocol.
Database server authentication with a PAM (UNIX, Linux)
The PAM implements the MONGODB-CR challenge-response method. The wire listener connects to the database server using the user and password that are provided by clients and the database server authenticates the user through PAM. The database server controls all user accounts and privileges. You can audit user activities and configure fine-grained access control.

When connecting to the wire listener with MongoDB client drivers, you must specify MONGODB-CR as the authentication mechanism. For most Mongo drivers, you do this by specifying authMechanism=MONGODB-CR in the MongoDB URL. Check the documentation for your MongoDB client driver for more information.

The type of authentication that you can use depends on the type of client and the mongo.api.version specified in your wire listener configuration file.

MongoDB clients

Table 1. Authentication types for the MongoDB API

| Authentication type | Supported | Details |
|---|---|---|
| SCRAM-SHA-256 | Yes | Follow the instructions for configuring MongoDB authentication. |
| HCL OneDB user password | No | Database server authentication with a user and password is not supported for MongoDB clients because of the way MongoDB drivers hash the password. |
| PAM (MONGODB-CR) | Yes | Follow the instructions for configuring database server authentication with PAM. |

REST API clients

Table 2. Authentication types for the REST API

| Authentication type | Supported | Details |
|---|---|---|
| SCRAM-SHA-256 | No | SCRAM is not supported through REST. |
| HCL OneDB user password | Yes | Set db.authentication=onedb-password in your listener properties file. HTTP clients authenticate using the HTTP basic authentication method. |
| PAM (MONGODB-CR) | Yes | Follow the instructions for configuring database server authentication with PAM. HTTP clients authenticate using the HTTP basic authentication method. |

MQTT clients

Table 3. Authentication types for the MQTT protocol

| Authentication type | Supported | Details |
|---|---|---|
| SCRAM-SHA-256 | No | SCRAM is not supported through MQTT. |
| OneDB user password | Yes | Set db.authentication=onedb-password in your listener properties file. The MQTT CONNECT packet must include the database name as a prefix of the user name, in the following format: "database_name.user_name". |
| PAM (MONGODB-CR) | Yes | Follow the instructions for configuring database server authentication with PAM. The MQTT CONNECT packet must include the database name as a prefix of the user name, in the following format: "database_name.user_name". |
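
The following is an added example, not part of the HCL OneDB documentation: it builds an MQTT CONNECT packet whose user name field uses the "database_name.user_name" format described in Table 3, then parses it back the way a receiver would. It assumes MQTT 3.1.1 framing; the function names, client ID, and any database, user and password values passed in are hypothetical.

```python
import struct

def mqtt_str(s):  # 2-byte big-endian length, then the UTF-8 bytes
    raw = s.encode("utf-8")
    return struct.pack("!H", len(raw)) + raw

def encode_remaining_length(n):
    """MQTT variable-length integer: 7 bits per byte, high bit = more bytes."""
    out = bytearray()
    while True:
        n, digit = divmod(n, 128)
        out.append(digit | (0x80 if n else 0x00))
        if n == 0:
            return bytes(out)

def build_connect(database, user, password, client_id="example-client", keepalive=60):
    if not database or not user:
        raise ValueError("database name and user name are both required")
    username = f"{database}.{user}"   # "database_name.user_name", as the page requires
    flags = 0x80 | 0x40 | 0x02        # user name present, password present, clean session
    header = mqtt_str("MQTT") + bytes([0x04, flags]) + struct.pack("!H", keepalive)
    body = header + mqtt_str(client_id) + mqtt_str(username) + mqtt_str(password)
    return b"\x10" + encode_remaining_length(len(body)) + body

def parse_connect(packet):  # returns (client_id, username, password)
    if packet[0] != 0x10:
        raise ValueError("not a CONNECT packet")
    pos, length, shift = 1, 0, 0
    while True:                       # decode the remaining-length field
        byte = packet[pos]
        pos += 1
        length |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            break
    if length != len(packet) - pos:
        raise ValueError("remaining length does not match packet size")
    def take():
        nonlocal pos
        (n,) = struct.unpack_from("!H", packet, pos)
        field = packet[pos + 2:pos + 2 + n].decode("utf-8")
        pos += 2 + n
        return field
    if take() != "MQTT":
        raise ValueError("unexpected protocol name")
    flags = packet[pos + 1]
    if flags & 0xC4 != 0xC0:          # need user name + password, no will message
        raise ValueError("expected user name and password flags without a will")
    pos += 4                          # skip level, flags, 2-byte keepalive
    return take(), take(), take()
```

The user name and password travel as plain length-prefixed fields inside the packet, so their confidentiality depends on the transport carrying the connection.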