Introduction
MongoDB is a widely adopted NoSQL database platform used for building scalable, high-performance applications. In enterprise environments, MongoDB deployments are expected to meet not only performance and availability requirements but also strict security expectations, including encrypted client-server communication. On IBM Power running Red Hat Enterprise Linux (RHEL), administrators often need clear, validated guidance to deploy MongoDB in a secure and supported manner.
The purpose of this tutorial is to guide system administrators, database administrators, and platform engineers through the installation and secure configuration of MongoDB Enterprise Edition 8 on IBM Power architecture. This tutorial focuses on enabling Transport Layer Security (TLS) for MongoDB, validating secure client connectivity, and extending the deployment to container-based environments commonly used in modern application platforms.
This tutorial explains how to install MongoDB Enterprise Edition on Red Hat Enterprise Linux 8 and 9, configure self-signed TLS certificates for encrypted communication, verify secure access using MongoDB client tools, and run MongoDB securely inside a container. The tutorial is designed to help readers build a foundational, production-aligned MongoDB setup that can be adapted to both virtualized and containerized workloads on IBM Power.
Overview and approach
This tutorial presents a practical, end-to-end approach to deploying a secure MongoDB environment on IBM Power architecture. Rather than focusing solely on installation commands, it establishes the context for why certain configuration steps are necessary and how they fit together to form a complete solution.
The tutorial is organized into the following three high-level steps:
- Install MongoDB Enterprise Edition 8 on Red Hat Enterprise Linux: This step explains how to install MongoDB Enterprise Edition 8 on a Red Hat Enterprise Linux 8 or 9 virtual machine running on IBM Power architecture. It walks through repository configuration, package installation, service validation, and basic connectivity checks using the MongoDB shell.
- Secure MongoDB with TLS encryption: The second step builds on the base installation by securing MongoDB using TLS. This step covers the creation of server and client certificates, updates to the MongoDB configuration file, and verification of encrypted client connections. By the end of this step, MongoDB is configured to accept only secure connections.
- Run MongoDB inside a container and connect to the container: The third step extends the same deployment model to a containerized environment. It explains how to run MongoDB inside a Red Hat Universal Base Image (UBI) container, adjust network binding settings, and validate connectivity from outside the container.
Together, these steps take readers from a basic MongoDB installation to a secure, flexible deployment that supports both traditional virtual machines and container-based workloads on IBM Power.
Prerequisites
Before installing MongoDB Enterprise Edition on IBM Power architecture, ensure that the target environment meets the following prerequisites. Verifying these requirements in advance helps avoid deployment and runtime issues later in the tutorial.
- A virtual machine running Red Hat Enterprise Linux 8 or RHEL 9 on IBM Power architecture (ppc64le)
- Administrative (root or sudo) access to the virtual machine
- Network connectivity that allows access to external yum repositories
- OpenSSL installed on the system (required later for TLS certificate generation)
- Sufficient disk space to install MongoDB binaries and store database files
This tutorial uses MongoDB Enterprise Edition packages provided by MongoDB’s official repositories. An appropriate MongoDB Enterprise license is assumed.
Step 1: Install MongoDB Enterprise Edition 8 on Red Hat Enterprise Linux.
This section explains how to install MongoDB Enterprise Edition 8 on a virtual machine running Red Hat Enterprise Linux 8 or 9 on IBM Power architecture. The goal of this section is to set up a working MongoDB server, verify that the service starts successfully, and confirm basic client connectivity before securing the deployment with TLS in the next section.
- Configure the MongoDB Enterprise yum repository.
MongoDB Enterprise packages are distributed through MongoDB-hosted yum repositories. To enable package installation, you must first configure the appropriate repository for your RHEL version.
Create the repository definition file, /etc/yum.repos.d/mongodb-enterprise-8.0.repo, with the following content.
For Red Hat Enterprise Linux 8:
[mongodb-enterprise-8.0]
name=MongoDB Enterprise Repository
baseurl=https://repo.mongodb.com/yum/redhat/8/mongodb-enterprise/8.0/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://pgp.mongodb.com/server-8.0.asc
For Red Hat Enterprise Linux 9:
[mongodb-enterprise-8.0]
name=MongoDB Enterprise Repository
baseurl=https://repo.mongodb.com/yum/redhat/9/mongodb-enterprise/8.0/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://pgp.mongodb.com/server-8.0.asc
If a MongoDB repository file from a previous installation already exists in this directory, ensure that it is removed or updated to avoid version conflicts.
- Install MongoDB Enterprise Edition packages.
After configuring the repository, install the MongoDB Enterprise Edition packages using the yum package manager.
On Red Hat Enterprise Linux 8:
sudo yum install -y \
mongodb-enterprise-8.0.4 \
mongodb-enterprise-database-8.0.4 \
mongodb-enterprise-server-8.0.4 \
mongodb-mongosh \
mongodb-enterprise-mongos-8.0.4 \
mongodb-enterprise-tools-8.0.4
On Red Hat Enterprise Linux 9:
sudo yum install -y \
mongodb-enterprise-8.0.7 \
mongodb-enterprise-database-8.0.7 \
mongodb-enterprise-server-8.0.7 \
mongodb-enterprise-mongos-8.0.7 \
mongodb-enterprise-tools-8.0.7
Important considerations:
- MongoDB Enterprise Server version 8.0.7 or later is required on Red Hat Enterprise Linux 9 for ppc64le systems.
- The mongodb-mongosh client package is currently not available on RHEL 9. To test connectivity, you can copy a compatible mongosh binary from a RHEL 8 system.
By default, yum upgrades MongoDB packages automatically when newer versions become available. To prevent unintended upgrades, you can pin the installed version by adding the following entry to /etc/yum.conf:
exclude=mongodb-enterprise,mongodb-enterprise-database,mongodb-enterprise-server,mongodb-enterprise-shell,mongodb-enterprise-mongos,mongodb-enterprise-tools
- Start and verify the MongoDB service.
After installation, start the MongoDB server using the following systemctl command:
sudo systemctl start mongod
If the service fails to start and you see an error indicating that the unit file is not found, reload the systemd configuration and restart the service:
sudo systemctl daemon-reload
sudo systemctl restart mongod
Verify that the MongoDB service is running:
sudo systemctl status mongod
The service should appear as active (running).
If the MongoDB service fails with an exit-code error, as shown in the following figure, the cause is typically a stale socket file or an incomplete service initialization.
Run the following commands to resolve the issue:
rm -f /tmp/mongodb-*.sock
sudo systemctl daemon-reload
sudo systemctl restart mongod
sudo systemctl status mongod
You can review MongoDB logs for additional diagnostics in /var/log/mongodb/mongod.log.
- Test basic connectivity using the MongoDB shell.
After the MongoDB server is running, verify basic connectivity using the MongoDB shell.
Start the MongoDB shell:
mongosh
Run the following commands to confirm normal operation:
db
use myNewDatabase
db
db.myCollection.insertOne({ x: 1 })
.exit
A successful insert confirms that the MongoDB server is operational and is accepting client connections.
- Configure the MongoDB service behavior.
To control the MongoDB service manually, you can stop or restart the service as needed:
sudo systemctl stop mongod
sudo systemctl restart mongod
At this point, MongoDB Enterprise Edition is installed and running with default, non-encrypted client communication.
With a functioning MongoDB server in place, the next step is to secure client-server communication. The following section explains how to enable TLS encryption by generating certificates, updating the MongoDB configuration, and validating secure client connections.
Step 2: Secure MongoDB with TLS encryption.
By default, MongoDB allows client connections without encrypting network traffic. In enterprise environments, unencrypted communication can expose sensitive information to interception and may violate common security and compliance requirements. Enabling Secure Sockets Layer (SSL), which implements TLS, ensures that all data exchanged between MongoDB clients and the server is encrypted.
This section explains how to enable SSL for MongoDB Enterprise Edition by using self‑signed certificates. It covers the generation of certificates for both the server and the client, required updates to the MongoDB configuration file, and verification of secure client connectivity. By the end of this section, MongoDB is configured to accept only SSL‑encrypted connections.
Note: This tutorial uses self-signed certificates to explain the required configuration steps. In production environments, certificates issued by a trusted Certificate Authority (CA) are recommended.
- Generate a server certificate and a key.
To enable SSL, MongoDB requires a certificate and private key that identify the server. Begin by generating a self‑signed server certificate on the MongoDB server.
Run the following command:
# openssl req -new -x509 -days 365 -out mongodb-server.crt -keyout mongodb-server.key
You will be prompted for a passphrase and information to be added to your certificate (refer to the following sample information):
Generating a RSA private key
..............+++++
.............+++++
writing new private key to 'mongodb-server.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Goa
Locality Name (eg, city) [Default City]:Verna
Organization Name (eg, company) [Default Company Ltd]:PSL
Organizational Unit Name (eg, section) []:CMT
Common Name (eg, your name or your server's hostname) []:ca-mongo1.fyre.ibm.com
Email Address []:sometest@test.com
At the end of this step, the following two files are created:
- mongodb-server.crt
- mongodb-server.key
These files represent the server’s SSL identity and are later referenced by MongoDB during encrypted client connections.
- Generate a client certificate and a key.
MongoDB clients must also present a valid certificate when connecting to an SSL‑enabled MongoDB server. Generate the client certificate and private key by running the following command:
# openssl req -new -x509 -days 365 -out mongodb-client.crt -keyout mongodb-client.key
You will again be prompted for a passphrase and certificate details (refer to the following sample information):
Generating a RSA private key
.............+++++
.............+++++
writing new private key to 'mongodb-client.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Goa
Locality Name (eg, city) [Default City]:Verna
Organization Name (eg, company) [Default Company Ltd]:PSL
Organizational Unit Name (eg, section) []:CMT
Common Name (eg, your name or your server's hostname) []:ca-mongo1.fyre.ibm.com
Email Address []:sometest@test.com
At the end of this step, the following two files are created:
- mongodb-client.crt
- mongodb-client.key
Note: The pass phrase entered during certificate creation is required later in the MongoDB configuration file.
- Create the server and client PEM files.
MongoDB expects certificates and private keys to be provided in the PEM format. Create a server PEM file by concatenating the server certificate and key:
# bash -c 'cat mongodb-server.crt mongodb-server.key' > mongodb-server.pem
You should see the mongodb-server.pem file created in the current directory.
Next, create a client PEM file:
# bash -c 'cat mongodb-client.crt mongodb-client.key' > mongodb-client.pem
You should see the mongodb-client.pem file created.
Copy the files mongodb-server.pem and mongodb-client.pem to the /etc/ssl/ directory.
- Update the MongoDB configuration for SSL.
To enforce encrypted communication, update the MongoDB configuration file located at /etc/mongod.conf on the server machine.
Add the following lines:
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb-server.pem
    CAFile: /etc/ssl/mongodb-client.pem
    certificateKeyFilePassword: mymongo123!
  bindIp: 127.0.0.1
To allow connections from a remote client, modify the bindIp line to include the fully qualified hostname of the client. For example:
bindIp: 127.0.0.1,ca-mongo1.fyre.ibm.com
Note: To allow clients running on separate hosts to connect, replace the bindIp parameter with bindIpAll: true instead.
Apply the changes by restarting MongoDB:
sudo systemctl stop mongod
sudo systemctl start mongod
sudo systemctl status mongod
Ensure that the MongoDB service is running successfully.
- Verify SSL enforcement and secure connectivity.
After SSL is enabled, MongoDB no longer accepts unencrypted client connections. Running the MongoDB shell without SSL options should fail:
mongosh
This failure confirms that the MongoDB server now enforces SSL‑only connections.
Now connect using SSL by running the following command on the client:
# mongosh --tls --tlsCAFile <path to server-PEM-file on host>/mongodb-server.pem --tlsCertificateKeyFile <path to client-PEM-file on host>/mongodb-client.pem --tlsCertificateKeyFilePassword mymongo123! --host ca-mongo1.fyre.ibm.com
Note: To connect to the MongoDB server, the user must have the appropriate client PEM and server PEM files created and available.
A successful connection confirms that MongoDB is correctly configured to accept secure, encrypted client connections.
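In the configuration above, the server's CAFile is mongodb-client.pem and the client's --tlsCAFile is mongodb-server.pem, and each of those bundles contains a private key next to its certificate. The following added example (not part of the original tutorial; the function names and the mongodb-server-cert.pem file name are assumptions) extracts a certificate-only copy to give to the other side and flags a trust file that still carries a key.

```shell
#!/bin/sh
# Added example: keep private keys out of the trust files exchanged between peers.

# Print only the CERTIFICATE blocks of a PEM bundle (drops any private key).
cert_only() {
  sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"
}

# Succeed if the file contains any private-key block (encrypted or not).
has_private_key() {
  grep -Eq '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----$' "$1"
}

# Write a certificate-only copy of bundle $1 to $2 and confirm the result.
make_trust_file() {
  cert_only "$1" > "$2" && chmod 644 "$2"
  grep -q '^-----BEGIN CERTIFICATE-----$' "$2" && ! has_private_key "$2"
}

# Check a file that is about to be used as CAFile or --tlsCAFile.
check_trust_file() {
  if has_private_key "$1"; then
    echo "FAIL $1: contains a private key; use a certificate-only file"
    return 1
  fi
  echo "OK $1: certificates only"
}

# Constructed sample bundle (placeholder base64, not a real certificate or key),
# laid out like the tutorial's mongodb-server.pem: certificate followed by key.
demo_dir=$(mktemp -d)
cat > "$demo_dir/mongodb-server.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END ENCRYPTED PRIVATE KEY-----
EOF
check_trust_file "$demo_dir/mongodb-server.pem" || true
make_trust_file "$demo_dir/mongodb-server.pem" "$demo_dir/mongodb-server-cert.pem"
check_trust_file "$demo_dir/mongodb-server-cert.pem"
```

Because the certificates are self-signed, the certificate-only file is sufficient as the peer's CA file; the combined certificate-and-key PEM is needed only by the side that owns the key.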
Step 3: Run MongoDB inside a container and connect to the container.
In modern application deployments, containerizing databases is often useful for development, testing, and CI/CD workflows. Containers provide a lightweight and portable runtime environment that allows MongoDB to run consistently across systems. This section illustrates how to run MongoDB Enterprise Edition inside a container based on Red Hat Universal Base Image (UBI) and verify connectivity to the database.
This section builds on the installation steps described earlier and focuses on running MongoDB inside a container while ensuring that network bindings allow client access.
- Run a Red Hat UBI container.
Start by running a UBI container in the background. The container port is bound to the MongoDB default port on the host to allow external connectivity.
Run the following command:
# docker run -it -d -p 27017:27017 --privileged=true --name MongoDB_test2 docker.io/redhat/ubi8:latest /sbin/init
Note: For a Red Hat Enterprise Linux 9–based container, use the corresponding ubi9 image.
- Verify that the container is running.
Confirm that the container is up and running:
# docker container ls -a
- Connect to the container.
After the container is running, connect to it using an interactive shell session:
# docker exec -it MongoDB_test2 /bin/bash
After connecting to the container shell, follow the instructions described in Step 1 to install MongoDB Enterprise Edition inside the container.
In the /etc/mongod.conf file inside the container, update the bindIp value as shown below:
bindIp: 0.0.0.0
Alternatively, replace the bindIp parameter with the following:
bindIpAll: true
These settings allow MongoDB to accept connections from outside the container through the mapped host port.
- Restart MongoDB inside the container.
Apply the configuration changes by restarting the MongoDB service:
# systemctl restart mongod
Verify that MongoDB is running:
# systemctl status mongod
- Verify the MongoDB connectivity.
To verify connectivity to the MongoDB server running inside the container, install the MongoDB shell (mongosh) on a Power virtual machine or copy the mongosh binary from the container to the local virtual machine.
Run the following command:
# ./mongosh
A successful connection confirms that MongoDB is reachable and running correctly inside the container.
With this step, MongoDB Enterprise Edition is successfully running inside a container and is accessible over the network. At this point, the tutorial has explained MongoDB deployment on a virtual machine, SSL enablement for secure communication, and container-based deployment for flexible runtime environments.
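Step 3 installs MongoDB as in Step 1 and sets bindIp: 0.0.0.0, so the container's mongod.conf has no net.tls block unless the Step 2 settings are repeated there. The following added example (not from the original tutorial; the function name audit_mongod_conf and the sample files are constructed for illustration) reads the net section of a mongod.conf and reports whether requireTLS is enforced, whether the server listens on all interfaces without it, and whether the key passphrase is stored inline.

```shell
#!/bin/sh
# Added example: audit the net section of a mongod.conf for the settings used
# in this tutorial. Handles only the simple "key: value" YAML shown on the page.

audit_mongod_conf() {
  awk '
    /^[ \t]*#/ { next }                          # skip comment lines
    /^[ \t]*$/ { next }                          # skip blank lines
    {
      indent = match($0, /[^ ]/) - 1
      key = $0; sub(/^ */, "", key); val = key
      sub(/:.*/, "", key)
      sub(/^[^:]*:[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      if (indent == 0) { top = key; lvl = -1; next }
      if (top != "net") next
      if (lvl < 0) lvl = indent                  # indent of keys directly under net
      if (indent == lvl) {
        if (val == "") sect = key; else { sect = ""; net[key] = val }
      } else if (sect == "tls") tls[key] = val
    }
    END {
      mode = ("mode" in tls) ? tls["mode"] : "unset"
      wide = (net["bindIpAll"] == "true")
      n = split(net["bindIp"], ip, /[ \t]*,[ \t]*/)
      for (i = 1; i <= n; i++) if (ip[i] == "0.0.0.0" || ip[i] == "::") wide = 1
      if (mode != "requireTLS") { fails++
        print "FAIL net.tls.mode is " mode ": plaintext connections are accepted" }
      if (wide && mode != "requireTLS") { fails++
        print "FAIL listens on all interfaces without requireTLS" }
      if ("certificateKeyFilePassword" in tls)
        print "WARN key passphrase is stored in the config; restrict read access to this file"
      if (fails == 0) print "OK requireTLS enforced"
      exit (fails > 0)
    }
  ' "$1"
}

# Constructed samples: the Step 2 settings, and the Step 3 container settings.
demo=$(mktemp -d)
printf '%s\n' 'net:' '  port: 27017' '  tls:' '    mode: requireTLS' \
  '    certificateKeyFile: /etc/ssl/mongodb-server.pem' \
  '    certificateKeyFilePassword: <passphrase>' \
  '  bindIp: 127.0.0.1' > "$demo/step2.conf"
printf '%s\n' 'net:' '  port: 27017' '  bindIp: 0.0.0.0' > "$demo/step3.conf"
audit_mongod_conf "$demo/step2.conf"
audit_mongod_conf "$demo/step3.conf" || true
```

The function exits non-zero when any FAIL line is printed, so it can gate a container build or a configuration rollout.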
Conclusion
This tutorial explained how to deploy MongoDB Enterprise Edition 8 on IBM Power architecture in a structured and secure manner. It covered installing MongoDB on Red Hat Enterprise Linux virtual machines, securing client-server communication using SSL, validating encrypted connectivity, and extending the deployment to a containerized environment using Red Hat Universal Base Images.
By following the steps outlined in this tutorial, users gain a solid foundation for running MongoDB securely on IBM Power systems across both traditional and container-based deployments. The concepts and procedures explained in the tutorial can be extended to meet broader enterprise requirements, including integration with trusted certificate authorities and more advanced operational configurations.