Docs Menu
Docs Home
/ /

Configure Transport Layer Security (TLS)

In this guide, you can learn how to use the TLS protocol to secure your connection to a MongoDB deployment. TLS is a cryptographic protocol that secures communication between your application and MongoDB. To configure your connection to use TLS, enable the TLS option and provide your certificates for validation when creating a client.

Note

This page assumes prior knowledge of TLS/SSL and access to valid certificates. A full description of TLS/SSL, PKI (Public Key Infrastructure) certificates, and Certificate Authorities (CAs) is beyond the scope of this documentation. To learn more about TLS, see the Wikipedia entry for Transport Layer Security.

When you enable TLS for a connection, the Scala driver performs the following actions:

  • Uses TLS to connect to the MongoDB deployment

  • Verifies the deployment's certificate

To learn how to configure your MongoDB deployment for TLS, see the TLS configuration guide in the MongoDB Server manual.

By default, the driver supports TLS/SSL connections to MongoDB servers using the underlying support for TLS/SSL provided by the JDK. This can be changed either by using the Netty API or the extensibility of the Java SE API.

Tip

Prefer Netty for Asynchronous Apps

We recommend using Netty for asychronous applications because it supports asynchronous I/O and handles high connection volumes effectively. To learn about using Netty to configure your TLS settings, see the Configure TLS/SSL by Using Netty SslContext section of this guide.

You can enable TLS for the connection to your MongoDB deployment in the following ways:

  • Use the enabled() method from the SslSettings.Builder class when creating a MongoClientSettings instance

  • Set the tls parameter in your connection URI

Select the MongoClientSettings or Connection URI tab to see corresponding code that enables TLS:

val tlsUri = "mongodb://localhost:27017/"
val tlsSettings = MongoClientSettings.builder()
.applyConnectionString(ConnectionString(tlsUri))
.applyToSslSettings(builder => builder.enabled(true))
.build()
val tlsClient1 = MongoClient(tlsSettings)
val tlsClient2 = MongoClient("mongodb://localhost:27017/?tls=true")

Tip

If your connection string includes the +srv modification, which specifies the SRV connection format, TLS is enabled on your connection by default.

To learn more about the SRV connection format, see SRV Connection Format in the MongoDB Server documentation.

Note

The instructions in these sections are based on the documentation for Oracle JDK. They might not apply to your JDK or to your custom TLS/SSL implementation.

Scala applications that initiate TLS requests require access to cryptographic certificates that prove the application's identity and verify other applications with which the Scala application interacts. You can configure access to these certificates in your application in the following ways:

  • Use a JVM trust store and JVM key store

  • Use a client-specific trust store and key store

The JVM trust store saves certificates that securely identify other applications with which your Scala application interacts. By using these certificates, your application can prove that the connection to another application is genuine and secure from tampering by third parties.

The Java Runtime Environment (JRE) provides a default certificate store, which includes commonly used public certificates from signing authorities. If your MongoDB deployment uses a certificate signed by an authority that is not present in the JRE's default certificate store, your application must configure the following system properties to initiate TLS requests:

  • javax.net.ssl.trustStore: The path to a trust store containing the certificate of the signing authority

  • javax.net.ssl.trustStorePassword: The password to access the trust store defined by the javax.net.ssl.trustStore property

You can use the keytool command line tool to define the preceding properties. The following example runs the keytool command to specify the certificate authority file path, the trust store path, and the trust store password:

keytool -importcert -trustcacerts -file <path to certificate authority file>
-keystore <path to trust store> -storepass <trust store password>

Note

By default, MongoDB instances do not perform client certificate validation. You must configure the key store if you configured your MongoDB instance to validate client certificates.

An application that initiates TLS requests must set the following JVM system properties to ensure that the client presents a TLS certificate to the MongoDB server:

  • javax.net.ssl.keyStore: The path to a key store containing the client's TLS/SSL certificates

  • javax.net.ssl.keyStorePassword: The password to access the key store defined in javax.net.ssl.keyStore

You can create a key store by using the keytool or openssl command line tool.

To learn more about configuring a Scala application to use TLS, see the JSSE Reference Guide in the Java language documentation.

You can configure a client-specific trust store and key store by using the init() method of the SSLContext class.

To view an example that configures a client to use an SSLContext instance, see the Customize Configuration with SSLContext section of this guide.

By default, the driver ensures that the hostname included in the server's TLS certificates matches the hostnames provided when constructing a MongoClient. You can disable hostname verification in the following ways:

  • Use the invalidHostNameAllowed() method from the SslSettings.Builder class when creating a MongoClientSettings instance

  • Set the tlsAllowInvalidHostnames parameter in your connection URI

Select the MongoClientSettings or Connection URI tab to see corresponding code that disables hostname verification:

val invalidHostUri = "mongodb://localhost:27017/"
val invalidHostSettings = MongoClientSettings.builder()
.applyConnectionString(ConnectionString(invalidHostUri))
.applyToSslSettings(builder => builder
.enabled(true)
.invalidHostNameAllowed(true)
)
.build()
val invalidHostClient1 = MongoClient(invalidHostSettings)
val invalidHostClient2 = MongoClient("mongodb://localhost:27017/?tls=true&tlsAllowInvalidHostnames=true")

Warning

Disabling hostname verification makes your application insecure and potentially vulnerable to expired certificates and foreign processes posing as valid client instances.

To restrict your application to use only the TLS 1.2 protocol, set the jdk.tls.client.protocols system property to "TLSv1.2".

Note

Java Runtime Environments (JREs) before Java 8 enabled only the TLS 1.2 protocol in update releases. If your JRE has not enabled the TLS 1.2 protocol, upgrade to a later release to use TLS 1.2.

Include the following import statements:

import io.netty.handler.ssl.SslContextBuilder
import io.netty.handler.ssl.SslProvider
import org.mongodb.scala.connection.TransportSettings

Note

Netty Package Version

The driver tests with Netty package version io.netty:netty-all:4.1.87.Final

To instruct the driver to use io.netty.handler.ssl.SslContext, configure NettyTransportSettings when you define your MongoClientSettings.

Use MongoClientSettings.Builder.transportSettings() and NettyTransportSettings.Builder.sslContext() to build your settings:

val sslContext = SslContextBuilder.forClient()
.sslProvider(SslProvider.OPENSSL)
.build()
val nettySettings = MongoClientSettings.builder()
.applyToSslSettings {
builder => builder.enabled(true)
}
.transportSettings(
TransportSettings.nettyBuilder()
.sslContext(sslContext)
.build()
)
.build()
val mongoClient = MongoClient(nettySettings);

If your TLS configuration requires customization, you can set the sslContext property of your MongoClient object. Pass an SSLContext object to the context() method builder in the applyToSslSettings() block, as shown in the following code:

val sslContext = SSLContext.getDefault()
val contextSettings = MongoClientSettings.builder()
.applyToSslSettings(builder => builder
.enabled(true)
.context(sslContext)
)
.build()
val mongoClient = MongoClient(contextSettings);

For more information on the SSLContext class, see the API documentation for SSL Context.

OCSP is a standard used to check whether X.509 certificates have been revoked. A certificate authority (CA) can add an X.509 certificate to the Certificate Revocation List (CRL) before the expiry time to invalidate the certificate. When a client sends an X.509 certificate during the TLS handshake, the CA's revocation server checks the CRL and returns a status of good, revoked, or unknown.

The driver supports the following variations of OCSP:

  • Client-Driven OCSP

  • OCSP Stapling

The following sections describe these variations and show how to enable them for your application.

Note

The Scala driver uses the JVM arguments configured for the application, which cannot be overridden for a specific MongoClient instance.

In client-driven OCSP, the client receives the certificate from the server and sends this certificate in an OCSP request to an OCSP responder. The OCSP responder checks the status of the certificate with a CA and sends a report about its validity to the client.

To enable client-driven OCSP for your application, set the following JVM system properties:

Property
Description

com.sun.net.ssl.checkRevocation

Set this property to true to enable revocation checking.

ocsp.enable

Set this property to true to enable client-driven OCSP.

Warning

If the OCSP responder is unavailable, the TLS support provided by the JDK reports a "hard fail". This differs from the "soft fail" behavior of the MongoDB Shell and some other drivers.

OCSP stapling is a mechanism in which the server must obtain the signed certificate from the CA and include it in a time-stamped OCSP response to the client.

To enable OCSP stapling for your application, set the following JVM system properties:

Property
Description

com.sun.net.ssl.checkRevocation

Set this property to true to enable revocation checking.

jdk.tls.client.enableStatusRequestExtension

Set this property to true to enable OCSP stapling.

If unset or set to false, the connection can proceed regardless of the presence or status of the certificate revocation response.

To learn more about OCSP, view the following resources:

For more information about any of the types discussed in this guide, see the following API documentation:

Back

Limit Execution Time

Next

AWS Lambda

On this page