Use MongoDB with SSL Connections
This document outlines the use and operation of MongoDB’s SSL support. SSL allows MongoDB clients to support encrypted connections to mongod instances.
Note
The default distribution of MongoDB does not contain support for SSL. As of the current release, to use SSL you must either: build MongoDB locally passing the “--ssl” option to scons, or use the MongoDB subscriber build.
These instructions outline the process for getting started with SSL and assume that you have already installed a build of MongoDB that includes SSL support and that your client driver supports SSL.
mongod and mongos SSL Configuration
Add the following command line options to your mongod invocation:
Replace “<pem>” with the path to your SSL certificate .pem file, and “<pass>” with the password you used to encrypt the .pem file.
You may also specify these options in your “mongodb.conf” file, as in the following:
Modify these values to reflect the location of your actual .pem file and its password.
You can specify these configuration options in a configuration file for mongos, or start mongos with the following invocation:
You can use any existing SSL certificate, or you can generate your own SSL certificate using a command that resembles the following:
To create the combined .pem file that contains the .key file and the .pem certificate, use the following command:
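Once the combined file exists, it can be checked before mongod is pointed at it. The following Python check is an added example, not part of the MongoDB documentation: it confirms that the bundle holds exactly one private key and at least one certificate, and reports whether the key is encrypted and therefore needs the “<pass>” value. The function name, report fields and sample data are assumptions made for illustration.

```python
import re

# One PEM block: BEGIN line, optional headers plus base64 body, matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def inspect_pem_bundle(text):
    """Report what a combined .pem holds; key material is never decoded."""
    report = {"certificates": 0, "private_keys": 0,
              "key_encrypted": False, "problems": []}
    for label, body in PEM_BLOCK.findall(text):
        if label == "CERTIFICATE":
            report["certificates"] += 1
        elif label.endswith("PRIVATE KEY"):
            report["private_keys"] += 1
            # PKCS#8 uses a dedicated label; the traditional OpenSSL format
            # flags encryption with a Proc-Type header inside the block.
            if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
                report["key_encrypted"] = True
    if report["certificates"] == 0:
        report["problems"].append("no certificate block")
    if report["private_keys"] == 0:
        report["problems"].append("no private key block")
    elif report["private_keys"] > 1:
        report["problems"].append("more than one private key block")
    return report


# Constructed samples: the base64 bodies are placeholders, not real key material.
SAMPLE_BUNDLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00000000000000000000000000000000

Q09OU1RSVUNURUQgU0FNUExFIEtFWQ==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIENFUlQ=
-----END CERTIFICATE-----
"""
SAMPLE_CERT_ONLY = SAMPLE_BUNDLE[SAMPLE_BUNDLE.index("-----BEGIN CERTIFICATE"):]

if __name__ == "__main__":
    for name, text in (("bundle", SAMPLE_BUNDLE), ("cert only", SAMPLE_CERT_ONLY)):
        print(name, inspect_pem_bundle(text))
```

A report with “key_encrypted” set to False means the key sits on disk in the clear, so the file's permissions are the only thing protecting it.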
Clients
Clients must have support for SSL to work with a mongod instance that has SSL support enabled. The current versions of the Python, Java, Ruby, Node.js, and .NET drivers have support for SSL, with full support coming in future releases of other drivers.
mongo
The mongo shell distributed with the subscriber build is built with SSL support and also supports SSL connections. Use the “--ssl” flag as follows:
MMS
The MMS agent will also have to connect via SSL in order to gather its stats. Because the agent already utilizes SSL for its communications to the MMS servers, this is just a matter of enabling SSL support in MMS itself on a per host basis.
Please see the MMS Manual for more information about MMS configuration.
PyMongo
Add the “ssl=True” parameter to a PyMongo MongoClient to create a MongoDB connection to an SSL MongoDB instance:
To connect to a replica set, use the following operation:
PyMongo also supports an “ssl=true” option for the MongoDB URI:
Java
Consider the following example “SSLApp.java” class file:
Ruby
The recent versions of the Ruby driver have support for connections to SSL servers. Install the latest version of the driver with the following command:
Then connect to a standalone instance, using the following form:
Replace connection with the following if you’re connecting to a replica set:
Here, mongod instances run on “localhost:27017” and “localhost:27018”.
Node.JS (node-mongodb-native)
In the node-mongodb-native driver, use the following invocation to connect to a mongod or mongos instance via SSL:
To connect to a replica set via SSL, use the following form:
.NET
As of release 1.6, the .NET driver supports SSL connections with mongod and mongos instances. To connect using SSL, you must add an option to the connection string, specifying ssl=true as follows:
The .NET driver will validate the certificate against the local trusted certificate store, in addition to encrypting the connection to the server. This behavior may produce issues during testing, if the server uses a self-signed certificate. If you encounter this issue, add the sslverifycertificate=false option to the connection string to prevent the .NET driver from validating the certificate, as follows: