This version of the documentation is archived and no longer supported.

Inter-Process Authentication

In most cases, replica set and sharded cluster administrators do not have to keep additional considerations in mind beyond the normal security precautions that all MongoDB administrators must take. However, ensure that:

  • Your network configuration will allow every member of the replica set to contact every other member of the replica set.
  • If you use MongoDB’s authentication system to limit access to your infrastructure, ensure that you configure a keyFile on all members to permit authentication.

For most instances, the most effective ways to control access and to secure the connection between members of a replica set depend on network-level access control. Use your environment’s firewall and network routing to ensure that traffic only from clients and other replica set members can reach your mongod instances. If needed, use virtual private networks (VPNs) to ensure secure connections over wide area networks (WANs.)

Enable Authentication in Replica Sets and Sharded Clusters

New in version 1.8: Added support authentication in replica set deployments.

Changed in version 1.9.1: Added support authentication in sharded replica set deployments.

MongoDB provides an authentication mechanism for mongod and mongos instances connecting to replica sets. These instances enable authentication but specify a shared key file that serves as a shared password.

To enable authentication, add the following option to your configuration file:

keyFile = /srv/mongodb/keyfile


You may chose to set these run-time configuration options using the --keyFile (or mongos --keyFile) options on the command line.

Setting keyFile enables authentication and specifies a key file for the replica set members to use when authenticating to each other. The content of the key file is arbitrary but must be the same on all members of the replica set and on all mongos instances that connect to the set.

The key file must be between 6 and 1024 characters and may only contain characters in the base64 set. The key file must not have group or “world” permissions on UNIX systems. See Generate a Key File for instructions on generating a key file.