Overview
MongoDB Search and Vector Search use two internal communication channels between mongot and mongod:
- Sync source connections (mongot → mongod/mongos): mongot reads data and metadata from the replica set to build and maintain search indexes. You can configure TLS for this connection in the syncSource section of the mongot configuration file.
- Query Server connections (mongod → mongot): mongod forwards MongoDB Search and Vector Search queries and index management commands to mongot over gRPC. You configure TLS for this connection in the server.grpc.tls section of the mongot configuration file.
Configure TLS for Sync Source Connections
mongot connects to the replica set as a MongoDB client to sync data for indexing. To encrypt this connection, configure the scramAuth.tls block in the syncSource.replicaSet section of your mongot configuration file.
```yaml
syncSource:
  replicaSet:
    hostAndPort: "localhost:27017" # Replace with the mongod host and port.
    scramAuth:
      username: "mongot"
      passwordFile: "/etc/mongot/secrets/passwordFile"
      tls:
        enabled: true
        tlsCertificateKeyFile: "/path/to/mongot-client.pem"
        tlsCertificateKeyFilePasswordFile: "etc"
        caFile: "/path/to/ca.pem"
```
If you don't specify caFile in the scramAuth.tls configuration, mongot uses the system keystore to verify the server certificate. Specify a CA file to control exactly which certificates mongot trusts for the sync source connection.
If mongot connects to a sharded cluster through a mongos router, you must also set syncSource.router.tls to true.
Configure TLS for the Query Server
mongod connects to mongot over gRPC to send MongoDB Search and Vector Search queries. To encrypt this connection, configure server.grpc.tls in your mongot configuration file.
The Query Server supports the following TLS modes:
| Mode | Description |
|---|---|
| | Disable TLS. |
| TLS | Enable TLS. |
| mTLS | Enable mutual TLS. Both |
Enable TLS on the Query Server
To enable TLS on the Query Server, set server.grpc.tls.mode to "TLS" and specify the path to the mongot certificate and private key PEM file:
```yaml
server:
  grpc:
    address: "<host>:<port>"
    tls:
      mode: "TLS"
      certificateKeyFile: "/etc/mongot-tls/mongot-combined.pem"
```
Enable mTLS on the Query Server
To enable mutual TLS on the Query Server, set server.grpc.tls.mode to "mTLS". Specify the certificate key file and CA file so that mongot can authenticate to mongod:
```yaml
server:
  grpc:
    address: "<host>:<port>"
    tls:
      mode: "mTLS"
      certificateKeyFile: "/etc/mongot-tls/mongot-combined.pem"
      caFile: "/etc/mongot-tls/ca.pem"
```
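The following is an added example, not code from MongoDB's documentation or from mongot itself: a small audit that walks an already-parsed mongot configuration (a dict such as PyYAML's safe_load would return) and reports the weak spots the two sections above describe, on both channels: sync source TLS disabled or left without a caFile (system keystore fallback), a missing syncSource.router.tls on a sharded deployment, and a Query Server with TLS off, with plain TLS instead of mTLS, or with mTLS but no caFile. The key paths mirror the page; the finding texts and the two constructed sample configurations are this example's own.

```python
"""Audit the TLS settings of a mongot configuration (added example, not mongot code)."""
from __future__ import annotations

from typing import Any


def _get(cfg: dict, path: str, default: Any = None) -> Any:
    """Return the value at a dotted key path, or `default` if any segment is missing."""
    node: Any = cfg
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def audit_mongot_tls(cfg: dict) -> list[str]:
    """Return a list of findings; an empty list means both channels are encrypted and verified."""
    findings: list[str] = []

    # Channel 1: sync source, mongot -> mongod/mongos (syncSource.replicaSet.scramAuth.tls).
    sync_tls = _get(cfg, "syncSource.replicaSet.scramAuth.tls")
    if not isinstance(sync_tls, dict):
        sync_tls = {}
    if not sync_tls.get("enabled"):
        findings.append("syncSource: TLS disabled; mongot reads collection data in cleartext")
    else:
        if not sync_tls.get("caFile"):
            findings.append("syncSource: no caFile; the server certificate is checked against the system keystore")
        if not sync_tls.get("tlsCertificateKeyFile"):
            findings.append("syncSource: no tlsCertificateKeyFile; mongot presents no client certificate")
    # A router block means mongot talks to mongos, which needs syncSource.router.tls: true as well.
    if _get(cfg, "syncSource.router") is not None and _get(cfg, "syncSource.router.tls") is not True:
        findings.append("syncSource.router: tls is not true; the connection to mongos is unencrypted")

    # Channel 2: Query Server, mongod -> mongot over gRPC (server.grpc.tls).
    mode = _get(cfg, "server.grpc.tls.mode")
    if mode not in ("TLS", "mTLS"):
        findings.append(f"server.grpc.tls: mode is {mode!r}; search queries reach mongot unencrypted")
    else:
        if not _get(cfg, "server.grpc.tls.certificateKeyFile"):
            findings.append("server.grpc.tls: certificateKeyFile missing; mongot cannot present a certificate")
        if mode == "TLS":
            findings.append("server.grpc.tls: mode TLS encrypts but does not authenticate the mongod peer; consider mTLS")
        elif not _get(cfg, "server.grpc.tls.caFile"):
            findings.append("server.grpc.tls: mTLS without caFile; no CA to verify the peer certificate")
    return findings


# Constructed sample: encrypted on both channels but with the two gaps the page warns about.
WEAK_CONFIG: dict = {
    "syncSource": {
        "replicaSet": {
            "hostAndPort": "localhost:27017",
            "scramAuth": {
                "username": "mongot",
                "passwordFile": "/etc/mongot/secrets/passwordFile",
                "tls": {"enabled": True, "tlsCertificateKeyFile": "/path/to/mongot-client.pem"},
            },
        }
    },
    "server": {
        "grpc": {
            "address": "<host>:<port>",
            "tls": {"mode": "TLS", "certificateKeyFile": "/etc/mongot-tls/mongot-combined.pem"},
        }
    },
}

# Constructed sample: the same deployment with the page's recommended settings applied.
HARDENED_CONFIG: dict = {
    "syncSource": {
        "replicaSet": {
            "hostAndPort": "localhost:27017",
            "scramAuth": {
                "username": "mongot",
                "passwordFile": "/etc/mongot/secrets/passwordFile",
                "tls": {
                    "enabled": True,
                    "tlsCertificateKeyFile": "/path/to/mongot-client.pem",
                    "caFile": "/path/to/ca.pem",
                },
            },
        },
        "router": {"tls": True},
    },
    "server": {
        "grpc": {
            "address": "<host>:<port>",
            "tls": {
                "mode": "mTLS",
                "certificateKeyFile": "/etc/mongot-tls/mongot-combined.pem",
                "caFile": "/etc/mongot-tls/ca.pem",
            },
        }
    },
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_mongot_tls(cfg) or ["no findings"])
```

To run it against a real file, load the YAML with `yaml.safe_load(open(path))` and pass the resulting dict to `audit_mongot_tls`; an empty configuration yields two findings (both channels unencrypted), the constructed weak configuration yields the missing caFile and the plain-TLS notice, and the hardened one yields none.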