Docs Menu
Docs Home
/ /
/ / /

Connect to a TLS-Enabled Replica Set

This tutorial shows you how to connect mongosh to a TLS-enabled self-managed replica set.

Before you start, verify that you have the following:

  • A replica set that you configured to use TLS using the steps in Configure TLS on Self-Managed Deployments.

  • MongoDB access control enabled on your deployment and at least one admin user created. To set up access control, see Enable Access Control on Self-Managed Deployments. This user must have clusterMonitor privileges.

  • If you want to connect to your deployment using X.509 authentication, ensure that you have OpenSSL installed to generate a client certificate.

  • Access to mongosh.

If you do not want to use mutual TLS or X.509 client authentication, follow this procedure. If you set allowConnectionsWithoutCertificates to true in your server configuration, clients can connect without presenting a certificate and authenticate with SCRAM instead.

1

Connect mongosh to your replica set using the following options:

mongosh "mongodb://mongo0.example.com:27017,mongo1.example.com:27017,mongo2.example.com:27017" \
--tls --tlsCAFile /etc/ssl/mongodb/ca.pem
  • --tls enables TLS encryption for the connection.

  • --tlsCAFile is set to the CA certificate that signed the server certificates so that mongosh can verify the server's certificates.

Connecting without a client certificate establishes a TLS-encrypted session but does not authenticate you. To run most commands, you must authenticate with a mechanism such as SCRAM.

2

Use the db.auth() method to authenticate with your admin username and password.

3

Run the following to confirm your authentication state:

db.adminCommand({ connectionStatus: 1 })

Confirm that authInfo.authenticatedUsers includes the expected user.

If you want to use mutual TLS and X.509 client authentication when connecting to your deployment, follow this procedure to create and authenticate with a client certificate.

1

Warning

Do not use the same certificate as your server nodes. You must generate a new client certificate for X.509 authentication, even if your server certificates are valid for client authentication.

Generate a client certificate using the process described in Obtain TLS Server Certificates. Make the following adjustments:

  • In your configuration file, set extendedKeyUsage = clientAuth instead of serverAuth.

  • The CA that signed your node client-authentication certificates must also sign your client certificate. Generally, this is ca.pem. However, if you obtained separate certificates for client authentication, you might have a different CA for client certificates.

  • Name your output files client.key, client.crt, and client.pem instead of the node-specific names used in the certificate tutorial.

After completing the process, copy client.pem to a secure location on the machine where you run mongosh:

cp client.pem /etc/ssl/mongodb/client.pem
2

Identify the subject of your client certificate. You need this value to confirm that you authenticated with the expected client certificate after connecting.

To view the subject, run the following command:

openssl x509 -in /etc/ssl/mongodb/client.pem -noout -subject

Take note of the output, which looks similar to the following:

subject=C=US, ST=New-York, L=New York City, O=MongoDB, CN=myUser

Save the subject name to use later in this tutorial. In this example, the subject name is C=US, ST=New-York, L=New York City, O=MongoDB, CN=myUser.

3

Connect mongosh to your replica set using the following options:

mongosh "mongodb://mongo0.example.com:27017,mongo1.example.com:27017,mongo2.example.com:27017" \
--tls \
--tlsCAFile /etc/ssl/mongodb/ca.pem \
--tlsCertificateKeyFile /etc/ssl/mongodb/client.pem
  • --tls enables TLS encryption for the connection.

  • --tlsCAFile is set to the CA certificate that signed the server certificates so that mongosh can verify the server connection.

  • --tlsCertificateKeyFile presents the client certificate and private key which the server uses to authenticate your connection with X.509.

This connects you to your MongoDB deployment over TLS.

4

Use the db.auth() method to authenticate with your admin username and password.

5

Create a user in the $external database that corresponds to your client certificate's subject name with the db.createUser() method. Replace the username with the subject of your client certificate that you identified previously:

db.getSiblingDB("$external").runCommand({
createUser: "C=US, ST=New-York, L=New York City, O=MongoDB, CN=myUser",
roles: [
{ role: "readWriteAnyDatabase", db: "admin" }
]
})

After you create a user, use the db.auth() method to authenticate to the $external database using X.509:

db.getSiblingDB("$external").auth({
mechanism: "MONGODB-X509",
user: "C=US, ST=New-York, L=New York City, O=MongoDB, CN=myUser"
})
6

Run the following to confirm your authentication state:

db.adminCommand({ connectionStatus: 1 })

Confirm that authInfo.authenticatedUsers includes the expected user.

After completing this tutorial, mongosh is connected to your replica set over an encrypted TLS connection, authenticated with either SCRAM or X.509.

Back

Configure On Your Deployment

On this page