TLS/SSL Configuration for Clients (original) (raw)

Clients must have support for TLS/SSL to connect to amongod or a mongos instance that requireTLS/SSL connections.

Note

• The Linux 64-bit legacy x64 binaries of MongoDB do not include support for TLS/SSL.
• MongoDB disables support for TLS 1.0 encryption on systems where TLS 1.1+ is available.

Important

A full description of TLS/SSL, PKI (Public Key Infrastructure) certificates, and Certificate Authority is beyond the scope of this document. This page assumes prior knowledge of TLS/SSL as well as access to valid certificates.

mongosh provides various TLS/SSL settings, including:

For a complete list of mongosh's tlsoptions, see TLS options.

For TLS/SSL connections, mongosh validates the certificate presented by the mongod ormongos instance:

• mongosh verifies that the certificate is from the specified Certificate Authority (--tlsCAFile. If the certificate is not from the specified CA,mongosh will fail to connect.
• mongosh verifies that the hostname (specified in --host option or the connection string) matches the SAN (or, if SAN is not present, the CN) in the certificate presented by the mongod ormongos. If SAN is present, mongoshdoes not match against the CN. If the hostname does not match the SAN (or CN), mongosh will fail to connect.
  Starting in MongoDB 4.2, when performing comparison of SAN, MongoDB supports comparison of DNS names or IP addresses. In previous versions, MongoDB only supports comparisons of DNS names.
  To connect mongosh to a mongod ormongos that requires TLS/SSL, specify the--host option or use a connection string to specify the hostname. All other TLS/SSL options must be specified using the command-line options.

To connect to a mongod or mongos instance that requires encrypted communication, start mongosh with:

• --tls
• --host and --tlsCAFile to validate the server certificate.

For example, consider a mongod instance running onhostname.example.com with the following options:

mongod --tlsMode requireTLS --tlsCertificateKeyFile <pem>

To connect to the instance, start mongosh with the following options:

mongosh --tls --host hostname.example.com --tlsCAFile /etc/ssl/caToValidateServerCertificates.pem

mongosh verifies the certificate presented by the mongod instance against the specified hostname and the CA file.

To connect to a mongod or mongos that requires CA-signed client certificates, start mongosh with:

• --tls
• --host and the --tlsCAFile to validate the server certificate,
• --tlsCertificateKeyFile option to specify the client certificate to present to the server.

For example, consider a mongod instance running onhostname.example.com with the following options:

mongod --tlsMode requireTLS --tlsCertificateKeyFile /etc/ssl/mongodb.pem --tlsCAFile /etc/ssl/caToValidateClientCertificates.pem

To connect to the instance, start mongosh with the following options:

mongosh --tls --host hostname.example.com --tlsCertificateKeyFile /etc/ssl/client.pem --tlsCAFile /etc/ssl/caToValidateServerCertificates.pem

To specify a client certificate from the system certificate store, use the --tlsCertificateSelector option instead of--tlsCertificateKeyFile.

If the CA file is also in the system certificate store, you can omit the--tlsCAFile option.

For example, if a certificate with the CN (Common Name) ofmyclient.example.net and the accompanying CA file are both in the macOS system certificate store, you can connect like this:

mongosh --tls  --host hostname.example.com --tlsCertificateSelector subject="myclient.example.net"

There are available in mongosh, but you should use the tlsalternatives instead.

Warning

MongoDB Atlas uses TLS/SSL to encrypt the connections to your databases.

The MongoDB Cloud Manager and Ops Manager Monitoring agents use encrypted communication to gather its statistics. Because the agents already encrypt communications to the MongoDB Cloud Manager/Ops Manager servers, this is just a matter of enabling TLS/SSL support in MongoDB Cloud Manager/Ops Manager on a per host basis.

For more information, see:

• MongoDB Atlas documentation
• MongoDB Cloud Manager documentation
• MongoDB Ops Manager documentation.

The MongoDB Drivers support encrypted communication. For details, see:

• C Driver
• C++ Driver
• C# Driver
• Java Driver
• Node.js Driver
• PHP Driver
• Python Driver
• Ruby Driver
• Scala Driver

Various MongoDB utility programs support encrypted communication. These tools include:

• mongodump
• mongoexport
• mongofiles
• mongoimport
• mongorestore
• mongostat
• mongotop

To use encrypted communication with these tools, use the same tls options asmongosh. See MongoDB Shell.

See also: