SSL Transport Encryption

Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are cryptographic protocols designed to secure data transmission over a network. MongoDB supports SSL/TLS to encrypt the data that flows over the network between MongoDB clients and instances, adding an extra layer of security.

Enabling SSL/TLS

To enable SSL/TLS encryption, you'll need to start the MongoDB server (mongod) and the MongoDB shell (mongo) with the appropriate SSL options.

For MongoDB Server (mongod)

You can start the MongoDB server with SSL enabled by using the --sslMode and --sslPEMKeyFile options:

mongod --sslMode requireSSL --sslPEMKeyFile /path/to/ssl.pem

In this example, requireSSL forces the use of SSL for all connections. The ssl.pem file contains the server's SSL certificate and its private key.

For MongoDB Shell (mongo)

To connect to an SSL-enabled MongoDB server, you can use the --ssl option:

mongo --ssl --host hostname --port port_number

Configuration File

You can also specify SSL settings in the MongoDB configuration file (mongod.conf):

net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /path/to/ssl.pem

SSL Modes

MongoDB supports various SSL modes:

  • disabled: SSL is not enabled.
  • allowSSL: Connections can be either SSL or non-SSL.
  • preferSSL: Allows both, but prefers SSL connections over non-SSL.
  • requireSSL: Only SSL connections are allowed.

Certificate Validation

MongoDB can also validate the certificates that clients present: the --sslCAFile option points mongod at the CA certificate bundle used to verify them:

mongod --sslMode requireSSL --sslPEMKeyFile /path/to/ssl.pem --sslCAFile /path/to/ca.pem

Considerations

  • Performance: SSL/TLS encryption can add some overhead to the network latency. However, the impact is generally minimal and often outweighed by the security benefits.

  • Compatibility: Ensure that the MongoDB drivers and clients you're using support SSL/TLS.

  • Certificate Management: Properly manage your SSL certificates, keeping them updated and secure.

  • Firewall Rules: Make sure your firewall allows traffic on the port mongod listens on; SSL/TLS connections use the same port as plain connections (27017 by default).

Creating SSL for drivers

Creating a self-signed certificate and key with OpenSSL and using them with MongoDB involves several steps. The guide below walks you through the process.

Step 1: Install OpenSSL

First, make sure you have OpenSSL installed on your system. If not, you can install it using a package manager. For example, on Ubuntu:

sudo apt-get install openssl

Or on macOS with Homebrew:

brew install openssl

Step 2: Generate a Private Key

Generate a private key using the following command:

openssl genpkey -algorithm RSA -out mongodb-key.pem

This will create a private key (mongodb-key.pem) using the RSA algorithm.

Step 3: Create a Self-Signed Certificate

First, create a certificate signing request (CSR) from the private key:

openssl req -new -key mongodb-key.pem -out mongodb-csr.pem

You'll be prompted to enter details like country, state, organization, etc. This will create a Certificate Signing Request (CSR) file (mongodb-csr.pem).

Now, generate the self-signed certificate:

openssl x509 -req -in mongodb-csr.pem -signkey mongodb-key.pem -out mongodb-cert.pem

Step 4: Combine the Key and Certificate

MongoDB expects the key and the certificate to be in the same PEM file. You can concatenate them as follows:

cat mongodb-key.pem mongodb-cert.pem > mongodb.pem

Step 5: Configure MongoDB to Use SSL

Now you can configure MongoDB to use this SSL certificate. Edit your mongod.conf file to include the SSL settings:

net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /path/to/mongodb.pem

Or you can start MongoDB from the command line with SSL enabled:

mongod --sslMode requireSSL --sslPEMKeyFile /path/to/mongodb.pem

Step 6: Connect Using SSL

To connect to this MongoDB instance using the MongoDB shell, pass the certificate itself as the CA file: because the certificate is self-signed, it is its own issuer, so the client can use it to verify the server:

mongo --ssl --sslCAFile /path/to/mongodb-cert.pem
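The key-and-certificate part of the steps above (Steps 2 to 4), as an added example that is not from the original page: a non-interactive version of the OpenSSL commands plus a check that the combined PEM is one mongod and the shell will actually accept. It assumes openssl is installed and that HOSTNAME is the name clients will pass to --host, which it places in the CN and in a subjectAltName; make_mongodb_pem and check_mongodb_pem are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes openssl is on PATH.
set -eu

# make_mongodb_pem OUTDIR HOSTNAME DAYS  -> writes OUTDIR/mongodb.pem
make_mongodb_pem() {
  dir=$1; host=$2; days=$3
  # Step 2: private key. Files are created 0600 so the key is never world-readable.
  umask 077
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/mongodb-key.pem" 2>/dev/null
  # Step 3: CSR and self-signed certificate. -subj replaces the interactive
  # prompts; -days is explicit because `openssl x509 -req` defaults to 30 days.
  openssl req -new -key "$dir/mongodb-key.pem" -subj "/CN=$host" \
    -out "$dir/mongodb-csr.pem" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
  openssl x509 -req -in "$dir/mongodb-csr.pem" -signkey "$dir/mongodb-key.pem" \
    -days "$days" -extfile "$dir/san.cnf" -out "$dir/mongodb-cert.pem" 2>/dev/null
  # Step 4: mongod wants the key and the certificate in a single PEM file.
  cat "$dir/mongodb-key.pem" "$dir/mongodb-cert.pem" > "$dir/mongodb.pem"
}

# check_mongodb_pem PEMFILE HOSTNAME  -> returns non-zero if the file would not work
check_mongodb_pem() {
  pem=$1; host=$2
  grep -q 'BEGIN .*PRIVATE KEY' "$pem" || { echo "no private key in $pem"; return 1; }
  grep -q 'BEGIN CERTIFICATE' "$pem" || { echo "no certificate in $pem"; return 1; }
  # The key and certificate must belong together: compare their public keys.
  k=$(openssl pkey -in "$pem" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$pem" -noout -pubkey | openssl sha256)
  [ "$k" = "$c" ] || { echo "key and certificate do not match"; return 1; }
  # Not expired, and issued for the name clients will connect to (SAN check).
  openssl x509 -in "$pem" -noout -checkend 0 >/dev/null \
    || { echo "certificate has expired"; return 1; }
  openssl x509 -in "$pem" -noout -ext subjectAltName | grep -q "DNS:$host" \
    || { echo "certificate has no subjectAltName for $host"; return 1; }
  echo "ok: $pem is valid for $host ($(openssl x509 -in "$pem" -noout -enddate))"
}
```

Run make_mongodb_pem against a scratch directory, then point --sslPEMKeyFile at the resulting mongodb.pem and --sslCAFile at mongodb-cert.pem as in Steps 5 and 6.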

Considerations

  • Self-signed certificates are generally not recommended for production environments. They are useful for testing and development purposes.

  • For production, it's advisable to use certificates signed by a trusted Certificate Authority (CA).

  • Make sure to secure your private key and certificate files appropriately.