Mongodb TLS encryption

Time:10-13

I have implemented MongoDB TLS encryption on the server side (using self-signed certs), with the following configuration.

systemLog:
  destination: file
  path: "/var/log/mongodb/mongod.log"
  logAppend: true
storage:
  dbPath: "/data/db"
  journal:
    enabled: true
net:
  bindIpAll: true
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem

How do I connect to this instance from a client and verify that the TLS encryption is successful?

CodePudding user response:

Verification is simple, because you set requireTLS. If you can connect to MongoDB, then TLS encryption is also successful; otherwise you cannot connect.

When you enable TLS, I assume you would also like to enable authorization. You would need to add:

security:
   authorization: enabled

If you authenticate users by username/password, then you have to set allowConnectionsWithoutCertificates:

net:
  port: 27017
  bindIpAll: true
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem
    allowConnectionsWithoutCertificates: true

The connection would be like this:

mongosh 'mongodb://user:password@hostname/?authSource=admin&tls=true&tlsCAFile=/etc/ssl/certs/ca-bundle.crt'

Note: if you use the legacy mongo shell, then you cannot use the TLS settings in the URI; instead use

mongo 'mongodb://user:password@hostname/?authSource=admin' --tls --tlsCAFile /etc/ssl/certs/ca-bundle.crt

Without allowConnectionsWithoutCertificates you would also need a certificate on the client; see Use x.509 Certificates to Authenticate Clients.

If you would just like to verify the TLS settings, I recommend the openssl tool:

openssl s_client -showcerts -CAfile /etc/ssl/certs/ca-bundle.crt -brief -connect your_hostname:27017 <<< "Q"
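As an added example (not code from the question or the answer above), the following Python script, using only the standard library, checks from the client side both halves of what the answer relies on: that a TLS handshake validates the server certificate against the CA file and the hostname, and that a plaintext connection to a requireTLS instance is dropped rather than answered. The host, port and CA file path are arguments you supply; the hello message is hand-encoded so no MongoDB driver is needed.

```python
# Client-side check of a requireTLS mongod using only the standard library.
import socket
import ssl
import struct
from datetime import datetime, timezone

OP_MSG = 2013  # MongoDB wire-protocol opcode for OP_MSG

def build_hello_opmsg():
    """OP_MSG carrying {hello: 1, $db: "admin"}, with the BSON encoded by hand."""
    body = (b"\x10hello\x00" + struct.pack("<i", 1)                  # int32  hello: 1
            + b"\x02$db\x00" + struct.pack("<i", 6) + b"admin\x00")  # string $db: "admin"
    doc = struct.pack("<i", len(body) + 5) + body + b"\x00"          # length + body + terminator
    section = struct.pack("<I", 0) + b"\x00" + doc                   # flagBits 0, section kind 0
    return struct.pack("<iiii", 16 + len(section), 1, 0, OP_MSG) + section

def summarize_cert(cert):
    """Reduce an ssl.getpeercert() dict to subject CN, DNS SANs and days until expiry."""
    not_after = datetime.strptime(cert["notAfter"], "%b %d %H:%M:%S %Y %Z")
    days_left = (not_after.replace(tzinfo=timezone.utc) - datetime.now(timezone.utc)).days
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return {"cn": cn[0] if cn else None, "sans": sans, "days_left": days_left}

def tls_report(host, port, cafile):
    """Handshake with full chain and hostname verification against the given CA file."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            report = {"protocol": tls.version(), "cipher": tls.cipher()[0]}
            report.update(summarize_cert(tls.getpeercert()))
            return report

def plaintext_rejected(host, port):
    """A requireTLS mongod closes a non-TLS connection instead of answering hello."""
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            raw.sendall(build_hello_opmsg())
            return raw.recv(16) == b""   # EOF: server dropped us without a reply
    except ConnectionResetError:
        return True
    except socket.timeout:
        return False                     # server kept the plaintext session open

if __name__ == "__main__":
    import sys  # usage: python check_mongo_tls.py <host> <port> <ca-file>
    host, port, cafile = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    print(tls_report(host, port, cafile))
    print("plaintext rejected:", plaintext_rejected(host, port))
```

A handshake failure from tls_report means the CA file or the certificate's hostname does not match what the server presents, which is exactly what tlsAllowInvalidCertificates would otherwise hide.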