This topic describes how to enable SSL encryption for an ApsaraDB for MongoDB instance to enhance link security. After you enable SSL encryption, install SSL certificates that are issued by certificate authorities (CAs) on your application. SSL encryption can encrypt connections at the transport layer to increase data security and ensure data integrity. This topic also describes operations related to SSL encryption.
Prerequisites
The instance is a replica set instance or a sharded cluster instance that uses cloud disks.
Usage notes
You can download SSL certificates only in the ApsaraDB for MongoDB console.
After you enable SSL encryption for an ApsaraDB for MongoDB instance, the CPU utilization of the instance is significantly increased. We recommend that you enable SSL encryption only when you need to encrypt data during transmission. For example, you can enable SSL encryption when you connect to an ApsaraDB for MongoDB instance over the Internet.
Note: In most cases, connections that are established to the internal endpoint of your instance are secure and do not require SSL encryption.
After you enable SSL encryption for an ApsaraDB for MongoDB instance, if you modify the endpoint of the instance or apply for a new endpoint for the instance such as a new node endpoint or public endpoint, the new endpoint does not support SSL encryption. If you want to enable SSL encryption for the new endpoint, update an SSL certificate. For more information, see Update an SSL certificate.
After you enable SSL encryption for an ApsaraDB for MongoDB instance, both SSL and non-SSL connections are supported.
Impacts
When you enable or disable SSL encryption or update SSL certificates for an ApsaraDB for MongoDB instance, the instance is restarted. Plan your business in advance and make sure that your applications can automatically reconnect to the instance.
When an ApsaraDB for MongoDB instance is restarted, all nodes in the instance are restarted in turn and a 30-second disconnection occurs for every node in the instance. If the instance houses more than 10,000 collections, transient disconnections last longer.
Enable SSL encryption
When you enable SSL encryption for an ApsaraDB for MongoDB instance, the instance is restarted. During the restart, a 30-second disconnection occurs for every node in the instance. Plan your business in advance and make sure that your applications can automatically reconnect to the instance.
Go to the Replica Set Instances or Sharded Cluster Instances page. In the top navigation bar, select the region in which the instance resides. Then, find the instance and click the ID of the instance.
In the left-side navigation pane of the instance details page, choose .
Turn on the switch next to SSL Status.
In the Enable SSL message, click OK.
The instance state changes to Modifying SSL. When the SSL state changes to Enabled and the instance state changes to Running, SSL encryption is enabled.
Download an SSL certificate
Go to the Replica Set Instances or Sharded Cluster Instances page. In the top navigation bar, select the region in which the instance resides. Then, find the instance and click the ID of the instance.
In the left-side navigation pane of the instance details page, choose .
Click Download Certificate to download an SSL certificate to your computer.
The downloaded SSL certificate can be used to encrypt database connections. For more information, see Use the mongo shell to connect to an ApsaraDB for MongoDB database in SSL encryption mode.
More operations
Update an SSL certificate
An SSL certificate for an ApsaraDB for MongoDB instance is valid for one year. If the certificate is not renewed after it expires, clients that use encrypted connections cannot connect to the instance. When the certificate is about to expire, Alibaba Cloud will notify you by text messages, emails, and internal messages (event center), and will automatically renew the certificate within a specific period of time. You can configure Schedule Event to customize the certificate update time. For more information, see View and manage scheduled events. You can also perform the following steps to manually update the validity period of an SSL certificate.
After the SSL certificate is automatically updated, clients that use encrypted connections can connect to the database without re-downloading or re-configuring the SSL certificate. When you update an SSL certificate, the instance is restarted. During the restart, a 30-second disconnection occurs for every node in the instance. You can configure Schedule Event to customize the certificate update time. Plan your business in advance and make sure that your applications can automatically reconnect to the instance.
Go to the Replica Set Instances page. In the top navigation bar, select the region in which the instance resides. Then, find the instance and click the ID of the instance.
In the left-side navigation pane of the instance details page, choose .
Click Update Certificate.
In the Update SSL message, click OK.
The instance state changes to Modifying SSL. When the instance state changes to Running, the update is complete.
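The downloaded CA certificate is what your application uses to verify the server (see Download an SSL certificate), and the text above notes that certificates are valid for one year. The following is an added example, not part of this documentation or of Alibaba Cloud's own tooling: it builds a driver connection URI that requires TLS and pins the downloaded CA file, and it reads notBefore/notAfter out of a PEM certificate with a minimal DER walk so you can alert before the file you distributed to clients expires. The host name, user name, CA file path and the `sample_pem` certificate skeleton are constructed placeholders; the URI option names (`tls`, `tlsCAFile`, `authSource`, `replicaSet`) are standard MongoDB connection-string options, not values taken from this page.

```python
import base64
from datetime import datetime, timezone
from urllib.parse import quote_plus


def build_tls_uri(host, port, user, password, ca_file, replica_set=None):
    """Connection URI for a MongoDB driver that forces TLS and pins the downloaded CA file.
    All argument values are supplied by the caller (hypothetical placeholders in the test)."""
    uri = (f"mongodb://{quote_plus(user)}:{quote_plus(password)}@{host}:{port}/"
           f"?authSource=admin&tls=true&tlsCAFile={quote_plus(ca_file)}")
    if replica_set:
        uri += f"&replicaSet={quote_plus(replica_set)}"
    return uri


def _tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length: low bits give byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, raw):
    """Decode an X.509 Time (UTCTime 0x17 or GeneralizedTime 0x18) into an aware datetime."""
    s = raw.decode("ascii")
    if tag == 0x17:                          # UTCTime YYMMDDHHMMSSZ; RFC 5280: YY >= 50 means 19YY
        yy = int(s[:2])
        s = str(1900 + yy if yy >= 50 else 2000 + yy) + s[2:]
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_validity(pem_text):
    """Return (notBefore, notAfter) of the first certificate in a PEM string."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(body)
    _, cert, _ = _tlv(der, 0)                # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = _tlv(cert, 0)                # TBSCertificate ::= SEQUENCE
    tag, _, pos = _tlv(tbs, 0)
    if tag == 0xA0:                          # optional explicit [0] version (present in v3 certs)
        _, _, pos = _tlv(tbs, pos)           # serialNumber
    _, _, pos = _tlv(tbs, pos)               # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)               # issuer Name
    _, validity, _ = _tlv(tbs, pos)          # Validity ::= SEQUENCE { notBefore, notAfter }
    t1, nb, p = _tlv(validity, 0)
    t2, na, _ = _tlv(validity, p)
    return _parse_time(t1, nb), _parse_time(t2, na)


def days_until_expiry(pem_text, now_iso=None):
    """Whole days until notAfter, measured from now_iso (ISO 8601, treated as UTC) or the clock."""
    now = (datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
           if now_iso else datetime.now(timezone.utc))
    return (cert_validity(pem_text)[1] - now).days


def _der(tag, content):
    """Encode one DER TLV (used only to build the constructed test certificate)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def sample_pem(not_before_iso, not_after_iso):
    """Constructed, unsigned certificate skeleton for offline testing; not a real CA certificate."""
    def utc_time(iso):
        return _der(0x17, datetime.fromisoformat(iso).strftime("%y%m%d%H%M%SZ").encode())
    sha256_rsa = _der(0x06, bytes.fromhex("2a864886f70d01010b"))   # OID 1.2.840.113549.1.1.11
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))                # version v3
                     + _der(0x02, b"\x01")                          # serialNumber
                     + _der(0x30, sha256_rsa)                       # signature algorithm
                     + _der(0x30, b"")                              # empty issuer Name (placeholder)
                     + _der(0x30, utc_time(not_before_iso) + utc_time(not_after_iso)))
    cert = _der(0x30, tbs + _der(0x30, sha256_rsa) + _der(0x03, b"\x00"))  # empty signature
    b64 = base64.b64encode(cert).decode()
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    pem = sample_pem("2024-01-01", "2025-01-01")   # with a real file: open(path).read()
    print(cert_validity(pem), days_until_expiry(pem, "2024-12-02"))
    print(build_tls_uri("mongodb-host.example", 3717, "root", "p@ss", "/etc/ssl/ca.pem"))
```

With the certificate downloaded from the console, pass `open(path).read()` to `cert_validity` and schedule `days_until_expiry` in your monitoring so a replacement is distributed before the one-year validity ends. For the command-line client referenced above, the legacy mongo shell takes `--ssl --sslCAFile <path>` and mongosh takes `--tls --tlsCAFile <path>` (the shells' standard options, assumed here rather than taken from this page); in both cases keep certificate validation enabled rather than using an allow-invalid-certificates switch, since that would discard the protection SSL encryption was enabled for.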
Disable SSL encryption
When you disable SSL encryption, the instance is restarted. During the restart, a 30-second disconnection occurs for every node in the instance. Plan your business in advance and make sure that your applications can automatically reconnect to the instance.
Go to the Replica Set Instances page. In the top navigation bar, select the region in which the instance resides. Then, find the instance and click the ID of the instance.
In the left-side navigation pane of the instance details page, choose .
Turn off the switch next to SSL Status.
In the Disable SSL message, click OK.
The instance state changes to Modifying SSL. When the instance state changes to Running, SSL encryption is disabled.
Related API operations
Operation | Description |
 | Queries the SSL settings of an ApsaraDB for MongoDB instance. |
 | Modifies the SSL settings of an ApsaraDB for MongoDB instance. |