To improve connection security, you can enable Secure Sockets Layer (SSL) encryption and install an SSL CA certificate on your application service. SSL encryption encrypts network connections at the transport layer to improve data security and ensure data integrity. This topic describes the operations related to SSL encryption.
Prerequisites
The instance must be a replica set instance or a sharded cluster instance that uses cloud disks.
Usage notes
You can download SSL CA certificates only from the ApsaraDB for MongoDB console.
Enabling SSL encryption increases the CPU utilization of your ApsaraDB for MongoDB instance. Enable SSL encryption only when you need to encrypt data during transmission, such as when you connect to an ApsaraDB for MongoDB instance over the public network.
Note: Internal network connections are relatively secure and generally do not require encryption.
After you enable SSL encryption for an instance, if you modify the endpoint of the instance or apply for a new endpoint, such as a new node endpoint or public endpoint, the new endpoint does not support SSL-encrypted connections. If you want to use SSL-encrypted connections for the new endpoint, you must update the server certificate.
After SSL encryption is enabled, the instance accepts both SSL and non-SSL connections by default. To accept only SSL connections, you must also enable mandatory SSL encryption (Forced SSL).
Impacts
When you enable or disable SSL encryption, or update an SSL certificate, the instance restarts. Plan your business in advance and ensure your application has a reconnection mechanism.
When an instance restarts, its nodes are restarted in a rolling manner. A transient disconnection of about 30 seconds occurs for each node. If the instance has many collections, such as more than 10,000, the transient disconnection lasts longer.
Enable SSL encryption
When you enable SSL encryption, the ApsaraDB for MongoDB instance restarts. During the restart, a transient disconnection of about 30 seconds occurs for each node. Plan your business in advance and ensure your application has a reconnection mechanism.
Go to the Replica Set Instances or Sharded Cluster Instances page. In the top navigation bar, select a resource group and a region. Then, click the ID of the target instance.
In the navigation pane on the left, click .
Turn on the switch next to SSL Status.
In the Enable SSL dialog box, select whether to enable Forced SSL.
Note: If you enable mandatory SSL encryption, non-SSL connections are rejected.
Click OK.
The instance state changes to Modifying SSL. When the SSL status changes to Enabled and the instance state changes to Running, SSL encryption is enabled.
Download an SSL CA certificate
Go to the Replica Set Instances or Sharded Cluster Instances page. In the top navigation bar, select a resource group and a region. Then, click the ID of the target instance.
In the navigation pane on the left, click .
Click Download Certificate to download the SSL CA certificate to your computer.
The downloaded SSL CA certificate can be used to encrypt database connections. For more information, see Use the mongo shell to connect to a database over an SSL-encrypted connection.
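The following Python example is added here and is not code from the ApsaraDB for MongoDB documentation. It shows the two client-side pieces this topic asks for: a connection string that turns on TLS and verifies the server against the downloaded CA certificate (tls, tlsCAFile, authSource and replicaSet are standard MongoDB connection string options), and a reconnection wrapper that retries an operation with exponential backoff across the transient disconnection of about 30 seconds per node during the rolling restart. The endpoints, replica set name, credentials and CA file path are constructed placeholders; the flaky operation is a constructed stand-in so the retry policy can be exercised offline, and the pymongo calls in the comments are used only when the driver is installed.

```python
"""Added example: connect to ApsaraDB for MongoDB over TLS with the downloaded
CA certificate, and retry operations across the ~30 s per-node transient
disconnection caused by the rolling restart. Not code from the product docs."""
import time
from urllib.parse import quote_plus, urlencode

# Constructed placeholders: replace with your instance's endpoints, replica set
# name, credentials and the path of the CA file downloaded from the console.
HOSTS = ["dds-example1.mongodb.rds.aliyuncs.com:3717",
         "dds-example2.mongodb.rds.aliyuncs.com:3717"]
REPLICA_SET = "mgset-example"
CA_FILE = "/etc/ssl/ApsaraDB-CA-Chain.pem"


class TransientConnectionError(Exception):
    """Stand-in for the driver's transient network error (pymongo raises AutoReconnect)."""


try:  # Use the real pymongo exception when the driver is installed.
    from pymongo.errors import AutoReconnect
    TRANSIENT_ERRORS = (AutoReconnect, TransientConnectionError)
except ImportError:
    TRANSIENT_ERRORS = (TransientConnectionError,)


def build_tls_uri(user, password, hosts, ca_file, replica_set=None, auth_source="admin"):
    """Build a mongodb:// URI that requires TLS and verifies the server against ca_file.

    Credentials are percent-encoded so ':' '@' '/' in a password cannot corrupt
    the URI; without tlsCAFile the driver could not validate the server chain.
    """
    options = {"tls": "true", "tlsCAFile": ca_file, "authSource": auth_source}
    if replica_set:
        options["replicaSet"] = replica_set
    return "mongodb://{}:{}@{}/?{}".format(
        quote_plus(user), quote_plus(password), ",".join(hosts),
        urlencode(options, safe="/"))  # keep path slashes readable


def run_with_reconnect(operation, attempts=6, base_delay=1.0, max_delay=16.0,
                       sleep=time.sleep):
    """Call operation(); on a transient error, back off exponentially and retry.

    Six attempts with waits of 1, 2, 4, 8 and 16 s span the ~30 s per-node
    disconnection. The last failure is re-raised so a permanent problem surfaces.
    """
    delay = base_delay
    for attempt in range(1, attempts + 1):
        try:
            return operation()
        except TRANSIENT_ERRORS:
            if attempt == attempts:
                raise
            sleep(delay)
            delay = min(delay * 2, max_delay)


def make_flaky_operation(failures_before_success):
    """Constructed stand-in for a query that fails while a node is restarting."""
    state = {"calls": 0}

    def operation():
        state["calls"] += 1
        if state["calls"] <= failures_before_success:
            raise TransientConnectionError("connection reset during rolling restart")
        return {"ok": 1, "calls": state["calls"]}

    return operation


if __name__ == "__main__":
    uri = build_tls_uri("appuser", "p@ss:word", HOSTS, CA_FILE, REPLICA_SET)
    print(uri)
    # Offline demonstration of the retry policy: fails twice, succeeds on the third call.
    print(run_with_reconnect(make_flaky_operation(2), sleep=lambda s: None))
    # With pymongo installed and a reachable instance, the same helper wraps real calls:
    #   from pymongo import MongoClient
    #   client = MongoClient(uri, serverSelectionTimeoutMS=5000)
    #   print(run_with_reconnect(lambda: client.admin.command("ping")))
```

The backoff budget is deliberately sized to the restart window described above; if the instance has many collections and the disconnection lasts longer, raise attempts or max_delay rather than retrying in a tight loop, which only adds load while the node comes back.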
Other operations
Update the server certificate
A MongoDB server certificate is valid for one year. If the certificate is not updated after it expires, client programs that use encrypted connections cannot connect to the instance. When the certificate is about to expire, Alibaba Cloud notifies you by text message, email, and internal message in the Event Center. The certificate is also automatically updated within a specific time period. You can configure Schedule Event to customize the certificate update time. For more information, see Scheduled events. You can also manually update the validity period of the server certificate.
After the server certificate is automatically updated, client programs that use encrypted connections can connect to the database without having to download and reconfigure the CA certificate. When you update the SSL certificate, the ApsaraDB for MongoDB instance restarts. During the restart, a transient disconnection of about 30 seconds occurs for each node. You can configure Schedule Event to customize the certificate update time. Plan your business in advance and ensure your application has a reconnection mechanism.
Go to the Replica Set Instances page. In the top navigation bar, select a resource group and a region. Then, click the ID of the target instance.
In the navigation pane on the left, click .
Click Update Certificate.
In the Update SSL dialog box, click OK.
The instance state changes to Modifying SSL. When the instance state changes to Running, the server certificate is updated.
Disable SSL encryption
When you disable SSL encryption, the ApsaraDB for MongoDB instance restarts. During the restart, a transient disconnection of about 30 seconds occurs for each node. Plan your business in advance and ensure your application has a reconnection mechanism.
Go to the Replica Set Instances page. In the top navigation bar, select a resource group and a region. Then, click the ID of the target instance.
In the navigation pane on the left, click .
Turn off the switch next to SSL Status.
In the Disable SSL dialog box, click OK.
The instance state changes to Modifying SSL. When the instance state changes to Running, SSL encryption is disabled.
Related API operations
API | Description
 | Queries the SSL settings of an ApsaraDB for MongoDB instance.
 | Modifies the SSL settings of an ApsaraDB for MongoDB instance.