ApsaraDB for MongoDB: SSL connection sample code for MongoDB drivers

Last Updated: Jul 11, 2024

This topic describes how to establish an SSL connection from a client to an ApsaraDB for MongoDB database. This ensures data privacy and security during transmission.

When the sslAllowConnectionsWithoutCertificates parameter of the instance is set to true, the client does not have to present a client certificate when it establishes an SSL connection. The client still has to be configured with the CA certificate so that it can verify the server certificate, and hostname verification must be skipped. Because hostname verification is skipped, trust in the CA is the only thing that authenticates the server: use the CA certificate obtained when you configured SSL encryption for the instance rather than a general-purpose trust bundle, and do not disable certificate validation altogether (for example with the tlsInsecure or tlsAllowInvalidCertificates connection options), because that would let any endpoint presenting any certificate impersonate the instance.

For more information about how to configure SSL encryption, see Configure SSL encryption for an ApsaraDB for MongoDB instance.

Node.js

For more information about how to use Node.js to establish an SSL connection to an ApsaraDB for MongoDB database, see MongoDB Node.js Driver.

Sample code

Append ?ssl=true to the MongoDB connection URI, set sslCA to the CA certificate, and set checkServerIdentity to false to skip hostname verification. These are the option names of the legacy 2.x Node.js driver; newer driver versions also accept the standard tls, tlsCAFile and tlsAllowInvalidHostnames connection-string options.

var MongoClient = require('mongodb').MongoClient,
  fs = require('fs');

// Read the certificate authority
var ca = [fs.readFileSync(__dirname + "/path/to/ca.pem")];

// Connect, validating the certificate returned by the server against the CA
// but skipping hostname verification
MongoClient.connect("mongodb://host01:27017,host02:27017,host03:27017/?replicaSet=myreplset&ssl=true", {
  server: {
      sslValidate: true,
      checkServerIdentity: false, // ignore hostname validation
      sslCA: ca
  }
}, function(err, db) {
  if (err) {
    console.error("connection failed:", err);
    return;
  }
  db.close();
});

PHP

For more information about how to use PHP to establish an SSL connection to an ApsaraDB for MongoDB database, see MongoDB PHP Driver.

Sample code

Use MongoDB\Client::__construct to create a client instance. It takes three groups of parameters: $uri, $uriOptions, and $driverOptions.

function __construct($uri = 'mongodb://127.0.0.1/', array $uriOptions = [], array $driverOptions = [])

In $uriOptions, set ssl to true to enable the SSL connection. In $driverOptions, set ca_file to the path of the CA certificate and set allow_invalid_hostname to true to skip hostname verification.

<?php
$client = new MongoDB\Client(
    'mongodb://host01:27017,host02:27017,host03:27017',
    [
        'ssl' => true,
        'replicaSet' => 'myReplicaSet'
    ],
    [
        'ca_file' => '/path/to/ca.pem',
        'allow_invalid_hostname' => true
    ]
);
?>

Java

For more information about how to use Java to establish an SSL connection to an ApsaraDB for MongoDB database, see MongoDB Java Driver.

Sample code

In MongoClientOptions, set sslEnabled to true to enable the SSL connection and set sslInvalidHostNameAllowed to true to skip hostname verification. Pass the options builder to MongoClientURI so that the options are applied together with the connection string: the MongoClient(String, MongoClientOptions) constructor expects a single host name, not a connection string.

import com.mongodb.MongoClient;
import com.mongodb.MongoClientOptions;
import com.mongodb.MongoClientURI;

MongoClientOptions.Builder builder = MongoClientOptions.builder().sslEnabled(true).sslInvalidHostNameAllowed(true);
// MongoClientURI applies the builder's options on top of the connection string.
MongoClientURI uri = new MongoClientURI("mongodb://host01:27017,host02:27017,host03:27017/?replicaSet=myreplset", builder);
MongoClient client = new MongoClient(uri);

Import the CA certificate into a Java trust store by running a keytool command:

keytool -importcert -trustcacerts -file <path to certificate authority file> 
        -keystore <path to trust store> -storepass <password>

Point the JVM at that trust store and its password. Set the system properties before the client is created, or pass them on the command line as -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword:

System.setProperty("javax.net.ssl.trustStore","/trust/mongoStore.ts");
System.setProperty("javax.net.ssl.trustStorePassword","StorePass");

Python

For more information about how to use Python to establish an SSL connection to an ApsaraDB for MongoDB database, see MongoDB Python Driver.

Sample code

Set tls to True to enable the SSL connection, set tlsCAFile to the path of the CA certificate, and set tlsAllowInvalidHostnames to True to skip hostname verification. PyMongo 3.x also accepted the older names ssl, ssl_ca_certs and ssl_match_hostname=False; they were removed in PyMongo 4.0.

from pymongo import MongoClient

uri = "mongodb://host01:27017,host02:27017,host03:27017/?replicaSet=myreplset"
# Verify the server certificate against ca.pem but do not check the hostname.
client = MongoClient(uri,
                     tls=True,
                     tlsCAFile='ca.pem',
                     tlsAllowInvalidHostnames=True)

C

For more information about how to use C to establish an SSL connection to an ApsaraDB for MongoDB database, see MongoDB C Driver.

Sample code

Append ?ssl=true to the MongoDB connection URI. Use mongoc_ssl_opt_t to set the SSL options: set ca_file to the path of the CA certificate and set allow_invalid_hostname to true to skip hostname verification (false, the default, keeps hostname verification on).

#include <mongoc/mongoc.h>
#include <string.h>

int main (void)
{
   mongoc_init ();
   mongoc_client_t *client = mongoc_client_new (
      "mongodb://host01:27017,host02:27017,host03:27017/?replicaSet=myreplset&ssl=true");
   const mongoc_ssl_opt_t *ssl_default = mongoc_ssl_opt_get_default ();
   mongoc_ssl_opt_t ssl_opts = { 0 };

   /* Start from the driver defaults, then trust the instance CA file and skip hostname checks. */
   memcpy (&ssl_opts, ssl_default, sizeof ssl_opts);
   ssl_opts.ca_file = "/path/to/ca.pem";
   ssl_opts.allow_invalid_hostname = true;
   mongoc_client_set_ssl_opts (client, &ssl_opts);

   mongoc_client_destroy (client);
   mongoc_cleanup ();
   return 0;
}

C++

For more information about how to use C++ to establish an SSL connection to an ApsaraDB for MongoDB database, see MongoDB C++ Driver.

Sample code

Append ?ssl=true to the MongoDB connection URI. Use mongocxx::options::ssl to set the SSL options and set ca_file to the path of the CA certificate.

Note

You cannot ignore hostname verification for the MongoDB C++ driver.

#include <mongocxx/client.hpp>
#include <mongocxx/instance.hpp>
#include <mongocxx/uri.hpp>
#include <mongocxx/options/client.hpp>
#include <mongocxx/options/ssl.hpp>

int main() {
    // One instance per process; it must outlive every client.
    mongocxx::instance inst{};

    mongocxx::options::client client_options;
    mongocxx::options::ssl ssl_options;

    // If the server certificate is not signed by a well-known CA,
    // set the instance CA file with the `ca_file` option.
    ssl_options.ca_file("/path/to/ca.pem");
    client_options.ssl_opts(ssl_options);

    auto client = mongocxx::client{
        mongocxx::uri{"mongodb://host01:27017,host02:27017,host03:27017/?replicaSet=myreplset&ssl=true"},
        client_options};
    return 0;
}

Scala

For more information about how to use Scala to establish an SSL connection to an ApsaraDB for MongoDB database, see MongoDB Scala Driver.

Sample code

The MongoDB Scala driver relies on Netty for SSL connections to MongoDB servers. In MongoClientSettings, enable SSL through SslSettings and set invalidHostNameAllowed to true to skip hostname verification. Pass the resulting settings object to MongoClient; building the settings and then constructing the client from a bare URI string would discard them.

import com.mongodb.ConnectionString
import org.mongodb.scala.{MongoClient, MongoClientSettings}
import org.mongodb.scala.connection.{ClusterSettings, NettyStreamFactoryFactory, SslSettings}

val connectionString = new ConnectionString("mongodb://host01:27017,host02:27017,host03:27017/?replicaSet=myreplset")
val settings: MongoClientSettings = MongoClientSettings.builder()
  .clusterSettings(ClusterSettings.builder().applyConnectionString(connectionString).build())
  .sslSettings(SslSettings.builder()
    .enabled(true)
    .invalidHostNameAllowed(true)
    .build())
  .streamFactoryFactory(NettyStreamFactoryFactory())
  .build()
val client: MongoClient = MongoClient(settings)

Run a keytool command to specify the CA certificate, which is the same as the method for Java.

keytool -importcert -trustcacerts -file <path to certificate authority file> 
        -keystore <path to trust store> -storepass <password>

Point the JVM at that trust store and its password, either programmatically before the client is created or on the command line with -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword:

System.setProperty("javax.net.ssl.trustStore","/trust/mongoStore.ts");
System.setProperty("javax.net.ssl.trustStorePassword","StorePass");

Golang

For more information about how to use Golang to establish an SSL connection to an ApsaraDB for MongoDB database, see MongoDB Go Driver and the crypto/tls package.

Sample code

The MongoDB Go driver uses the standard crypto/tls package for SSL connections, configured through a tls.Config passed to SetTLSConfig. Note that InsecureSkipVerify does not merely skip hostname verification: when it is true, crypto/tls accepts any certificate from any host and never consults RootCAs. To verify the server certificate chain against the CA while ignoring the hostname, keep InsecureSkipVerify set and re-verify the chain yourself in a VerifyConnection (or VerifyPeerCertificate) callback, as the sample does.

package main

import (
    "context"
    "crypto/tls"
    "crypto/x509"
    "errors"
    "fmt"
    "log"
    "os"
    "time"

    "go.mongodb.org/mongo-driver/bson"
    "go.mongodb.org/mongo-driver/mongo"
    "go.mongodb.org/mongo-driver/mongo/options"
    "go.mongodb.org/mongo-driver/mongo/readpref"
    "go.mongodb.org/mongo-driver/mongo/writeconcern"
)

func main() {
    var filename = "ca.pem"
    rootPEM, err := os.ReadFile(filename)
    if err != nil {
        log.Fatalf("read %s: %v", filename, err)
    }
    roots := x509.NewCertPool()
    if ok := roots.AppendCertsFromPEM(rootPEM); !ok {
        log.Fatalf("no certificates found in %s", filename)
    }
    tlsConfig := &tls.Config{
        // InsecureSkipVerify switches off the built-in chain *and* hostname checks,
        // so a RootCAs field would never be consulted. The chain is therefore
        // re-verified here against the instance CA, deliberately without a DNSName,
        // which is what "ignore hostname verification" should mean.
        InsecureSkipVerify: true,
        VerifyConnection: func(cs tls.ConnectionState) error {
            if len(cs.PeerCertificates) == 0 {
                return errors.New("server presented no certificate")
            }
            opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool()}
            for _, cert := range cs.PeerCertificates[1:] {
                opts.Intermediates.AddCert(cert)
            }
            _, err := cs.PeerCertificates[0].Verify(opts)
            return err
        },
    }

    // Create a Client to a MongoDB server and use Ping to verify that the
    // server is running.
    // Set the database account to test and the database to admin.
    clientOpts := options.Client().ApplyURI("mongodb://test:****@dds-bp*******1.mongodb.rds.aliyuncs.com:3717,dds-bp*******2.mongodb.rds.aliyuncs.com:3717/admin?replicaSet=mgset-XXXXX&ssl=true")
    clientOpts.SetReadPreference(readpref.Secondary())
    // WTimeout takes a time.Duration; a bare 1000 would mean 1000 nanoseconds.
    clientOpts.SetWriteConcern(writeconcern.New(writeconcern.WMajority(), writeconcern.J(true), writeconcern.WTimeout(time.Second)))
    clientOpts.SetTLSConfig(tlsConfig)
    client, err := mongo.Connect(context.TODO(), clientOpts)
    if err != nil {
        log.Fatalf("connect failed: %v", err)
    }
    fmt.Println("connect successful!")

    defer func() {
        if err = client.Disconnect(context.TODO()); err != nil {
            log.Fatalf("disconnect failed: %v", err)
        }
        fmt.Println("disconnect successful!")
    }()

    // Call Ping to verify that the deployment is up and the Client was
    // configured successfully. As mentioned in the Ping documentation, this
    // reduces application resiliency as the server may be temporarily
    // unavailable when Ping is called.
    if err = client.Ping(context.TODO(), nil); err != nil {
        log.Fatalf("ping failed: %v", err)
    }
    fmt.Println("ping successful!")

    collection := client.Database("baz").Collection("qux")
    res, err := collection.InsertOne(context.Background(), bson.M{"hello": "world"})
    if err != nil {
        log.Fatalf("insert failed: %v", err)
    }
    fmt.Println("Id: ", res.InsertedID)
    fmt.Printf("insert result: %v\n", res)

    result := bson.M{}
    filter := bson.D{{Key: "_id", Value: res.InsertedID}}
    if err := collection.FindOne(context.Background(), filter).Decode(&result); err != nil {
        log.Fatalf("find failed: %v", err)
    }
    fmt.Printf("result: %v\n", result)
}

.NET Core

  1. Install .NET. For more information, visit Download .NET.

  2. Create a project and go to the project directory.

     dotnet new console -o MongoDB
     cd MongoDB

  3. Run the following command to install the .NET driver package for MongoDB.

     dotnet add package mongocsharpdriver --version 2.11.5

In the sample below, UseTls enables TLS and AllowInsecureTls relaxes server certificate validation (it is the driver-side equivalent of the tlsInsecure connection option). ClientCertificates holds the certificate the client presents to the server for client authentication; listing ca.pem there does not make it a trusted root for validating the server certificate. If you need the server certificate checked against the instance CA, implement SslSettings.ServerCertificateValidationCallback and verify the chain there.

Sample code:

using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using MongoDB.Bson;
using MongoDB.Driver;

namespace dotnetCase
{
    class Program
    {
        static void Main(string[] args)
        {
            // Specify the instance information.
            const string host1 = "dds-***********-pub.mongodb.rds.aliyuncs.com";
            const int port1 = 3717;
            const string host2 = "dds-***********-pub.mongodb.rds.aliyuncs.com";
            const int port2 = 3717;
            const string replicaSetName = "mgset-********"; // Delete this row for a sharded cluster instance.
            const string admin = "admin";
            // Set the database account to test.
            const string userName = "test";
            const string passwd = "********";
            try
            {
                // Set the host information for connection.
                MongoClientSettings settings = new MongoClientSettings();
                List<MongoServerAddress> servers = new List<MongoServerAddress>();
                servers.Add(new MongoServerAddress(host1, port1));
                servers.Add(new MongoServerAddress(host2, port2));
                settings.Servers = servers;
                // Set the replica set instance name. Delete this row for a sharded cluster instance.
                settings.ReplicaSetName = replicaSetName;
                // Set the connection timeout to 3 seconds.
                sett

ings.ConnectTimeout = TimeSpan.FromSeconds(3);
                // Set the logon user and password.
                MongoCredential credentials = MongoCredential.CreateCredential(admin, userName, passwd);
                settings.Credential = credentials;
                // Set the SSL information. ClientCertificates is what the client presents to the
                // server; AllowInsecureTls relaxes validation of the server certificate.
                SslSettings sslSettings = new SslSettings
                {
                    ClientCertificates = new[] { new X509Certificate("ca.pem") },
                };
                settings.UseTls = true;
                settings.AllowInsecureTls = true;
                settings.SslSettings = sslSettings;
                // Initialize the client and confirm the connection with a ping.
                MongoClient client = new MongoClient(settings);
                client.GetDatabase(admin).RunCommand<BsonDocument>(new BsonDocument("ping", 1));
                Console.WriteLine("connection successful");
            }
            catch (Exception e)
            {
                Console.WriteLine("connection failed:" + e.Message);
            }
        }
    }
}