This topic describes how to use the mongo shell to connect to an ApsaraDB for MongoDB database over a Secure Sockets Layer (SSL) encrypted connection. SSL, in practice its successor Transport Layer Security (TLS), encrypts the connection at the transport layer, which protects the confidentiality and integrity of data in transit. Because the client checks the server certificate against the CA certificate you download in this procedure, it also confirms that it is talking to the instance itself rather than to an interposed host.
Prerequisites
The instance is a replica set instance or a sharded cluster instance that uses cloud disks.
Note: If the instance runs an earlier major version, upgrade the major version of the instance first. For more information, see Upgrade the major version of an instance.
SSL encryption is enabled for the instance. For more information, see Configure SSL encryption for an instance.
Mongo shell 3.0 or later is installed on the local server or Elastic Compute Service (ECS) instance from which you want to connect to the database. For more information about the installation procedure, visit Install MongoDB.
The IP address of the local server or ECS instance that you want to connect to the instance is added to the whitelist of the instance. For more information, see Modify an IP address whitelist for an instance.
Usage notes
After you enable SSL encryption for an ApsaraDB for MongoDB instance, the CPU utilization of the instance increases significantly. We recommend that you enable SSL encryption only when necessary, for example when you connect to the instance over the Internet.
Note: In most cases, connections established to the internal endpoint of your instance stay within your network and are considered secure without SSL encryption.
After you enable SSL encryption for an ApsaraDB for MongoDB instance, an endpoint that you modify or newly apply for afterwards, such as a new node endpoint or a public endpoint, does not support SSL encryption until you update the SSL certificate. For more information, see Update an SSL certificate.
Procedure
A local server with a Linux operating system is used in the following example:
Download the SSL CA certificate. For more information, see Configure SSL encryption for an instance.
Decompress the package and upload the certificate files to the local server or the ECS instance where the mongo shell is installed.
Note: In this example, the .pem file is uploaded to the /test/sslcafile/ directory of the local server.
On the local server or in the ECS instance, run the following command to connect to a database of the ApsaraDB for MongoDB instance:
mongo --host <host> -u <username> -p --authenticationDatabase <database> --ssl --sslCAFile <sslCAFile_path> --sslAllowInvalidHostnames
Parameters:
<host>: the connection string (including the port number) of the primary or secondary node in the ApsaraDB for MongoDB instance. For more information, see Connect to a replica set instance. If you want to connect to a database of the instance over the Internet, apply for a public IP address for the instance. For more information, see Apply for a public IP address. If you want to connect over an internal network, make sure that the instance has the same network type as the ECS instance. If the network type is Virtual Private Cloud (VPC), make sure that the two instances are in the same VPC.
<username>: the database account of the ApsaraDB for MongoDB instance. The initial account is root. We recommend that you do not connect to a database in the production environment by using the root account. Instead, create accounts with only the permissions they need. For more information, see Manage the permissions of MongoDB database users.
<database>: the name of the authentication database to which the database account belongs. If the username is root, enter admin.
<sslCAFile_path>: the path of the SSL CA certificate file that you uploaded. The mongo shell uses it to verify the certificate chain presented by the server.
--sslAllowInvalidHostnames: disables verification of the hostname in the TLS/SSL certificate presented by the server, so that a server whose certificate does not match <host> can still be connected to. The certificate chain is still checked against the CA file, but with this parameter the client accepts a certificate issued by that CA for any hostname and can no longer detect a host that presents a certificate issued for a different name. Specify this parameter only if the certificate does not match the endpoint you connect to, and omit it whenever SSL encryption requires hostname verification.
Example:
In the following sample command, the username is test, the authentication database is admin, and the CA certificate file is /test/sslcafile/ApsaraDB-CA-Chain.pem.
mongo --host dds-bp19f409d7512****-pub.mongodb.rds.aliyuncs.com:3717 -u test -p --authenticationDatabase admin --ssl --sslCAFile /test/sslcafile/ApsaraDB-CA-Chain.pem --sslAllowInvalidHostnames
When the mongo shell displays Enter password, enter the password of the database account and press Enter.
Note: The password characters are not displayed while you type them. Because -p is specified without a value, the password is requested interactively and does not appear in the command line, process list, or shell history.
If you forget the password of the root account, you can reset it. For more information, see (Optional) Reset a password.
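The following script wraps the procedure above in a small pre-flight check. It is an added example and not code from the ApsaraDB for MongoDB documentation: it verifies that the CA file is readable and is a PEM bundle, reports how many certificates the chain contains, keeps hostname verification on unless you explicitly opt out, and then runs the same mongo command as in the topic. The host, account, and path values are the placeholders used on this page; mongo shell 3.0 or later is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not code from the ApsaraDB for MongoDB documentation: a
# pre-flight wrapper around the mongo shell command used in this topic.
# Assumptions (not from the page): the CA bundle has been unpacked to a local
# path, mongo shell 3.0 or later is on PATH, and host/user values are placeholders.

# ca_file_ok <path>: succeed only if the file is readable and contains at
# least one PEM certificate block.
ca_file_ok() {
    [ -r "$1" ] || return 1
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# ca_cert_count <path>: number of certificate blocks in the bundle. A chain
# file such as ApsaraDB-CA-Chain.pem normally holds more than one.
ca_cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# hostname_flag [allow-invalid-hostnames]: prints --sslAllowInvalidHostnames
# only when the caller explicitly asks for it; the default keeps hostname
# verification on. The CA chain is verified either way; this flag only stops
# the client from checking that the server certificate matches <host>.
hostname_flag() {
    if [ "${1:-strict}" = "allow-invalid-hostnames" ]; then
        printf '%s' '--sslAllowInvalidHostnames'
    fi
}

# build_mongo_cmd <host:port> <user> <authdb> <ca_path> [allow-invalid-hostnames]
# Prints the command line that connect_ssl runs. -p is given without a value
# so mongo prompts for the password instead of exposing it in the process
# list and shell history.
build_mongo_cmd() {
    extra=$(hostname_flag "${5:-strict}")
    printf '%s\n' "mongo --host $1 -u $2 -p --authenticationDatabase $3 --ssl --sslCAFile $4${extra:+ $extra}"
}

# connect_ssl: same arguments as build_mongo_cmd; checks the CA bundle, then runs mongo.
connect_ssl() {
    if ! ca_file_ok "$4"; then
        echo "CA bundle '$4' is missing, unreadable or not PEM" >&2
        return 1
    fi
    echo "Using CA bundle $4 ($(ca_cert_count "$4") certificate(s))" >&2
    extra=$(hostname_flag "${5:-strict}")
    if [ -n "$extra" ]; then
        echo "WARNING: hostname verification disabled; a certificate issued by the same CA for any host will be accepted" >&2
    fi
    # $extra is unquoted on purpose: it is either empty or a single fixed flag.
    mongo --host "$1" -u "$2" -p --authenticationDatabase "$3" --ssl --sslCAFile "$4" $extra
}

# Usage, with the placeholders from this topic (the -pub endpoint is the truncated one the page shows):
#   connect_ssl dds-bp19f409d7512****-pub.mongodb.rds.aliyuncs.com:3717 test admin /test/sslcafile/ApsaraDB-CA-Chain.pem
if [ "$#" -ge 4 ]; then
    connect_ssl "$@"
fi
```

Run it with the four positional arguments from the topic to connect with hostname verification on; append allow-invalid-hostnames as a fifth argument only when the endpoint you use genuinely does not match the name in the server certificate, and expect the warning that this prints.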