- Security >
- TLS/SSL (Transport Encryption) >
- Configure
mongod
andmongos
for TLS/SSL
Configure mongod
and mongos
for TLS/SSL¶
On this page
Overview¶
This document helps you to configure a new MongoDB instance to support TLS/SSL. For instructions on upgrading a cluster currently not using TLS/SSL to using TLS/SSL, see Upgrade a Cluster to Use TLS/SSL instead.
Starting in version 4.0, MongoDB uses the native TLS/SSL OS libraries:
Windows | Secure Channel (Schannel) |
Linux/BSD | OpenSSL |
macOS | Secure Transport |
Note
- Starting in version 4.0, MongoDB disables support for TLS 1.0 encryption on systems where TLS 1.1+ is available. For more details, see Disable TLS 1.0.
- MongoDB’s TLS/SSL encryption only allows use of strong TLS/SSL ciphers with a minimum of 128-bit key length for all connections.
- The Linux 64-bit legacy x64 builds of MongoDB do not include support for TLS/SSL.
Prerequisites¶
Important
A full description of TLS/SSL, PKI (Public Key Infrastructure) certificates, and Certificate Authority is beyond the scope of this document. This page assumes prior knowledge of TLS/SSL as well as access to valid certificates.
Certificate Authorities¶
For production use, your MongoDB deployment should use valid certificates generated and signed by a certificate authority. You or your organization can generate and maintain an independent certificate authority, or use certificates generated by third-party TLS/SSL vendors. Obtaining and managing certificates is beyond the scope of this documentation.
Certificate Key File¶
When establishing a TLS/SSL connection,
mongod
/mongos
presents a certificate key
file to its clients to establish its identity. [1] The certificate
key file contains a public key certificate and its associated private
key, but only the public component is revealed to the client.
MongoDB can use any valid TLS/SSL certificate issued by a certificate authority, or a self-signed certificate. If you use a self-signed certificate, although the communications channel will be encrypted, there will be no validation of server identity. Although such a situation will prevent eavesdropping on the connection, it leaves you vulnerable to a man-in-the-middle attack. Using a certificate signed by a trusted certificate authority will permit MongoDB drivers to verify the server’s identity.
In general, avoid using self-signed certificates unless the network is trusted.
Additionally, with regards to authentication among replica set/sharded cluster members, it is advisable to use different certificates on different servers. This minimizes exposure of the private key and allow hostname validation.
[1] | For FIPS mode, ensure that the certificate is FIPS-compliant (i.e
use of FIPS-compliant algorithms) and the private key meets the
PKCS#8 standard. If you need to convert a private key to PKCS#8
format, various conversion tools exist, such as openssl pkcs8
and others. |
Procedures¶
Set Up mongod
and mongos
with TLS/SSL Certificate and Key¶
The following section configures
mongod
/mongos
to use TLS/SSL connections.
With these TLS/SSL settings,
mongod
/mongos
presents its certificate
key file to the client. However, the
mongod
/mongos
does not require a
certificate key file from the client to verify the client’s identity.
To require client’s certificate key file, see
Set Up mongod and mongos with Client Certificate Validation instead.
To use TLS/SSL connections, include the following TLS/SSL settings in
your mongod
/mongos
instance’s
configuration file:
- PEMKeyFile (Linux/Windows/macOS)
- System SSL Certificate Store(Windows/macOS)
Setting | Notes |
---|---|
net.ssl.mode |
Set to This setting restricts each server to use only TLS/SSL encrypted
connections. You can also specify |
net.ssl.PEMKeyFile |
Set to the The If the key is encrypted, specify the passphrase
( |
For example, consider the following configuration file for a mongod
instance:
Starting in MongoDB 4.0, you can use system SSL certificate stores for
Windows and macOS. To use the system SSL certificate store, specify
net.ssl.certificateSelector
instead of specifying the
certificate key file.
Setting | Notes |
---|---|
net.ssl.mode |
Set to This setting restricts each server to use only TLS/SSL encrypted
connections. You can also specify |
net.ssl.certificateSelector |
Set to the property (either This setting is used to select the certificate. See
|
For example, consider the following configuration file for a mongod
instance:
A mongod
instance that uses the above configuration
can only use TLS/SSL connections:
That is, clients must specify TLS/SSL connections. See Connect to MongoDB Instance Using Encryption for more information on connecting with TLS/SSL.
See also
You can also configure mongod
and mongos
using command-line options instead of the configuration file:
- For
mongod
, see:--sslMode
;--sslPEMKeyFile
; and--sslCertificateSelector
. - For
mongos
, see:--sslMode
;--sslPEMKeyFile
; and--sslCertificateSelector
.
Set Up mongod
and mongos
with Client Certificate Validation¶
The following section configures
mongod
/mongos
to use TLS/SSL connections
and perform client certificate validation. With these TLS/SSL settings:
mongod
/mongos
presents its certificate key file to the client for verification.mongod
/mongos
requires a certificate key file from the client to verify the client’s identity.
To use TLS/SSL connections and perform client certificate validation,
include the following TLS/SSL settings in
your mongod
/mongos
instance’s
configuration file:
Note
Starting in MongoDB 4.0, you can use system SSL certificate stores for
Windows and macOS. To use the system SSL certificate store, specify
net.ssl.certificateSelector
instead of specifying the
certificate key file.
Setting | Notes |
---|---|
net.ssl.mode |
Set to This setting restricts each server to use only TLS/SSL encrypted
connections. You can also specify |
net.ssl.PEMKeyFile |
Set to the The If the key is encrypted, specify the passphrase
( |
net.ssl.CAFile |
Set to the path of the file that contains the certificate chain for verifying client certificates. The |
For example, consider the following configuration file for a mongod
instance:
A mongod
instance that uses the above configuration
can only use TLS/SSL connections and requires valid certificate from
its clients:
That is, clients must specify TLS/SSL connections and presents its certificate key file to the instance. See Connect to MongoDB Instance that Requires Client Certificates for more information on connecting with TLS/SSL.
See also
You can also configure mongod
and
mongos
using command-line options instead of the
configuration file:
- For
mongod
, see--sslMode
,--sslPEMKeyFile
, and--sslCAFile
. - For
mongos
, see--sslMode
,--sslPEMKeyFile
, and--sslCAFile
.
Block Revoked Certificates for Clients¶
To prevent clients with revoked certificates from connecting, include
net.ssl.CRLFile
set to a file that contains revoked
certificates.
For example:
Clients who presents certificates that are listed in the
/etc/ssl/revokedCertificates.pem
will not be able to connect.
See also
You can also configure the revoked certificate list using the command-line option.
- For
mongod
, see--sslCRLFile
. - For
mongos
, see--sslCRLFile
.
Validate Only if a Client Presents a Certificate¶
In most cases, it is important to ensure that clients present valid certificates. However, if you have clients that cannot present a client certificate or are transitioning to using a certificate, you may only want to validate certificates from clients that present a certificate.
To bypass client certificate validation for clients that do not present
a certificate, include
net.ssl.allowConnectionsWithoutCertificates
set to true
.
For example:
A mongod
/mongos
running with these
settings allows connection from:
- Clients that do not present a certificate.
- Clients that present a valid certificate.
Note
If the client presents a certificate, the certificate must be a valid certificate.
All connections, including those that have not presented certificates, are encrypted using TLS/SSL.
See TLS/SSL Configuration for Clients for more information on TLS/SSL connections for clients.
See also
You can also configure using the command-line options:
- For
mongod
, see--sslAllowConnectionsWithoutCertificates
. - For
mongos
, see--sslAllowConnectionsWithoutCertificates
.
Disallow Protocols¶
New in version 3.0.7.
To prevent MongoDB servers from accepting incoming connections that use
specific protocols, include net.ssl.disabledProtocols
set to
the disallowed protocols.
For example, the following configuration prevents
mongod
/mongos
from accepting incoming
connections that use either TLS1_0
or TLS1_1
See also
You can also configure using the command-line options:
- For
mongod
, see--sslDisabledProtocols
. - For
mongos
, see--sslDisabledProtocols
.
TLS/SSL Certificate Passphrase¶
The PEM files for PEMKeyfile
and
ClusterFile
may be encrypted. With encrypted PEM files,
you must specify the passphrase at startup with a command-line or a
configuration file option or enter the passphrase when prompted.
To specify the passphrase in clear text on the command line or in a
configuration file, use the PEMKeyPassword
and/or the
clusterPassword
option.
To have MongoDB prompt for the passphrase at the start of
mongod
or mongos
and avoid specifying the
passphrase in clear text, omit the PEMKeyPassword
and/or
the clusterPassword
option. MongoDB will prompt for each
passphrase as necessary.
Run in FIPS Mode¶
Note
FIPS-compatible TLS/SSL is available only in MongoDB Enterprise. See Configure MongoDB for FIPS for more information.
See Configure MongoDB for FIPS for more details.