- Security >
- Encryption >
- Transport Encryption >
- Upgrade a Cluster to Use TLS/SSL
Upgrade a Cluster to Use TLS/SSL¶
Important
A full description of TLS/SSL, PKI (Public Key Infrastructure) certificates, and Certificate Authority is beyond the scope of this document. This page assumes prior knowledge of TLS/SSL as well as access to valid certificates.
The MongoDB server supports listening for both TLS/SSL encrypted and unencrypted connections on the same TCP port. This allows upgrades of MongoDB clusters to use TLS/SSL encrypted connections.
To upgrade from a MongoDB cluster using no TLS/SSL encryption to one using only TLS/SSL encryption, use the following rolling upgrade process:
For each node of a cluster, start the node with the option
--sslMode
set toallowSSL
. The--sslMode allowSSL
setting allows the node to accept both TLS/SSL and non-TLS/non-SSL incoming connections. Its connections to other servers do not use TLS/SSL. Include other TLS/SSL options as well as any other options that are required for your specific configuration. For example:Upgrade all nodes of the cluster to these settings.
You may also specify these options in the configuration file. If using a YAML format configuration file, specify the following settings in the file:
Or, if using the older configuration file format:
Switch all clients to use TLS/SSL. See TLS/SSL Configuration for Clients.
For each node of a cluster, use the
setParameter
command to update thesslMode
topreferSSL
. [1] WithpreferSSL
as itsnet.ssl.mode
, the node accepts both TLS/SSL and non-TLS/non-SSL incoming connections, and its connections to other servers use TLS/SSL. For example:Upgrade all nodes of the cluster to these settings.
At this point, all connections should be using TLS/SSL.
For each node of the cluster, use the
setParameter
command to update thesslMode
torequireSSL
. [1] WithrequireSSL
as itsnet.ssl.mode
, the node will reject any non-TLS/non-SSL connections. For example:After the upgrade of all nodes, edit the configuration file with the appropriate TLS/SSL settings to ensure that upon subsequent restarts, the cluster uses TLS/SSL.
[1] | (1, 2) As an alternative to using the
setParameter command, you can also
restart the nodes with the appropriate TLS/SSL options and values. |