
ApsaraDB for MongoDB: Use the mongo shell to connect to an ApsaraDB for MongoDB database in SSL encryption mode

Last Updated: Jan 26, 2024

This topic describes how to use the mongo shell to connect to an ApsaraDB for MongoDB database in Secure Sockets Layer (SSL) encryption mode. SSL encrypts network connections at the transport layer, which improves data security and protects data integrity.

Prerequisites

Precautions

Enabling SSL encryption for an instance significantly increases the CPU utilization of the instance. We recommend that you enable it only when necessary, for example, when you connect to an ApsaraDB for MongoDB instance over the Internet.

Note

In most cases, connections that are established to the internal endpoint of your RDS instance are secure and do not require SSL encryption.

Procedure

A local server with a Linux operating system is used in the following example:

  1. Download an SSL CA certificate package. For more information, see Configure SSL encryption for an ApsaraDB for MongoDB instance.

  2. Decompress the package and upload the certificate files to the local server or the ECS instance where the mongo shell is installed.

    Note

    In this example, the .pem file is uploaded to the /test/sslcafile/ directory of the local server.

  3. On the local server or in the ECS instance, run the following command to connect to a database of the ApsaraDB for MongoDB instance:

    mongo --host <host> -u <username> -p --authenticationDatabase <database> --ssl --sslCAFile <sslCAFile_path> --sslAllowInvalidHostnames

    Note
    • <host>: the connection string (including the port number) of the primary or secondary node in the ApsaraDB for MongoDB instance. For more information, see Connect to a replica set instance.

      • If you want to connect to a database of the ApsaraDB for MongoDB instance over the Internet, apply for a public endpoint for this instance. For more information, see Apply for a public endpoint.

      • If you want to connect to a database of the ApsaraDB for MongoDB instance over an internal network, make sure that the ApsaraDB for MongoDB instance has the same network type as the ECS instance. If the network type is VPC, make sure that the two instances are in the same VPC.

    • <username>: the database account of the ApsaraDB for MongoDB instance. The initial account is root. We recommend that you do not log on to a database as the root account in the production environment. You can create accounts and grant permissions to the accounts. For more information, see Manage the permissions of MongoDB database users.

    • <database>: the name of the database corresponding to the username if authentication is enabled. If the username is root, enter admin.

    • <sslCAFile_path>: the path of the SSL CA certificate files.

    Example:

    The database account is test and the database is admin.

    mongo --host dds-bp19f409d7512****-pub.mongodb.rds.aliyuncs.com:3717 -u test -p --authenticationDatabase admin --ssl --sslCAFile /test/sslcafile/ApsaraDB-CA-Chain.pem --sslAllowInvalidHostnames

  4. When Enter password: is displayed, enter the password for the database account and press Enter.

    Note
    • The password characters are not displayed when you enter the password.

    • If you forget the password of the root account, you can reset it. For more information, see Set a password for a replica set instance.
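
Because the command in step 3 passes --sslAllowInvalidHostnames, which turns off hostname validation, the file given to --sslCAFile is the only check on the server's identity. The following pre-flight check of that file is an added example, not part of the original procedure; the function names count_pem_certs, check_ca_file and mongo_ssl_connect are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks for the file passed to --sslCAFile.
# Function names are hypothetical; the mongo flags are the ones used in step 3.

# Print the number of complete PEM certificate blocks in file $1.
count_pem_certs() {
    awk '/^-----BEGIN CERTIFICATE-----/ { inblk = 1; next }
         /^-----END CERTIFICATE-----/   { if (inblk) n++; inblk = 0 }
         END { print n + 0 }' "$1"
}

# Return 0 only if CA file $1 looks safe to trust; otherwise explain on stderr.
check_ca_file() {
    ca=$1
    if [ ! -f "$ca" ] || [ ! -r "$ca" ]; then
        echo "CA file missing or unreadable: $ca" >&2; return 1
    fi
    # A trust-anchor file should hold certificates only, never key material.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$ca"; then
        echo "private key found in CA file: $ca" >&2; return 1
    fi
    if [ "$(count_pem_certs "$ca")" -lt 1 ]; then
        echo "no PEM certificate in: $ca" >&2; return 1
    fi
    # Whoever can write this file can add a CA of their own to the trust chain.
    perms=$(ls -ldL -- "$ca" | cut -c1-10)
    case $perms in
        ?????w????|????????w?)
            echo "CA file is group- or world-writable: $ca" >&2; return 1 ;;
    esac
    return 0
}

# Connect with the flags from step 3, but only after the CA file passes.
# Arguments: <host> <username> <database> <sslCAFile_path>
mongo_ssl_connect() {
    check_ca_file "$4" || return 1
    mongo --host "$1" -u "$2" -p --authenticationDatabase "$3" \
          --ssl --sslCAFile "$4" --sslAllowInvalidHostnames
}
```

After sourcing the file, call mongo_ssl_connect with the same four values that step 3 substitutes for <host>, <username>, <database> and <sslCAFile_path>.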

Common connection scenarios