This topic describes how to use the mongo shell to connect to an ApsaraDB for MongoDB database in Secure Sockets Layer (SSL) encryption mode. SSL encrypts network connections at the transport layer, which improves data security and ensures data integrity.

Prerequisites

  • The ApsaraDB for MongoDB instance is a replica set instance, and the database version of the instance is 3.4 or 4.0.
    Note: If the database version of the instance is earlier than the required versions, you must upgrade the database version. For more information, see Upgrade the database version of an ApsaraDB for MongoDB instance.
  • SSL encryption is enabled for the instance. For more information, see Configure SSL encryption for an ApsaraDB for MongoDB instance.
  • Mongo shell 3.0 or later is installed on the local server or ECS instance from which you want to connect to the database. For more information about the installation procedure, visit Install MongoDB.
  • The IP address of the local server or the ECS instance is added to a whitelist of the ApsaraDB for MongoDB instance. For more information, see Configure a whitelist.

Precautions

After you enable SSL encryption for an instance, the CPU utilization of the instance increases significantly. We recommend that you enable SSL encryption only when necessary, for example, when you connect to an ApsaraDB for MongoDB instance over the Internet.
Note: Internal network connections are more secure than Internet connections and do not need SSL encryption.

Procedure

The following example uses a Linux system.

  1. Download an SSL CA certificate package. For more information, see Configure SSL encryption for an ApsaraDB for MongoDB instance.
  2. Decompress the package and upload the certificate files to the local server or the ECS instance with the mongo shell installed.
    Note: For this example, upload the .pem file to the /root/sslcafile/ directory of the local server.
  3. On the local server or in the ECS instance, run the following command to connect to a database of the ApsaraDB for MongoDB instance:
    mongo --host <host> -u <username> -p --authenticationDatabase <database> --ssl --sslCAFile <sslCAFile_path> --sslAllowInvalidHostnames
    Note
    • <host>: the connection string (including the port number) of the primary or secondary node in the ApsaraDB for MongoDB instance. For more information, see Connect to a replica set instance through the mongo shell.
      • If you want to connect to a database of the ApsaraDB for MongoDB instance over the Internet, apply for a public endpoint for this instance. For more information, see Apply for a public endpoint for an ApsaraDB for MongoDB instance.
      • If you want to connect to a database of the ApsaraDB for MongoDB instance over an internal network, make sure that the ApsaraDB for MongoDB instance has the same network type as the ECS instance. If the network type is VPC, make sure that the two instances are in the same VPC.
    • <username>: the username that you use to log on to a database of the ApsaraDB for MongoDB instance. The initial username is root. We recommend that you do not log on to a database as the root user in a production environment. You can create users and grant permissions to the users as needed. For more information, see Manage MongoDB users through DMS.
    • <database>: the name of the authentication database. It is the database where the database user is created. If the database username is root, enter admin.
    • <sslCAFile_path>: the path of the SSL CA certificate file.
    Example:
    mongo --host dds-bpxxxxxxxx-pub.mongodb.rds.aliyuncs.com:3717 -u root -p --authenticationDatabase admin --ssl --sslCAFile /root/sslcafile/ApsaraDB-CA-Chain.pem --sslAllowInvalidHostnames
  4. When Enter password: is displayed, enter the password of the database user and press Enter.
    Note
    • The password characters are not displayed as you type them.
    • If you forget the password of the root user, you can reset the password. For more information, see Set a password.
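
The connection command from step 3 can be checked before it is run. The following is an added example, not part of the ApsaraDB documentation: it flags a missing --ssl option or CA file, a password typed on the command line, and options that relax certificate checks (--sslAllowInvalidHostnames skips the hostname check, while the server certificate is still validated against the CA file). The function name audit_mongo_ssl_args is hypothetical, and treating a non-option token after -p as a literal password is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not part of the ApsaraDB documentation.
# audit_mongo_ssl_args ARGS...: lint the arguments of a mongo shell SSL command.
# Prints one finding per line; returns 1 if any finding is a FAIL, else 0.
# The --tls* spellings used by newer mongo shells are accepted as well.
audit_mongo_ssl_args() (
  ssl=0 cafile="" fails=0
  report() {
    printf '%s\n' "$1"
    case $1 in FAIL*) fails=$((fails + 1)) ;; esac
  }
  pw_msg="FAIL: password on the command line; pass -p alone to be prompted"
  while [ $# -gt 0 ]; do
    arg=$1; shift
    case $arg in
      --ssl|--tls) ssl=1 ;;
      --sslCAFile|--tlsCAFile) cafile=${1-} ;;
      --sslCAFile=*|--tlsCAFile=*) cafile=${arg#*=} ;;
      --sslAllowInvalidCertificates|--tlsAllowInvalidCertificates)
        report "FAIL: $arg turns off server certificate validation" ;;
      --sslAllowInvalidHostnames|--tlsAllowInvalidHostnames)
        report "WARN: $arg skips the hostname check; only the CA chain is validated" ;;
      -u|--username)
        if [ "${1-}" = root ]; then
          report "WARN: connecting as root; use a dedicated user in production"
        fi ;;
      -p|--password)
        # Assumption: a following token that is not an option is a literal password.
        case ${1-} in ""|-*) ;; *) report "$pw_msg"; shift ;; esac ;;
      -p?*|--password=*) report "$pw_msg" ;;
    esac
  done
  [ "$ssl" -eq 1 ] || report "FAIL: --ssl is missing; the connection would not use SSL"
  if [ -z "$cafile" ]; then
    report "FAIL: no CA file; pass the downloaded .pem with --sslCAFile"
  elif [ ! -r "$cafile" ]; then
    report "FAIL: CA file '$cafile' is missing or not readable"
  elif ! grep -q -e '-----BEGIN CERTIFICATE-----' "$cafile"; then
    report "FAIL: '$cafile' contains no PEM certificate"
  fi
  [ "$fails" -eq 0 ]
)
```

Call the function with the same arguments that you would pass to mongo. For the example command in step 3, it prints two WARN lines (root user and skipped hostname check) and returns 0.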

Common connection scenarios