This topic describes how to use the mongo shell to connect to an ApsaraDB for MongoDB database in Secure Sockets Layer (SSL) encryption mode. SSL encryption can encrypt network connections at the transport layer to improve data security and ensure data integrity.

Prerequisites

Precautions

After you enable SSL encryption for an instance, the CPU utilization of this instance is significantly increased. We recommend that you enable it only when necessary. For example, you can enable SSL encryption when you connect to an ApsaraDB for MongoDB instance over the Internet.
Note Internal network connections are more secure than Internet connections and do not need SSL encryption.

Procedure

A local server with a Linux operating system is used in the following example:

  1. Download an SSL CA certificate package. For more information, see Configure SSL encryption for an ApsaraDB for MongoDB instance.
  2. Decompress the package and upload the certificate files to the local server or the ECS instance where the mongo shell is installed.
    Note In this example, the .pem file is uploaded to the /root/sslcafile/ directory of the local server.
  3. On the local server or in the ECS instance, run the following command to connect to a database of the ApsaraDB for MongoDB instance:
    mongo --host <host> -u <username> -p --authenticationDatabase <database> --ssl --sslCAFile <sslCAFile_path> --sslAllowInvalidHostnames
    Note
    • <host>: the connection string (including the port number) of the primary or secondary node in the ApsaraDB for MongoDB instance. For more information, see Overview of replica set instance connections.
      • If you want to connect to a database of the ApsaraDB for MongoDB instance over the Internet, apply for a public endpoint for this instance. For more information, see Apply for a public endpoint for an ApsaraDB for MongoDB instance.
      • If you want to connect to a database of the ApsaraDB for MongoDB instance over an internal network, make sure that the ApsaraDB for MongoDB instance has the same network type as the ECS instance. If the network type is VPC, make sure that the two instances are in the same VPC.
    • <username>: the username you use to log on to a database of the ApsaraDB for MongoDB instance. The initial username is root. We recommend that you do not log on to a database as the root user in a production environment. You can create users and grant permissions to the users as needed. For more information, see Manage user permissions on MongoDB databases.
    • <database>: the name of database corresponding to the username if authentication is enabled. If the username is root, enter admin.
    • <sslCAFile_path>: the path of the SSL CA certificate files.
    Example:
    mongo --host dds-bpxxxxxxxx-pub.mongodb.rds.aliyuncs.com:3717 -u root -p --authenticationDatabase admin --ssl --sslCAFile /root/sslcafile/ApsaraDB-CA-Chain.pem  --sslAllowInvalidHostnames
  4. When Enter password: is displayed, enter the password of the database user and press Enter.
    Note
    • The password characters are not explicitly displayed when you enter the password.
    • If you forget the password of the root user, you can reset the password. For more information, see Set a password.

Common connection scenarios