This topic describes how to enable SSL encryption for an ApsaraDB for MongoDB instance to enhance link security. After you enable SSL encryption, you must install SSL certificates that are issued by certificate authorities (CAs) on your application. SSL encryption can encrypt connections at the transport layer to increase data security and ensure data integrity. This topic describes operations related to SSL encryption.

Prerequisites

The instance is a replica set instance that runs MongoDB 3.4 or later.

Precautions

  • You can download SSL certificates only from the ApsaraDB for MongoDB console.
  • After you enable SSL encryption for an instance, the CPU utilization of the instance is significantly increased. We recommend that you enable SSL encryption only when encryption needs arise. For example, you can enable SSL encryption when you connect to an ApsaraDB for MongoDB instance over the Internet.
    Note In most cases, connections that use an internal endpoint are secure and do not require SSL encryption.
  • After you enable SSL encryption for an instance, both SSL and non-SSL connections are supported.

Notes

When you enable or disable SSL encryption or update SSL certificates for an instance, the instance is restarted. Plan your operations in advance and make sure that your applications are configured to automatically re-establish a connection.
Note When an instance is restarted, all its nodes are restarted in turn and each node goes through a transient connection of about 30 seconds. If the instance contains more than 10,000 collections, the transient connections last longer.

Procedure

  1. Log on to the ApsaraDB for MongoDB console.
  2. In the upper-left corner of the page, select the resource group and region to which the instance belongs.
  3. In the left-side navigation pane, click Replica set instances.
  4. On the page that appears, find the instance that you want to manage and click its ID.
  5. In the left-side navigation pane, choose Data Security > SSL.
  6. On the SSL page, perform operations based on your needs.
    • Enable SSL encryption when it is disabled
      Note When you enable SSL encryption, the instance is restarted. During the restart, a transient connection of about 30 seconds occurs for every node in the instance. Plan your operations in advance and make sure that your applications are configured to automatically re-establish a connection.
      1. Turn on the switch next to SSL Status.
      2. In the Enable SSL message, click Confirm.

      The instance state changes to Modifying SSL. When the SSL state changes to Enabled and the instance state changes to Running, SSL encryption is enabled.

    • Disable SSL encryption when it is enabled
      Note When you disable SSL encryption, the instance is restarted. During the restart, a transient connection of about 30 seconds occurs for every node in the instance. Plan your operations in advance and make sure that your applications are configured to automatically re-establish a connection.
      1. Turn off the switch next to SSL Status.
      2. In the Close SSL message, click Confirm.

      The instance state changes to Modifying SSL. When the instance state changes to Running, SSL encryption is disabled.

    • Update an SSL certificate when SSL encryption is enabled
      View the time next to SSL Certificate Validity Period to check whether the SSL certificate is valid.
      Note You can also view the SSL Certificate Validity value to check whether the SSL certificate is valid.
      • Valid: The SSL certificate is valid.
      • Invalid: The SSL certificate is invalid.
      • If the SSL certificate is valid, we recommend that you check the SSL certificate validity on a regular basis and update the certificate before it expires.
      • If the SSL certificate is invalid, you can perform the following steps to update the SSL certificate:
        Note When you update an SSL certificate, the instance is restarted. During the restart, a transient connection of about 30 seconds occurs for every node in the instance. Plan your operations in advance and make sure that your applications are configured to automatically re-establish a connection.
        1. Click Update Certificate next to SSL Certificate Validity Period.
        2. In the Update SSL message, click Confirm.

        The instance state changes to Modifying SSL. When the instance state changes to Running, the update is complete.

    • Download an SSL certificate
      Click Download Certificate to download an SSL certificate to your computer.
      Note The downloaded SSL certificate can be used to encrypt database connections. For more information, see Use the mongo shell to connect to an ApsaraDB for MongoDB database in SSL encryption mode.

Related API operations

OperationDescription
DescribeDBInstanceSSLQueries the SSL settings of an ApsaraDB for MongoDB instance.
ModifyDBInstanceSSLModifies the SSL settings of an ApsaraDB for MongoDB instance.