This topic describes how to configure Secure Sockets Layer (SSL) encryption for an ApsaraDB for MongoDB instance. SSL encryption can encrypt network connections at the transport layer to improve data security and ensure data integrity. After enabling SSL encryption, you must install SSL CA certificates on your application. CA is short for certification authority.

Prerequisites

  • The instance is a replica set instance.
  • The database version of the instance is 3.4, 4.0, or 4.2.

IMPACT

When you enable or disable SSL encryption or update SSL CA certificates for an instance, the instance is restarted. Plan your operations in advance and make sure that your application is configured to reconnect to the instance after it is disconnected.

Note When an instance is restarted, all its nodes are restarted in turn and each node has a brief disconnection of about 30 seconds. If the instance houses more than 10,000 collections, the brief disconnections last longer.

Precautions

  • You can only download SSL CA certificates files from the ApsaraDB for MongoDB console.
  • After you enable SSL encryption for an instance, the CPU utilization of the instance is significantly increased. We recommend that you enable it only when necessary. For example, you can enable SSL encryption when you connect to an ApsaraDB for MongoDB instance over the Internet.
    Note Internal network connections are more secure than Internet connections and do not need SSL encryption.
  • After SSL is enabled, both SSL and non-SSL connections are supported.

Procedure

  1. Log on to the ApsaraDB for MongoDB console.
  2. In the upper-left corner of the page, select the region where the target instance resides.
  3. In the left-side navigation pane, click Replica Set Instances.
  4. Find the target instance and click its ID.
  5. In the left-side navigation pane, choose Data Security > SSL.
  6. Perform one of the following operations as needed.
    Note When you enable or disable SSL encryption or update SSL CA certificates for an instance, the instance is restarted. Plan your operations in advance and make sure that your application is configured to reconnect to the instance after it is disconnected.
    Operation Prerequisites Step
    Enable SSL encryption The SSL encryption status is Disabled. Turn on SSL Status. In the message that appears, click OK.
    Update an SSL CA certificate The SSL encryption status is Enabled. Click Update Certificate. In the message that appears, click OK.
    Download an SSL CA certificate file The SSL encryption status is Enabled. Click Download Certificate and download an SSL CA certificate file to your computer.
    Disable SSL encryption The SSL encryption status is Enabled. Turn off SSL Status. In the message that appears, click OK.

References

Use the mongo shell to connect to an ApsaraDB for MongoDB database in SSL encryption mode