This topic describes how to enable SSL encryption for an ApsaraDB for MongoDB instance to enhance link security. After you enable SSL encryption, you must install SSL certificates that are issued by certificate authorities (CAs) on your application. SSL encryption encrypts connections at the transport layer to increase data security and ensure data integrity.
Prerequisites
The instance is a replica set instance that runs MongoDB 3.4 or later.
Precautions
- You can download SSL certificates only from the ApsaraDB for MongoDB console.
- After you enable SSL encryption for an instance, the CPU utilization of the instance increases significantly. We recommend that you enable SSL encryption only when you need encryption, for example, when you connect to an ApsaraDB for MongoDB instance over the Internet.
  Note: In most cases, connections that use an internal endpoint are secure and do not require SSL encryption.
- After you enable SSL encryption for an instance, both SSL and non-SSL connections are supported.
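Because the instance keeps accepting non-SSL connections after SSL encryption is enabled, encryption has to be enforced in each client's connection string. The following check is an added example, not part of the original ApsaraDB for MongoDB documentation; the sample hosts and CA file path are constructed placeholders, and treating a missing `tlsCAFile` as a finding is this example's own policy.

```python
from urllib.parse import parse_qsl

# Connection-string options that switch off certificate or hostname checks.
WEAKENING = ("tlsinsecure", "tlsallowinvalidcertificates",
             "tlsallowinvalidhostnames")


def audit_mongodb_uri(uri):
    """Return a list of findings; an empty list means the URI enforces TLS."""
    scheme, sep, rest = uri.partition("://")
    if not sep or scheme not in ("mongodb", "mongodb+srv"):
        return ["not a MongoDB connection string"]
    # Option names are case-insensitive; a repeated option keeps its last value.
    query = rest.partition("?")[2]
    opts = {k.lower(): v for k, v in parse_qsl(query, keep_blank_values=True)}
    findings = []
    # "ssl" is the older alias of "tls"; mongodb+srv turns TLS on by default.
    default = "true" if scheme == "mongodb+srv" else "false"
    tls = opts.get("tls", opts.get("ssl", default)).lower()
    if tls != "true":
        findings.append("TLS not requested: the instance still accepts "
                        "non-SSL connections")
    if not opts.get("tlscafile"):
        findings.append("tlsCAFile missing: server is not checked against "
                        "the downloaded CA certificate")
    for name in WEAKENING:
        if opts.get(name, "").lower() == "true":
            findings.append(name + "=true weakens server certificate validation")
    return findings


# Constructed sample URIs (hosts, replica set name and CA path are placeholders).
SAMPLES = {
    "plaintext": "mongodb://host1.example:3717,host2.example:3717/admin"
                 "?replicaSet=rs0",
    "unverified": "mongodb://host1.example:3717/admin"
                  "?ssl=true&tlsAllowInvalidCertificates=true",
    "enforced": "mongodb://host1.example:3717/admin"
                "?replicaSet=rs0&tls=true&tlsCAFile=/etc/ssl/apsaradb-ca.pem",
}

if __name__ == "__main__":
    for label, uri in SAMPLES.items():
        print(label, audit_mongodb_uri(uri) or "OK")
```
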
Procedure
- Log on to the ApsaraDB for MongoDB console.
- In the upper-left corner of the page, select the resource group and region to which the instance belongs.
- In the left-side navigation pane, click Replica set instances.
- On the page that appears, find the instance that you want to manage and click its ID.
- In the left-side navigation pane, choose .
- On the SSL page, perform operations based on your needs.
  - Enable SSL encryption when it is disabled
    Note: When you enable SSL encryption, the instance is restarted. During the restart, a transient disconnection of about 30 seconds occurs for every node in the instance. Plan your operations in advance and make sure that your applications are configured to automatically re-establish a connection.
    - Turn on the switch next to SSL Status.
    - In the Enable SSL message, click Confirm.
    The instance state changes to Modifying SSL. When the SSL state changes to Enabled and the instance state changes to Running, SSL encryption is enabled.
  - Disable SSL encryption when it is enabled
    Note: When you disable SSL encryption, the instance is restarted. During the restart, a transient disconnection of about 30 seconds occurs for every node in the instance. Plan your operations in advance and make sure that your applications are configured to automatically re-establish a connection.
    - Turn off the switch next to SSL Status.
    - In the Close SSL message, click Confirm.
    The instance state changes to Modifying SSL. When the instance state changes to Running, SSL encryption is disabled.
  - Update an SSL certificate when SSL encryption is enabled
    View the time next to SSL Certificate Validity Period to check whether the SSL certificate is valid.
    Note: You can also view the SSL Certificate Validity value to check whether the SSL certificate is valid.
    - Valid: The SSL certificate is valid.
    - Invalid: The SSL certificate is invalid.
    - If the SSL certificate is valid, we recommend that you check the SSL certificate validity on a regular basis and update the certificate before it expires.
    - If the SSL certificate is invalid, you can perform the following steps to update the SSL certificate:
      Note: When you update an SSL certificate, the instance is restarted. During the restart, a transient disconnection of about 30 seconds occurs for every node in the instance. Plan your operations in advance and make sure that your applications are configured to automatically re-establish a connection.
      - Click Update Certificate next to SSL Certificate Validity Period.
      - In the Update SSL message, click Confirm.
      The instance state changes to Modifying SSL. When the instance state changes to Running, the update is complete.
  - Download an SSL certificate
    Click Download Certificate to download an SSL certificate to your computer.
    Note: The downloaded SSL certificate can be used to encrypt database connections. For more information, see Use the mongo shell to connect to an ApsaraDB for MongoDB database in SSL encryption mode.
Related API operations
| Operation | Description |
|---|---|
| DescribeDBInstanceSSL | Queries the SSL settings of an ApsaraDB for MongoDB instance. |
| ModifyDBInstanceSSL | Modifies the SSL settings of an ApsaraDB for MongoDB instance. |