You can enable Secure Sockets Layer (SSL) encryption to improve the security of connections to your instance. After you enable SSL, you must configure your application to trust the SSL CA certificate that you download from the console, so that the client can verify the server certificate presented by the instance. SSL encrypts network connections at the transport layer, which protects data in transit from eavesdropping and tampering. This topic describes how to enable, update, and disable SSL encryption, and how to download the CA certificate.
Prerequisites
The instance must be a replica set instance or a sharded cluster instance that uses cloud disks.
Usage notes
You can download the SSL CA certificate only from the ApsaraDB for MongoDB console.
Enabling SSL encryption increases the CPU utilization of your ApsaraDB for MongoDB instance because every connection must perform a TLS handshake and encrypt its traffic. We recommend that you enable SSL when encryption is required, for example when you connect to your instance over a public endpoint.
Note: Connections over an internal network do not traverse the public Internet and are generally considered secure without encryption. If your security or compliance requirements call for encryption in transit on all connections, enable SSL for internal connections as well.
After you enable SSL, if you modify an instance endpoint or add a new one, such as a node endpoint or a public endpoint, the new endpoint does not support SSL connections, because the server certificate covers only the endpoints that existed when it was issued. To use SSL with the new endpoint, you must update the server certificate.
By default, after you enable SSL, the instance supports both SSL and non-SSL connections. You can enable SSL enforcement to allow only SSL connections.
Note: The SSL enforcement feature is available only on instances that run version 7.0 (with kernel version 8.0.13 or later) or 8.0 (with kernel version 9.0.5 or later).
Impacts
Enabling, disabling, or updating SSL for an instance triggers a restart. We recommend that you perform these operations during off-peak hours and ensure your application has an automatic reconnection mechanism.
During the restart, each node in the instance restarts in sequence, which causes a transient disconnection of about 30 seconds per node. If the instance contains a large number of collections (more than 10,000), the disconnection may last longer.
Enable SSL encryption
When you enable SSL encryption, your ApsaraDB for MongoDB instance restarts. During this process, each node experiences a transient disconnection of about 30 seconds. We recommend that you schedule this operation accordingly and ensure your application has an automatic reconnection mechanism.
Go to the Replica Set Instances or Sharded Cluster Instances page. In the top navigation bar, select a resource group and a region, and then click the ID of the target instance.
In the left-side navigation pane, choose .
Turn on the switch next to SSL Status.
In the Enable SSL dialog box, choose whether to enable Forced SSL.
If you enable SSL enforcement, the instance rejects non-SSL connections.
Note: SSL enforcement is available only for instances that use cloud disks and run version 7.0 or 8.0, and meet the following kernel version requirements:
Version 7.0: The kernel version must be 8.0.13 or later.
Version 8.0: The kernel version must be 9.0.5 or later.
Click OK.
The instance status changes to Modifying SSL. When the SSL status changes to Enabled and the instance status returns to Running, SSL encryption is enabled.
Download SSL CA certificate
Go to the Replica Set Instances or Sharded Cluster Instances page. In the top navigation bar, select a resource group and a region, and then click the ID of the target instance.
In the left-side navigation pane, choose .
Click Download Certificate to save the SSL CA certificate to your computer.
Configure your client to trust the downloaded SSL CA certificate so that it can verify the server certificate when it connects over SSL. For more information, see Connect to an instance over SSL by using the mongo shell.
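The following is an added example, not code from the ApsaraDB for MongoDB documentation or SDK. It shows an application connecting over SSL with the downloaded CA certificate, pinning verification so that a mistyped URI cannot disable it, and retrying transient failures so that the ~30 second per-node disconnection caused by enabling, updating, or disabling SSL does not take the application down. The hostnames, port 3717, credentials, and CA file path are assumptions; replace them with your own values. pymongo is imported only inside connect(), so the helper functions run without it.

```python
"""Added example (not from the ApsaraDB for MongoDB documentation or SDK):
connect over SSL/TLS with the console-issued CA certificate and retry
transient failures such as the ~30 s per-node disconnection that enabling,
updating or disabling SSL triggers."""
import time
from urllib.parse import quote_plus

# Hypothetical endpoints, port and CA path; replace with your own values.
HOSTS = ["mongo-primary.example.com:3717", "mongo-secondary.example.com:3717"]
CA_FILE = "/etc/ssl/certs/apsaradb-mongodb-ca.pem"  # where you saved the console download


def build_uri(hosts, user, password, auth_db="admin", replica_set=None):
    """Build a mongodb:// URI. Credentials are percent-encoded so that
    characters such as '@' or ':' in a password cannot corrupt the URI."""
    uri = "mongodb://{}:{}@{}/{}".format(
        quote_plus(user), quote_plus(password), ",".join(hosts), auth_db)
    if replica_set:
        uri += "?replicaSet=" + replica_set
    return uri


def tls_client_options(ca_file):
    """Client options that pin trust to the console-issued CA and refuse to
    downgrade. Passing them as keyword arguments (not URI parameters) keeps a
    tampered or mistyped URI from silently disabling verification."""
    return {
        "tls": True,
        "tlsCAFile": ca_file,
        "tlsAllowInvalidCertificates": False,  # reject a server certificate the CA did not issue
        "tlsAllowInvalidHostnames": False,     # reject an endpoint the certificate does not list
        "retryWrites": True,
        "retryReads": True,
        # longer than the ~30 s per-node disconnection during an SSL change
        "serverSelectionTimeoutMS": 45000,
    }


def with_reconnect(op, retry_on, attempts=6, base_delay=1.0, max_delay=16.0,
                   sleep=time.sleep):
    """Call op() and retry it on the exception types in retry_on with
    exponential backoff. Returns op()'s result, or re-raises the last error
    once the attempts are exhausted."""
    delay = base_delay
    for attempt in range(1, attempts + 1):
        try:
            return op()
        except retry_on:
            if attempt == attempts:
                raise
            sleep(delay)
            delay = min(delay * 2, max_delay)


def connect(hosts, user, password, ca_file, replica_set=None):
    """Open a verified TLS connection and prove liveness with a ping,
    tolerating a node that is in the middle of restarting."""
    from pymongo import MongoClient  # imported here so the helpers above run without pymongo
    from pymongo.errors import AutoReconnect, ServerSelectionTimeoutError
    client = MongoClient(build_uri(hosts, user, password, replica_set=replica_set),
                         **tls_client_options(ca_file))
    with_reconnect(lambda: client.admin.command("ping"),
                   (AutoReconnect, ServerSelectionTimeoutError))
    return client


if __name__ == "__main__":
    client = connect(HOSTS, "app_user", "s3cret@pw", CA_FILE, replica_set="mgset-example")
    print(client.server_info()["version"])
```

The retry wrapper is deliberately generic: wrap the operations that must survive the rolling restart (the initial ping here, or a critical write in your own code) rather than every call, and keep `serverSelectionTimeoutMS` above the per-node disconnection window so the driver itself can fail over to the node that is still up.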
More operations
Update server certificate
The server certificate for an ApsaraDB for MongoDB instance is valid for one year. If the certificate expires, clients cannot connect to the instance by using encrypted connections. Before a certificate expires, Alibaba Cloud notifies you by SMS, email, and the Message Center, and automatically renews the certificate within a specified time window. You can customize the maintenance window by using Schedule Event. For more information, see scheduled events.
After the server certificate is automatically updated, clients that use encrypted connections can connect to the database without re-downloading or re-configuring the CA certificate. During the SSL certificate update, the ApsaraDB for MongoDB instance restarts, which causes a transient disconnection of about 30 seconds for each node. You can use a scheduled event to customize the update time. We recommend that you plan your business operations accordingly and ensure your application has an automatic reconnection mechanism.
Go to the Replica Set Instances page. In the top navigation bar, select a resource group and a region, and then click the ID of the target instance.
In the left-side navigation pane, choose .
Click Update Certificate.
In the Update SSL dialog box, click OK.
The instance status changes to Modifying SSL. When the status returns to Running, the server certificate is successfully updated.
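The following is an added example, not code from the ApsaraDB for MongoDB documentation. It inspects the server certificate an endpoint presents, verifying the chain with the downloaded CA certificate, and reports how many days remain before the yearly renewal and whether the endpoint you connect to is actually listed in the certificate, which a newly added endpoint is not until you update the server certificate. The certificate contents, hostnames, and CA path are constructed assumptions; `fetch_server_cert` is the only part that needs network access.

```python
"""Added example (not from the ApsaraDB for MongoDB documentation): report the
remaining validity of an instance's server certificate and whether a given
endpoint is covered by it."""
import socket
import ssl
import time


def san_covers(hostname, cert):
    """True if hostname matches a DNS entry in the certificate's subjectAltName.
    Supports a single leftmost wildcard label such as *.example.com."""
    host_labels = hostname.lower().split(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        labels = value.lower().split(".")
        if len(labels) != len(host_labels):
            continue
        if labels == host_labels:
            return True
        if labels[0] == "*" and len(labels) > 2 and labels[1:] == host_labels[1:]:
            return True
    return False


def cert_status(cert, endpoint_host, now=None, warn_days=30):
    """Summarise a certificate dict in the shape ssl.SSLSocket.getpeercert()
    returns: days left, whether renewal is due soon, and endpoint coverage."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    remaining = not_after - now
    return {
        "days_left": int(remaining // 86400),
        "expired": remaining <= 0,
        "renew_soon": 0 < remaining <= warn_days * 86400,
        "endpoint_covered": san_covers(endpoint_host, cert),
    }


def fetch_server_cert(host, port, ca_file, timeout=10):
    """Handshake with the endpoint, verifying the chain against the
    console-issued CA, and return the parsed leaf certificate. Hostname
    checking is disabled only so that coverage can be reported instead of
    aborting the handshake; chain verification stays enabled."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in the shape getpeercert() returns; not a real ApsaraDB certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.mongodb.example.com"),),),
    "notBefore": "Jan  5 00:00:00 2025 GMT",
    "notAfter": "Jan  5 00:00:00 2026 GMT",  # one-year validity, as described above
    "subjectAltName": (("DNS", "*.mongodb.example.com"),),
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Dec 20 00:00:00 2025 GMT")  # 16 days before expiry


def check_sample():
    """Evaluate the constructed certificate for an endpoint it covers and for a
    hypothetical newly added endpoint it does not."""
    return {
        "existing": cert_status(SAMPLE_CERT, "dds-old.mongodb.example.com", now=SAMPLE_NOW),
        "new_endpoint": cert_status(SAMPLE_CERT, "dds-new.mongodb-public.example.com", now=SAMPLE_NOW),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:  # python3 check_cert.py <host> <port> <ca.pem>
        host, port, ca = sys.argv[1], int(sys.argv[2]), sys.argv[3]
        print(cert_status(fetch_server_cert(host, port, ca), host))
    else:
        print(check_sample())
```

Run it against each endpoint your application uses after you add an endpoint or receive a renewal notification; an `endpoint_covered` of False for an endpoint that worked before means the certificate predates that endpoint, and `renew_soon` tells you to expect the maintenance-window restart. Because hostname checking is disabled in this diagnostic, do not reuse `fetch_server_cert`'s context for production connections.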
Disable SSL encryption
When you disable SSL encryption, the ApsaraDB for MongoDB instance restarts. During the restart, each node experiences a transient disconnection of about 30 seconds. We recommend that you plan this operation accordingly and ensure your application has an automatic reconnection mechanism.
Go to the Replica Set Instances page. In the top navigation bar, select a resource group and a region, and then click the ID of the target instance.
In the left-side navigation pane, choose .
Turn off the switch next to SSL Status.
In the Disable SSL dialog box, click OK.
The instance status changes to Modifying SSL. When the status returns to Running, SSL encryption is disabled.
API reference
API | Description
 | Queries the details of the SSL settings of an ApsaraDB for MongoDB instance.
 | Modifies the SSL configuration of an ApsaraDB for MongoDB instance.