Connect to an ApsaraDB for MongoDB database using the mongo shell with SSL encryption to secure data in transit.
Prerequisites
Before you begin, ensure that you have:
A replica set instance or a sharded cluster instance that uses cloud disks
If your instance runs an older major version, upgrade it first. See Upgrade the major version of an instance.
SSL encryption enabled for the instance. See Configure SSL encryption for an instance.
mongo shell 3.0 or later installed on the local server or Elastic Compute Service (ECS) instance. See Install MongoDB.
The IP address of the local server or ECS instance added to the IP address whitelist of the ApsaraDB for MongoDB instance. See Modify an IP address whitelist for an instance.
When to use SSL encryption
Internet connections: Enable SSL encryption when connecting over the Internet. Internal endpoint connections are generally secure and do not require SSL.
CPU impact: Enabling SSL encryption significantly increases CPU utilization. Enable it only when necessary.
New endpoints: After enabling SSL encryption, any new endpoint you add (such as a new node endpoint or public endpoint) does not support SSL encryption. To enable SSL for the new endpoint, update the SSL certificate. See Update an SSL certificate.
Connect using SSL
The following steps use a local Linux server as an example.
SSL connection parameters
The following table lists all SSL-related parameters for the mongo shell connection command.
| Parameter | Description |
|---|---|
| --ssl | Enables SSL/TLS encryption for the connection. |
| --sslCAFile <path> | Path to the SSL CA certificate file (.pem) used to verify the server's certificate. |
| --sslAllowInvalidHostnames | Skips verification that the hostname you connect to matches the server's TLS/SSL certificate. Omit this parameter if your SSL setup requires hostname verification. |
Steps
Download the SSL CA certificate. See Configure SSL encryption for an instance.
Decompress the downloaded package and upload the certificate files to your local server or ECS instance.
In this example, the .pem file is uploaded to /test/sslcafile/ on the local server.
Run the following command to connect to the database:
mongo --host <host> -u <username> -p --authenticationDatabase <database> --ssl --sslCAFile <sslCAFile_path> --sslAllowInvalidHostnames
Replace the placeholders with your actual values:
| Placeholder | Description |
|---|---|
| <host> | Connection string (including port number) of the primary or secondary node. See Connect to a replica set instance. For Internet connections, use the public endpoint. For internal network connections, make sure the instance and the ECS instance share the same network type; if the network type is Virtual Private Cloud (VPC), they must be in the same VPC. |
| <username> | Database account. The initial account is root. Avoid using root in production; create dedicated accounts with appropriate permissions instead. See Manage the permissions of MongoDB database users. |
| <database> | Authentication database. Enter admin if the username is root. |
| <sslCAFile_path> | Path to the SSL CA certificate file. |
Example (username: test, authentication database: admin):
mongo --host dds-bp19f409d7512****-pub.mongodb.rds.aliyuncs.com:3717 -u test -p --authenticationDatabase admin --ssl --sslCAFile /test/sslcafile/ApsaraDB-CA-Chain.pem --sslAllowInvalidHostnames
When Enter password appears, type the password for the database account and press Enter. The password is not displayed as you type.
If you forget the root password, reset it. See (Optional) Reset a password.
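The connection steps above can be wrapped in a small POSIX shell helper that checks the preconditions (host includes a port, CA file exists and is PEM) before assembling the mongo shell command, and that keeps hostname verification unless you explicitly opt out of it. This is an added example written for this page, not a script shipped with ApsaraDB or the mongo shell; the function names, the "strict" mode switch and the host name in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the ApsaraDB documentation): assemble and sanity-check
# the mongo shell SSL connection command before running it.
#
# Usage: build_mongo_ssl_cmd <host:port> <username> <authdb> <ca_file> [strict]
#   With "strict" as the 5th argument, hostname verification is kept
#   (--sslAllowInvalidHostnames is omitted). Any other value, or no 5th
#   argument, appends --sslAllowInvalidHostnames as the documented command does.
# Prints the command on stdout; returns non-zero if a precondition fails.

# Number of certificates in a PEM chain file (ApsaraDB ships a CA chain).
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

build_mongo_ssl_cmd() {
    host=$1; user=$2; authdb=$3; cafile=$4; mode=${5:-lenient}

    # The host must include a port, as the documented connection strings do (…:3717).
    case "$host" in
        *:[0-9]*) ;;
        *) echo "error: host must be <hostname>:<port>" >&2; return 1 ;;
    esac

    # The CA file must be readable and actually contain a PEM certificate;
    # otherwise the mongo shell cannot verify the server certificate at all.
    if [ ! -r "$cafile" ]; then
        echo "error: CA file not readable: $cafile" >&2; return 1
    fi
    if [ "$(count_pem_certs "$cafile")" -lt 1 ]; then
        echo "error: $cafile does not contain a PEM certificate" >&2; return 1
    fi

    # root is the initial account; the page recommends a dedicated account instead.
    if [ "$user" = "root" ]; then
        echo "warning: connecting as root; use a dedicated account in production" >&2
    fi

    cmd="mongo --host $host -u $user -p --authenticationDatabase $authdb --ssl --sslCAFile $cafile"
    if [ "$mode" != "strict" ]; then
        # Skipping hostname verification removes the check that the endpoint
        # presenting the certificate is the one named in it; keep it only when
        # the SSL setup requires it, as the parameter table notes.
        cmd="$cmd --sslAllowInvalidHostnames"
    fi
    printf '%s\n' "$cmd"
}

# Run directly with at least four arguments to print (not execute) the command,
# e.g.: sh ssl_cmd.sh dds-example.mongodb.rds.aliyuncs.com:3717 test admin /test/sslcafile/ApsaraDB-CA-Chain.pem strict
if [ $# -ge 4 ]; then
    build_mongo_ssl_cmd "$@"
fi
```

The helper only prints the command so you can inspect it; pass its output to `eval` or copy it into the terminal once it looks right. The password is still prompted interactively by the mongo shell because `-p` is given without a value, which keeps it out of the shell history.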