ApsaraDB for MongoDB 已設定 sslAllowConnectionsWithoutCertificates,因此用戶端以 SSL 串連時不需要提供用戶端憑證;但用戶端仍必須設定 CA 憑證來驗證伺服器憑證,並且只忽略網域名稱(主機名稱)檢測。注意:忽略網域名稱檢測後,任何由該 CA 簽發的憑證都會被接受,因此絕不可同時關閉憑證鏈驗證(例如 Go 的 InsecureSkipVerify 單獨使用、.NET 的 AllowInsecureTls),否則串連可能遭到中間人攻擊。
如何設定SSL加密,請參見設定SSL加密。
Node.js SSL串連樣本
相關連結:MongoDB Node.js Driver。
範例程式碼
將 /?ssl=true 添加到用戶端 URI 的末尾,sslCA 指向 CA 憑證路徑,sslValidate 保持為 true(仍驗證憑證鏈),checkServerIdentity 設定為 false,僅忽略網域名稱檢測。
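var MongoClient = require('mongodb').MongoClient,
    f = require('util').format,
    fs = require('fs');
// Read the certificate authority that issued the server certificate. The chain
// is still validated against it (sslValidate stays true); only the host-name
// match is skipped below.
var ca = [fs.readFileSync(__dirname + "/path/to/ca.pem")];
// Connect, validating the certificate returned by the server against `ca`.
MongoClient.connect("mongodb://host01:27017,host02:27017,host03:27017/?replicaSet=myreplset&ssl=true", {
  server: {
    sslValidate: true,
    // Skip host-name validation only. Any certificate issued by `ca` is then
    // accepted for these hosts, so never set sslValidate to false as well.
    checkServerIdentity: false,
    sslCA: ca
  }
}, function(err, db) {
  // On failure `db` is not set, so check `err` before using it.
  if (err) {
    console.error("connect failed:", err);
    return;
  }
  db.close();
});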
PHP SSL串連樣本
相關連結:MongoDB PHP Driver。
範例程式碼
PHP使用MongoDB\Client::__construct建立client執行個體。其包含三組參數:$uri、$uriOptions和$driverOptions。
function __construct($uri = 'mongodb://127.0.0.1/', array $uriOptions = [], array $driverOptions = [])
通過$uriOptions設定SSL為true,啟用SSL串連。通過$driverOptions設定ca_file指向CA憑證路徑。allow_invalid_hostname設定為true,忽略網域名稱檢測。
<?php
// Replica-set members; TLS and the set name are given through $uriOptions.
$uri = 'mongodb://host01:27017,host02:27017,host03:27017';

// URI options: switch SSL on and name the replica set.
$uriOptions = [
    'ssl'        => true,
    'replicaSet' => 'myReplicaSet',
];

// Driver options: trust the given CA for the server certificate (the chain is
// still validated against it) and skip only the host-name comparison.
$driverOptions = [
    'ca_file'                => '/path/to/ca.pem',
    'allow_invalid_hostname' => true,
];

$client = new MongoDB\Client($uri, $uriOptions, $driverOptions);
?>
Java SSL串連樣本
相關連結:MongoDB Java Driver。
範例程式碼
將 MongoClientOptions 的 sslEnabled 設定為 true,啟用 SSL 串連;將 sslInvalidHostNameAllowed 設定為 true,僅忽略網域名稱檢測(憑證鏈仍會依 JVM 信任庫驗證)。連線字串需透過 MongoClientURI 傳入,MongoClient(String, MongoClientOptions) 的字串參數是單一主機名稱而非 URI。
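import com.mongodb.MongoClient;
import com.mongodb.MongoClientOptions;
import com.mongodb.MongoClientURI;

// TLS options: sslEnabled turns TLS on; sslInvalidHostNameAllowed skips only the
// host-name match. The certificate chain is still validated against the JVM
// trust store (populated with keytool), so do not disable that as well.
MongoClientOptions.Builder optionsBuilder = MongoClientOptions.builder()
        .sslEnabled(true)
        .sslInvalidHostNameAllowed(true);
// MongoClient(String, MongoClientOptions) treats the string as a bare host name,
// not a connection string, so a mongodb:// URI must be wrapped in MongoClientURI.
MongoClientURI uri = new MongoClientURI(
        "mongodb://host01:27017,host02:27017,host03:27017/?replicaSet=myreplset",
        optionsBuilder);
MongoClient client = new MongoClient(uri);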
Java設定CA認證,需要使用keytool工具:
keytool -importcert -trustcacerts -file <path to certificate authority file>
-keystore <path to trust store> -storepass <password>
在建立 MongoClient 之前設定 JVM 系統屬性,指向正確的信任庫(建議改以 -Djavax.net.ssl.trustStore / -Djavax.net.ssl.trustStorePassword 啟動參數傳入,避免把信任庫密碼寫死在原始碼中)。
// Trust store that holds the CA imported with keytool. Set these before the
// MongoClient is created; prefer -D JVM arguments over hard-coding the store
// password in source.
final String trustStorePath = "/trust/mongoStore.ts";
final String trustStorePassword = "StorePass";
System.setProperty("javax.net.ssl.trustStore", trustStorePath);
System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);
Python SSL串連樣本
相關連結:MongoDB Python Driver。
範例程式碼
設定ssl=True啟用SSL串連,ssl_ca_certs參數用來指向ca檔案路徑,ssl_match_hostname設定為false,忽略網域名稱檢測。
import ssl
from pymongo import MongoClient

# Replica-set members; TLS is switched on through the keyword arguments below.
uri = "mongodb://host01:27017,host02:27017,host03:27017/?replicaSet=myreplset"

# ssl=True enables TLS; ssl_ca_certs names the CA that issued the server
# certificate (the chain is still validated against it);
# ssl_match_hostname=False skips only the host-name comparison.
tls_kwargs = {
    "ssl": True,
    "ssl_ca_certs": "ca.pem",
    "ssl_match_hostname": False,
}
client = MongoClient(uri, **tls_kwargs)
C SSL串連樣本
相關連結:MongoDB C Driver。
範例程式碼
將 /?ssl=true 添加到用戶端 URI 的末尾。C 使用 mongoc_ssl_opt_t 配置 SSL 選項,ca_file 指向 CA 憑證路徑;將 allow_invalid_hostname 設定為 true 才會忽略網域名稱檢測(設定為 false 表示強制檢查網域名稱)。憑證鏈仍會依 ca_file 驗證,請勿同時開啟 weak_cert_validation。
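#include <string.h>
#include <mongoc.h>

/* libmongoc must be initialised once before any client is created. */
mongoc_init ();

/* Replica-set members; "?ssl=true" in the URI switches TLS on. */
mongoc_client_t *client = mongoc_client_new (
   "mongodb://host01:27017,host02:27017,host03:27017/?replicaSet=myreplset&ssl=true");
if (!client) {
   fprintf (stderr, "invalid connection URI\n");
   return EXIT_FAILURE;
}

/* Start from the driver defaults, then override only the trust anchor and
 * the host-name policy. */
const mongoc_ssl_opt_t *ssl_default = mongoc_ssl_opt_get_default ();
mongoc_ssl_opt_t ssl_opts = { 0 };
memcpy (&ssl_opts, ssl_default, sizeof ssl_opts);
/* CA that issued the server certificate; the chain is validated against it. */
ssl_opts.ca_file = "/path/to/ca.pem";
/* true skips only the host-name comparison (false would enforce it). Do not
 * also disable certificate validation, or any certificate would be accepted. */
ssl_opts.allow_invalid_hostname = true;
mongoc_client_set_ssl_opts (client, &ssl_opts);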
C ++ SSL串連樣本
相關連結:MongoDB C++ Driver。
範例程式碼
將 /?ssl=true 添加到用戶端 URI 的末尾。C++ 通過 mongocxx::options::ssl 設定 SSL 參數,ca_file 參數用來指定 CA 檔案路徑;建立 client 之前必須先建立一個 mongocxx::instance。此範例未關閉網域名稱檢測,伺服器憑證必須與連線主機名稱相符。
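#include <mongocxx/client.hpp>
#include <mongocxx/instance.hpp>
#include <mongocxx/uri.hpp>
#include <mongocxx/options/client.hpp>
#include <mongocxx/options/ssl.hpp>

// Exactly one mongocxx::instance must exist before, and outlive, every client.
mongocxx::instance instance{};

mongocxx::options::client client_options;
mongocxx::options::ssl ssl_options;
// The server certificate is not signed by a well-known CA, so name the CA that
// issued it; the chain is validated against this file. Nothing here skips the
// host-name check, so the certificate must match the hosts in the URI.
ssl_options.ca_file("/path/to/ca.pem");
client_options.ssl_opts(ssl_options);
// "?ssl=true" in the URI switches TLS on. The options object passed here must be
// the configured one above (the original referenced an undeclared `client_opts`).
auto client = mongocxx::client{
    mongocxx::uri{"mongodb://host01:27017,host02:27017,host03:27017/?replicaSet=myreplset&ssl=true"},
    client_options};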
Scala SSL串連樣本
相關連結:MongoDB Scala Driver。
範例程式碼
Scala 驅動程式使用 Netty 提供的 SSL 底層支援與 MongoDB 伺服器進行 SSL 串連。其中,將 SslSettings 的 enabled 設定為 true,啟用 SSL 串連;將 invalidHostNameAllowed 設定為 true,僅忽略網域名稱檢測。建立好的 MongoClientSettings 必須傳給 MongoClient(settings),否則這些設定不會生效。
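import com.mongodb.ConnectionString
import org.mongodb.scala.{MongoClient, MongoClientSettings}
import org.mongodb.scala.connection.{NettyStreamFactoryFactory, SslSettings}

val uri = "mongodb://host01:27017,host02:27017,host03:27017/?replicaSet=myreplset"

// enabled(true) turns TLS on; invalidHostNameAllowed(true) skips only the
// host-name match. The chain is still validated against the JVM trust store.
val sslSettings = SslSettings.builder()
  .enabled(true)
  .invalidHostNameAllowed(true)
  .build()

// The settings must be handed to MongoClient. MongoClient(uri) alone would
// discard them, and since the URI carries no ssl=true the connection would be
// made without TLS.
val settings = MongoClientSettings.builder()
  .applyConnectionString(new ConnectionString(uri))
  .sslSettings(sslSettings)
  .streamFactoryFactory(NettyStreamFactoryFactory())
  .build()

val client: MongoClient = MongoClient(settings)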
scala設定CA認證與Java相同,同樣需要使用keytool工具。
keytool -importcert -trustcacerts -file <path to certificate authority file>
-keystore <path to trust store> -storepass <password>
在建立 MongoClient 之前設定 JVM 系統屬性,指向正確的信任庫(建議改以 -Djavax.net.ssl.trustStore / -Djavax.net.ssl.trustStorePassword 啟動參數傳入,避免把信任庫密碼寫死在原始碼中)。
// Trust store that holds the CA imported with keytool. Set these before the
// MongoClient is created; prefer -D JVM arguments over hard-coding the store
// password in source.
val trustStorePath = "/trust/mongoStore.ts"
val trustStorePassword = "StorePass"
System.setProperty("javax.net.ssl.trustStore", trustStorePath)
System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword)
Golang SSL串連樣本
相關連結:MongoDB Golang Driver、Crypto tls package 。
範例程式碼
Golang 驅動程式使用 crypto/tls 包提供的 SSL 底層支援與 MongoDB 伺服器進行 SSL 串連。其中,tls.Config 結構用來配置 SSL 選項;RootCAs 用來指定 CA 憑證。注意:InsecureSkipVerify 設定為 true 會關閉 crypto/tls 的全部憑證驗證(包含憑證鏈),而不只是網域名稱檢測;若只想忽略網域名稱,必須同時提供 VerifyPeerCertificate 回呼,自行以 RootCAs 驗證憑證鏈(不指定 DNSName)。
package main
import (
"context"
"crypto/tls"
"crypto/x509"
"fmt"
"go.mongodb.org/mongo-driver/bson"
"go.mongodb.org/mongo-driver/mongo"
"go.mongodb.org/mongo-driver/mongo/options"
"go.mongodb.org/mongo-driver/mongo/readpref"
"go.mongodb.org/mongo-driver/mongo/writeconcern"
"io/ioutil"
"log"
)
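// newTLSConfig builds a tls.Config that trusts only the CA in caFile and
// validates the server's certificate chain against it, while skipping the
// host-name match (the instance certificate need not name the endpoint).
func newTLSConfig(caFile string) (*tls.Config, error) {
	caPEM, err := ioutil.ReadFile(caFile)
	if err != nil {
		return nil, fmt.Errorf("read CA file %s: %v", caFile, err)
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("get certs from %s fail!", caFile)
	}
	return &tls.Config{
		RootCAs: roots,
		// InsecureSkipVerify disables ALL of crypto/tls's built-in checks, not
		// just the host-name match; on its own it would accept any certificate.
		// It is only acceptable here because VerifyPeerCertificate below
		// re-implements the chain check against roots without a DNSName.
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return fmt.Errorf("server presented no certificate")
			}
			leaf, err := x509.ParseCertificate(rawCerts[0])
			if err != nil {
				return fmt.Errorf("parse server certificate: %v", err)
			}
			intermediates := x509.NewCertPool()
			for _, raw := range rawCerts[1:] {
				c, err := x509.ParseCertificate(raw)
				if err != nil {
					return fmt.Errorf("parse intermediate certificate: %v", err)
				}
				intermediates.AddCert(c)
			}
			// No DNSName in the options: the chain is verified, the host name is not.
			_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates})
			return err
		},
	}, nil
}

func main() {
	tlsConfig, err := newTLSConfig("ca.pem")
	if err != nil {
		log.Fatal(err)
	}
	// Create a Client to a MongoDB server and use Ping to verify that the
	// server is running.
	// Database user "test", authenticated against the "admin" database.
	clientOpts := options.Client().ApplyURI("mongodb://test:****@dds-bp*******1.mongodb.rds.aliyuncs.com:3717,dds-bp*******2.mongodb.rds.aliyuncs.com:3717/admin?replicaSet=mgset-XXXXX&ssl=true")
	clientOpts.SetReadPreference(readpref.Secondary())
	// NOTE(review): WTimeout takes a time.Duration, so 1000 is 1µs; presumably
	// 1000*time.Millisecond was intended -- confirm before relying on it.
	clientOpts.SetWriteConcern(writeconcern.New(writeconcern.WMajority(), writeconcern.J(true), writeconcern.WTimeout(1000)))
	clientOpts.SetTLSConfig(tlsConfig)
	client, err := mongo.Connect(context.TODO(), clientOpts)
	if err != nil {
		fmt.Println("connect failed!")
		log.Fatal(err)
	}
	fmt.Println("connect successful!")
	defer func() {
		if err = client.Disconnect(context.TODO()); err != nil {
			fmt.Println("disconnect failed!")
			log.Fatal(err)
		}
		fmt.Println("disconnect successful!")
	}()
	// Call Ping to verify that the deployment is up and the Client was
	// configured successfully. As mentioned in the Ping documentation, this
	// reduces application resiliency as the server may be temporarily
	// unavailable when Ping is called.
	if err = client.Ping(context.TODO(), nil); err != nil {
		fmt.Println("ping failed!")
		log.Fatal(err)
	}
	fmt.Println("ping successful!")
	collection := client.Database("baz").Collection("qux")
	res, err := collection.InsertOne(context.Background(), bson.M{"hello": "world"})
	if err != nil {
		fmt.Println("insert result failed!")
		log.Fatal(err)
	}
	id := res.InsertedID
	fmt.Println("Id: ", id)
	fmt.Printf("insert result: %v\n", res)
	// Read the document back by its generated _id.
	result := bson.M{}
	filter := bson.D{{"_id", res.InsertedID}}
	if err := collection.FindOne(context.Background(), filter).Decode(&result); err != nil {
		fmt.Println("find failed!")
		log.Fatal(err)
	}
	fmt.Printf("result: %v\n", result)
}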
.NET Core SSL串連樣本
- 安裝.NET,更多資訊,請參見Download .NET。
- 建立一個專案並進入該專案目錄。
dotnet new console -o MongoDB
cd MongoDB
- 執行如下命令安裝MongoDB的.NET Core驅動包。
dotnet add package mongocsharpdriver --version 2.11.5
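using System;
using System.Collections.Generic;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using MongoDB.Bson;
using MongoDB.Driver;

namespace dotnetCase
{
    class Program
    {
        // Validates the certificate presented by the server against the private CA
        // in trustedCa. Only a host-name mismatch is tolerated (the instance
        // certificate may not carry the endpoint's DNS name); any other policy
        // error, or a chain that does not end at trustedCa, is rejected.
        static bool ValidateServerCertificate(X509Certificate2 trustedCa,
                                              X509Certificate certificate,
                                              SslPolicyErrors errors)
        {
            if (certificate == null)
            {
                return false;
            }
            // RemoteCertificateChainErrors is expected because the private CA is
            // not in the OS trust store; the chain is re-checked below with the CA
            // supplied explicitly.
            const SslPolicyErrors tolerated =
                SslPolicyErrors.RemoteCertificateNameMismatch | SslPolicyErrors.RemoteCertificateChainErrors;
            if ((errors & ~tolerated) != SslPolicyErrors.None)
            {
                return false;
            }
            using (var chain = new X509Chain())
            {
                // A private CA normally publishes no CRL/OCSP endpoint.
                chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
                chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
                chain.ChainPolicy.ExtraStore.Add(trustedCa);
                if (!chain.Build(new X509Certificate2(certificate)))
                {
                    return false;
                }
                // AllowUnknownCertificateAuthority lets Build() succeed for any
                // self-signed root, so pin the chain's root to our CA explicitly.
                var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
                return root.Thumbprint == trustedCa.Thumbprint;
            }
        }

        static void Main(string[] args)
        {
            // Instance endpoints.
            const string host1 = "dds-***********-pub.mongodb.rds.aliyuncs.com";
            const int port1 = 3717;
            const string host2 = "dds-***********-pub.mongodb.rds.aliyuncs.com";
            const int port2 = 3717;
            const string replicaSetName = "mgset-********"; // Remove this line for a sharded cluster instance.
            const string admin = "admin";
            // Database user "test".
            const string userName = "test";
            const string passwd = "********";
            try
            {
                // Hosts to connect to.
                MongoClientSettings settings = new MongoClientSettings();
                List<MongoServerAddress> servers = new List<MongoServerAddress>();
                servers.Add(new MongoServerAddress(host1, port1));
                servers.Add(new MongoServerAddress(host2, port2));
                settings.Servers = servers;
                // Replica set name (remove this line for a sharded cluster instance).
                settings.ReplicaSetName = replicaSetName;
                // Connect timeout of 3 seconds.
                settings.ConnectTimeout = new TimeSpan(0, 0, 0, 3, 0);
                // Login user / password.
                MongoCredential credentials = MongoCredential.CreateCredential(admin, userName, passwd);
                settings.Credential = credentials;
                // TLS. ca.pem is the trust anchor for the *server* certificate, not a
                // client certificate, so it must not go into ClientCertificates.
                var trustedCa = new X509Certificate2("ca.pem");
                settings.UseTls = true;
                // AllowInsecureTls is left at its default (false): it relaxes server
                // certificate validation and would make ca.pem pointless.
                settings.SslSettings = new SslSettings
                {
                    ServerCertificateValidationCallback =
                        (sender, certificate, chain, errors) => ValidateServerCertificate(trustedCa, certificate, errors)
                };
                // Initialise the client.
                MongoClient client = new MongoClient(settings);
            }
            catch (Exception e)
            {
                Console.WriteLine("串連異常:"+e.Message);
            }
        }
    }
}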