全部產品
Search
文件中心

ApsaraDB for MongoDB:MongoDB用戶端SSL串連樣本

更新時間:Feb 28, 2024

ApsaraDB for MongoDB設定了sslAllowConnectionsWithoutCertificates,使用SSL串連用戶端時不需要認證 ,但需要配置Ca驗證伺服器憑證,同時忽略網域名稱檢測。

如何設定SSL加密,請參見設定SSL加密

Node.js SSL串連樣本

相關連結:MongoDB Node.js Driver

範例程式碼

將/?ssl = true添加到用戶端URI的末尾,sslCA指向ca憑證路徑,checkServerIndentity設定為false,忽略網域名稱檢測。

var MongoClient = require('mongodb').MongoClient,
  f = require('util').format,
  fs = require('fs');

// Read the certificate authority
var ca = [fs.readFileSync(__dirname + "/path/to/ca.pem")];

// Connect validating the returned certificates from the server
MongoClient.connect("mongodb://host01:27017,host02:27017,host03:27017/?replicaSet=myreplset&ssl=true", {
  server: {
      sslValidate:true,
      checkServerIdentity:false,#ignore host name validation
      sslCA:ca
  }
}, function(err, db) {
  db.close();
});

PHP SSL串連樣本

相關連結:MongoDB PHP Driver

範例程式碼

PHP使用MongoDB\Client::__construct建立client執行個體。其包含三組參數:$uri、$uriOptions和$driverOptions。

function __construct($uri = 'mongodb://127.0.0.1/', array $uriOptions = [], array $driverOptions = [])

通過$uriOptions設定SSL為true,啟用SSL串連。通過$driverOptions設定ca_file指向CA憑證路徑。allow_invalid_hostname設定為true,忽略網域名稱檢測。

<?php
$client = new MongoDB\Client(
    'mongodb://host01:27017,host02:27017,host03:27017',
    [   'ssl' => true,
        'replicaSet' => 'myReplicaSet'
    ],
    [
        "ca_file" => "/path/to/ca.pem",
        "allow_invalid_hostname" => true

    ]
);
?>

Java SSL串連樣本

相關連結:MongoDB Java Driver

範例程式碼

將MongoClientOptions的sslEnabled設定為True,啟用SSL串連。將sslInvalidHostNameAllowed設定為true,忽略網域名稱檢測。

import com.mongodb.MongoClientURI;
import com.mongodb.MongoClientOptions;
MongoClientOptions options
= MongoClientOptions.builder().sslEnabled(true).sslInvalidHostNameAllowed(true).build();
MongoClient client = new MongoClient("mongodb://host01:27017,host02:27017,host03:27017/?replicaSet=myreplset", options);

Java設定CA認證,需要使用keytool工具:

keytool -importcert -trustcacerts -file <path to certificate authority file> 
        -keystore <path to trust store> -storepass <password>

在程式中設定JVM 系統屬性以指向正確的信任庫和密鑰庫。

System.setProperty("javax.net.ssl.trustStore","/trust/mongoStore.ts");
System.setProperty("javax.net.ssl.trustStorePassword","StorePass");

Python SSL串連樣本

相關連結:MongoDB Python Driver

範例程式碼

設定ssl=True啟用SSL串連,ssl_ca_certs參數用來指向ca檔案路徑,ssl_match_hostname設定為false,忽略網域名稱檢測。

import ssl
from pymongo import MongoClient

uri = "mongodb://host01:27017,host02:27017,host03:27017/?replicaSet=myreplset"
client = MongoClient(uri,
                     ssl=True,
                     ssl_ca_certs='ca.pem',
                     ssl_match_hostname=False)

C SSL串連樣本

相關連結:MongoDB C Driver

範例程式碼

將/?ssl = true添加到用戶端URI的末尾,C使用mongoc_ssl_opt_t來配置SSL選項,ca_file指向ca憑證路徑。將allow_invalid_hostname設定為false,忽略網域名稱檢測。

mongoc_client_t *client = NULL;
client = mongoc_client_new (
      "mongodb://host01:27017,host02:27017,host03:27017/?replicaSet=myreplset&ssl=true");
const mongoc_ssl_opt_t *ssl_default = mongoc_ssl_opt_get_default ();
mongoc_ssl_opt_t ssl_opts = { 0 };

/* optionally copy in a custom trust directory or file; otherwise the default is used. */
memcpy (&ssl_opts, ssl_default, sizeof ssl_opts);
ssl_opts.ca_file = "/path/to/ca.pem"
ssl_opts.allow_invalid_hostname = false
mongoc_client_set_ssl_opts (client, &ssl_opts);

C ++ SSL串連樣本

相關連結:MongoDB C++ Driver

範例程式碼

將/?ssl = true添加到用戶端URI的末尾。C++通過 mongocxx::options::ssl 設定SSL參數,ca_file參數用來指定ca檔案路徑。

說明 mongocxx驅動現不支援忽略網域名稱檢測。
#include <mongocxx/client.hpp>
#include <mongocxx/uri.hpp>
#include <mongocxx/options/client.hpp>
#include <mongocxx/options/ssl.hpp>

mongocxx::options::client client_options;
mongocxx::options::ssl ssl_options;

// If the server certificate is not signed by a well-known CA,
// you can set a custom CA file with the `ca_file` option.
ssl_options.ca_file("/path/to/ca.pem");

client_options.ssl_opts(ssl_options);

auto client = mongocxx::client{
    uri{"mongodb://host01:27017,host02:27017,host03:27017/?replicaSet=myreplset&ssl=true"}, client_opts};
                

Scala SSL串連樣本

相關連結:MongoDB Scala Driver

範例程式碼

Scala驅動程式使用Netty提供的SSL底層支援與MongoDB伺服器進行SSL串連。其中,將MongoClientSettings的sslEnabled設定為True,啟用SSL串連;將InvalidHostNameAllowed設定為true,忽略網域名稱檢測。

import org.mongodb.scala.connection.{NettyStreamFactoryFactory, SslSettings}

MongoClientSettings.builder()
                   .sslSettings(SslSettings.builder()
                                           .enabled(true)                 
                                           .invalidHostNameAllowed(true)  
                                           .build())                      
                   .streamFactoryFactory(NettyStreamFactoryFactory())
                   .build()
val client: MongoClient = MongoClient("mongodb://host01:27017,host02:27017,host03:27017/?replicaSet=myreplset")
                

scala設定CA認證與Java相同,同樣需要使用keytool工具。

keytool -importcert -trustcacerts -file <path to certificate authority file> 
        -keystore <path to trust store> -storepass <password>

在程式中設定JVM 系統屬性以指向正確的信任庫和密鑰庫。

System.setProperty("javax.net.ssl.trustStore","/trust/mongoStore.ts");
System.setProperty("javax.net.ssl.trustStorePassword","StorePass");

Golang SSL串連樣本

相關連結:MongoDB Golang DriverCrypto tls package

範例程式碼

Golang驅動程式使用crypto/tls包提供的SSL底層支援與MongoDB伺服器進行SSL串連。其中,Config結構用來配置SSL選項 ;RootCAs用來指定ca認證;InsecureSkipVerify設定為true,忽略網域名稱檢測。

package main

import (
    "context"
    "crypto/tls"
    "crypto/x509"
    "fmt"
    "go.mongodb.org/mongo-driver/bson"
    "go.mongodb.org/mongo-driver/mongo"
    "go.mongodb.org/mongo-driver/mongo/options"
    "go.mongodb.org/mongo-driver/mongo/readpref"
    "go.mongodb.org/mongo-driver/mongo/writeconcern"
    "io/ioutil"
    "log"
)

func main() {
    var filename = "ca.pem"
    rootPEM, err := ioutil.ReadFile(filename)
    roots := x509.NewCertPool()
    if ok := roots.AppendCertsFromPEM([]byte(rootPEM)); !ok {
        fmt.Printf("get certs from %s fail!\n", filename)
        return
    }
    tlsConfig := &tls.Config{
        RootCAs: roots,
        InsecureSkipVerify: true,
    }

    // Create a Client to a MongoDB server and use Ping to verify that the
    // server is running.
    //資料庫帳號為test,所屬資料庫為admin。
    clientOpts := options.Client().ApplyURI("mongodb://test:****@dds-bp*******1.mongodb.rds.aliyuncs.com:3717,dds-bp*******2.mongodb.rds.aliyuncs.com:3717/admin?replicaSet=mgset-XXXXX&ssl=true")
    clientOpts.SetReadPreference(readpref.Secondary())
    clientOpts.SetWriteConcern(writeconcern.New(writeconcern.WMajority(), writeconcern.J(true), writeconcern.WTimeout(1000)))
    clientOpts.SetTLSConfig(tlsConfig)
    client, err := mongo.Connect(context.TODO(), clientOpts)
    if err != nil {
        fmt.Println("connect failed!")
        log.Fatal(err)
        return
    }
    fmt.Println("connect successful!")

    defer func() {
        if err = client.Disconnect(context.TODO()); err != nil {
            fmt.Println("disconnect failed!")
            log.Fatal(err)
        }
        fmt.Println("disconnect successful!")
    }()

    // Call Ping to verify that the deployment is up and the Client was
    // configured successfully. As mentioned in the Ping documentation, this
    // reduces application resiliency as the server may be temporarily
    // unavailable when Ping is called.
    if err = client.Ping(context.TODO(), nil); err != nil {
        fmt.Println("ping failed!")
        log.Fatal(err)
        return
    }
    fmt.Println("ping successful!")

    collection := client.Database("baz").Collection("qux")
    res, err := collection.InsertOne(context.Background(), bson.M{"hello": "world"})
    if err != nil {
        fmt.Println("insert result failed!")
        log.Fatal(err)
        return
    }
    id := res.InsertedID
    fmt.Println("Id: ", id)
    fmt.Printf("insert result: %v\n", res)

    result := bson.M{}
    filter := bson.D{{"_id", res.InsertedID}}
    if err := collection.FindOne(context.Background(), filter).Decode(&result); err != nil {
        fmt.Println("find failed!")
        log.Fatal(err)
        return
    }

    fmt.Printf("result: %v\n", result)
}

.NET Core SSL串連樣本

  1. 安裝.NET,更多資訊,請參見Download .NET
  2. 建立一個專案並進入該專案目錄。
    dotnet new console -o MongoDB
    cd MongoDB
  3. 執行如下命令安裝MongoDB的.NET Core驅動包。
    dotnet add package mongocsharpdriver --version 2.11.5
範例程式碼:
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using MongoDB.Bson;
using MongoDB.Driver;namespace dotnetCase
{
class Program
{
static void Main(string[] args)
{
//Mongo 執行個體資訊。
const string host1 = "dds-***********-pub.mongodb.rds.aliyuncs.com";
const int port1 = 3717;
const string host2 = "dds-***********-pub.mongodb.rds.aliyuncs.com";
const int port2 = 3717;
const string replicaSetName = "mgset-********"; //分區叢集執行個體請刪除這一行。
const string admin = "admin";
//資料庫帳號為test。
const string userName = "test";
const string passwd = "********";        
try
        {
            // 設定串連host資訊。
            MongoClientSettings settings = new MongoClientSettings();
            List<MongoServerAddress> servers = new List<MongoServerAddress>();
            servers.Add(new MongoServerAddress(host1, port1));
            servers.Add(new MongoServerAddress(host2, port2));
            settings.Servers = servers;
            // 設定複本集名稱(分區叢集執行個體請刪除這一行)。
            settings.ReplicaSetName = replicaSetName;
            // 設定逾時時間為3秒。
            settings.ConnectTimeout = new TimeSpan(0, 0, 0, 3, 0);
            // 設定登入使用者/密碼。
            MongoCredential credentials = MongoCredential.CreateCredential(admin, userName, passwd);
            settings.Credential = credentials;
            // 設定SSL資訊。
            SslSettings sslSettings = new SslSettings{
                ClientCertificates = new[] {new X509Certificate("ca.pem")},
            };
            settings.UseTls = true;
            settings.AllowInsecureTls = true;
            settings.SslSettings = sslSettings;
            // 初始化用戶端。
            MongoClient client = new MongoClient(settings);
        }
        catch (Exception e)
        {
            Console.WriteLine("串連異常:"+e.Message);
        }
    }
}
}