Secure your Mongo Clusters with SSL

SSL is extremely important to maintain the privacy and validity of your data over untrusted networks. If you’re deploying a production database cluster on the internet, SSL is definitely something you should consider. ScaleGrid now supports enabling SSL for your MongoDB servers.

Enabling SSL is now as easy as checking a box in the MongoDB creation wizard:

MongodB with ssl

So Why Use SSL with MongoDB?

  1. Privacy

    If you’re connecting to your MongoDB server over unsecured networks, your data is traveling unencrypted and is susceptible to both eavesdropping and tampering. SSL encrypts the data so only the two endpoints have access to the unencrypted data.

  2. Authentication

    Use  PKI (private key infrastructure) to ensure that only clients with certificates from an appropriate CA can connect to the MongoDB server. This is an additional step and you can choose to not use your custom certificates or CA – you’ll still have the benefits of privacy due to end-to-end encryption.

MongoDB SSL Drawbacks

  • Performance Overhead

    There’s definitely some performance overhead for using SSL. While we’re yet to run comprehensive tests, there is definite overhead due to using SSL.

  • Lack of MongoDB UI

    Most of the popular MongoDB UI’s don’t support SSL out of the box. So, you might need to go for the paid version or use the mongo console.

Connecting to your SSL Enabled MongoDB Server

If you’re connecting to a MongoDB server with SSL enabled, there are several differences in the MongoDB connection code. Please refer to the documentation of your driver for more details.

  1. Mongo Shell

    The default mongo client does not support connections to an SSL enabled server – you need the SSL enabled-build of MongoDB. You can SSH into the SSL enabled server and then use the mongo client on the server to connect. Here is the syntax to connect using the admin user provided by ScaleGrid:

    mongo <span style="color: #758e9f;">--ssl --sslCAFile <file.crt></span> -u admin -p <pass> servername/admin 
  2. Code

    You’ll need to append the “ssl=true” property to your MongoDB connection string. Also, certain platforms (E.g. JDK) will require you to add the public key of the SSL certificate to the trusted path before you can connect to the server. By default, a self signed certificate is generated for every cluster. You can download the public key of the SSL certificate from the UI or you can download the certificate from /etc/ssl/mongodb-cert.crt on the server. In the UI, a link to download the SSL public cert is available in the connection string modal:

    Mongodb ssl connection steps

    For more instructions on how you can SSH into the instance, refer to the “VM Credentials” section in this blog post. The crt file is located at /etc/ssl/mongodb-cert.crt on the server. Once you’ve download the public key, you’ll need to add it to your trusted keystone:

    keytool -import -alias "MongoDB-cert" -file "/etc/ssl/mongodb-cert.crt"
    -keystore "/usr/java/default/jre/lib/security/cacerts"
    -noprompt -storepass "changeit"

    The default password for the cacerts store is “changeit”. For security reasons, you should change this password to your own. Once you’ve added the certificate, enumerate the certs in the keystone to confirm that the certificate got added:

    keytool -list -keystore cacerts -storepass changeit
  3. Mongo UI: Robo 3T

    Robo 3T (formerly Robomongo) is one of the few MongoDB UI’s that support connecting with SSL. When creating a connection to your MongoDB server, select the SSL option. For the certificate, use the .pem file that has both the public key and the private key. This file is located at /etc/ssl on your MongoDB server. Check out our Robo 3T MongoDB Connection Guide for more details.
    Connect to Mongodb with ssl using Robomongo

As always, if you have any questions, please reach out to us at [email protected].