MongoDirector now supports enabling SSL for your MongoDB servers. SSL is extremely important for maintaining the privacy and integrity of your data over untrusted networks. If you are deploying a production database cluster on the internet, SSL is definitely something you should consider.
Enabling SSL is now as easy as checking a box in the creation wizard.
So why use SSL with MongoDB?
1. Privacy – If you are connecting to your MongoDB server over unsecured networks, your data travels unencrypted and is susceptible to eavesdropping and tampering. SSL encrypts the data so that only the two endpoints have access to the unencrypted data.
2. Authentication – Use PKI (Public Key Infrastructure) to ensure that only clients with certificates from an appropriate CA can connect to the MongoDB server. This is an additional step, and you can choose not to use your custom certificates or CA – you will still have the benefits of privacy due to end-to-end encryption.
There are also some downsides to consider:
1. Performance overhead – There is definitely some performance overhead from using SSL. We have yet to run comprehensive tests to quantify it, but the overhead is real.
2. Lack of MongoDB UI support – Most of the popular MongoDB UIs don’t support SSL out of the box. So you might need to go for the paid version or use the mongo console.
Connecting to your SSL enabled MongoDB server
If you are connecting to a server with SSL enabled, there are several differences in the mongo connection code. Please refer to the documentation of your driver for more details.
1. Mongo shell
The default mongo client does not support connections to an SSL-enabled server – you need the SSL-enabled build of mongo. You can SSH into the SSL-enabled server and then use the mongo client on the server to connect. Here is the syntax to connect using the admin user provided by MongoDirector:
mongo --ssl --sslCAFile <file.crt> -u admin -p <pass> servername/admin
2. MongoDB drivers
You will need to append the “ssl=true” property to your MongoDB connection string. Certain platforms (e.g. the JDK) will also require you to add the public key of the SSL certificate to the trusted path before you can connect to the server. By default a self-signed certificate is generated for every cluster. You can download the public key of the SSL cert from the UI, or you can copy the certificate from /etc/ssl/mongodb-cert.crt on the server. In the UI, a link to download the SSL public cert is available in the connection string modal.
For more instructions on how to SSH into the instance, refer to the “VM Credentials” section in this blog post. The .crt file is located at /etc/ssl/mongodb-cert.crt on the server. Once you have downloaded the public key, you will need to add it to your trusted keystore:
keytool -import -alias "MongoDB-cert" -file "/etc/ssl/mongodb-cert.crt" -keystore "/usr/java/default/jre/lib/security/cacerts" -noprompt -storepass "changeit"
The default password for the cacerts store is “changeit”. For security reasons you should change this password to your own. Once you have added the certificate, list the certs in the keystore to confirm that the certificate was added:
keytool -list -keystore cacerts -storepass changeit
3. Mongo UI: Robomongo
Robomongo is one of the few mongo UIs that support connecting with SSL. When creating a connection to your MongoDB server, select the SSL option. For the certificate, use the .pem file that contains both the public key and the private key. This file is located at /etc/ssl on your MongoDB server.
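The following is an added example, not MongoDirector's code, showing why the --sslCAFile and keystore steps above matter: a self-signed cluster certificate is accepted only when the client has that exact certificate pinned as its trust anchor, and any other self-signed certificate is rejected. It assumes the openssl CLI is available; the certificates are throwaway ones generated on the spot and all file names are illustrative.

```shell
#!/bin/sh
# Added example, not part of the MongoDirector page or product.
# Assumes the openssl CLI is installed; all file names are illustrative.

# Verify PRESENTED (the cert a server hands you) against PINNED (the copy of
# /etc/ssl/mongodb-cert.crt you downloaded) as the only trust anchor. This is
# the same decision `mongo --sslCAFile` or a keytool-imported cacerts makes.
# Returns 0 when the presented cert chains to the pinned one, 1 otherwise.
pinned_cert_ok() {
    pinned="$1"
    presented="$2"
    if openssl verify -CAfile "$pinned" "$presented" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# SHA-256 fingerprint of a PEM certificate, e.g. to compare the copy
# downloaded from the UI with the file on the server before trusting it.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Constructed sample: a throwaway self-signed cert standing in for one
# cluster's auto-generated certificate. $1 = output path prefix, $2 = CN.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

WORKDIR=$(mktemp -d)
make_selfsigned "$WORKDIR/clusterA" clusterA.example   # the cert you pinned
make_selfsigned "$WORKDIR/clusterB" clusterB.example   # some other self-signed cert

echo "pinned fingerprint: $(cert_fingerprint "$WORKDIR/clusterA.crt")"
if pinned_cert_ok "$WORKDIR/clusterA.crt" "$WORKDIR/clusterA.crt"; then
    echo "clusterA.crt: accepted (matches the pinned cert)"
fi
if ! pinned_cert_ok "$WORKDIR/clusterA.crt" "$WORKDIR/clusterB.crt"; then
    echo "clusterB.crt: rejected (self-signed, not the pinned cert)"
fi
```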
As always if you have any questions please reach out to us at firstname.lastname@example.org