Configure mongod and mongos for TLS/SSL为TLS/SSL配置mongodmongos

On this page本页内容

Overview概述

This document helps you to configure a new MongoDB instance to support TLS/SSL. 本文档帮助您配置新的MongoDB实例以支持TLS/SSL。For instructions on upgrading a cluster currently not using TLS/SSL to using TLS/SSL, see Upgrade a Cluster to Use TLS/SSL instead.有关将当前不使用TLS/SSL的群集升级为使用TLS/SSL的说明,请参阅将群集升级为改用TLS/SSL

MongoDB uses the native TLS/SSL OS libraries:MongoDB使用本机TLS/SSL OS库:

PlatformTLS/SSL Library
WindowsSecure Channel (Schannel)
Linux/BSDOpenSSL
macOSSecure Transport
Note注意
  • Starting in version 4.0, MongoDB disables support for TLS 1.0 encryption on systems where TLS 1.1+ is available. 从4.0版开始,MongoDB在TLS 1.1+可用的系统上禁用对TLS 1.0加密的支持。For more details, see Disable TLS 1.0.有关详细信息,请参阅禁用TLS 1.0
  • MongoDB's TLS/SSL encryption only allows the use of strong TLS/SSL ciphers with a minimum of 128-bit key length for all connections.MongoDB的TLS/SSL加密仅允许使用强TLS/SSL密码,所有连接的密钥长度至少为128位。
  • The Linux 64-bit legacy x64 builds of MongoDB do not include support for TLS/SSL.MongoDB的Linux 64位遗留x64版本支持TLS/SSL。

Prerequisites先决条件

Important重要

A full description of TLS/SSL, PKI (Public Key Infrastructure) certificates, and Certificate Authority is beyond the scope of this document. TLS/SSL、PKI(公钥基础设施)证书和证书颁发机构的完整描述超出了本文档的范围。This page assumes prior knowledge of TLS/SSL as well as access to valid certificates.本页假定您事先了解TLS/SSL以及访问有效证书。

Certificate Authorities证书颁发机构

For production use, your MongoDB deployment should use valid certificates generated and signed by a certificate authority. 对于生产使用,MongoDB部署应使用由证书颁发机构生成和签名的有效证书。You or your organization can generate and maintain an independent certificate authority, or use certificates generated by third-party TLS vendors. 您或您的组织可以生成和维护独立的证书颁发机构,或者使用第三方TLS供应商生成的证书。Obtaining and managing certificates is beyond the scope of this documentation.获取和管理证书超出了本文档的范围。

mongod and mongos Certificate Key File

When establishing a TLS/SSL connection, the mongod/mongos presents a certificate key file to its clients to establish its identity. [1] The certificate key file contains a public key certificate and its associated private key, but only the public component is revealed to the client.

MongoDB can use any valid TLS/SSL certificate issued by a certificate authority, or a self-signed certificate. MongoDB可以使用证书颁发机构颁发的任何有效TLS/SSL证书或自签名证书。If you use a self-signed certificate, although the communications channel will be encrypted to prevent eavesdropping on the connection, there will be no validation of server identity. 如果使用自签名证书,尽管通信信道将被加密以防止窃听连接,但不会验证服务器身份。This leaves you vulnerable to a man-in-the-middle attack. 这会让你容易受到中间人的攻击。Using a certificate signed by a trusted certificate authority will permit MongoDB drivers to verify the server's identity.使用由可信证书颁发机构签名的证书将允许MongoDB驱动程序验证服务器的身份。

In general, avoid using self-signed certificates unless the network is trusted.通常,除非网络是可信的,否则避免使用自签名证书。

With regards to certificates for replica set and sharded cluster members, it is advisable to use different certificates on different servers. 关于副本集和分片集群成员的证书,建议在不同的服务器上使用不同的证书。This minimizes exposure of the private key and allows for hostname validation.这最大限度地减少了私钥的暴露,并允许主机名验证。

[1] For FIPS mode, ensure that the certificate is FIPS-compliant (i.e uses a FIPS-compliant algorithm) and the private key meets the PKCS#8 standard. 对于FIPS模式,请确保证书符合FIPS(即使用符合FIPS的算法),并且私钥符合PKCS#8标准。If you need to convert a private key to PKCS#8 format, various conversion tools exist, such as openssl pkcs8 and others.如果需要将私钥转换为PKCS#8格式,则存在各种转换工具,如openssl pkcs8等。

Procedures (Using net.tls Settings)程序(使用net.tls设置)

Note注意

Starting in version 4.2, MongoDB provides net.tls settings (and corresponding command-line options) that corresponds to the net.ssl settings (and their corresponding command-line options). The net.tls settings provide identical functionality as the net.ssl options since MongoDB has always supported TLS 1.0 and later.

The procedures in this section use the net.tls settings. 本节中的过程使用net.tls设置。For procedures using the net.ssl alias, see Procedures (Using net.ssl Settings).

Set Up mongod and mongos with TLS/SSL Certificate and Key

The following section configures mongod/mongos to use TLS/SSL connections. With these TLS/SSL settings, mongod/mongos presents its certificate key file to the client. However, the mongod/mongos does not require a certificate key file from the client to verify the client's identity. To require client's certificate key file, see Set Up mongod and mongos with Client Certificate Validation instead.

Note注意

The procedure uses the net.tls settings (available starting in MongoDB 4.2). For procedures using the net.ssl settings, see Procedures (Using net.ssl Settings).

To use TLS/SSL connections, include the following TLS/SSL settings in your mongod/mongos instance's configuration file:

SettingNotes
net.tls.mode

Set to requireTLS.

This setting restricts each server to use only TLS/SSL encrypted connections. You can also specify either the value allowTLS or preferTLS to set up the use of mixed TLS/SSL modes on a port. See net.tls.mode for details.

net.tls.certificateKeyFile

Set to the path of the file that contains the TLS/SSL certificate and key.

The mongod/mongos instance presents this file to its clients to establish the instance's identity.mongod/mongos实例将此文件呈现给其客户端,以建立实例的身份。

For example, consider the following configuration file for a mongod instance:

net:
   tls:
      mode: requireTLS
      certificateKeyFile: /etc/ssl/mongodb.pem
systemLog:
   destination: file
   path: "/var/log/mongodb/mongod.log"
   logAppend: true
storage:
   dbPath: "/var/lib/mongodb"
processManagement:
   fork: true
net:
   bindIp: localhost,mongodb0.example.net
   port: 27017

Starting in MongoDB 4.0, you can use system SSL certificate stores for Windows and macOS. To use the system SSL certificate store, specify net.tls.certificateSelector instead of specifying the certificate key file.

SettingNotes
net.tls.mode

Set to requireTLS.

This setting restricts each server to use only TLS/SSL encrypted connections. You can also specify either the value allowTLS or preferTLS to set up the use of mixed TLS/SSL modes on a port. See net.tls.mode for details.

net.tls.certificateSelector

Set to the property (either subject or thumbprint) and value.

This setting is used to select the certificate. 此设置用于选择证书。See net.tls.certificateSelector for details.

For example, consider the following configuration file for a mongod instance:

net:
   tls:
      mode: requireTLS
      certificateSelector: subject="<CertificateCommonName>"
systemLog:
   destination: file
   path: "/var/log/mongodb/mongod.log"
   logAppend: true
storage:
   dbPath: "/var/lib/mongodb"
processManagement:
   fork: true
net:
   bindIp: localhost,mongodb0.example.net
   port: 27017

A mongod instance that uses the above configuration can only use TLS/SSL connections:

mongod --config <path/to/configuration/file>

That is, clients must specify TLS/SSL connections. See Connect to MongoDB Instance Using Encryption (tls Options) for more information on connecting with TLS/SSL.

Tip提示
See also: 参阅:

You can also configure mongod and mongos using command-line options instead of the configuration file:

Set Up mongod and mongos with Client Certificate Validation

The following section configures mongod/mongos to use TLS/SSL connections and perform client certificate validation. With these TLS/SSL settings:

  • mongod/mongos presents its certificate key file to the client for verification.
  • mongod/mongos requires a certificate key file from the client to verify the client's identity.
Note注意

The procedure uses the net.tls settings (available starting in MongoDB 4.2). For procedures using the net.ssl settings, see Procedures (Using net.ssl Settings).

To use TLS/SSL connections and perform client certificate validation, include the following TLS/SSL settings in your mongod/mongos instance's configuration file:

Note注意

Starting in MongoDB 4.0, you can use system SSL certificate stores for Windows and macOS. To use the system SSL certificate store, specify net.ssl.certificateSelector instead of specifying the certificate key file.

SettingNotes
net.tls.mode

Set to requireTLS.

This setting restricts each server to use only TLS/SSL encrypted connections. You can also specify either the value allowTLS or preferTLS to set up the use of mixed TLS/SSL modes on a port. See net.tls.mode for details.

net.tls.certificateKeyFile

Set to the path of the file that contains the TLS/SSL certificate and key.

The mongod/mongos instance presents this file to its clients to establish the instance's identity.

net.tls.CAFile

Set to the path of the file that contains the certificate chain for verifying client certificates.

The mongod/mongos instance use this file to verify certificates presented by its clients. The certificate chain includes the certificate of the root Certificate Authority.

For example, consider the following configuration file for a mongod instance:

net:
   tls:
      mode: requireTLS
      certificateKeyFile: /etc/ssl/mongodb.pem
      CAFile: /etc/ssl/caToValidateClientCertificates.pem
systemLog:
   destination: file
   path: "/var/log/mongodb/mongod.log"
   logAppend: true
storage:
   dbPath: "/var/lib/mongodb"
processManagement:
   fork: true
net:
   bindIp: localhost,mongodb0.example.net
   port: 27017

A mongod instance that uses the above configuration can only use TLS/SSL connections and requires valid certificate from its clients:

mongod --config <path/to/configuration/file>

That is, clients must specify TLS/SSL connections and presents its certificate key file to the instance. See Connect to MongoDB Instance that Requires Client Certificates (tls Options) for more information on connecting with TLS/SSL.

Tip提示
See also: 参阅:

You can also configure mongod and mongos using command-line options instead of the configuration file:

Block Revoked Certificates for Clients

Note注意

The procedure uses the net.tls settings (available starting in MongoDB 4.2). For procedures using the net.ssl settings, see Procedures (Using net.ssl Settings).

To prevent clients with revoked certificates from connecting to the mongod or mongos instance, you can use:

  • Online Certificate Status Protocol (OCSP)

    Starting in version 4.4, to check for certificate revocation, MongoDB enables the use of OCSP (Online Certificate Status Protocol) by default as an alternative to specifying a CRL file or using the system SSL certificate store.

    In versions 4.0 and 4.2, the use of OCSP is available only through the use of system certificate store on Windows or macOS.

  • Certificate Revocation List (CRL)

    To specify a CRL file, include net.tls.CRLFile set to a file that contains revoked certificates.

    For Example:例如:

    net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/caToValidateClientCertificates.pem
    CRLFile: /etc/ssl/revokedCertificates.pem

    Clients who presents certificates that are listed in the /etc/ssl/revokedCertificates.pem will not be able to connect.

    Tip提示
    See also: 参阅:

    You can also configure the revoked certificate list using the command-line option.

Validate Only if a Client Presents a Certificate

In most cases, it is important to ensure that clients present valid certificates. However, if you have clients that cannot present a client certificate or are transitioning to using a certificate, you may only want to validate certificates from clients that present a certificate.

Note注意

The procedure uses the net.tls settings (available starting in MongoDB 4.2). For procedures using the net.ssl settings, see Procedures (Using net.ssl Settings).

To bypass client certificate validation for clients that do not present a certificate, include net.tls.allowConnectionsWithoutCertificates set to true.

For Example:例如:

net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/caToValidateClientCertificates.pem
    allowConnectionsWithoutCertificates: true

A mongod/mongos running with these settings allows connection from:

  • Clients that do not present a certificate.
  • Clients that present a valid certificate.
Note注意

If the client presents a certificate, the certificate must be a valid certificate.

All connections, including those that have not presented certificates, are encrypted using TLS/SSL.

See TLS/SSL Configuration for Clients for more information on TLS/SSL connections for clients.

Tip提示
See also: 参阅:

You can also configure using the command-line options:

Disallow Protocols

Note注意

The procedure uses the net.tls settings (available starting in MongoDB 4.2). For procedures using the net.ssl settings, see Procedures (Using net.ssl Settings).

To prevent MongoDB servers from accepting incoming connections that use specific protocols, include net.tls.disabledProtocols set to the disallowed protocols.

For example, the following configuration prevents mongod/mongos from accepting incoming connections that use either TLS1_0 or TLS1_1

net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/caToValidateClientCertificates.pem
    disabledProtocols: TLS1_0,TLS1_1
Tip提示
See also: 参阅:

You can also configure using the command-line options:

TLS/SSL Certificate Passphrase

If the certificate key files for mongod/mongos are encrypted, include net.tls.certificateKeyFilePassword set to the passphrase.

Tip提示

Starting in MongoDB 4.2, to avoid specifying the passphrase in cleartext, you can use an expansion value in the configuration file.

Tip提示
See also: 参阅:

You can also configure using the command-line options:

Online Certificate Rotation

Starting in MongoDB 5.0, you can rotate the following certificate key files on-demand:

To rotate one or more of these certificates:

  1. Replace the certificate or certificates you wish to rotate on the filesystem, noting the following constraints:

    • Each new certificate must have the same filename and same filepath as the certificate it is replacing.
    • If rotating an encrypted TLS Certificate, its password must be the same as the password for the old certificate (as specified to the certificateKeyFilePassword configuration file setting). Certificate rotation does not support the interactive password prompt.
  2. Connect mongosh to the mongod or mongos instance that you wish to perform certificate rotation on.
  3. Run the rotateCertificates command or the db.rotateCertificates() shell method to rotate the certificates used by the the mongod or mongos instance.

When certificate rotation takes place:

  • Existing connections to the mongod or mongos instance are not terminated, and will continue to use the old certificates.
  • Any new connections will use the new certificates.

Incorrect, expired, revoked, or missing certificate files will cause the certificate rotation to fail, but will not invalidate the existing TLS configuration or terminate the running mongod or mongos process.

Previous to MongoDB 5.0, certificate rotation required downtime, and was typically performed during maintenance windows.

See rotateCertificates or db.rotateCertificates() for additional considerations and full usage instructions.

Run in FIPS Mode

Note注意

FIPS-compatible TLS/SSL is available only in MongoDB Enterprise. See Configure MongoDB for FIPS for more information.

See Configure MongoDB for FIPS for more details.

Next Steps

To configure TLS/SSL support for clients, see TLS/SSL Configuration for Clients.

Tip提示

Procedures (Using net.ssl Settings)

Note注意

Starting in version 4.2, MongoDB provides net.tls settings (and corresponding command-line options) that corresponds to the net.ssl settings (and their corresponding command-line options). The net.tls settings provide identical functionality as the net.ssl options since MongoDB has always supported TLS 1.0 and later.

The procedures in this section use the net.ssl settings. For procedures using the net.tls aliases, see Procedures (Using net.tls Settings).

Set Up mongod and mongos with TLS/SSL Certificate and Key

The following section configures mongod/mongos to use TLS/SSL connections. With these TLS/SSL settings, mongod/mongos presents its certificate key file to the client. However, the mongod/mongos does not require a certificate key file from the client to verify the client's identity. To require client's certificate key file, see Set Up mongod and mongos with Client Certificate Validation instead.

To use TLS/SSL connections, include the following TLS/SSL settings in your mongod/mongos instance's configuration file:

SettingNotes
net.ssl.mode

Set to requireSSL.

This setting restricts each server to use only TLS/SSL encrypted connections. You can also specify allowSSL or preferSSL to use mixed TLS/SSL modes. See net.ssl.mode for details.

net.ssl.PEMKeyFile

Set to the .pem file that contains the TLS/SSL certificate and key.

The mongod/mongos instance presents this file to its clients to establish the instance's identity.

If the key is encrypted, specify the passphrase (net.ssl.PEMKeyPassword).

For example, consider the following configuration file for a mongod instance:

net:
   ssl:
      mode: requireSSL
      PEMKeyFile: /etc/ssl/mongodb.pem
systemLog:
   destination: file
   path: "/var/log/mongodb/mongod.log"
   logAppend: true
storage:
   dbPath: "/var/lib/mongodb"
processManagement:
   fork: true
net:
   bindIp: localhost,mongodb0.example.net
   port: 27017

Starting in MongoDB 4.0, you can use system SSL certificate stores for Windows and macOS. To use the system SSL certificate store, specify net.ssl.certificateSelector instead of specifying the certificate key file.

SettingNotes
net.ssl.mode

Set to requireSSL.

This setting restricts each server to use only TLS/SSL encrypted connections. You can also specify allowSSL or preferSSL to use mixed TLS/SSL modes. See net.ssl.mode for details.

net.ssl.certificateSelector

Set to the property (either subject or thumbprint) and value.

This setting is used to select the certificate. See net.ssl.certificateSelector for details.

For example, consider the following configuration file for a mongod instance:

net:
   ssl:
      mode: requireSSL
      certificateSelector: subject="<CertificateCommonName>"
systemLog:
   destination: file
   path: "/var/log/mongodb/mongod.log"
   logAppend: true
storage:
   dbPath: "/var/lib/mongodb"
processManagement:
   fork: true
net:
   bindIp: localhost,mongodb0.example.net
   port: 27017

A mongod instance that uses the above configuration can only use TLS/SSL connections:

mongod --config <path/to/configuration/file>

That is, clients must specify TLS/SSL connections. See Connect to MongoDB Instance Using Encryption (--ssl Options) for more information on connecting with TLS/SSL.

Tip提示
See also: 参阅:

You can also configure mongod and mongos using command-line options instead of the configuration file:

Set Up mongod and mongos with Client Certificate Validation

The following section configures mongod/mongos to use TLS/SSL connections and perform client certificate validation. With these TLS/SSL settings:

  • mongod/mongos presents its certificate key file to the client for verification.
  • mongod/mongos requires a certificate key file from the client to verify the client's identity.

To use TLS/SSL connections, include the following TLS/SSL settings in your mongod/mongos instance's configuration file:

Note注意

Starting in MongoDB 4.0, you can use system SSL certificate stores for Windows and macOS. To use the system SSL certificate store, specify net.ssl.certificateSelector instead of specifying the certificate key file.

SettingNotes
net.ssl.mode

Set to requireSSL.

This setting restricts each server to use only TLS/SSL encrypted connections. You can also specify allowSSL or preferSSL to use mixed TLS/SSL modes. See net.ssl.mode for details.

net.ssl.PEMKeyFile

Set to the .pem file that contains the TLS/SSL certificate and key.

The mongod/mongos instance presents this file to its clients to establish the instance's identity.

If the key is encrypted, specify the passphrase (net.ssl.PEMKeyPassword).

net.ssl.CAFile

Set to the path of the file that contains the certificate chain for verifying client certificates.

The mongod/mongos instance use this file to verify certificates presented by its clients. The certificate chain includes the certificate of the root Certificate Authority.

For example, consider the following configuration file for a mongod instance:

net:
   ssl:
      mode: requireSSL
      PEMKeyFile: /etc/ssl/mongodb.pem
      CAFile: /etc/ssl/caToValidateClientCertificates.pem
systemLog:
   destination: file
   path: "/var/log/mongodb/mongod.log"
   logAppend: true
storage:
   dbPath: "/var/lib/mongodb"
processManagement:
   fork: true
net:
   bindIp: localhost,mongodb0.example.net
   port: 27017

A mongod instance that uses the above configuration can only use TLS/SSL connections and requires valid certificate from its clients:

mongod --config <path/to/configuration/file>

That is, clients must specify TLS/SSL connections and presents its certificate key file to the instance. See Connect to MongoDB Instance that Requires Client Certificates (ssl Options) for more information on connecting with TLS/SSL.

Tip提示
See also: 参阅:

You can also configure mongod and mongos using command-line options instead of the configuration file:

Block Revoked Certificates for Clients

To prevent clients with revoked certificates from connecting to the mongod or mongos instance, you can use:

  • Online Certificate Status Protocol (OCSP)

    Starting in version 4.4, to check for certificate revocation, MongoDB enables the use of OCSP (Online Certificate Status Protocol) by default as an alternative to specifying a CRL file or using the system SSL certificate store.

    In versions 4.0 and 4.2, the use of OCSP is available only through the use of system certificate store on Windows or macOS.

  • Certificate Revocation List (CRL)

    To specify a CRL file, include net.ssl.CRLFile set to a file that contains revoked certificates.

    For Example:例如:

    net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/caToValidateClientCertificates.pem
    CRLFile: /etc/ssl/revokedCertificates.pem

    Clients who presents certificates that are listed in the /etc/ssl/revokedCertificates.pem will not be able to connect.

    Tip提示
    See also: 参阅:

    You can also configure the revoked certificate list using the command-line option.

Validate Only if a Client Presents a Certificate

In most cases, it is important to ensure that clients present valid certificates. However, if you have clients that cannot present a client certificate or are transitioning to using a certificate, you may only want to validate certificates from clients that present a certificate.

To bypass client certificate validation for clients that do not present a certificate, include net.ssl.allowConnectionsWithoutCertificates set to true.

For Example:例如:

net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/caToValidateClientCertificates.pem
    allowConnectionsWithoutCertificates: true

A mongod/mongos running with these settings allows connection from:

  • Clients that do not present a certificate.
  • Clients that present a valid certificate.
Note注意

If the client presents a certificate, the certificate must be a valid certificate.

All connections, including those that have not presented certificates, are encrypted using TLS/SSL.

See TLS/SSL Configuration for Clients for more information on TLS/SSL connections for clients.

Tip提示
See also: 参阅:

You can also configure using the command-line options:

Disallow Protocols

To prevent MongoDB servers from accepting incoming connections that use specific protocols, include net.ssl.disabledProtocols set to the disallowed protocols.

For example, the following configuration prevents mongod/mongos from accepting incoming connections that use either TLS1_0 or TLS1_1

net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/caToValidateClientCertificates.pem
    disabledProtocols: TLS1_0,TLS1_1
Tip提示
See also: 参阅:

You can also configure using the command-line options:

TLS/SSL Certificate Passphrase

If the certificate key files for mongod/mongos are encrypted, include net.ssl.PEMKeyPassword set to the passphrase.

Tip提示
See also: 参阅:

You can also configure using the command-line options:

Run in FIPS Mode

Note注意

FIPS-compatible TLS/SSL is available only in MongoDB Enterprise. See Configure MongoDB for FIPS for more information.

See Configure MongoDB for FIPS for more details.

Next Steps

To configure TLS/SSL support for clients, see TLS/SSL Configuration for Clients.

Tip提示
←  TLS/SSL (Transport Encryption)TLS/SSL Configuration for Clients →