TLS/SSL Configuration for Clients


Clients must have support for TLS/SSL to connect to a mongod or mongos instance that requires TLS/SSL connections.

Note

  • The Linux 64-bit legacy x64 binaries of MongoDB do not include support for TLS/SSL.
  • Starting in version 4.0, MongoDB disables support for TLS 1.0 encryption on systems where TLS 1.1+ is available. For more details, see Disable TLS 1.0.
Important

A full description of TLS/SSL, PKI (Public Key Infrastructure) certificates, and Certificate Authorities is beyond the scope of this document. This page assumes prior knowledge of TLS/SSL as well as access to valid certificates.

mongosh Configuration (Using tls Options)

Note

Starting in version 4.2, MongoDB provides tls options that correspond to the ssl options. The tls options provide identical functionality to the ssl options, since MongoDB has always supported TLS 1.0 and later.

The procedures in this section use the tls options. For procedures using their ssl aliases, see mongosh Configuration (Using ssl Options).

mongosh provides various TLS/SSL settings, including:

TLS Option (New in 4.2) / Notes

  • --tls
    Enables a TLS/SSL connection.

  • --tlsCertificateKeyFile
    Specifies the .pem file that contains mongosh's certificate and key to present to the mongod or mongos instance. This option is mutually exclusive with --tlsCertificateSelector.

    Changed in version 4.4: mongod / mongos logs a warning on connection if the presented x.509 certificate expires within 30 days of the mongod/mongos host system time. See x.509 Certificates Nearing Expiry Trigger Warnings for more information.

  • --tlsCertificateKeyFilePassword
    Specifies the password to decrypt mongosh's certificate key file, if that file is encrypted.

  • --tlsCAFile
    Specifies the Certificate Authority (CA) .pem file used to verify the certificate presented by the mongod or mongos instance.

  • --tlsCertificateSelector
    If running on Windows or macOS, use a certificate from the system certificate store (new in version 4.0). This option is mutually exclusive with --tlsCertificateKeyFile.

    Changed in version 4.4: as with --tlsCertificateKeyFile, mongod / mongos logs a warning on connection if the presented x.509 certificate expires within 30 days of the mongod/mongos host system time. See x.509 Certificates Nearing Expiry Trigger Warnings for more information.

For a complete list of mongosh's tls options, see TLS Options.

For TLS/SSL connections, mongosh validates the certificate presented by the mongod or mongos instance:

  • mongosh verifies that the certificate is from the specified Certificate Authority (--tlsCAFile). If the certificate is not from the specified CA, mongosh will fail to connect.
  • mongosh verifies that the hostname (specified in the --host option or the connection string) matches the SAN (or, if no SAN is present, the CN) in the certificate presented by the mongod or mongos. If a SAN is present, mongosh does not match against the CN. If the hostname does not match the SAN (or CN), mongosh will fail to connect.

    Starting in MongoDB 4.2, when comparing the SAN, MongoDB supports comparison of DNS names or IP addresses. In previous versions, MongoDB only supports comparison of DNS names.

    To connect mongosh to a mongod or mongos that requires TLS/SSL, specify the --host option or use a connection string to specify the hostname. All other TLS/SSL options must be specified as command-line options.

Connect to MongoDB Instance Using Encryption (tls Options)

Note

The procedure uses the tls options (available starting in MongoDB 4.2). For procedures using their ssl aliases, see mongosh Configuration (Using ssl Options).

To connect to a mongod or mongos instance that requires encrypted communication, start mongosh with:

  • --tls
  • --host and --tlsCAFile to validate the server certificate.

For example, consider a mongod instance running on hostname.example.com with the following options:

mongod --tlsMode requireTLS --tlsCertificateKeyFile <pem>

To connect to the instance, start mongosh with the following options:

mongosh --tls --host hostname.example.com --tlsCAFile /etc/ssl/caToValidateServerCertificates.pem

mongosh verifies the certificate presented by the mongod instance against the specified hostname and the CA file.

Connect to MongoDB Instance that Requires Client Certificates (tls Options)

Note

The procedure uses the tls options (available starting in MongoDB 4.2). For procedures using their ssl aliases, see mongosh Configuration (Using ssl Options).

To connect to a mongod or mongos that requires CA-signed client certificates, start mongosh with:

  • --tls
  • --host and --tlsCAFile to validate the server certificate,
  • --tlsCertificateKeyFile to specify the client certificate to present to the server.

For example, consider a mongod instance running on hostname.example.com with the following options:

mongod --tlsMode requireTLS --tlsCertificateKeyFile /etc/ssl/mongodb.pem --tlsCAFile /etc/ssl/caToValidateClientCertificates.pem

To connect to the instance, start mongosh with the following options:

mongosh --tls --host hostname.example.com --tlsCertificateKeyFile /etc/ssl/client.pem --tlsCAFile /etc/ssl/caToValidateServerCertificates.pem

On Windows and macOS, you can also use the --tlsCertificateSelector option to specify the client certificate from the system certificate store instead of using --tlsCertificateKeyFile. If the CA certificate is also in the system certificate store, you can omit the --tlsCAFile option as well. For example, to use a certificate with the CN (Common Name) myclient.example.net and the CA certificate from the system certificate store on macOS, start mongosh with the following options:

mongosh --tls --host hostname.example.com --tlsCertificateSelector subject="myclient.example.net"

Although still available, mongosh's --ssl, --sslCAFile, --sslPEMKeyFile, and --sslCertificateSelector options are deprecated as of MongoDB 4.2.

Avoid Use of --tlsAllowInvalidCertificates Option

Warning

Although available, avoid using the --tlsAllowInvalidCertificates option if possible. If the use of --tlsAllowInvalidCertificates is necessary, use it only on systems where an attacker cannot intercept or impersonate the connection.

If mongosh runs with the --tlsAllowInvalidCertificates option, mongosh does not attempt to validate the server certificate at all. This leaves the connection open to expired mongod and mongos certificates and to foreign processes posing as a valid mongod or mongos instance, which can then read or modify the traffic and capture credentials. If you only need to disable validation of the hostname in the TLS/SSL certificate, use --tlsAllowInvalidHostnames instead; it leaves the CA check in place.

mongosh Configuration (Using ssl Options)

mongosh provides various TLS/SSL settings, including:

SSL Option (Deprecated in 4.2) / Notes

  • --ssl
    Enables a TLS/SSL connection.

  • --sslPEMKeyFile
    Specifies the .pem file that contains mongosh's certificate and key to present to the mongod or mongos instance.

  • --sslPEMKeyPassword
    Specifies the password to decrypt mongosh's certificate key file, if that file is encrypted.

  • --sslCAFile
    Specifies the Certificate Authority (CA) .pem file used to verify the certificate presented by the mongod or mongos instance.

  • --sslCertificateSelector
    If running on Windows or macOS, use a certificate from the system certificate store (new in version 4.0).

For a complete list of ssl options, see SSL Options.

For TLS/SSL connections, mongosh validates the certificate presented by the mongod or mongos instance:

  • mongosh verifies that the certificate is from the specified Certificate Authority (--sslCAFile). If the certificate is not from the specified CA, mongosh will fail to connect.
  • mongosh verifies that the hostname (specified in the --host option or the connection string) matches the SAN (or, if no SAN is present, the CN) in the certificate presented by the mongod or mongos. If a SAN is present, mongosh does not match against the CN. If the hostname does not match the SAN (or CN), mongosh will fail to connect.

    Starting in MongoDB 4.2, when comparing the SAN, MongoDB supports comparison of DNS names or IP addresses. In previous versions, MongoDB only supports comparison of DNS names.

    To connect mongosh to a mongod or mongos that requires TLS/SSL, specify the --host option or use a connection string to specify the hostname. All other TLS/SSL options must be specified as command-line options.

Connect to MongoDB Instance Using Encryption (ssl Options)

Note

The procedure uses the ssl options. For procedures using the tls aliases (available starting in MongoDB 4.2), see mongosh Configuration (Using tls Options).

To connect to a mongod or mongos instance that requires encrypted communication, start mongosh with:

  • --ssl
  • --host and --sslCAFile to validate the server certificate.

For example, consider a mongod instance running on hostname.example.com with the following options:

mongod --sslMode requireSSL --sslPEMKeyFile <pem>

To connect to the instance, start mongosh with the following options:

mongosh --ssl --host hostname.example.com --sslCAFile /etc/ssl/caToValidateServerCertificates.pem

mongosh verifies the certificate presented by the mongod instance against the specified hostname and the CA file.

Connect to MongoDB Instance that Requires Client Certificates (ssl Options)

Note

The procedure uses the ssl options. For procedures using the tls aliases (available starting in MongoDB 4.2), see mongosh Configuration (Using tls Options).

To connect to a mongod or mongos that requires CA-signed client certificates, start mongosh with:

  • --ssl
  • --host and --sslCAFile to validate the server certificate,
  • --sslPEMKeyFile to specify the client certificate to present to the server.

For example, consider a mongod instance running on hostname.example.com with the following options:

mongod --sslMode requireSSL --sslPEMKeyFile /etc/ssl/mongodb.pem --sslCAFile /etc/ssl/ca.pem

To connect to the instance, start mongosh with the following options:

mongosh --ssl --host hostname.example.com --sslPEMKeyFile /etc/ssl/client.pem --sslCAFile /etc/ssl/ca.pem

On Windows and macOS, you can also use the --sslCertificateSelector option to specify the client certificate from the system certificate store instead of using --sslPEMKeyFile. If the CA certificate is also in the system certificate store, you can omit the --sslCAFile option as well. For example, to use a certificate with the CN (Common Name) myclient.example.net and the CA certificate from the system certificate store on macOS, start mongosh with the following options:

mongosh --ssl --host hostname.example.com --sslCertificateSelector subject=myclient.example.net

Avoid Use of --sslAllowInvalidCertificates Option

Warning

Although available, avoid using the --sslAllowInvalidCertificates option if possible. If the use of --sslAllowInvalidCertificates is necessary, use it only on systems where an attacker cannot intercept or impersonate the connection.

If mongosh (or another MongoDB tool) runs with the --sslAllowInvalidCertificates option, it does not attempt to validate the server certificate at all. This leaves the connection open to expired mongod and mongos certificates and to foreign processes posing as a valid mongod or mongos instance, which can then read or modify the traffic and capture credentials. If you only need to disable validation of the hostname in the TLS/SSL certificate, use --sslAllowInvalidHostnames instead; it leaves the CA check in place.

MongoDB Atlas, MongoDB Cloud Manager and MongoDB Ops Manager

MongoDB Atlas uses TLS/SSL to encrypt the connections to your databases.

The MongoDB Cloud Manager and Ops Manager Monitoring agents use encrypted communication to gather their statistics. Because the agents already encrypt communications to the MongoDB Cloud Manager/Ops Manager servers, enabling TLS/SSL support in MongoDB Cloud Manager/Ops Manager is a per-host setting.

MongoDB Drivers

The MongoDB Drivers support encrypted communication.

MongoDB Tools

Various MongoDB utility programs support encrypted communication. To use encrypted communication with these tools, use the same ssl options as mongosh. See mongosh Configuration (Using ssl Options).