The MongoDB server supports listening for both TLS/SSL encrypted and unencrypted connections on the same TCP port. This allows a MongoDB cluster to be upgraded to TLS/SSL encrypted connections without downtime.
Starting in version 4.0, MongoDB disables support for TLS 1.0 encryption on systems where TLS 1.1+ is available. For more details, see Disable TLS 1.0.
Procedure (Using tls Settings)
A full description of TLS/SSL, PKI (Public Key Infrastructure) certificates, and Certificate Authorities is beyond the scope of this document. This page assumes prior knowledge of TLS/SSL as well as access to valid certificates.
To upgrade from a MongoDB cluster using no TLS/SSL encryption to one using only TLS/SSL encryption, use the following rolling upgrade process.
The procedures in this section use the tls settings/options (available in MongoDB 4.2). For procedures using their ssl aliases, see Procedure (Using ssl Settings).
The tls settings/options provide identical functionality to the ssl options, since MongoDB has always supported TLS 1.0 and later.
For each node of the cluster, start the node with the command-line option --tlsMode or the configuration file option net.tls.mode set to allowTLS. The allowTLS setting allows the node to accept both TLS/SSL and non-TLS/non-SSL incoming connections. Its connections to other servers do not use TLS/SSL. Include other TLS/SSL options [2] as well as any other options that are required for your specific configuration.
Starting in MongoDB 3.6, mongod and mongos bind to localhost by default. If the members of your deployment run on different hosts, or if you want remote clients to connect to your deployment, you must specify --bind_ip or net.bindIp. For more information, see Localhost Binding Compatibility Changes.
For example:
mongod --replSet <name> --tlsMode allowTLS --tlsCertificateKeyFile <path to TLS/SSL certificate and key PEM file> --tlsCAFile <path to root CA PEM file> <additional options>
To specify these options in the configuration file, include the following settings in the file:
net:
   tls:
      mode: allowTLS
      certificateKeyFile: <path to TLS/SSL certificate and key PEM file>
      CAFile: <path to root CA PEM file>
Upgrade all nodes of the cluster to these settings.
For each node of the cluster, use the setParameter command to update the tlsMode to preferTLS. [1] With preferTLS as its net.tls.mode, the node accepts both TLS/SSL and non-TLS/non-SSL incoming connections, and its connections to other servers use TLS/SSL. For example:
db.adminCommand( { setParameter: 1, tlsMode: "preferTLS" } )
Upgrade all nodes of the cluster to these settings.
At this point, all connections should be using TLS/SSL.
For each node of the cluster, use the setParameter command to update the tlsMode to requireTLS. [1] With requireTLS as its net.tls.mode, the node rejects any non-TLS/non-SSL connections. For example:
db.adminCommand( { setParameter: 1, tlsMode: "requireTLS" } )
Procedure (Using ssl Settings)
A full description of TLS/SSL, PKI (Public Key Infrastructure) certificates, and Certificate Authorities is beyond the scope of this document. This page assumes prior knowledge of TLS/SSL as well as access to valid certificates.
To upgrade from a MongoDB cluster using no TLS/SSL encryption to one using only TLS/SSL encryption, use the following rolling upgrade process.
The procedures in this section use the ssl settings/options. For procedures using their tls aliases (available in MongoDB 4.2), see Procedure (Using tls Settings).
The tls settings/options provide identical functionality to the ssl options, since MongoDB has always supported TLS 1.0 and later.
For each node of the cluster, start the node with the command-line option --sslMode or the configuration file option net.ssl.mode set to allowSSL. The allowSSL setting allows the node to accept both TLS/SSL and non-TLS/non-SSL incoming connections. Its connections to other servers do not use TLS/SSL. Include other TLS/SSL options [2] as well as any other options that are required for your specific configuration.
Starting in MongoDB 3.6, mongod and mongos bind to localhost by default. If the members of your deployment run on different hosts, or if you want remote clients to connect to your deployment, you must specify --bind_ip or net.bindIp. For more information, see Localhost Binding Compatibility Changes.
For example:
mongod --replSet <name> --sslMode allowSSL --sslPEMKeyFile <path to TLS/SSL Certificate and key PEM file> --sslCAFile <path to root CA PEM file> <additional options>
To specify these options in the configuration file, include the following settings in the file:
net:
   ssl:
      mode: allowSSL
      PEMKeyFile: <path to TLS/SSL certificate and key PEM file>
      CAFile: <path to root CA PEM file>
Upgrade all nodes of the cluster to these settings.
For each node of the cluster, use the setParameter command to update the sslMode to preferSSL. [1] With preferSSL as its net.ssl.mode, the node accepts both TLS/SSL and non-TLS/non-SSL incoming connections, and its connections to other servers use TLS/SSL. For example:
db.adminCommand( { setParameter: 1, sslMode: "preferSSL" } )
Upgrade all nodes of the cluster to these settings.
At this point, all connections should be using TLS/SSL.
For each node of the cluster, use the setParameter command to update the sslMode to requireSSL. [1] With requireSSL as its net.ssl.mode, the node rejects any non-TLS/non-SSL connections. For example:
db.adminCommand( { setParameter: 1, sslMode: "requireSSL" } )
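The two runtime steps above (preferTLS/preferSSL, then requireTLS/requireSSL) only work cluster-wide if every node has completed the previous step first; a node left at allowTLS loses its intra-cluster connections once its peers start requiring TLS. The helper below is an added example, not code from the MongoDB documentation: it drives the setParameter sequence across a list of hosts and refuses to raise any node's mode until all nodes report the prerequisite mode. It assumes a `run_command(host, command_doc)` callable returning the server reply (with pymongo this would be `lambda host, cmd: MongoClient(host).admin.command(cmd)`), that `tlsMode` can be read back via getParameter, and uses a constructed in-memory FakeCluster so it runs offline; for the ssl aliases, substitute `sslMode`/`preferSSL`/`requireSSL`.

```python
# Added example, not from the MongoDB docs: walks the allowTLS -> preferTLS
# -> requireTLS sequence with setParameter and refuses to raise any node until
# every node already sits at the prerequisite mode. `run_command` is an
# assumed callable (host, command_doc) -> reply dict; with pymongo it would be
# lambda host, cmd: MongoClient(host).admin.command(cmd)
ORDER = ["disabled", "allowTLS", "preferTLS", "requireTLS"]

def current_mode(host, run_command):
    """Read tlsMode back from one node (assumes getParameter exposes it)."""
    return run_command(host, {"getParameter": 1, "tlsMode": 1})["tlsMode"]

def set_mode(host, mode, run_command):
    """The setParameter call from the page, read back to confirm it stuck."""
    run_command(host, {"setParameter": 1, "tlsMode": mode})
    got = current_mode(host, run_command)
    if got != mode:
        raise RuntimeError(f"{host}: asked for {mode}, server reports {got}")
    return got

def rolling_upgrade_step(hosts, target, run_command):
    """Move every node to `target` (preferTLS or requireTLS); refused unless
    all nodes are already at the mode one step below `target`.
    Returns the hosts actually changed (nodes already at `target` are skipped)."""
    if target not in ("preferTLS", "requireTLS"):
        raise ValueError("only preferTLS and requireTLS are set at runtime")
    need = ORDER.index(target) - 1
    level = {h: ORDER.index(current_mode(h, run_command)) for h in hosts}
    lagging = [h for h, lvl in level.items() if lvl < need]
    if lagging:
        raise RuntimeError(f"nodes not yet at {ORDER[need]}: {lagging}")
    changed = []
    for h in hosts:
        if level[h] < ORDER.index(target):   # skip nodes already there
            set_mode(h, target, run_command)
            changed.append(h)
    return changed

class FakeCluster:
    """Constructed in-memory stand-in for a replica set, so the helper runs
    offline; only the tlsMode get/set round trip is modelled."""
    def __init__(self, modes):
        self.modes = dict(modes)

    def run_command(self, host, cmd):
        if "setParameter" in cmd:
            self.modes[host] = cmd["tlsMode"]
            return {"ok": 1}
        return {"tlsMode": self.modes[host], "ok": 1}
```

Against a real deployment, pass a pymongo-backed `run_command` and the replica set's host list; the RuntimeError on a lagging node is the signal to finish the earlier step on that node before continuing.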
[1] As an alternative to the setParameter command, you can also restart the nodes with the appropriate TLS/SSL options and values.
[2]