Configuration File Options配置文件选项

Externally Sourced Values外部来源值

The following expansion directives are available:以下扩展指令可用：

For complete documentation, see Externally Sourced Configuration File Values.有关完整文档，请参阅外部源配置文件值。

Expansion Directives and 扩展指令和--configExpand

If you are using expansion directives in the configuration file, you must include the --configExpand option when starting the mongod or mongos. 如果在配置文件中使用扩展指令，则在启动mongod或mongos时必须包含--configExpand选项。For example:例如：

mongod --config /etc/mongod.conf  --configExpand "rest,exec"
mongos --config /etc/mongos.conf  --configExpand "rest,exec"

If the configuration file includes an expansion directive and you start the mongod / mongos without specifying that directive in the --configExpand option, the mongod / mongos fails to start.如果配置文件包含一个扩展指令，并且您在没有在--configExpand选项中指定该指令的情况下启动mongod/mongos，则mongod/mongos无法启动。

For complete documentation, see Externally Sourced Configuration File Values.有关完整文档，请参阅外部源配置文件值。

systemLog.component Options

systemLog:
   component:
      accessControl:
         verbosity: <int>
      command:
         verbosity: <int>

      # COMMENT some component verbosity settings omitted for brevity

      replication:
         verbosity: <int>
         election:
            verbosity: <int>
         heartbeats:
            verbosity: <int>
         initialSync:
            verbosity: <int>
         rollback:
            verbosity: <int>
      storage:
         verbosity: <int>
         journal:
            verbosity: <int>
         recovery:
            verbosity: <int>
      write:
         verbosity: <int>

systemLog.component.accessControl.verbosity

Type: integer

Default: 0

The log message verbosity level for components related to access control. 与访问控制相关的组件的日志消息详细级别。See ACCESS components.请参阅ACCESS组件。

The verbosity level can range from 0 to 5:详细程度级别可以在0到5之间：

• 0 is the MongoDB's default log verbosity level, to include Informational messages.0是MongoDB的默认日志详细级别，包括信息消息。
• 1 to 5 increases the verbosity level to include Debug messages.1到5增加了详细级别以包括调试消息。

systemLog.component.command.verbosity

Type: integer

Default: 0

The log message verbosity level for components related to commands. 与命令相关的组件的日志消息详细级别。See COMMAND components.请参见COMMAND组件。

The verbosity level can range from 0 to 5:详细程度级别可以在0到5之间：

• 0 is the MongoDB's default log verbosity level, to include Informational messages.0是MongoDB的默认日志详细级别，包括信息消息。
• 1 to 5 increases the verbosity level to include Debug messages.1到5增加了详细级别以包括调试消息。

systemLog.component.control.verbosity

Type: integer

Default: 0

The log message verbosity level for components related to control operations. 与控制操作相关的组件的日志消息详细级别。See CONTROL components.请参阅CONTROL组件。

The verbosity level can range from 0 to 5:详细程度级别可以在0到5之间：

• 0 is the MongoDB's default log verbosity level, to include Informational messages.0是MongoDB的默认日志详细级别，包括信息消息。
• 1 to 5 increases the verbosity level to include Debug messages.1到5增加了详细级别以包括调试消息。

systemLog.component.ftdc.verbosity

Type: integer

Default: 0

The log message verbosity level for components related to diagnostic data collection operations. See FTDC components.与诊断数据集合操作相关的组件的日志消息详细级别。请参阅FTDC组件。

The verbosity level can range from 0 to 5:详细程度级别可以在0到5之间：

• 0 is the MongoDB's default log verbosity level, to include Informational messages.0是MongoDB的默认日志详细级别，包括信息消息。
• 1 to 5 increases the verbosity level to include Debug messages.1到5增加了详细级别以包括调试消息。

systemLog.component.geo.verbosity

Type: integer

Default: 0

The log message verbosity level for components related to geospatial parsing operations. 与地理空间分析操作相关的组件的日志消息详细级别。See GEO components.请参见GEO组件。

The verbosity level can range from 0 to 5:详细程度级别可以在0到5之间：

• 0 is the MongoDB's default log verbosity level, to include Informational messages.0是MongoDB的默认日志详细级别，包括信息消息。
• 1 to 5 increases the verbosity level to include Debug messages.1到5增加了详细级别以包括调试消息。

systemLog.component.index.verbosity

Type: integer

Default: 0

The log message verbosity level for components related to indexing operations. 与索引操作相关的组件的日志消息详细级别。See INDEX components.请参见INDEX组件。

The verbosity level can range from 0 to 5:详细程度级别可以在0到5之间：

• 0 is the MongoDB's default log verbosity level, to include Informational messages.0是MongoDB的默认日志详细级别，包括信息消息。
• 1 to 5 increases the verbosity level to include Debug messages.1到5增加了详细级别以包括调试消息。

systemLog.component.network.verbosity

Type: integer

Default: 0

The log message verbosity level for components related to networking operations. 与网络操作相关的组件的日志消息详细级别。See NETWORK components.请参阅NETWORK组件。

The verbosity level can range from 0 to 5:详细程度级别可以在0到5之间：

• 0 is the MongoDB's default log verbosity level, to include Informational messages.0是MongoDB的默认日志详细级别，包括信息消息。
• 1 to 5 increases the verbosity level to include Debug messages.1到5增加了详细级别以包括调试消息。

systemLog.component.query.verbosity

Type: integer

Default: 0

The log message verbosity level for components related to query operations. 与查询操作相关的组件的日志消息详细级别。See QUERY components.请参阅QUERY组件。

The verbosity level can range from 0 to 5:详细程度级别可以在0到5之间：

• 0 is the MongoDB's default log verbosity level, to include Informational messages.0是MongoDB的默认日志详细级别，包括信息消息。
• 1 to 5 increases the verbosity level to include Debug messages.1到5增加了详细级别以包括调试消息。

systemLog.component.replication.verbosity

Type: integer

Default: 0

The log message verbosity level for components related to replication. 与复制相关的组件的日志消息详细级别。See REPL components.请参见REPL组件。

The verbosity level can range from 0 to 5:详细程度级别可以在0到5之间：

• 0 is the MongoDB's default log verbosity level, to include Informational messages.0是MongoDB的默认日志详细级别，包括信息消息。
• 1 to 5 increases the verbosity level to include Debug messages.1到5增加了详细级别以包括调试消息。

systemLog.component.replication.election.verbosity

Type: integer

Default: 0

New in version 4.2. 4.2版新增。

The log message verbosity level for components related to election. See ELECTION components.与选举相关的组件的日志消息详细级别。请参见ELECTION组件。

If systemLog.component.replication.election.verbosity is unset, systemLog.component.replication.verbosity level also applies to election components.如果未设置systemLog.component.replication.election.verbosity，则systemLog.component.replication.verbosity级别也适用于选举组件。

The verbosity level can range from 0 to 5:详细程度级别可以在0到5之间：

• 0 is the MongoDB's default log verbosity level, to include Informational messages.0是MongoDB的默认日志详细级别，包括信息消息。
• 1 to 5 increases the verbosity level to include Debug messages.1到5增加了详细级别以包括调试消息。

systemLog.component.replication.heartbeats.verbosity

Type: integer

Default: 0

The log message verbosity level for components related to heartbeats. 与检测信号相关的组件的日志消息详细级别。See REPL_HB components.请参见REPL_HB组件。

If systemLog.component.replication.heartbeats.verbosity is unset, systemLog.component.replication.verbosity level also applies to heartbeats components.如果未设置systemLog.component.replication.heartbeats.verbosity，则systemLog.component.replication.verbosity级别也适用于检测信号组件。

The verbosity level can range from 0 to 5:详细程度级别可以在0到5之间：

• 0 is the MongoDB's default log verbosity level, to include Informational messages.0是MongoDB的默认日志详细级别，包括信息消息。
• 1 to 5 increases the verbosity level to include Debug messages.1到5增加了详细级别以包括调试消息。

systemLog.component.replication.initialSync.verbosity

Type: integer

Default: 0

New in version 4.2. 4.2版新增。

The log message verbosity level for components related to initialSync. 与initialSync相关的组件的日志消息详细级别。See INITSYNC components.请参阅INITSYNC组件。

If systemLog.component.replication.initialSync.verbosity is unset, systemLog.component.replication.verbosity level also applies to initialSync components.如果未设置systemLog.component.replication.initialSync.verbosity，则systemLog.component.replication.verbosity级别也适用于initialSync组件。

The verbosity level can range from 0 to 5:详细程度级别可以在0到5之间：

• 0 is the MongoDB's default log verbosity level, to include Informational messages.0是MongoDB的默认日志详细级别，包括信息消息。
• 1 to 5 increases the verbosity level to include Debug messages.1到5增加了详细级别以包括调试消息。

systemLog.component.replication.rollback.verbosity

Type: integer

Default: 0

The log message verbosity level for components related to rollback. 与回滚相关的组件的日志消息详细级别。See ROLLBACK components.请参见ROLLBACK组件。

If systemLog.component.replication.rollback.verbosity is unset, systemLog.component.replication.verbosity level also applies to rollback components.如果未设置systemLog.component.replication.rollback.verbosity，则systemLog.component.replication.verbosity级别也适用于回滚组件。

The verbosity level can range from 0 to 5:详细程度级别可以在0到5之间：

• 0 is the MongoDB's default log verbosity level, to include Informational messages.0是MongoDB的默认日志详细级别，包括信息消息。
• 1 to 5 increases the verbosity level to include Debug messages.1到5增加了详细级别以包括调试消息。

systemLog.component.sharding.verbosity

Type: integer

Default: 0

The log message verbosity level for components related to sharding. 与分片相关的组件的日志消息详细级别。See SHARDING components.请参阅SHARDING组件。

The verbosity level can range from 0 to 5:详细程度级别可以在0到5之间：

• 0 is the MongoDB's default log verbosity level, to include Informational messages.0是MongoDB的默认日志详细级别，包括信息消息。
• 1 to 5 increases the verbosity level to include Debug messages.1到5增加了详细级别以包括调试消息。

systemLog.component.storage.verbosity

Type: integer

Default: 0

The log message verbosity level for components related to storage. 与存储相关的组件的日志消息详细级别。See STORAGE components.请参阅STORAGE组件。

If systemLog.component.storage.journal.verbosity is unset, systemLog.component.storage.verbosity level also applies to journaling components.如果未设置systemLog.component.storage.journal.verbosity，则systemLog.component.storage.verbosity级别也适用于日志组件。

The verbosity level can range from 0 to 5:详细程度级别可以在0到5之间：

• 0 is the MongoDB's default log verbosity level, to include Informational messages.0是MongoDB的默认日志详细级别，包括信息消息。
• 1 to 5 increases the verbosity level to include Debug messages.1到5增加了详细级别以包括调试消息。

systemLog.component.storage.journal.verbosity

Type: integer

Default: 0

The log message verbosity level for components related to journaling. 与日志记录相关的组件的日志消息详细级别。See JOURNAL components.请参阅JOURNAL组件。

If systemLog.component.storage.journal.verbosity is unset, the journaling components have the same verbosity level as the parent storage components: i.e. either the systemLog.component.storage.verbosity level if set or the default verbosity level.如果未设置systemLog.component.storage.journal.verbosity，则日志记录组件与父存储组件具有相同的详细级别：即，如果设置了systemLog.component.storage.verbosity级别，则为默认详细级别。

The verbosity level can range from 0 to 5:详细程度级别可以在0到5之间：

• 0 is the MongoDB's default log verbosity level, to include Informational messages.0是MongoDB的默认日志详细级别，包括信息消息。
• 1 to 5 increases the verbosity level to include Debug messages.1到5增加了详细级别以包括调试消息。

systemLog.component.storage.recovery.verbosity

Type: integer

Default: 0

New in version 4.0. 4.0版新增。

The log message verbosity level for components related to recovery. 与恢复相关的组件的日志消息详细级别。See RECOVERY components.请参阅RECOVERY组件。

If systemLog.component.storage.recovery.verbosity is unset, systemLog.component.storage.verbosity level also applies to recovery components.如果未设置systemLog.component.storage.recovery.verbosity，则systemLog.component.storage.verbosity级别也适用于恢复组件。

The verbosity level can range from 0 to 5:详细程度级别可以在0到5之间：

• 0 is the MongoDB's default log verbosity level, to include Informational messages.0是MongoDB的默认日志详细级别，包括信息消息。
• 1 to 5 increases the verbosity level to include Debug messages.1到5增加了详细级别以包括调试消息。

systemLog.component.storage.wt.verbosity

Type: integer

Default: -1

New in version 5.3. 5.3版新增。

The log message verbosity level for components related to the WiredTiger storage engine. 与WiredTiger存储引擎相关的组件的日志消息详细级别。See WT components.请参见WT组件。

The verbosity level can range from 0 to 5:详细程度级别可以在0到5之间：

• 0 is the MongoDB's default log verbosity level, to include Informational messages.0是MongoDB的默认日志详细级别，包括信息消息。
• 1 to 5 increases the verbosity level to include Debug messages.1到5增加了详细级别以包括调试消息。

systemLog.component.storage.wt.wtBackup.verbosity

Type: integer

Default: -1

New in version 5.3. 5.3版新增。

The log message verbosity level for components related to backup operations performed by the WiredTiger storage engine. See WTBACKUP components.与WiredTiger存储引擎执行的备份操作相关的组件的日志消息详细级别。请参阅WTBACKUP组件。

The verbosity level can range from 0 to 5:详细程度级别可以在0到5之间：

• 0 is the MongoDB's default log verbosity level, to include Informational messages.0是MongoDB的默认日志详细级别，包括信息消息。
• 1 to 5 increases the verbosity level to include Debug messages.1到5增加了详细级别以包括调试消息。

systemLog.component.storage.wt.wtCheckpoint.verbosity

Type: integer

Default: -1

New in version 5.3. 5.3版新增。

The log message verbosity for components related to checkpoint operations performed by the WiredTiger storage engine. 与WiredTiger存储引擎执行的检查点操作相关的组件的日志消息详细信息。See WTCHKPT components.请参见WTCHKPT组件。

The verbosity level can range from 0 to 5:详细程度级别可以在0到5之间：

• 0 is the MongoDB's default log verbosity level, to include Informational messages.0是MongoDB的默认日志详细级别，包括信息消息。
• 1 to 5 increases the verbosity level to include Debug messages.1到5增加了详细级别以包括调试消息。

systemLog.component.storage.wt.wtCompact.verbosity

Type: integer

Default: -1

New in version 5.3. 5.3版新增。

The log message verbosity for components related to compaction operations performed by the WiredTiger storage engine. 与WiredTiger存储引擎执行的压缩操作相关的组件的日志消息详细信息。See WTCMPCT components.请参阅WTCMPCT组件。

The verbosity level can range from 0 to 5:详细程度级别可以在0到5之间：

• 0 is the MongoDB's default log verbosity level, to include Informational messages.0是MongoDB的默认日志详细级别，包括信息消息。
• 1 to 5 increases the verbosity level to include Debug messages.1到5增加了详细级别以包括调试消息。

systemLog.component.storage.wt.wtEviction.verbosity

Type: integer

Default: -1

New in version 5.3. 5.3版新增。

The log message verbosity for components related to eviction operations performed by the WiredTiger storage engine. 与WiredTiger存储引擎执行的逐出操作相关的组件的日志消息详细信息。See WTEVICT components.请参阅WTEVICT组件。

The verbosity level can range from 0 to 5:详细程度级别可以在0到5之间：

• 0 is the MongoDB's default log verbosity level, to include Informational messages.0是MongoDB的默认日志详细级别，包括信息消息。
• 1 to 5 increases the verbosity level to include Debug messages.1到5增加了详细级别以包括调试消息。

systemLog.component.storage.wt.wtHS.verbosity

Type: integer

Default: -1

New in version 5.3. 5.3版新增。

The log message verbosity for components related to history store operations performed by the WiredTiger storage engine. 与WiredTiger存储引擎执行的历史存储操作相关的组件的日志消息详细信息。See WTHS components.请参阅WTHS组件。

The verbosity level can range from 0 to 5:详细程度级别可以在0到5之间：

• 0 is the MongoDB's default log verbosity level, to include Informational messages.0是MongoDB的默认日志详细级别，包括信息消息。
• 1 to 5 increases the verbosity level to include Debug messages.1到5增加了详细级别以包括调试消息。

systemLog.component.storage.wt.wtRecovery.verbosity

Type: integer

Default: -1

New in version 5.3. 5.3版新增。

The log message verbosity for components related to recovery operations performed by the WiredTiger storage engine. 与WiredTiger存储引擎执行的恢复操作相关的组件的日志消息详细信息。See WTRECOV components.请参阅WTRECOV组件。

The verbosity level can range from 0 to 5:详细程度级别可以在0到5之间：

• 0 is the MongoDB's default log verbosity level, to include Informational messages.0是MongoDB的默认日志详细级别，包括信息消息。
• 1 to 5 increases the verbosity level to include Debug messages.1到5增加了详细级别以包括调试消息。

systemLog.component.storage.wt.wtRTS.verbosity

Type: integer

Default: -1

New in version 5.3. 5.3版新增。

The log message verbosity for components related to rollback to stable (RTS) operations performed by the WiredTiger storage engine. 与WiredTiger存储引擎执行的回滚到稳定（RTS）操作相关的组件的日志消息详细信息。See WTRTS components.请参阅WTRTS组件。

The verbosity level can range from 0 to 5:详细程度级别可以在0到5之间：

• 0 is the MongoDB's default log verbosity level, to include Informational messages.0是MongoDB的默认日志详细级别，包括信息消息。
• 1 to 5 increases the verbosity level to include Debug messages.1到5增加了详细级别以包括调试消息。

systemLog.component.storage.wt.wtSalvage.verbosity

Type: integer

Default: -1

New in version 5.3. 5.3版新增。

The log message verbosity for components related to salvage operations performed by the WiredTiger storage engine. 与WiredTiger存储引擎执行的回收操作相关的组件的日志消息详细信息。See WTSLVG components.请参阅WTSLVG组件。

The verbosity level can range from 0 to 5:详细程度级别可以在0到5之间：

• 0 is the MongoDB's default log verbosity level, to include Informational messages.0是MongoDB的默认日志详细级别，包括信息消息。
• 1 to 5 increases the verbosity level to include Debug messages.1到5增加了详细级别以包括调试消息。

systemLog.component.storage.wt.wtTiered.verbosity

Type: integer

Default: -1

New in version 5.3. 5.3版新增。

The log message verbosity for components related to tiered storage operations performed by the WiredTiger storage engine.与WiredTiger存储引擎执行的分层存储操作相关的组件的日志消息详细信息。 See WTTIER components.请参阅WTTIER组件。

The verbosity level can range from 0 to 5:详细程度级别可以在0到5之间：

• 0 is the MongoDB's default log verbosity level, to include Informational messages.0是MongoDB的默认日志详细级别，包括信息消息。
• 1 to 5 increases the verbosity level to include Debug messages.1到5增加了详细级别以包括调试消息。

systemLog.component.storage.wt.wtTimestamp.verbosity

Type: integer

Default: -1

New in version 5.3. 5.3版新增。

The log message verbosity for components related to timestamps used by the WiredTiger storage engine. 与WiredTiger存储引擎使用的时间戳相关的组件的日志消息详细信息。See WTTS components.请参阅WTTS组件。

The verbosity level can range from 0 to 5:详细程度级别可以在0到5之间：

• 0 is the MongoDB's default log verbosity level, to include Informational messages.0是MongoDB的默认日志详细级别，包括信息消息。
• 1 to 5 increases the verbosity level to include Debug messages.1到5增加了详细级别以包括调试消息。

systemLog.component.storage.wt.wtTransaction.verbosity

Type: integer

Default: -1

New in version 5.3. 5.3版新增。

The log message verbosity for components related to transaction operations performed by the WiredTiger storage engine. 与WiredTiger存储引擎执行的事务操作相关的组件的日志消息详细信息。See WTTXN components.请参阅WTTXN组件。

The verbosity level can range from 0 to 5:详细程度级别可以在0到5之间：

• 0 is the MongoDB's default log verbosity level, to include Informational messages.0是MongoDB的默认日志详细级别，包括信息消息。
• 1 to 5 increases the verbosity level to include Debug messages.1到5增加了详细级别以包括调试消息。

systemLog.component.storage.wt.wtVerify.verbosity

Type: integer

Default: -1

New in version 5.3. 5.3版新增。

The log message verbosity for components related to verification operations performed by the WiredTiger storage engine. 与WiredTiger存储引擎执行的验证操作相关的组件的日志消息详细信息。See WTVRFY components.请参阅WTVRFY组件。

The verbosity level can range from 0 to 5:详细程度级别可以在0到5之间：

• 0 is the MongoDB's default log verbosity level, to include Informational messages.0是MongoDB的默认日志详细级别，包括信息消息。
• 1 to 5 increases the verbosity level to include Debug messages.1到5增加了详细级别以包括调试消息。

systemLog.component.storage.wt.wtWriteLog.verbosity

Type: integer

Default: -1

New in version 5.3. 5.3版新增。

The log message verbosity for components related to log write operations performed by the WiredTiger storage engine. 与WiredTiger存储引擎执行的日志写入操作相关的组件的日志消息详细信息。See WTWRTLOG components.请参阅WTWRTLOG组件。

The verbosity level can range from 0 to 5:详细程度级别可以在0到5之间：

• 0 is the MongoDB's default log verbosity level, to include Informational messages.0是MongoDB的默认日志详细级别，包括信息消息。
• 1 to 5 increases the verbosity level to include Debug messages.1到5增加了详细级别以包括调试消息。

systemLog.component.transaction.verbosity

Type: integer

Default: 0

New in version 4.0.2. 4.0.2版新增。

The log message verbosity level for components related to transaction. 与事务相关的组件的日志消息详细级别。See TXN components.请参阅TXN组件。

The verbosity level can range from 0 to 5:详细程度级别可以在0到5之间：

• 0 is the MongoDB's default log verbosity level, to include Informational messages.0是MongoDB的默认日志详细级别，包括信息消息。
• 1 to 5 increases the verbosity level to include Debug messages.1到5增加了详细级别以包括调试消息。

systemLog.component.write.verbosity

Type: integer

Default: 0

The log message verbosity level for components related to write operations. 与写入操作相关的组件的日志消息详细级别。See WRITE components.请参阅WRITE组件。

The verbosity level can range from 0 to 5:详细程度级别可以在0到5之间：

• 0 is the MongoDB's default log verbosity level, to include Informational messages.0是MongoDB的默认日志详细级别，包括信息消息。
• 1 to 5 increases the verbosity level to include Debug messages.1到5增加了详细级别以包括调试消息。

net.unixDomainSocket Options

net:
   unixDomainSocket:
      enabled: <boolean>
      pathPrefix: <string>
      filePermissions: <int>

net.unixDomainSocket.enabled

Type: boolean

Default: true

Enable or disable listening on the UNIX domain socket. 启用或禁用对UNIX域套接字的侦听。net.unixDomainSocket.enabled applies only to Unix-based systems.仅适用于基于Unix的系统。

When net.unixDomainSocket.enabled is true, mongos or mongod listens on the UNIX socket.当net.unixDomainSocket.enabled为true时，mongos或mongod侦听UNIX套接字。

The mongos or mongod process always listens on the UNIX socket unless one of the following is true:mongos或mongod进程始终侦听UNIX套接字，除非以下情况之一为真：

• net.unixDomainSocket.enabled is 为false
• --nounixsocket is set. 已设置。The command line option takes precedence over the configuration file setting.命令行选项优先于配置文件设置。
• net.bindIp is not set未设置
• net.bindIp does not specify localhost or its associated IP address未指定localhost或其关联的IP地址

mongos or mongod installed from official .deb and .rpm packages have the bind_ip configuration set to 127.0.0.1 by default.默认情况下，从官方.deb和.rpm包安装的mongos或mongod的bind_ip配置设置为127.0.0.1。

net.unixDomainSocket.pathPrefix

Type: string

Default: /tmp

The path for the UNIX socket. UNIX套接字的路径。net.unixDomainSocket.pathPrefix applies only to Unix-based systems.仅适用于基于Unix的系统。

If this option has no value, the mongos or mongod process creates a socket with /tmp as a prefix. 如果该选项没有值，mongos或mongod进程将创建一个以/tmp为前缀的套接字。MongoDB creates and listens on a UNIX socket unless one of the following is true:MongoDB在UNIX套接字上创建和侦听，除非以下情况之一为真：

• net.unixDomainSocket.enabled is 为false
• --nounixsocket is set已设置
• net.bindIp is not set未设置
• net.bindIp does not specify localhost or its associated IP address未指定localhost或其关联的IP地址

net.unixDomainSocket.filePermissions

Type: int

Default: 0700

Sets the permission for the UNIX domain socket file.设置UNIX域套接字文件的权限。

net.unixDomainSocket.filePermissions applies only to Unix-based systems.仅适用于基于Unix的系统。

net.http Options

net.tls Options

net:
   tls:
      mode: <string>
      certificateKeyFile: <string>
      certificateKeyFilePassword: <string>
      certificateSelector: <string>
      clusterCertificateSelector: <string>
      clusterFile: <string>
      clusterPassword: <string>
      clusterAuthX509:
        attributes: <string>
        extensionValue: <string>
      CAFile: <string>
      clusterCAFile: <string>
      CRLFile: <string>
      allowConnectionsWithoutCertificates: <boolean>
      allowInvalidCertificates: <boolean>
      allowInvalidHostnames: <boolean>
      disabledProtocols: <string>
      FIPSMode: <boolean>
      logVersions: <string>

net.tls.mode

Type: string

New in version 4.2. 4.2版新增。

Enables TLS used for all network connections. 启用用于所有网络连接的TLS。The argument to the net.tls.mode setting can be one of the following:net.tls.mode设置的参数可以是以下参数之一：

Value值	Description描述
disabled	The server does not use TLS.服务器不使用TLS。
allowTLS	Connections between servers do not use TLS. For incoming connections, the server accepts both TLS and non-TLS.服务器之间的连接不使用TLS。对于传入连接，服务器同时接受TLS和非TLS。
preferTLS	Connections between servers use TLS. For incoming connections, the server accepts both TLS and non-TLS.服务器之间的连接使用TLS。对于传入连接，服务器同时接受TLS和非TLS。
requireTLS	The server uses and accepts only TLS encrypted connections.服务器仅使用并接受TLS加密的连接。

If --tlsCAFile or tls.CAFile is not specified and you are not using x.509 authentication, the system-wide CA certificate store will be used when connecting to an TLS-enabled server.如果未指定--tlsCAFile或tls.CAFile，并且您未使用x.509身份验证，则在连接到启用TLS的服务器时将使用系统范围的CA证书存储。

If using x.509 authentication, --tlsCAFile or tls.CAFile must be specified unless using --tlsCertificateSelector.如果使用x.509身份验证，则必须指定--tlsCAFile或tls.CAFile，除非使用--tlsCertificateSelector。

For more information about TLS and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .有关TLS和MongoDB的更多信息，请参阅为TLS/SSL配置mongod和mongos和针对客户端的TLS/SSL配置。

net.tls.certificateKeyFile

Type: string

New in version 4.2:4.2版新增：The .pem file that contains both the TLS certificate and key.同时包含TLS证书和键的.pem文件。

Starting with MongoDB 4.0 on macOS or Windows, you can use the net.tls.certificateSelector setting to specify a certificate from the operating system's secure certificate store instead of a PEM key file. 从macOS或Windows上的MongoDB 4.0开始，您可以使用net.tls.certificateSelector设置从操作系统的安全证书存储中指定证书，而不是PEM键文件。certificateKeyFile and 和net.tls.certificateSelector are mutually exclusive. 相互排斥。You can only specify one.您只能指定一个。

• On Linux/BSD, you must specify net.tls.certificateKeyFile when TLS is enabled.在Linux/BSD上，启用TLS时，必须指定net.tls.certificateKeyFile。
• On Windows or macOS, you must specify either net.tls.certificateKeyFile or net.tls.certificateSelector when TLS is enabled.在Windows或macOS上，启用TLS时，必须指定net.tls.certificateKeyFile或net.tls.certificateSelector。
  Important

  For Windows only, MongoDB 4.0 and later do not support encrypted PEM files. The mongod fails to start if it encounters an encrypted PEM file. 仅适用于Windows，MongoDB 4.0及更高版本不支持加密的PEM文件。如果mongod遇到加密的PEM文件，它将无法启动。To securely store and access a certificate for use with TLS on Windows, use net.tls.certificateSelector.若要在Windows上安全地存储和访问用于TLS的证书，请使用net.tls.certificateSelector。

For more information about TLS and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .有关TLS和MongoDB的更多信息，请参阅为TLS/SSL配置mongod和mongos和针对客户端的TLS/SSL配置。

net.tls.certificateKeyFilePassword

Type: string

New in version 4.2:4.2版新增：The password to de-crypt the certificate-key file (i.e. certificateKeyFile). 对证书键文件（即certificateKeyFile）进行解密的密码。Use the net.tls.certificateKeyFilePassword option only if the certificate-key file is encrypted. 仅当证书键文件已加密时，才使用net.tls.certificateKeyFilePassword选项。In all cases, the mongos or mongod will redact the password from all logging and reporting output.在所有情况下，mongos或mongod都会对所有日志记录和报告输出的密码进行编辑。

Starting in MongoDB 4.0:从MongoDB 4.0开始：

• On Linux/BSD, if the private key in the PEM file is encrypted and you do not specify the net.tls.certificateKeyFilePassword option, MongoDB will prompt for a passphrase. 在Linux/BSD上，如果PEM文件中的私钥是加密的，并且您没有指定net.tls.certificateKeyFilePassword选项，MongoDB将提示输入密码短语。See TLS/SSL Certificate Passphrase.请参阅TLS/SSL证书密码。
• On macOS, if the private key in the PEM file is encrypted, you must explicitly specify the net.tls.certificateKeyFilePassword option. 在macOS上，如果PEM文件中的私钥已加密，则必须显式指定net.tls.certificateKeyFilePassword选项。Alternatively, you can use a certificate from the secure system store (see net.tls.certificateSelector) instead of a PEM key file or use an unencrypted PEM file.或者，您可以使用安全系统存储中的证书（请参阅net.tls.certificateSelector）而不是PEM键文件，或者使用未加密的PEM文件。
• On Windows, MongoDB does not support encrypted certificates. 在Windows上，MongoDB不支持加密证书。The mongod fails if it encounters an encrypted PEM file. 如果mongod遇到加密的PEM文件，它就会失败。Use net.tls.certificateSelector instead.：请改用net.tls.certificateSelector。

For more information about TLS and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .有关TLS和MongoDB的更多信息，请参阅为TLS/SSL配置mongod和mongos和针对客户端的TLS/SSL配置。

net.tls.certificateSelector

Type: string

New in version 4.2:4.2版新增：Available on Windows and macOS as an alternative to net.tls.certificateKeyFile. 可在Windows和macOS上作为net.tls.certificateKeyFile的替代方案使用。In MongoDB 4.0, see net.ssl.certificateSelector.在MongoDB 4.0中，请参阅net.ssl.certificateSelector。

Specifies a certificate property in order to select a matching certificate from the operating system's certificate store to use for TLS/SSL.指定证书属性，以便从操作系统的证书存储中选择用于TLS/SSL的匹配证书。

net.tls.certificateKeyFile and net.tls.certificateSelector options are mutually exclusive. You can only specify one.net.tls.certificateKeyFile和net.tls.certificateSelector选项是互斥的。您只能指定一个。

net.tls.certificateSelector accepts an argument of the format <property>=<value> where the property can be one of the following:接受格式为<property>=<value>的参数，其中该属性可以是以下内容之一：

Property属性	Value type值类型	Description描述
subject	ASCII string	Subject name or common name on certificate证书上的使用者名称或通用名称
thumbprint	hex string	A sequence of bytes, expressed as hexadecimal, used to identify a public key by its SHA-1 digest.一种字节序列，用十六进制表示，用于通过SHA-1摘要识别公钥。 The thumbprint is sometimes referred to as a fingerprint.thumbprint有时被称为fingerprint。

When using the system SSL certificate store, OCSP (Online Certificate Status Protocol) is used to validate the revocation status of certificates.使用系统SSL证书存储时，OCSP（联机证书状态协议）用于验证证书的吊销状态。

The mongod searches the operating system's secure certificate store for the CA certificates required to validate the full certificate chain of the specified TLS certificate. mongod在操作系统的安全证书存储中搜索验证指定TLS证书的完整证书链所需的CA证书。Specifically, the secure certificate store must contain the root CA and any intermediate CA certificates required to build the full certificate chain to the TLS certificate.特别是，安全证书存储必须包含根CA和构建TLS证书的完整证书链所需的任何中间CA证书。 Do not use net.tls.CAFile or net.tls.clusterFile to specify the root and intermediate CA certificate不要使用net.tls.CAFile或net.tls.clusterFile指定根证书和中间CA证书

For example, if the TLS certificate was signed with a single root CA certificate, the secure certificate store must contain that root CA certificate. 例如，如果TLS证书是用单个根CA证书签名的，则安全证书存储必须包含该根CA证书。If the TLS certificate was signed with an intermediate CA certificate, the secure certificate store must contain the intermedia CA certificate and the root CA certificate.如果TLS证书是用中间CA证书签名的，则安全证书存储必须包含中间CA证书和根CA证书。

Note

You cannot use the rotateCertificates command or the db.rotateCertificates() shell method when using net.tls.certificateSelector or --tlsCertificateSelector set to thumbprint当使用设置为指纹的net.tls.certificateSelector或--tlsCertificateSelector时，不能使用rotateCertificates命令或db.rotateCertificates()shell方法

net.tls.clusterCertificateSelector

Type: string

New in version 4.2:4.2版新增：Available on Windows and macOS as an alternative to net.tls.clusterFile.可在Windows和macOS上作为net.tls.clusterFile的替代方案提供。

Specifies a certificate property to select a matching certificate from the operating system's secure certificate store to use for internal x.509 membership authentication.指定一个证书属性，从操作系统的安全证书存储中选择一个匹配的证书，用于内部x.509成员身份验证。

net.tls.clusterFile and net.tls.clusterCertificateSelector options are mutually exclusive. You can only specify one.net.tls.clusterFile和net.tls.clusterCertificateSelector选项相互排斥。您只能指定一个。

net.tls.clusterCertificateSelector accepts an argument of the format <property>=<value> where the property can be one of the following:接受格式为<property>=<value>的参数，其中该属性可以是以下内容之一：

Property属性	Value type值类型	Description描述
subject	ASCII string	Subject name or common name on certificate证书上的使用者名称或通用名称
thumbprint	hex string	A sequence of bytes, expressed as hexadecimal, used to identify a public key by its SHA-1 digest.一种字节序列，用十六进制表示，用于通过SHA-1摘要识别公钥。 The thumbprint is sometimes referred to as a fingerprint. thumbprint有时被称为fingerprint。

The mongod searches the operating system's secure certificate store for the CA certificates required to validate the full certificate chain of the specified cluster certificate. mongod在操作系统的安全证书存储中搜索验证指定群集证书的完整证书链所需的CA证书。Specifically, the secure certificate store must contain the root CA and any intermediate CA certificates required to build the full certificate chain to the cluster certificate. 特别是，安全证书存储必须包含根CA和构建到群集证书的完整证书链所需的任何中间CA证书。Do not use net.tls.CAFile or net.tls.clusterCAFile to specify the root and intermediate CA certificate.不要使用net.tls.CAFile或net.tls.clusterCAFile来指定根证书和中间CA证书。

For example, if the cluster certificate was signed with a single root CA certificate, the secure certificate store must contain that root CA certificate. 例如，如果群集证书是用单个根CA证书签名的，则安全证书存储必须包含该根CA证书。If the cluster certificate was signed with an intermediate CA certificate, the secure certificate store must contain the intermediate CA certificate and the root CA certificate.如果群集证书是用中间CA证书签名的，则安全证书存储必须包含中间CA证书和根CA证书。

Changed in version 4.4:4.4版更改：mongod / mongos logs a warning on connection if the presented x.509 certificate expires within 30 days of the mongod/mongos host system time. 如果提供的x.509证书在mongod/mongos主机系统时间后30天内过期，则在连接时记录警告。See x.509 Certificates Nearing Expiry Trigger Warnings for more information.有关详细信息，请参阅x.509证书接近到期触发警告。

net.tls.clusterFile

Type: string

New in version 4.2:4.2版新增：The .pem file that contains the x.509 certificate-key file for membership authentication for the cluster or replica set..pem文件，包含用于集群或副本集成员身份验证的x.509证书键文件。

Starting with MongoDB 4.0 on macOS or Windows, you can use the net.tls.clusterCertificateSelector option to specify a certificate from the operating system's secure certificate store instead of a PEM key file. 从macOS或Windows上的MongoDB 4.0开始，您可以使用net.tls.clusterCertificateSelector选项从操作系统的安全证书存储中指定证书，而不是PEM键文件。net.tls.clusterFile and net.tls.clusterCertificateSelector options are mutually exclusive.net.tls.clusterFile和net.tls.clusterCertificateSelector选项相互排斥。 You can only specify one.您只能指定一个。

If net.tls.clusterFile does not specify the .pem file for internal cluster authentication or the alternative net.tls.clusterCertificateSelector, the cluster uses the .pem file specified in the certificateKeyFile setting or the certificate returned by the net.tls.certificateSelector.如果net.tls.clusterFile未指定用于内部群集身份验证的.pem文件或替代net.tls.clusterCertificateSelector，则群集将使用certificateKeyFile设置中指定的.pem文件或net.tls.certificateSelector返回的证书。

If using x.509 authentication, --tlsCAFile or tls.CAFile must be specified unless using --tlsCertificateSelector.如果使用x.509身份验证，则必须指定--tlsCAFile或tls.CAFile，除非使用--tlsCertificateSelector。

Changed in version 4.4:4.4版更改：mongod / mongos logs a warning on connection if the presented x.509 certificate expires within 30 days of the mongod/mongos host system time. 如果提供的x.509证书在mongod/mongos主机系统时间后30天内过期，则在连接时记录警告。See x.509 Certificates Nearing Expiry Trigger Warnings for more information.有关详细信息，请参阅x.509证书接近到期触发警告。

For more information about TLS and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .有关TLS和MongoDB的更多信息，请参阅为TLS/SSL配置mongod和mongos和针对客户端的TLS/SSL配置。

Important

For Windows only, MongoDB 4.0 and later do not support encrypted PEM files. 仅适用于Windows，MongoDB 4.0及更高版本不支持加密的PEM文件。The mongod fails to start if it encounters an encrypted PEM file. 如果mongod遇到加密的PEM文件，它将无法启动。To securely store and access a certificate for use with membership authentication on Windows, use net.tls.clusterCertificateSelector.要在Windows上安全存储和访问用于成员身份验证的证书，请使用net.tls.clusterCertificateSelector。

net.tls.clusterPassword

Type: string

New in version 4.2:4.2版新增：The password to de-crypt the x.509 certificate-key file specified with --sslClusterFile. 对用--sslClusterFile指定的x.509证书键文件进行解密的密码。Use the net.tls.clusterPassword option only if the certificate-key file is encrypted. 仅当证书键文件已加密时，才使用net.tls.clusterPassword选项。In all cases, the mongos or mongod will redact the password from all logging and reporting output.在所有情况下，mongos或mongod都会对所有日志记录和报告输出的密码进行编辑。

Starting in MongoDB 4.0:从MongoDB 4.0开始：

• On Linux/BSD, if the private key in the x.509 file is encrypted and you do not specify the net.tls.clusterPassword option, MongoDB will prompt for a passphrase. 在Linux/BSD上，如果x.509文件中的私钥是加密的，并且您没有指定net.tls.clusterPassword选项，MongoDB将提示输入密码短语。See TLS/SSL Certificate Passphrase.请参阅TLS/SSL证书密码短语。
• On macOS, if the private key in the x.509 file is encrypted, you must explicitly specify the net.tls.clusterPassword option. 在macOS上，如果x.509文件中的私钥已加密，则必须显式指定net.tls.clusterPassword选项。Alternatively, you can either use a certificate from the secure system store (see net.tls.clusterCertificateSelector) instead of a cluster PEM file or use an unencrypted PEM file.或者，您可以使用安全系统存储中的证书（请参阅net.tls.clusterCertificateSelector）代替集群PEM文件，也可以使用未加密的PEM文件。
• On Windows, MongoDB does not support encrypted certificates. 在Windows上，MongoDB不支持加密证书。The mongod fails if it encounters an encrypted PEM file. 如果mongod遇到加密的PEM文件，它就会失败。Use net.tls.clusterCertificateSelector.请使用net.tls.clusterCertificateSelector。

For more information about TLS and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .有关TLS和MongoDB的更多信息，请参阅为TLS/SSL配置mongod和mongos和针对客户端的TLS/SSL配置。

net.tls.clusterAuthX509

New in version 7.0. 7.0版新增。

net:
   tls:
     clusterAuthX509:
       attributes: <string>
       extensionValue: <string>

net.tls.clusterAuthX509.attributes

Type: string

New in version 7.0. 7.0版新增。

Specifies a set of X.509 Distinguished Name (DN) attributes and values that the server expects cluster member nodes to contain in their certificate subject names. 指定一组X.509可分辨名称（DN）属性和值，服务器希望群集成员节点在其证书使用者名称中包含这些属性和值。This lets you use certificates that don't contain DC, O, and OU values to authenticate cluster members.这允许您使用不包含DC、O和OU值的证书来对集群成员进行身份验证。

When attributes is set, MongoDB matches certificates using the DN and ignores extension values.设置attributes后，MongoDB将使用DN匹配证书，并忽略扩展值。

net.tls.clusterAuthX509.extensionValue

Type: string

New in version 7.0. 7.0版新增。

Specifies an extension value that corresponds to the MongoDB cluster membership extension OID, 1.3.6.1.4.1.34601.2.1.2, that the server expects cluster member nodes to contain in their certificates. This allows you to use certificates that don't contain DC, O, and OU values to authenticate cluster members.指定一个扩展值，该值对应于MongoDB集群成员资格扩展OID 1.3.6.1.4.1.3046011.2.1.2，服务器希望集群成员节点在其证书中包含该OID。这允许您使用不包含DC、O和OU值的证书来对集群成员进行身份验证。

When extensionValue is set, MongoDB matches certificates using certificate extension values and ignores the Distinguished Name (DN).当设置extensionValue时，MongoDB使用证书扩展值匹配证书，并忽略可分辨名称（DN）。

net.tls.CAFile

Type: string

New in version 4.2:4.2版新增：The .pem file that contains the root certificate chain from the Certificate Authority. 包含证书颁发机构的根证书链的.pem文件。Specify the file name of the .pem file using relative or absolute paths.使用相对路径或绝对路径指定.pem文件的文件名。

Windows/macOS Only

If using net.tls.certificateSelector and/or net.tls.clusterCertificateSelector, do not use net.tls.CAFile to specify the root and intermediate CA certificates. 如果使用net.tls.certificateSelector和/或net.tls.clusterCertificateSelector，请不要使用net.tls.CAFile指定根证书和中间CA证书。Store all CA certificates required to validate the full trust chain of the net.tls.certificateSelector and/or net.tls.clusterCertificateSelector certificates in the secure certificate store.将验证net.tls.certificateSelector和/或net.tls.clusterCertificateSelector证书的完整信任链所需的所有CA证书存储在安全证书存储中。

For more information about TLS and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .有关TLS和MongoDB的更多信息，请参阅为TLS/SSL配置mongod和mongos和针对客户端的TLS/SSL配置。

net.tls.clusterCAFile

Type: string

New in version 4.2:4.2版新增：The .pem file that contains the root certificate chain from the Certificate Authority used to validate the certificate presented by a client establishing a connection. .pem文件，包含证书颁发机构的根证书链，用于验证建立连接的客户端提供的证书。Specify the file name of the .pem file using relative or absolute paths. 使用相对路径或绝对路径指定pem文件的文件名。net.tls.clusterCAFile requires that net.tls.CAFile is set.要求设置net.tls.CAFile。

If net.tls.clusterCAFile does not specify the .pem file for validating the certificate from a client establishing a connection, the cluster uses the .pem file specified in the net.tls.CAFile option.如果net.tls.clusterCAFile没有指定.pem文件来验证来自建立连接的客户端的证书，则集群将使用net.tls.CAFile选项中指定的.pem文件。

net.tls.clusterCAFile lets you use separate Certificate Authorities to verify the client to server and server to client portions of the TLS handshake.允许您使用单独的证书颁发机构来验证TLS握手的客户端到服务器和服务器到客户端部分。

Starting in 4.0, on macOS or Windows, you can use a certificate from the operating system's secure store instead of a PEM key file. 从4.0开始，在macOS或Windows上，您可以使用操作系统安全存储中的证书，而不是PEM键文件。See net.tls.clusterCertificateSelector. 请参阅net.tls.clusterCertificateSelector。When using the secure store, you do not need to, but can, also specify the net.tls.clusterCAFile.使用安全存储时，您不需要，但也可以指定net.tls.clusterCAFile。

Windows/macOS Only

If using net.tls.certificateSelector and/or net.tls.clusterCertificateSelector, do not use net.tls.clusterCAFile to specify the root and intermediate CA certificates. 如果使用net.tls.certificateSelector和/或net.tls.clusterCertificateSelector，请不要使用net.tls.clusterCAFile指定根证书和中间CA证书。Store all CA certificates required to validate the full trust chain of the net.tls.certificateSelector and/or net.tls.clusterCertificateSelector certificates in the secure certificate store.将验证net.tls.certificateSelector和/或net.tls.clusterCertificateSelector证书的完整信任链所需的所有CA证书存储在安全证书存储中。

For more information about TLS and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .有关TLS和MongoDB的更多信息，请参阅为TLS/SSL配置mongod和mongos和针对客户端的TLS/SSL配置。

net.tls.CRLFile

Type: string

New in version 4.2:4.2版新增：In MongoDB 4.0 and earlier, see net.ssl.CRLFile.在MongoDB 4.0及更早版本中，请参阅net.ssl.CRLFile。

The .pem file that contains the Certificate Revocation List. Specify the file name of the .pem file using relative or absolute paths.包含证书吊销列表的.pem文件。使用相对路径或绝对路径指定.pem文件的文件名。

Note

• Starting in MongoDB 4.0, you cannot specify net.tls.CRLFile on macOS. 从MongoDB 4.0开始，您不能在macOS上指定net.tls.CRLFile。Instead, you can use the system SSL certificate store, which uses OCSP (Online Certificate Status Protocol) to validate the revocation status of certificates. 相反，您可以使用系统SSL证书存储，该存储使用OCSP（在线证书状态协议）来验证证书的吊销状态。See net.ssl.certificateSelector in MongoDB 4.0 and net.tls.certificateSelector in MongoDB 4.2+ to use the system SSL certificate store.请参阅MongoDB 4.0中的net.ssl.certificateSelector和MongoDB 4.2+中的net.tls.certificateSelector以使用系统SSL证书存储。
• Starting in version 4.4, to check for certificate revocation, MongoDB enables the use of OCSP (Online Certificate Status Protocol) by default as an alternative to specifying a CRL file or using the system SSL certificate store.从版本4.4开始，为了检查证书吊销，MongoDB默认启用OCSP（在线证书状态协议），作为指定CRL文件或使用系统SSL证书存储的替代方案。

For more information about TLS and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .有关TLS和MongoDB的更多信息，请参阅为TLS/SSL配置mongod和mongos和针对客户端的TLS/SSL配置。

net.tls.allowConnectionsWithoutCertificates

Type: boolean

New in version 4.2. 4.2版新增。

For clients that don't provide certificates, mongod or mongos encrypts the TLS/SSL connection, assuming the connection is successfully made.对于不提供证书的客户端，假设连接成功，mongod或mongos会对TLS/SSL连接进行加密。

For clients that present a certificate, however, mongos or mongod performs certificate validation using the root certificate chain specified by CAFile and reject clients with invalid certificates.然而，对于提供证书的客户端，mongos或mongod使用CAFile指定的根证书链执行证书验证，并拒绝具有无效证书的客户端。

Use the net.tls.allowConnectionsWithoutCertificates option if you have a mixed deployment that includes clients that do not or cannot present certificates to the mongos or mongod.如果您的混合部署包括不向mongos或mongod提供证书或不能向其提供证书的客户端，请使用net.tls.allowConnectionsWithoutCertificates选项。

For more information about TLS and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .有关TLS和MongoDB的更多信息，请参阅为TLS/SSL配置mongod和mongos和针对客户端的TLS/SSL配置。

net.tls.allowInvalidCertificates

Type: boolean

New in version 4.2. 4.2版新增。

Enable or disable the validation checks for TLS certificates on other servers in the cluster and allows the use of invalid certificates to connect.在群集中的其他服务器上启用或禁用TLS证书的验证检查，并允许使用无效证书进行连接。

Note

If you specify --tlsAllowInvalidCertificates or tls.allowInvalidCertificates: true when using x.509 authentication, an invalid certificate is only sufficient to establish a TLS connection but is insufficient for authentication.如果在使用x.509身份验证时指定--tlsAllowInvalidCertificates或tls.allowInvalidCertificates: true，则无效证书仅足以建立TLS连接，但不足以进行身份验证。

When using the net.tls.allowInvalidCertificates setting, MongoDB logs a warning regarding the use of the invalid certificate.当使用net.tls.allowInvalidCertificates设置时，MongoDB会记录有关使用无效证书的警告。

For more information about TLS and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .有关TLS和MongoDB的更多信息，请参阅为TLS/SSL配置mongod和mongos和针对客户端的TLS/SSL配置。

net.tls.allowInvalidHostnames

Type: boolean

Default: false

When net.tls.allowInvalidHostnames is true, MongoDB disables the validation of the hostnames in TLS certificates, allowing mongod to connect to MongoDB instances if the hostname their certificates do not match the specified hostname.当net.tls.allowInvalidHostnames为true时，MongoDB将禁用TLS证书中主机名的验证，如果主机名及其证书与指定的主机名不匹配，则允许mongod连接到MongoDB实例。

For more information about TLS and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .有关TLS和MongoDB的更多信息，请参阅为TLS/SSL配置mongod和mongos和针对客户端的TLS/SSL配置。

net.tls.disabledProtocols

Type: string

Prevents a MongoDB server running with TLS from accepting incoming connections that use a specific protocol or protocols. 阻止使用TLS运行的MongoDB服务器接受使用特定协议的传入连接。To specify multiple protocols, use a comma separated list of protocols, but do not use spaces after the commas. 要指定多个协议，请使用逗号分隔的协议列表，但不要在逗号后使用空格。If you include a space before a protocol name, the server interprets it as an unrecognized protocol and doesn't start.如果在协议名称之前包含空格，则服务器会将其解释为无法识别的协议，并且不会启动。

net.tls.disabledProtocols recognizes the following protocols: TLS1_0, TLS1_1, TLS1_2, and TLS1_3.识别以下协议：TLS1_0、TLS1_1、TLS1_2和TLS1_3。

• On macOS, you cannot disable TLS1_1 and leave both TLS1_0 and TLS1_2 enabled. 在macOS上，不能禁用TLS1_1并同时启用TLS1_0和TLS1_2。You must disable at least one of the other two, for example, TLS1_0,TLS1_1.必须禁用其他两个中的至少一个，例如TLS1_0,TLS1_1。
• To list multiple protocols, specify as a comma separated list of protocols without spaces after the commas. 要列出多个协议，请指定为逗号分隔的协议列表，逗号后无空格。For example TLS1_0,TLS1_1.例如TLS1_0,TLS1_1。
• Specifying an unrecognized protocol or including a space after a comma prevents the server from starting.指定无法识别的协议或在逗号后包含空格会阻止服务器启动。
• The specified disabled protocols overrides any default disabled protocols.指定的禁用协议将覆盖任何默认的禁用协议。

MongoDB disables the use of TLS 1.0 if TLS 1.1+ is available on the system. 如果TLS 1.1+在系统上可用，MongoDB将禁用TLS 1.0的使用。To enable TLS 1.0, specify none to net.tls.disabledProtocols. 若要启用TLS 1.0，请将none指定为net.tls.disabledProtocols。See Disable TLS 1.0.请参阅禁用TLS 1.0。

Members of replica sets and sharded clusters must speak at least one protocol in common.副本集和分片集群的成员必须至少使用一个通用协议。

Tip

See also: 另请参阅：

Disallow Protocols禁用协议

net.tls.FIPSMode

Type: boolean

New in version 4.2. 4.2版新增。

Enable or disable the use of the FIPS mode of the TLS library for the mongos or mongod. 为mongos或mongod启用或禁用TLS库的FIPS模式。Your system must have a FIPS compliant library to use the net.tls.FIPSMode option.您的系统必须具有符合FIPS的库才能使用net.tls.FIPSMode选项。

Note

FIPS-compatible TLS/SSL is available only in MongoDB Enterprise. FIPS兼容的TLS/SSL仅在MongoDB企业版中可用。See Configure MongoDB for FIPS for more information.有关更多信息，请参阅配置MongoDB for FIPS。

net.tls.logVersions

Type: string

Instructs mongos or mongod to log a message when a client connects using a specified TLS version.指示mongos或mongod在客户端使用指定的TLS版本进行连接时记录消息。

Specify either a single TLS version or a comma-separated list of multiple TLS versions.指定单个TLS版本或多个TLS版本的逗号分隔列表。

Example

To instruct mongos or mongod to log a message when a client connects using either TLS 1.2 or TLS 1.3, set net.tls.logVersions to "TLS1_2,TLS1_3".若要指示mongos或mongod在客户端使用TLS 1.2或TLS 1.3连接时记录消息，请将net.tls.logVersions设置为"TLS1_2,TLS1_3"。

net.ssl Options

net:
   ssl:                            # deprecated since 4.2
      sslOnNormalPorts: <boolean>  # deprecated since 2.6
      mode: <string>
      PEMKeyFile: <string>
      PEMKeyPassword: <string>
      certificateSelector: <string>
      clusterCertificateSelector: <string>
      clusterFile: <string>
      clusterPassword: <string>
      CAFile: <string>
      clusterCAFile: <string>
      CRLFile: <string>
      allowConnectionsWithoutCertificates: <boolean>
      allowInvalidCertificates: <boolean>
      allowInvalidHostnames: <boolean>
      disabledProtocols: <string>
      FIPSMode: <boolean>

net.ssl.sslOnNormalPorts

Type: boolean

Deprecated since version 2.6自2.6版起弃用: Use net.tls.mode: requireTLS instead.：请改用net.tls.mode: requireTLS。

Enable or disable TLS/SSL for mongos or mongod.为mongos或mongod启用或禁用TLS/SSL。

With net.ssl.sslOnNormalPorts, a mongos or mongod requires TLS/SSL encryption for all connections on the default MongoDB port, or the port specified by net.port. 使用net.ssl.sslOnNormalPorts，mongos或mongod需要对默认MongoDB端口或net.port指定的端口上的所有连接进行TLS/SSL加密。By default, net.ssl.sslOnNormalPorts is disabled.默认情况下，net.ssl.sslOnNormalPorts处于禁用状态。

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .有关TLS/SSL和MongoDB的更多信息，请参阅为TLS/SSL配置mongod和mongos以及针对客户端的TLS/SSL配置。

net.ssl.mode

Type: string

Deprecated since version 4.2: Use net.tls.mode instead.：请改用net.tls.mode。

Enables TLS/SSL or mixed TLS/SSL used for all network connections. 启用用于所有网络连接的TLS/SSL或混合TLS/SSL。The argument to the net.ssl.mode setting can be one of the following:net.ssl.mode设置的参数可以是以下参数之一：

Value值	Description描述
disabled	The server does not use TLS/SSL.服务器未使用TLS/SSL。
allowSSL	Connections between servers do not use TLS/SSL. 服务器之间的连接不使用TLS/SSL。For incoming connections, the server accepts both TLS/SSL and non-TLS/non-SSL.对于传入连接，服务器同时接受TLS/SSL和非TLS/非SSL。
preferSSL	Connections between servers use TLS/SSL. 服务器之间的连接使用TLS/SSL。For incoming connections, the server accepts both TLS/SSL and non-TLS/non-SSL.对于传入连接，服务器同时接受TLS/SSL和非TLS/非SSL。
requireSSL	The server uses and accepts only TLS/SSL encrypted connections.服务器仅使用并接受TLS/SSL加密的连接。

If --tlsCAFile/net.tls.CAFile (or their aliases --sslCAFile/net.ssl.CAFile) is not specified and you are not using x.509 authentication, the system-wide CA certificate store will be used when connecting to an TLS/SSL-enabled server.如果未指定--tlsCAFile/net.tls.CAFile（或其别名--sslCAFile/net.ssl.CAFile），并且您未使用x.509身份验证，则在连接到启用TLS/SSL的服务器时将使用系统范围的CA证书存储。

To use x.509 authentication, --tlsCAFile or net.tls.CAFile must be specified unless you are using --tlsCertificateSelector or --net.tls.certificateSelector.若要使用x.509身份验证，必须指定--tlsCAFile或net.tls.CAFile，除非您使用的是--tlsCertificateSelector或--net.tls.certificateSelector。

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .有关TLS/SSL和MongoDB的更多信息，请参阅为TLS/SSL配置mongod和mongos以及针对客户端的TLS/SSL配置。

net.ssl.PEMKeyFile

Type: string

Deprecated since version 4.2自4.2版起弃用: Use net.tls.certificateKeyFile instead.：请改用net.tls.certificateKeyFile。

The .pem file that contains both the TLS/SSL certificate and key.包含TLS/SSL证书和键的.pem文件。

Starting with MongoDB 4.0 on macOS or Windows, you can use the net.ssl.certificateSelector setting to specify a certificate from the operating system's secure certificate store instead of a PEM key file. 从macOS或Windows上的MongoDB 4.0开始，您可以使用net.ssl.certificateSelector设置从操作系统的安全证书存储中指定证书，而不是PEM键文件。PEMKeyFile and 和net.ssl.certificateSelector are mutually exclusive. 相互排斥。You can only specify one.您只能指定一个。

• On Linux/BSD, you must specify net.ssl.PEMKeyFile when TLS/SSL is enabled.在Linux/BSD上，启用TLS/SSL时，必须指定net.ssl.PEMKeyFile。
• On Windows or macOS, you must specify either net.ssl.PEMKeyFile or net.ssl.certificateSelector when TLS/SSL is enabled.在Windows或macOS上，启用TLS/SSL时，必须指定net.ssl.PEMKeyFile或net.ssl.certificateSelector。
  Important

  For Windows only, MongoDB 4.0 and later do not support encrypted PEM files. The mongod fails to start if it encounters an encrypted PEM file. 仅适用于Windows，MongoDB 4.0及更高版本不支持加密的PEM文件。如果mongod遇到加密的PEM文件，它将无法启动。To securely store and access a certificate for use with TLS/SSL on Windows, use net.ssl.certificateSelector.要在Windows上安全地存储和访问与TLS/SSL一起使用的证书，请使用net.ssl.certificateSelector。

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .有关TLS/SSL和MongoDB的更多信息，请参阅为TLS/SSL配置mongod和mongos以及针对客户端的TLS/SSL配置。

net.ssl.PEMKeyPassword

Type: string

Deprecated since version 4.2自4.2版起弃用: Use net.tls.certificateKeyFilePassword instead.：请改用net.tls.certificateKeyFilePassword。

The password to de-crypt the certificate-key file (i.e. PEMKeyFile). 对证书键文件（即PEMKeyFile）进行解密的密码。Use the net.ssl.PEMKeyPassword option only if the certificate-key file is encrypted. 仅当证书键文件已加密时，才使用net.ssl.PEMKeyPassword选项。In all cases, the mongos or mongod will redact the password from all logging and reporting output.在所有情况下，mongos或mongod都会对所有日志记录和报告输出的密码进行编辑。

Starting in MongoDB 4.0:从MongoDB 4.0开始：

• On Linux/BSD, if the private key in the PEM file is encrypted and you do not specify the net.ssl.PEMKeyPassword option, MongoDB will prompt for a passphrase. 在Linux/BSD上，如果PEM文件中的私钥是加密的，并且您没有指定net.ssl.PEMKeyPassword选项，MongoDB将提示输入密码短语。See TLS/SSL Certificate Passphrase.请参阅TLS/SSL证书密码短语。
• On macOS, if the private key in the PEM file is encrypted, you must explicitly specify the net.ssl.PEMKeyPassword option. 在macOS上，如果PEM文件中的私钥已加密，则必须显式指定net.ssl.PEMKeyPassword选项。Alternatively, you can use a certificate from the secure system store (see net.ssl.certificateSelector) instead of a PEM key file or use an unencrypted PEM file.或者，您可以使用安全系统存储中的证书（请参阅net.ssl.certificateSelector）而不是PEM键文件，或者使用未加密的PEM文件。
• On Windows, MongoDB does not support encrypted certificates. 在Windows上，MongoDB不支持加密证书。The mongod fails if it encounters an encrypted PEM file. Use net.ssl.certificateSelector instead.如果mongod遇到加密的PEM文件，它就会失败。请改用net.ssl.certificateSelector。

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .有关TLS/SSL和MongoDB的更多信息，请参阅为TLS/SSL配置mongod和mongos以及针对客户端的TLS/SSL配置。

net.ssl.certificateSelector

Type: string

Deprecated since version 4.2自4.2版起弃用: Use net.tls.certificateSelector instead.：请改用net.tls.certificateSelector。

New in version 4.0:4.0版新增：Available on Windows and macOS as an alternative to net.ssl.PEMKeyFile.可在Windows和macOS上作为net.ssl.PEMKeyFile的替代品提供。

Specifies a certificate property in order to select a matching certificate from the operating system's certificate store to use for TLS/SSL.指定证书属性，以便从操作系统的证书存储中选择用于TLS/SSL的匹配证书。

net.ssl.PEMKeyFile and 和net.ssl.certificateSelector options are mutually exclusive. You can only specify one.选项是相互排斥的。您只能指定一个。

net.ssl.certificateSelector accepts an argument of the format <property>=<value> where the property can be one of the following:接受格式为<property>=<value>的参数，其中该属性可以是以下内容之一：

Property属性	Value type值类型	Description描述
subject	ASCII string	Subject name or common name on certificate证书上的使用者名称或通用名称
thumbprint	hex string	A sequence of bytes, expressed as hexadecimal, used to identify a public key by its SHA-1 digest.一种字节序列，用十六进制表示，用于通过SHA-1摘要识别公钥。 The thumbprint is sometimes referred to as a fingerprint. thumbprint有时被称为fingerprint。

When using the system SSL certificate store, OCSP (Online Certificate Status Protocol) is used to validate the revocation status of certificates.使用系统SSL证书存储时，OCSP（联机证书状态协议）用于验证证书的吊销状态。

The mongod searches the operating system's secure certificate store for the CA certificates required to validate the full certificate chain of the specified TLS/SSL certificate. mongod在操作系统的安全证书存储中搜索验证指定TLS/SSL证书的完整证书链所需的CA证书。Specifically, the secure certificate store must contain the root CA and any intermediate CA certificates required to build the full certificate chain to the TLS/SSL certificate. 特别是，安全证书存储必须包含根CA和构建TLS/SSL证书的完整证书链所需的任何中间CA证书。Do not use net.ssl.CAFile or net.ssl.clusterFile to specify the root and intermediate CA certificate不要使用net.ssl.CAFile或net.ssl.clusterFile指定根证书和中间CA证书

For example, if the TLS/SSL certificate was signed with a single root CA certificate, the secure certificate store must contain that root CA certificate. 例如，如果TLS/SSL证书是用单个根CA证书签名的，则安全证书存储必须包含该根CA证书。If the TLS/SSL certificate was signed with an intermediate CA certificate, the secure certificate store must contain the intermediate CA certificate and the root CA certificate.如果TLS/SSL证书是用中间CA证书签名的，则安全证书存储必须包含中间CA证书和根CA证书。

net.ssl.clusterCertificateSelector

Type: string

Deprecated since version 4.2自4.2版起弃用: Use net.tls.clusterCertificateSelector instead.：请改用net.tls.clusterCertificateSelector。

New in version 4.0:4.0版新增：Available on Windows and macOS as an alternative to net.ssl.clusterFile.可在Windows和macOS上作为net.ssl.clusterFile的替代品提供。

Specifies a certificate property to select a matching certificate from the operating system's secure certificate store to use for internal x.509 membership authentication.指定一个证书属性，从操作系统的安全证书存储中选择一个匹配的证书，用于内部x.509成员身份验证。

net.ssl.clusterFile and 和net.ssl.clusterCertificateSelector options are mutually exclusive. 选项是相互排斥的。You can only specify one.您只能指定一个。

net.ssl.clusterCertificateSelector accepts an argument of the format <property>=<value> where the property can be one of the following:接受格式为<property>=<value>的参数，其中该属性可以是以下内容之一：

Property属性	Value type值类型	Description描述
subject	ASCII string	Subject name or common name on certificate证书上的使用者名称或通用名称
thumbprint	hex string	A sequence of bytes, expressed as hexadecimal, used to identify a public key by its SHA-1 digest.一种字节序列，用十六进制表示，用于通过SHA-1摘要识别公钥。 The thumbprint is sometimes referred to as a fingerprint.thumbprint有时被称为fingerprint。

The mongod searches the operating system's secure certificate store for the CA certificates required to validate the full certificate chain of the specified cluster certificate. mongod在操作系统的安全证书存储中搜索验证指定群集证书的完整证书链所需的CA证书。Specifically, the secure certificate store must contain the root CA and any intermediate CA certificates required to build the full certificate chain to the cluster certificate. 特别是，安全证书存储必须包含根CA和构建到群集证书的完整证书链所需的任何中间CA证书。Do not use net.ssl.CAFile or net.ssl.clusterFile to specify the root and intermediate CA certificate.不要使用net.ssl.CAFile或net.ssl.clusterFile来指定根证书和中间CA证书。

For example, if the cluster certificate was signed with a single root CA certificate, the secure certificate store must contain that root CA certificate. 例如，如果群集证书是用单个根CA证书签名的，则安全证书存储必须包含该根CA证书。If the cluster certificate was signed with an intermediate CA certificate, the secure certificate store must contain the intermediate CA certificate and the root CA certificate.如果群集证书是用中间CA证书签名的，则安全证书存储必须包含中间CA证书和根CA证书。

net.ssl.clusterFile

Type: string

Deprecated since version 4.2自4.2版起弃用: Use net.tls.clusterFile instead.：请改用net.tls.clusterFile。

The .pem file that contains the x.509 certificate-key file for membership authentication for the cluster or replica set..pem文件，包含用于集群或副本集成员身份验证的x.509证书键文件。

Starting with MongoDB 4.0 on macOS or Windows, you can use the net.ssl.clusterCertificateSelector option to specify a certificate from the operating system's secure certificate store instead of a PEM key file. 从macOS或Windows上的MongoDB 4.0开始，您可以使用net.ssl.clusterCertificateSelector选项从操作系统的安全证书存储中指定证书，而不是PEM键文件。net.ssl.clusterFile and 和net.ssl.clusterCertificateSelector options are mutually exclusive. 选项是相互排斥的。You can only specify one.您只能指定一个。

If net.ssl.clusterFile does not specify the .pem file for internal cluster authentication or the alternative net.ssl.clusterCertificateSelector, the cluster uses the .pem file specified in the PEMKeyFile setting or the certificate returned by the net.ssl.certificateSelector.如果net.ssl.clusterFile未指定用于内部群集身份验证的 .pem文件或备用net.ssl.clusterCertificateSelector，则群集将使用在PEMKeyFile设置中指定的pem文件或net.ssl.certificateSelector返回的证书。

To use x.509 authentication, --tlsCAFile or net.tls.CAFile must be specified unless you are using --tlsCertificateSelector or --net.tls.certificateSelector.若要使用x.509身份验证，必须指定--tlsCAFile或net.tls.CAFile，除非您使用的是--tlsCertificateSelector或--net.tls.certificateSelector。

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .有关TLS/SSL和MongoDB的更多信息，请参阅为TLS/SSL配置mongod和mongos以及针对客户端的TLS/SSL配置。

Important

For Windows only, MongoDB 4.0 and later do not support encrypted PEM files. 仅适用于Windows，MongoDB 4.0及更高版本不支持加密的PEM文件。The mongod fails to start if it encounters an encrypted PEM file. 如果mongod遇到加密的PEM文件，它将无法启动。To securely store and access a certificate for use with membership authentication on Windows, use net.ssl.clusterCertificateSelector.要在Windows上安全存储和访问用于成员身份验证的证书，请使用net.ssl.clusterCertificateSelector。

net.ssl.clusterPassword

Type: string

Deprecated since version 4.2自4.2版起弃用: Use net.tls.clusterPassword instead.：请改用net.tls.clusterPassword。

The password to de-crypt the x.509 certificate-key file specified with --sslClusterFile. 对用--sslClusterFile指定的x.509证书键文件进行解密的密码。Use the net.ssl.clusterPassword option only if the certificate-key file is encrypted. 仅当证书键文件已加密时，才使用net.ssl.clusterPassword选项。In all cases, the mongos or mongod will redact the password from all logging and reporting output.在所有情况下，mongos或mongod都会对所有日志记录和报告输出的密码进行编辑。

Starting in MongoDB 4.0:从MongoDB 4.0开始：

• On Linux/BSD, if the private key in the x.509 file is encrypted and you do not specify the net.ssl.clusterPassword option, MongoDB will prompt for a passphrase. 在Linux/BSD上，如果x.509文件中的私钥是加密的，并且您没有指定net.ssl.clusterPassword选项，MongoDB将提示输入密码短语。See TLS/SSL Certificate Passphrase.请参阅TLS/SSL证书密码短语。
• On macOS, if the private key in the x.509 file is encrypted, you must explicitly specify the net.ssl.clusterPassword option. 在macOS上，如果x.509文件中的私钥已加密，则必须明确指定net.ssl.clusterPassword选项。Alternatively, you can either use a certificate from the secure system store (see net.ssl.clusterCertificateSelector) instead of a cluster PEM file or use an unencrypted PEM file.或者，您可以使用安全系统存储中的证书（请参阅net.ssl.clusterCertificateSelector）而不是集群PEM文件，也可以使用未加密的PEM文件。
• On Windows, MongoDB does not support encrypted certificates. 在Windows上，MongoDB不支持加密证书。The mongod fails if it encounters an encrypted PEM file. 如果mongod遇到加密的PEM文件，它就会失败。Use net.ssl.clusterCertificateSelector.请使用net.ssl.clusterCertificateSelector。

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .有关TLS/SSL和MongoDB的更多信息，请参阅为TLS/SSL配置mongod和mongos以及针对客户端的TLS/SSL配置。

net.ssl.CAFile

Type: string

Deprecated since version 4.2自4.2版起弃用: Use net.tls.CAFile instead.：请改用net.tls.CAFile。

The .pem file that contains the root certificate chain from the Certificate Authority. .pem文件，包含来自证书颁发机构的根证书链。Specify the file name of the .pem file using relative or absolute paths.使用相对路径或绝对路径指定.pem文件的文件名。

Windows/macOS Only

If using net.ssl.certificateSelector and/or net.ssl.clusterCertificateSelector, do not use net.ssl.CAFile to specify the root and intermediate CA certificates. 如果使用net.ssl.certificateSelector和/或net.ssl.clusterCertificateSelector，请不要使用net.ssl.CAFile指定根证书和中间CA证书。Store all CA certificates required to validate the full trust chain of the net.ssl.certificateSelector and/or net.ssl.clusterCertificateSelector certificates in the secure certificate store.将验证net.ssl.certificateSelector和/或net.ssl.clusterCertificateSelector证书的完整信任链所需的所有CA证书存储在安全证书存储中。

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .有关TLS/SSL和MongoDB的更多信息，请参阅为TLS/SSL配置mongod和mongos以及针对客户端的TLS/SSL配置。

net.ssl.clusterCAFile

Type: string

Deprecated since version 4.2自4.2版起弃用: Use net.tls.clusterCAFile instead.：请改用net.tls.clusterCAFile。

The .pem file that contains the root certificate chain from the Certificate Authority used to validate the certificate presented by a client establishing a connection. .pem文件，包含证书颁发机构的根证书链，用于验证建立连接的客户端提供的证书。Specify the file name of the .pem file using relative or absolute paths. 使用相对路径或绝对路径指定.pem文件的文件名。net.ssl.clusterCAFile requires that net.ssl.CAFile is set.

If net.ssl.clusterCAFile does not specify the .pem file for validating the certificate from a client establishing a connection, the cluster uses the .pem file specified in the net.ssl.CAFile option.如果net.ssl.clusterCAFile没有指定用于验证来自建立连接的客户端的证书的.pem文件，则集群将使用net.ssl.CAFile选项中指定的.pem。

net.ssl.clusterCAFile lets you use separate Certificate Authorities to verify the client to server and server to client portions of the TLS handshake.允许您使用单独的证书颁发机构来验证TLS握手的客户端到服务器和服务器到客户端部分。

Starting in 4.0, on macOS or Windows, you can use a certificate from the operating system's secure store instead of a PEM key file. 从4.0开始，在macOS或Windows上，您可以使用操作系统安全存储中的证书，而不是PEM键文件。See net.ssl.clusterCertificateSelector. 请参阅net.ssl.clusterCertificateSelector。When using the secure store, you do not need to, but can, also specify the net.ssl.clusterCAFile.使用安全存储时，您不需要，但也可以指定net.ssl.clusterCAFile。

Windows/macOS Only

If using net.ssl.certificateSelector and/or net.ssl.clusterCertificateSelector, do not use net.ssl.clusterCAFile to specify the root and intermediate CA certificates. 如果使用net.ssl.certificateSelector和/或net.ssl.clusterCertificateSelector，请不要使用net.ssl.clusterCAFile来指定根证书和中间CA证书。Store all CA certificates required to validate the full trust chain of the net.ssl.certificateSelector and/or net.ssl.clusterCertificateSelector certificates in the secure certificate store.将验证net.ssl.certificateSelector和/或net.ssl.clusterCertificateSelector证书的完整信任链所需的所有CA证书存储在安全证书存储中。

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .有关TLS/SSL和MongoDB的更多信息，请参阅为TLS/SSL配置mongod和mongos以及针对客户端的TLS/SSL配置。

net.ssl.CRLFile

Type: string

Deprecated since version 4.2自4.2版起弃用: Use net.tls.CRLFile instead.：请改用net.tls.CRLFile。

The .pem file that contains the Certificate Revocation List. Specify the file name of the .pem file using relative or absolute paths.包含证书吊销列表的.pem文件。使用相对路径或绝对路径指定.pem文件的文件名。

Note

• Starting in MongoDB 4.0, you cannot specify net.ssl.CRLFile on macOS. 从MongoDB 4.0开始，您不能在macOS上指定net.ssl.CRLFile。Instead, you can use the system SSL certificate store, which uses OCSP (Online Certificate Status Protocol) to validate the revocation status of certificates. 相反，您可以使用系统SSL证书存储，该存储使用OCSP（在线证书状态协议）来验证证书的吊销状态。See net.ssl.certificateSelector in MongoDB 4.0 and net.tls.certificateSelector in MongoDB 4.2 to use the system SSL certificate store.请参阅MongoDB 4.0中的net.ssl.certificateSelector和MongoDB 4.2中的net.tls.certificateSelector来使用系统SSL证书存储。
• Starting in version 4.4, MongoDB enables, by default, the use of OCSP (Online Certificate Status Protocol) to check for certificate revocation as an alternative to specifying a CRL file or using the system SSL certificate store.从版本4.4开始，MongoDB默认情况下允许使用OCSP（在线证书状态协议）检查证书吊销，作为指定CRL文件或使用系统SSL证书存储的替代方案。

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .有关TLS/SSL和MongoDB的更多信息，请参阅为TLS/SSL配置mongod和mongos以及针对客户端的TLS/SSL配置。

net.ssl.allowConnectionsWithoutCertificates

Type: boolean

Deprecated since version 4.2自4.2版起弃用: Use net.tls.allowConnectionsWithoutCertificates instead.：请改用net.tls.allowConnectionsWithoutCertificates。

For clients that don't provide certificates, mongod or mongos encrypts the TLS/SSL connection, assuming the connection is successfully made.对于不提供证书的客户端，假设连接成功，mongod或mongos会对TLS/SSL连接进行加密。

For clients that present a certificate, however, mongos or mongod performs certificate validation using the root certificate chain specified by CAFile and reject clients with invalid certificates.然而，对于提供证书的客户端，mongos或mongod使用CAFile指定的根证书链执行证书验证，并拒绝具有无效证书的客户端。

Use the net.ssl.allowConnectionsWithoutCertificates option if you have a mixed deployment that includes clients that do not or cannot present certificates to the mongos or mongod.如果您的混合部署包括不向mongos或mongod提供证书或不能向其提供证书的客户端，请使用net.ssl.allowConnectionsWithoutCertificates选项。

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .有关TLS/SSL和MongoDB的更多信息，请参阅为TLS/SSL配置mongod和mongos以及针对客户端的TLS/SSL配置。

net.ssl.allowInvalidCertificates

Type: boolean

Deprecated since version 4.2自4.2版起弃用: Use net.tls.allowInvalidCertificates instead.：请改用net.tls.allowInvalidCertificates。

Enable or disable the validation checks for TLS/SSL certificates on other servers in the cluster and allows the use of invalid certificates to connect.启用或禁用群集中其他服务器上TLS/SSL证书的验证检查，并允许使用无效证书进行连接。

Note

Starting in MongoDB 4.0, if you specify any of the following x.509 authentication options, an invalid certificate is sufficient only to establish a TLS connection but it is insufficient for authentication:从MongoDB 4.0开始，如果指定以下x.509身份验证选项中的任何一个，则无效证书仅足以建立TLS连接，但不足以进行身份验证：

• --sslAllowInvalidCertificates or net.ssl.allowInvalidCertificates: true for MongoDB 4.0 and later
• --tlsAllowInvalidCertificates or net.tls.allowInvalidCertificates: true for MongoDB 4.2 and later

When using the net.ssl.allowInvalidCertificates setting, MongoDB logs a warning regarding the use of the invalid certificate.当使用net.ssl.allowInvalidCertificates设置时，MongoDB会记录有关使用无效证书的警告。

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .有关TLS/SSL和MongoDB的更多信息，请参阅为TLS/SSL配置mongod和mongos以及针对客户端的TLS/SSL配置。

net.ssl.allowInvalidHostnames

Type: boolean

Default: false

Deprecated since version 4.2.自4.2版起弃用。

Use net.tls.allowInvalidHostnames instead.请改用net.tls.allowInvalidHostnames。

When net.ssl.allowInvalidHostnames is true, MongoDB disables the validation of the hostnames in TLS/SSL certificates, allowing mongod to connect to MongoDB instances if the hostname their certificates do not match the specified hostname.当net.ssl.allowInvalidHostnames为true时，MongoDB将禁用TLS/SSL证书中主机名的验证，允许mongod在主机名及其证书与指定主机名不匹配时连接到MongoDB实例。

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .有关TLS/SSL和MongoDB的更多信息，请参阅为TLS/SSL配置mongod和mongos以及针对客户端的TLS/SSL配置。

net.ssl.disabledProtocols

Type: string

Deprecated since version 4.2自4.2版起弃用: Use net.tls.disabledProtocols instead.：请改用net.tls.disabledProtocols。

Prevents a MongoDB server running with TLS/SSL from accepting incoming connections that use a specific protocol or protocols. To specify multiple protocols, use a comma separated list of protocols.阻止使用TLS/SSL运行的MongoDB服务器接受使用特定协议的传入连接。要指定多个协议，请使用逗号分隔的协议列表。

net.ssl.disabledProtocols recognizes the following protocols: TLS1_0, TLS1_1, TLS1_2, and starting in version 4.0.4 (and 3.6.9), TLS1_3.net.ssl.disabledProtocols可识别以下协议：TLS1_0、TLS1_1、TLS1_2，以及从版本4.0.4（和3.6.9）开始的TLS1_3。

• On macOS, you cannot disable TLS1_1 and leave both TLS1_0 and TLS1_2 enabled. 在macOS上，不能禁用TLS1_1并同时启用TLS1_0和TLS1_2。You must disable at least one of the other two, for example, TLS1_0,TLS1_1.必须禁用其他两个中的至少一个，例如TLS1_0,TLS1_1。
• To list multiple protocols, specify as a comma separated list of protocols. For example TLS1_0,TLS1_1.要列出多个协议，请指定为以逗号分隔的协议列表。例如TLS1_0,TLS1_1。
• Specifying an unrecognized protocol will prevent the server from starting.指定无法识别的协议将阻止服务器启动。
• The specified disabled protocols overrides any default disabled protocols.指定的禁用协议将覆盖任何默认的禁用协议。

Starting in version 4.0, MongoDB disables the use of TLS 1.0 if TLS 1.1+ is available on the system. 从4.0版本开始，如果TLS 1.1+在系统上可用，MongoDB将禁用TLS 1.0的使用。To enable the disabled TLS 1.0, specify none to net.ssl.disabledProtocols. See Disable TLS 1.0.要启用禁用的TLS 1.0，请为net.ssl.disabledProtocols指定none。请参阅禁用TLS 1.0。

Members of replica sets and sharded clusters must speak at least one protocol in common.副本集和分片集群的成员必须至少使用一个通用协议。

Tip

See also: 另请参阅：

Disallow Protocols禁用协议

net.ssl.FIPSMode

Type: boolean

Deprecated since version 4.2自4.2版起弃用: Use net.tls.FIPSMode instead.：请改用net.tls.FIPSMode。

Enable or disable the use of the FIPS mode of the TLS/SSL library for the mongos or mongod. Your system must have a FIPS compliant library to use the net.ssl.FIPSMode option.为mongos或mongod启用或禁用TLS/SSL库的FIPS模式。您的系统必须具有符合FIPS的库才能使用net.ssl.FIPSMode选项。

Note

FIPS-compatible TLS/SSL is available only in MongoDB Enterprise. FIPS兼容的TLS/SSL仅在MongoDB企业版中可用。See Configure MongoDB for FIPS for more information.有关更多信息，请参阅配置MongoDB for FIPS。

net.compression Option

net:
   compression:
      compressors: <string>

net.compression.compressors

Default: snappy,zstd,zlib

Specifies the default compressor(s) to use for communication between this mongod or mongos instance and:指定用于此mongod或mongos实例与以下对象之间通信的默认压缩器：

• other members of the deployment if the instance is part of a replica set or a sharded cluster部署的其他成员（如果实例是副本集或分片集群的一部分）
• mongosh
• drivers that support the OP_COMPRESSED message format.支持OP_COMPRESSED消息格式的驱动程序。

MongoDB supports the following compressors:MongoDB支持以下压缩器：

• snappy
• zlib (Available starting in MongoDB 3.6)（从MongoDB 3.6开始提供）
• zstd (Available starting in MongoDB 4.2)（从MongoDB 4.2开始提供）

In versions 3.6 and 4.0, mongod and mongos enable network compression by default with snappy as the compressor.在3.6和4.0版本中，mongod和mongos默认启用网络压缩，并使用snappy作为压缩器。

Starting in version 4.2, mongod and mongos instances default to both snappy,zstd,zlib compressors, in that order.从4.2版本开始，mongod和mongos实例默认为snappy,zstd,zlib压缩器，按顺序排列。

To disable network compression, set the value to disabled.要禁用网络压缩，请将该值设置为disabled。

Important

Messages are compressed when both parties enable network compression. Otherwise, messages between the parties are uncompressed.当双方都启用网络压缩时，消息会被压缩。否则，双方之间的消息将被解压缩。

If you specify multiple compressors, then the order in which you list the compressors matter as well as the communication initiator. 如果指定了多个压缩器，那么列出压缩器的顺序与通信启动器一样重要。For example, if mongosh specifies the following network compressors zlib,snappy and the mongod specifies snappy,zlib, messages between mongosh and mongod uses zlib.例如，如果mongosh指定以下网络压缩器zlib,snappy，而mongod指定snappy,zlib，则mongosh和mongod之间的消息使用zlib。

If the parties do not share at least one common compressor, messages between the parties are uncompressed. 如果双方不共享至少一个公共压缩器，则双方之间的消息将被解压缩。For example, if mongosh specifies the network compressor zlib and mongod specifies snappy, messages between mongosh and mongod are not compressed.例如，如果mongosh指定网络压缩器zlib，mongod指定snappy，则mongosh和mongod之间的消息不会被压缩。

Key Management Configuration Options键管理配置选项

security:
   enableEncryption: <boolean>
   encryptionCipherMode: <string>
   encryptionKeyFile: <string>
   kmip:
      keyIdentifier: <string>
      rotateMasterKey: <boolean>
      serverName: <string>
      port: <string>
      clientCertificateFile: <string>
      clientCertificatePassword: <string>
      clientCertificateSelector: <string>
      serverCAFile: <string>
      connectRetries: <int>
      connectTimeoutMS: <int>
      activateKeys: <boolean>
      keyStatePollingSeconds: <int>

security.enableEncryption

Type: boolean

Default: false

Enables encryption for the WiredTiger storage engine. 为WiredTiger存储引擎启用加密。You must set to true to pass in encryption keys and configurations.必须设置为true才能传入加密键和配置。

Note

Enterprise Feature企业功能

Available in MongoDB Enterprise only.仅在MongoDB Enterprise中可用。

security.encryptionCipherMode

Type: string

Default: AES256-CBC

The cipher mode to use for encryption at rest:用于静态加密的密码模式：

Mode	Description描述
AES256-CBC	256-bit Advanced Encryption Standard in Cipher Block Chaining Mode256位高级加密标准在密码块链接模式下的应用
AES256-GCM	256-bit Advanced Encryption Standard in Galois/Counter ModeGalois/Counter模式下的256位高级加密标准 Available only on Linux. Changed in version 4.0:4.0版更改：MongoDB Enterprise on Windows no longer supports AES256-GCM. Windows上的MongoDB Enterprise不再支持AES256-GCM。This cipher is now available only on Linux. 此密码现在仅在Linux上可用。

Note

Enterprise Feature企业功能

Available in MongoDB Enterprise only.仅在MongoDB Enterprise中可用。

security.encryptionKeyFile

Type: string

The path to the local keyfile when managing keys via process other than KMIP. 通过KMIP以外的进程管理键时，本地键文件的路径。Only set when managing keys via process other than KMIP. If data is already encrypted using KMIP, MongoDB will throw an error.仅在通过KMIP以外的进程管理键时设置。如果数据已经使用KMIP加密，MongoDB将抛出一个错误。

Requires security.enableEncryption to be true.要求security.enableEncryption为true。

Note

Enterprise Feature企业功能

Available in MongoDB Enterprise only.仅在MongoDB Enterprise中可用。

security.kmip.keyIdentifier

Type: string

Unique KMIP identifier for an existing key within the KMIP server. KMIP服务器中现有键的唯一KMIP标识符。Include to use the key associated with the identifier as the system key. 包含将与标识符关联的键用作系统键。You can only use the setting the first time you enable encryption for the mongod instance. 您只能在第一次为mongod实例启用加密时使用该设置。Requires security.enableEncryption to be true.要求security.enableEncryption为true。

If unspecified, MongoDB will request that the KMIP server create a new key to utilize as the system key.如果未指定，MongoDB将请求KMIP服务器创建一个新键作为系统键。

If the KMIP server cannot locate a key with the specified identifier or the data is already encrypted with a key, MongoDB will throw an error.如果KMIP服务器找不到具有指定标识符的键，或者数据已经用键加密，MongoDB将抛出错误。

Note

Enterprise Feature企业功能

Available in MongoDB Enterprise only.仅在MongoDB Enterprise中可用。

security.kmip.rotateMasterKey

Type: boolean

Default: false

If true, rotate the master key and re-encrypt the internal keystore.如果为true，则旋转主键并重新加密内部键库。

Note

Enterprise Feature企业功能

Available in MongoDB Enterprise only.仅在MongoDB Enterprise中可用。

Tip

See also: 另请参阅：

KMIP Master Key RotationKMIP主键旋转

security.kmip.serverName

Type: string

Hostname or IP address of the KMIP server to connect to. Requires security.enableEncryption to be true.要连接到的KMIP服务器的主机名或IP地址。要求security.enableEncryption为true。

Starting in MongoDB 4.2.1 (and 4.0.14), you can specify multiple KMIP servers as a comma-separated list, e.g. server1.example.com,server2.example.com. 从MongoDB 4.2.1（和4.0.14）开始，您可以将多个KMIP服务器指定为逗号分隔的列表，例如server1.example.com,server2.example.com。On startup, the mongod will attempt to establish a connection to each server in the order listed, and will select the first server to which it can successfully establish a connection. KMIP server selection occurs only at startup.启动时，mongod将尝试按照列出的顺序建立与每个服务器的连接，并选择第一个可以成功建立连接的服务器。KMIP服务器选择仅在启动时发生。

mongod verifies the connection to the KMIP server on startup.在启动时验证与KMIP服务器的连接。

The server name specified in --kmipServerName must match either the Subject Alternative Name SAN or the Common Name CN on the certificate presented by the KMIP server. 在--kmipServerName中指定的服务器名称必须与KMIP服务器提供的证书上的使用者备用名称SAN或公用名称CN匹配。SAN can be a system name or an IP address.可以是系统名称或IP地址。

If SAN is present, mongod does not try to match against CN.如果存在SAN，mongod不会尝试与CN进行匹配。

If the hostname or IP address of the KMIP server does does not match either SAN or CN, mongod does not start.如果KMIP服务器的主机名或IP地址与SAN或CN不匹配，则mongod不会启动。

Starting in MongoDB 4.2, when performing comparison of SAN, MongoDB supports comparison of DNS names or IP addresses. In previous versions, MongoDB only supports comparisons of DNS names.从MongoDB 4.2开始，在进行SAN比较时，MongoDB支持DNS名称或IP地址的比较。在以前的版本中，MongoDB只支持DNS名称的比较。

Note

Enterprise Feature企业功能

Available in MongoDB Enterprise only.仅在MongoDB Enterprise中可用。

security.kmip.port

Type: string

Default: 5696

Port number to use to communicate with the KMIP server. 用于与KMIP服务器通信的端口号。Requires security.kmip.serverName. Requires security.enableEncryption to be true.需要security.kmip.serverName。要求security.enableEncryption为true。

If specifying multiple KMIP servers with security.kmip.serverName, the mongod will use the port specified with security.kmip.port for all provided KMIP servers.如果使用security.kmip.serverName指定多个KMIP服务器，则mongod将为所有提供的KMIP服务器使用使用security.kmip.port指定的端口。

Note

Enterprise Feature企业功能

Available in MongoDB Enterprise only.仅在MongoDB Enterprise中可用。

security.kmip.clientCertificateFile

Type: string

Path to the .pem file used to authenticate MongoDB to the KMIP server. 用于向KMIP服务器验证MongoDB的.pem文件的路径。The specified .pem file must contain both the TLS/SSL certificate and key.指定的.pem文件必须同时包含TLS/SSL证书和键。

To use this setting, you must also specify the security.kmip.serverName setting.若要使用此设置，还必须指定security.kmip.serverName设置。

Note

Starting in 4.0, on macOS or Windows, you can use a certificate from the operating system's secure store instead of a PEM key file. 从4.0开始，在macOS或Windows上，您可以使用操作系统安全存储中的证书，而不是PEM键文件。See security.kmip.clientCertificateSelector.请参阅security.kmip.clientCertificateSelector。

Note

Enterprise Feature企业功能

Available in MongoDB Enterprise only.仅在MongoDB Enterprise中可用。

security.kmip.clientCertificatePassword

Type: string

The password to decrypt the client certificate (i.e. security.kmip.clientCertificateFile), used to authenticate MongoDB to the KMIP server. 解密客户端证书的密码（即security.kmip.clientCertificateFile），用于向KMIP服务器验证MongoDB。Use the option only if the certificate is encrypted.仅当证书已加密时才使用该选项。

Note

Enterprise Feature企业功能

Available in MongoDB Enterprise only.仅在MongoDB Enterprise中可用。

security.kmip.clientCertificateSelector

Type: string

New in version 4.0:4.0版新增：(and 4.2.15, 4.4.7, and 5.0)

Available on Windows and macOS as an alternative to security.kmip.clientCertificateFile.在Windows和macOS上可用作security.kmip.clientCertificateFile的替代方案。

security.kmip.clientCertificateFile and 和security.kmip.clientCertificateSelector options are mutually exclusive. You can only specify one.选项是相互排斥的。您只能指定一个。

Specifies a certificate property in order to select a matching certificate from the operating system's certificate store to authenticate MongoDB to the KMIP server.指定一个证书属性，以便从操作系统的证书存储中选择一个匹配的证书，以向KMIP服务器验证MongoDB。

security.kmip.clientCertificateSelector accepts an argument of the format <property>=<value> where the property can be one of the following:接受格式为<property>=<value>的参数，其中该属性可以是以下内容之一：

Property属性	Value type值类型	Description描述
subject	ASCII string	Subject name or common name on certificate证书上的使用者名称或通用名称
thumbprint	hex string	A sequence of bytes, expressed as hexadecimal, used to identify a public key by its SHA-1 digest.一种字节序列，用十六进制表示，用于通过SHA-1摘要识别公钥。 The thumbprint is sometimes referred to as a fingerprint. thumbprint有时被称为fingerprint。

Note

Enterprise Feature企业功能

Available in MongoDB Enterprise only.仅在MongoDB Enterprise中可用。

security.kmip.serverCAFile

Type: string

Path to CA File. Used for validating secure client connection to KMIP server.CA文件的路径。用于验证与KMIP服务器的安全客户端连接。

Note

Starting in 4.0, on macOS or Windows, you can use a certificate from the operating system's secure store instead of a PEM key file. 从4.0开始，在macOS或Windows上，您可以使用操作系统安全存储中的证书，而不是PEM键文件。See security.kmip.clientCertificateSelector. 请参阅security.kmip.clientCertificateSelector。When using the secure store, you do not need to, but can, also specify the security.kmip.serverCAFile.使用安全存储时，您不需要，但也可以指定security.kmip.serverCAFile。

Note

Enterprise Feature企业功能

Available in MongoDB Enterprise only.仅在MongoDB Enterprise中可用。

security.kmip.connectRetries

Type: int

Default: 0

New in version 4.4. 4.4版新增。

How many times to retry the initial connection to the KMIP server. 重试与KMIP服务器的初始连接的次数。Use together with connectTimeoutMS to control how long the mongod waits for a response between each retry.与connectTimeoutMS一起使用可以控制mongod在每次重试之间等待响应的时间。

Note

Enterprise Feature企业功能

Available in MongoDB Enterprise only.仅在MongoDB Enterprise中可用。

security.kmip.connectTimeoutMS

Type: int

Default: 5000

New in version 4.4. 4.4版新增。

Timeout in milliseconds to wait for a response from the KMIP server. 等待KMIP服务器响应的超时（以毫秒为单位）。If the connectRetries setting is specified, the mongod will wait up to the value specified with connectTimeoutMS for each retry.如果指定了connectRetries设置，则mongod将在每次重试时等待connectTimeoutMS指定的值。

Value must be 1000 or greater.值必须大于或等于1000。

Note

Enterprise Feature企业功能

Available in MongoDB Enterprise only.仅在MongoDB Enterprise中可用。

security.kmip.activateKeys

Type: boolean

Default: true

New in version 5.3. 5.3版新增。

Activates all newly created KMIP keys upon creation and then periodically checks those keys are in an active state.在创建时激活所有新创建的KMIP键，然后定期检查这些键是否处于活动状态。

When security.kmip.activateKeys is true and you have existing keys on a KMIP server, the key must be activated first or the mongod node will fail to start.当security.kmip.activateKeys为true并且您在KMIP服务器上有现有键时，必须首先激活该键，否则mongod节点将无法启动。

If the key being used by the mongod transitions into a non-active state, the mongod node will shut down unless kmipActivateKeys is false. 如果mongod使用的键转换为非活动状态，则mongod节点将关闭，除非kmipActivateKeys为false。To ensure you have an active key, rotate the KMIP master key by using security.kmip.rotateMasterKey.要确保您有一个活动键，请使用security.kmip.rotateMasterKey。

security.kmip.keyStatePollingSeconds

Type: int

Default: 900 seconds

New in version 5.3. 5.3版新增。

Frequency in seconds at which mongod polls the KMIP server for active keys.mongod轮询KMIP服务器以获取活动键的频率（以秒为单位）。

To disable disable polling, set the value to -1.要禁用禁用轮询，请将值设置为-1。