Running with SSL Enabled
Luke Lovett edited this page Jan 27, 2015 · 1 revision
This page provides information on how to start MongoDB with SSL support enabled using Mongo Orchestration. First make sure that:
- You have MongoDB binaries that have SSL support (should see SSL options in --help).
- These binaries are on your PATH or described in Mongo Orchestration's config file.
All SSL parameters are described within the sslParams field in any request to start MongoDB nodes. For example:
curl -XPOST http://localhost:8889/v1/replica_sets -d'{
    "members": [{},{},{}],
    "sslParams": {
        "sslAllowInvalidCertificates": true,
        "sslCAFile": "tests/lib/ca.pem",
        "sslMode": "requireSSL",
        "sslPEMKeyFile": "tests/lib/server.pem"
    }
}'
If we want to have member authentication (authenticating nodes among themselves) using MONGODB-X509, we need to set the clusterAuthMode flag on each individual node. Amending the previous example:
curl -XPOST http://localhost:8889/v1/replica_sets -d'{
    "members": [
        {"procParams": {"clusterAuthMode": "x509"}},
        {"procParams": {"clusterAuthMode": "x509"}},
        {"procParams": {"clusterAuthMode": "x509"}}
    ],
    "sslParams": {
        "sslAllowInvalidCertificates": true,
        "sslCAFile": "tests/lib/ca.pem",
        "sslMode": "requireSSL",
        "sslPEMKeyFile": "tests/lib/server.pem"
    }
}'
If we want to use MONGODB-X509 to authenticate clients, we need to set the authenticationMechanisms parameter on each server as well. For example, to be able to use SSL certificates to authenticate clients in addition to the "default" SCRAM-SHA-1 authentication mechanism, we'd specify both:
curl -XPOST http://localhost:8889/v1/replica_sets -d'{
    "members": [
        {
            "procParams": {"clusterAuthMode": "x509"},
            "setParameter": {"authenticationMechanisms": "MONGODB-X509,SCRAM-SHA-1"}
        },
        {
            "procParams": {"clusterAuthMode": "x509"},
            "setParameter": {"authenticationMechanisms": "MONGODB-X509,SCRAM-SHA-1"}
        },
        {
            "procParams": {"clusterAuthMode": "x509"},
            "setParameter": {"authenticationMechanisms": "MONGODB-X509,SCRAM-SHA-1"}
        }
    ],
    "sslParams": {
        "sslAllowInvalidCertificates": true,
        "sslCAFile": "tests/lib/ca.pem",
        "sslMode": "requireSSL",
        "sslPEMKeyFile": "tests/lib/server.pem"
    }
}'
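The requests above set sslAllowInvalidCertificates to true, which bypasses certificate validation, and the x509 settings have to be repeated on every member, so one node is easily left unconfigured. The Python below is an added example, not part of Mongo Orchestration: it builds the request body in the layout shown on this page and audits a body for those problems before it is sent. The helper names build_request and audit_request and the SAMPLE body are assumptions made for illustration.

```python
import json

def build_request(n, ca_file, pem_key_file, client_x509=False):
    """Build the request body in the layout shown on this page, one entry per node."""
    members = []
    for _ in range(n):
        member = {"procParams": {"clusterAuthMode": "x509"}}
        if client_x509:
            member["setParameter"] = {
                "authenticationMechanisms": "MONGODB-X509,SCRAM-SHA-1"}
        members.append(member)
    return {"members": members,
            "sslParams": {"sslAllowInvalidCertificates": False,
                          "sslCAFile": ca_file,
                          "sslMode": "requireSSL",
                          "sslPEMKeyFile": pem_key_file}}

def audit_request(body, expect_client_x509=False):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    ssl = body.get("sslParams", {})
    if ssl.get("sslMode") != "requireSSL":
        findings.append("sslParams: sslMode is not requireSSL")
    if ssl.get("sslAllowInvalidCertificates"):
        findings.append("sslParams: sslAllowInvalidCertificates is true")
    for key in ("sslCAFile", "sslPEMKeyFile"):
        if not ssl.get(key):
            findings.append("sslParams: %s is missing" % key)
    for i, member in enumerate(body.get("members", [])):
        if member.get("procParams", {}).get("clusterAuthMode") != "x509":
            findings.append("member %d: clusterAuthMode is not x509" % i)
        mechs = member.get("setParameter", {}).get("authenticationMechanisms", "")
        if expect_client_x509 and "MONGODB-X509" not in mechs.split(","):
            findings.append("member %d: MONGODB-X509 not enabled" % i)
    return findings

# Constructed sample: the second request on this page with the last node left at {}.
SAMPLE = {"members": [{"procParams": {"clusterAuthMode": "x509"}},
                      {"procParams": {"clusterAuthMode": "x509"}},
                      {}],
          "sslParams": {"sslAllowInvalidCertificates": True,
                        "sslCAFile": "tests/lib/ca.pem",
                        "sslMode": "requireSSL",
                        "sslPEMKeyFile": "tests/lib/server.pem"}}

if __name__ == "__main__":
    print("\n".join(audit_request(SAMPLE)))
    print(json.dumps(build_request(3, "tests/lib/ca.pem", "tests/lib/server.pem")))
```

The JSON printed by build_request can be passed to curl's -d option in place of the hand-written body.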