Secure your Mongo clusters with SSL

MongoDirector now supports enabling SSL for your MongoDB servers. SSL is extremely important to maintain the privacy and validity of your data over untrusted networks. If you are deploying a production database cluster on the internet SSL is definitely something you should consider.

Enabling SSL is now as easy as checking a box in the creation wizard.

MongodB with ssl

So why use SSL with mongodb?

1. Privacy – If you are connecting to your MongoDB server over unsecured networks your data is traveling unencrypted and is susceptible to eavesdropping and tampering. SSL encrypts the data so that only the two endpoints have access to the unencrypted data.
2. Authentication – Use  PKI (Private key infrastructure) to ensure that only clients with certificates from an appropriate CA can connect to the Mongodb server. This is an additional step and you can choose to not use your custom certificates or CA – you will still have the benefits of privacy due to end to end encryption.

Drawbacks

1. Performance overhead – There is definitely some performance overhead for using SSL. While we are yet to run comprehensive test there is definite overhead due to using SSL.
2. Lack of MongoDB UI – Most of the popular MongoDB UI’s don’t support SSL out of the box. So you might need to go for the paid version or use the mongo console.

Connecting to your SSL enabled MongoDB server
If you connecting to a server with SSL enabled there are several differences in the mongo connection code. Please refer to the documentation of your driver for more details.

1. Mongo shell
The default mongo client does not support connections to a SSL enabled server – you need the SSL enabled build of mongo. You can SSH into the SSL enabled server and then use the mongo client on the server to connect. Here is the syntax to connect using  the admin user provided by MongoDirector.

mongo --ssl -u admin -p <pass> servername/admin</p>

If you would like to download the SSL enabled mongo client to your own server please contact support@mongodirector.com

2. Code:
You will need to append the “ssl=true” property to your MongoDB connection string. Also certain platforms (E.g. JDK) will require you to add the public key of the SSL certificate to the trusted path before you can connect to the server. By default a self signed certificate is generated for every server. Download the certificate from /etc/ssl on the server. For more instructions on how you can ssh into the instance refer to the “VM Credentials” section in this blog post. Once you download the public key you will need to add it to your trusted keystone.

keytool -import -alias "MongoDB-cert" -file "/etc/ssl/mongodb-cert.crt" 
-keystore "/usr/java/default/jre/lib/security/cacerts"
-noprompt -storepass "changeit"

The default password for the cacerts store is “changeit”. For security reasons you should change this password to your own. Once you have added the certificate enumerate the certs in the keystone to confirm that the certificate got added

keytool -list -keystore cacerts -storepass changeit

3. Mongo UI : Robomongo
RoboMongo is one of the few mongo UI’s that support connecting with SSL. When creating a connection to your MongoDB server select the SSL option. For the certificate use the .pem file that has both the public key and the private key. This file is located at /etc/ssl on your mongodb server.
Connect to Mongodb with ssl using Robomongo

As always if you have any questions please reach out to us at support@mongodirector.com