OPTIONS
翻译或纠错本页面

Upgrade a Cluster to Use SSL

注解

The default distribution of MongoDB does not contain support for SSL. To use SSL you can either compile MongoDB with SSL support or use MongoDB Enterprise. See Configure mongod and mongos for SSL for more information about SSL and MongoDB.

在 2.6 版更改.

The MongoDB server supports listening for both SSL encrypted and unencrypted connections on the same TCP port. This allows upgrades of MongoDB clusters to use SSL encrypted connections. To upgrade from a MongoDB cluster using no SSL encryption to one using only SSL encryption, use the following rolling upgrade process:

  1. For each node of a cluster, start the node with the option --sslMode set to allowSSL. The --sslMode allowSSL setting allows the node to accept both SSL and non-SSL incoming connections. Its connections to other servers do not use SSL. Include other SSL options as well as any other options that are required for your specific configuration. For example:

    mongod --replSet <name> --sslMode allowSSL --sslPEMKeyFile <path to SSL Certificate and key PEM file> --sslCAFile <path to root CA PEM file>
    

    Upgrade all nodes of the cluster to these settings.

    注解

    You may also specify these options in the configuration file, as in the following example:

    sslMode = <disabled|allowSSL|preferSSL|requireSSL>
    sslPEMKeyFile = <path to SSL certificate and key PEM file>
    sslCAFile = <path to root CA PEM file>
    
  2. Switch all clients to use SSL. See SSL Configuration for Clients.

  3. For each node of a cluster, use the setParameter command to update the sslMode to preferSSL. [1] With preferSSL as its net.ssl.mode, the node accepts both SSL and non-SSL incoming connections, and its connections to other servers use SSL. For example:

    db.getSiblingDB('admin').runCommand( { setParameter: 1, sslMode: "preferSSL" } )
    

    Upgrade all nodes of the cluster to these settings.

    At this point, all connections should be using SSL.

  4. For each node of the cluster, use the setParameter command to update the sslMode to requireSSL. [1] With requireSSL as its net.ssl.mode, the node will reject any non-SSL connections. For example:

    db.getSiblingDB('admin').runCommand( { setParameter: 1, sslMode: "requireSSL" } )
    
  5. After the upgrade of all nodes, edit the configuration file with the appropriate SSL settings to ensure that upon subsequent restarts, the cluster uses SSL.

[1](1, 2) As an alternative to using the setParameter command, you can also restart the nodes with the appropriate SSL options and values.