MongoDB SSL encryption and Spring's Driver

There is very limited information regarding MongoDB and SSL encryption for the transport between replica sets and drivers (java clients). Anyone have any experience setting this up? Looking to have traffic (queries and replica information) between nodes encrypted without having to use stunnel or some other SSL proxy method.


Solution 1:

First, let me say that the MongoDB SSL docs are being worked on, most of the information here will be included there eventually, but until then.....

The Java driver, which I believe spring uses, does support SSL. In terms of getting mongoDB running with SSL, there are currently two options. First, you can become a subscriber and use the subscriber edition - that has SSL (and SNMP) support built in:

https://www.10gen.com/mongodb-subscriber-edition-download

As of writing this, it is very much a new offering and is only available for Amazon Linux and Ubuntu.

The second option, thanks to the fact that MongoDB is open source, is to build yourself a copy of mongoDB with SSL support. To do so, first I would recommend following the general build instructions until you succeed with a non-SSL build:

http://www.mongodb.org/display/DOCS/Building+for+Linux

Then build with the --ssl flag passed to scons to enable SSL. You will also likely have to install the required openssl libraries or the configure will fail dependencies check (generally libssl and libssl-dev).

Once you complete that step, you should be good to go. When running MongoDB with SSL enabled bear in mind that you have to connect with SSL for everything. All clients, the shell, the driver and MMS will all have to connect via SSL or fail. In order to start mongod with SSL you will need a cert, a key, the password and something like these options (in addition to any other options you want to pass):

mongod --sslOnNormalPorts --sslPEMKeyFile <pem> --sslPEMKeyPassword <pass>

You may also specify these option in a config file (usually /etc/mongodb.conf) like so:

sslOnNormalPorts = true
sslPEMKeyFile = /etc/ssl/mongodb.pem
sslPEMKeyPassword = pass

For the shell simply use

mongo --ssl --host <hostname> --port <port>

Finally, you mentioned using Java, here is an example "sslApp.java" class file:

import com.mongodb.*;
import javax.net.ssl.SSLContext;
public class sslApp {
public static void main(String args[])
throws Exception {
         MongoOptions o = new MongoOptions();
         o.socketFactory = SSLSocketFactory.getDefault();
         Mongo m = new Mongo( "localhost" , o );
         DB db = m.getDB( "test" );
         DBCollection c = db.getCollection( "foo" );
         System.out.println( c.findOne() );
} }