To fully implement SSL with the MongoDB driver, you must specify values for SSL connection properties in these two distinct ways:
First, you must specify values for SSL connection properties when creating a schema map with the Schema Tool. Specifically, in the Open Schema Map dialog, you must enter key-value pairs in the Connection Options field. (See Starting the Schema Tool for details.) These values must match the values you specify in the connection URL used by your JDBC application.
Note: When creating or opening a schema map, the Schema Tool accesses data from the server for the purpose of object mapping and generating column statistics. This process requires data to be transferred over networks, which can make data vulnerable to interception by unauthorized parties. To provide more secure transmission of data, you should consider implementing SSL.
Second, you must specify values for SSL connection properties in the connection URL used by your JDBC application. These values should match the values you specify when creating a schema map with the Schema Tool.
The following steps outline how to configure SSL encryption. These steps should be taken when you create a schema map with the Schema Tool and when you formulate the connection URL used by your application. Moreover, the connection property values specified in the Schema Tool must match the values specified in the connection URL used by your JDBC application.
Note: Connection hangs can occur when the driver is configured for SSL and the database server does not support SSL. You may want to set a login timeout using the LoginTimeout property to avoid problems when connecting to a server that does not support SSL.
To configure SSL encryption:
1. Set the EncryptionMethod property to SSL.
2. Specify the location and password of the truststore file used for SSL server authentication. Either set the TrustStore and TrustStorePassword properties or their corresponding Java system properties (javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword, respectively).
3. To validate certificates sent by the database server, set the ValidateServerCertificate property to true.
4. Optionally, set the HostNameInCertificate property to a host name to be used to validate the certificate. The HostNameInCertificate property provides additional security against man-in-the-middle (MITM) attacks by ensuring that the server the driver is connecting to is the server that was requested.
5. If your database server is configured for SSL client authentication, configure your keystore information:
a. Specify the location and password of the keystore file. Either set the KeyStore and KeyStorePassword properties or their corresponding Java system properties (javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword, respectively).
b. If any key entry in the keystore file is password-protected, set the KeyPassword property to the key password.