Setting up SSL for a MongoDB Java application

You can set up SSL for a MongoDB Java™ application. This information uses MongoDB Java client driver version 3.0 and assumes that the Java client driver runs on a Linux® system.

Procedure

To use SSL for a MongoDB Java application, complete the following steps:

  1. To set up the truststore and optionally set up the keystore on the Linux system, complete the following steps:
    1. To set up the truststore on the Linux system, import the certificate authority (CA) certificate file into a truststore, for example, by using the keytool utility.

      The CA certificate file is used to validate the server certificate of z/TPF support for MongoDB, which is defined in the SSL configuration file for MongoDB on the z/TPF system.

      The following example uses the keytool command to import the CA certificate file into a truststore:
      keytool -import -file /certs/cacert.pem -alias mongoClient -keystore /trust/mongoStore.ts -storepass StorePass
    2. Optional: Set up the keystore on the Linux system if you enable client authentication by specifying VERIFYPEER=YES in the SSL configuration file for MongoDB on the z/TPF system.

      To set up the keystore on the Linux system, import the key and certificate of the Java application into a keystore on the Linux system, for example, by using the keytool utility on the Linux system.

      The keytool utility might require that the key and certificate of the Java application are in one pkcs12 file. You can use the openssl pkcs12 command on the Linux system to create the pkcs12 file from the existing certificate and key files, as shown in the following example:
      openssl pkcs12 -export -in MongoClientCert.pem -inkey MongoClientKey.pem -out MongoClientKeyCert.p12 -name mongoClient
      Note: This command prompts you to assign an export password for the pkcs12 file. You need the same password when you import the pkcs12 file with the keytool command.
      When the pkcs12 file is created, import this file into a keystore on the Linux system by using the keytool command, as shown in the following example:
      keytool -importkeystore -srckeystore MongoClientKeyCert.p12 -destkeystore /keys/MongoClientKeyCert.jks -srcstoretype pkcs12 -alias mongoClient -destkeypass StorePass
      Note: You are asked to enter the password for the pkcs12 file. The password is created when you enter the openssl pkcs12 command to create the pkcs12 file.
    3. Set the Java system properties in your Java application to point to the truststore and, if needed, the keystore.

      You must set the Java system properties before the Java application tries to connect to the z/TPF system.

      The following example defines the truststore in a Java application:
      System.setProperty("javax.net.ssl.trustStore","/trust/mongoStore.ts");
      System.setProperty("javax.net.ssl.trustStorePassword","StorePass");
      The following example defines the keystore, if needed, in a Java application:
      System.setProperty("javax.net.ssl.keyStore","/keys/MongoClientKeyCert.jks");
      System.setProperty("javax.net.ssl.keyStorePassword","StorePass");
  2. Enable SSL on the MongoDB Java client when you instantiate the MongoClient object.
    The following example builds the options that are required to use SSL in the MongoDB Java client and creates the client with them.
    import com.mongodb.MongoClient;
    import com.mongodb.MongoClientOptions;
    import com.mongodb.MongoCredential;
    import com.mongodb.ServerAddress;
    import java.util.Arrays;

    MongoClientOptions.Builder builder = MongoClientOptions.builder();
    builder.sslEnabled(true);
    // If the host name or common name in the server certificate does not match the
    // host name of the system, the following line is required. It turns off host name
    // verification, so any certificate that the truststore trusts is accepted for this host.
    // builder.sslInvalidHostNameAllowed(true);
    MongoClientOptions sslOptions = builder.build();
    // Create the MongoDB client with the SSL options. myServer is the z/TPF system
    // that runs the MongoDB server.
    ServerAddress myServer = new ServerAddress(hostName);
    MongoCredential credential = MongoCredential.createMongoCRCredential("user", "tpfdf", "pw".toCharArray());
    MongoClient mongoClient = new MongoClient(myServer, Arrays.asList(credential), sslOptions);
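The following complete class ties the steps above together. It is an added example and is not code from the z/TPF documentation or from the MongoDB driver project. It assumes the truststore and keystore were created with keytool as in step 1, takes the store locations, passwords and server host name from environment variables (MONGO_HOST, MONGO_TRUSTSTORE, MONGO_TRUSTSTORE_PASS, MONGO_KEYSTORE, MONGO_KEYSTORE_PASS, MONGO_USER, MONGO_PASS, all hypothetical names chosen here) so that no password is hard-coded in the source, assumes the default MongoDB port 27017, and keeps host name verification enabled.

```java
import com.mongodb.MongoClient;
import com.mongodb.MongoClientOptions;
import com.mongodb.MongoCredential;
import com.mongodb.ServerAddress;
import org.bson.Document;

import java.util.Collections;

/**
 * Added example (not from the z/TPF documentation): opens an SSL connection to a
 * MongoDB server with the 3.0 Java driver, using a truststore and an optional
 * keystore prepared with keytool as described in step 1.
 *
 * Assumption: the environment variables named below (hypothetical names) supply
 * the store locations, passwords, host name and user credentials.
 */
public class SslMongoClientExample {

    /** Installs the JSSE store locations as system properties. This must run
     *  before the first MongoClient is built, because the driver creates its
     *  SSL socket factory from these properties at that time. */
    static void configureStores() {
        System.setProperty("javax.net.ssl.trustStore", require("MONGO_TRUSTSTORE"));
        System.setProperty("javax.net.ssl.trustStorePassword", require("MONGO_TRUSTSTORE_PASS"));

        // The keystore is needed only when the server verifies client certificates
        // (VERIFYPEER=YES in the SSL configuration file for MongoDB on z/TPF).
        String keyStore = System.getenv("MONGO_KEYSTORE");
        if (keyStore != null && !keyStore.isEmpty()) {
            System.setProperty("javax.net.ssl.keyStore", keyStore);
            System.setProperty("javax.net.ssl.keyStorePassword", require("MONGO_KEYSTORE_PASS"));
        }
    }

    /** Reads a required environment variable and fails early if it is missing. */
    static String require(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("environment variable " + name + " is not set");
        }
        return value;
    }

    /** Builds client options with SSL on. sslInvalidHostNameAllowed is left at its
     *  default (false) so the host name in the server certificate must match the
     *  host that the client connects to. */
    static MongoClientOptions sslOptions() {
        return MongoClientOptions.builder()
                .sslEnabled(true)
                .build();
    }

    public static void main(String[] args) {
        configureStores();

        // Assumption: the MongoDB server listens on the default port 27017.
        ServerAddress server = new ServerAddress(require("MONGO_HOST"), 27017);

        // MONGODB-CR is the mechanism the page uses with driver 3.0; the
        // credential is defined in the tpfdf database as in the page's example.
        MongoCredential credential = MongoCredential.createMongoCRCredential(
                require("MONGO_USER"), "tpfdf", require("MONGO_PASS").toCharArray());

        MongoClient client = new MongoClient(server, Collections.singletonList(credential), sslOptions());
        try {
            // A ping command proves that both the TLS handshake and the
            // authentication succeeded.
            Document reply = client.getDatabase("tpfdf").runCommand(new Document("ping", 1));
            System.out.println("ping reply: " + reply.toJson());
        } finally {
            client.close();
        }
    }
}
```

If the TLS handshake fails because the server certificate is not trusted, the driver reports a connection exception whose cause is an SSLHandshakeException; checking that the CA certificate was imported into the truststore named in MONGO_TRUSTSTORE (for example with keytool -list -keystore) is the first thing to verify.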