Configuring SSL Verification
If you are connecting to a MongoDB server that has Secure Sockets Layer (SSL) enabled, then you can configure the connector to connect to an SSL-enabled socket. When connecting to a server over SSL, the connector supports identity verification between the client and the server.
You can set the connection properties described below in a connection string or in a DSN (in the odbc.ini file). Settings in the connection string take precedence over settings in the DSN.
Configuring an SSL Connection without Identity Verification
You can configure a connection that uses SSL but does not verify the identity of the client or the server.
To configure an SSL connection without verification:
- Set the SSL property to 1.
- Set the sslAllowInvalidCertificates property to 1.
Configuring One-way SSL Verification
You can configure one-way verification so that the client verifies the identity of the MongoDB server.
To configure one-way SSL verification:
- Set the SSL property to 1.
- Choose one:
  - To verify the server using a certificate from a specific .pem file, set the sslCAFile property to the full path of the PEM file.
  - Or, to verify the server using certificates stored in multiple .pem files, set the sslCADir property to the full path of the directory where the PEM files are located.
- Set the sslCRLFile to the full path of the .pem file containing the list of revoked certificates.
Configuring Two-way SSL Verification
You can configure two-way SSL verification so that the client and the MongoDB server verify each other.
To configure two-way SSL verification:
- Set the SSL property to 1.
- Set the sslPEMKeyFile property to the full path of the .pem file containing the certificate for verifying the client.
- If the client certificate is protected with a password, set the sslPEMKeyPwd property to the password.
- Choose one:
  - To verify the server using a certificate from a specific .pem file, set the sslCAFile property to the full path of the PEM file.
  - Or, to verify the server using certificates stored in multiple .pem files, set the sslCADir property to the full path of the directory where the .pem files are located.
- Set the sslCRLFile to the full path of the .pem file containing the list of revoked certificates.
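The following script is an added example, not part of the connector or its documentation. It reads the text of an odbc.ini file and reports which of the three configurations described above each DSN matches; the DSN names, paths and password in the sample are constructed, and treating sslAllowInvalidCertificates=1 as overriding any CA setting is an assumption.

```python
import configparser

# Constructed sample odbc.ini: DSN names, paths and the password are made up.
# Only the SSL-related properties named on this page are shown.
SAMPLE_ODBC_INI = """\
[mongo_no_verify]
SSL=1
sslAllowInvalidCertificates=1

[mongo_one_way]
SSL=1
sslCAFile=/etc/ssl/mongo/ca.pem
sslCRLFile=/etc/ssl/mongo/crl.pem

[mongo_two_way]
SSL=1
sslPEMKeyFile=/etc/ssl/mongo/client.pem
sslPEMKeyPwd=example-password
sslCADir=/etc/ssl/mongo/ca.d
"""

def classify_dsn(section):
    """Return (mode, findings) for one DSN section."""
    def get(key):  # configparser lowercases keys, so lookups ignore case
        return section.get(key, "").strip()
    if get("SSL") != "1":
        return "no-ssl", ["SSL property is not 1"]
    # Assumption: sslAllowInvalidCertificates=1 disables verification even
    # when CA settings are also present, so it is checked first.
    if get("sslAllowInvalidCertificates") == "1":
        return "ssl-no-verification", ["peer identity is not verified"]
    if not (get("sslCAFile") or get("sslCADir")):
        return "incomplete", ["neither sslCAFile nor sslCADir is set"]
    findings = []
    if not get("sslCRLFile"):
        findings.append("sslCRLFile is not set")
    if get("sslPEMKeyPwd"):
        findings.append("sslPEMKeyPwd is stored in clear text in the DSN")
    mode = "two-way" if get("sslPEMKeyFile") else "one-way"
    return mode, findings

def audit(ini_text):
    """Map each DSN name to its (mode, findings) tuple."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    return {name: classify_dsn(parser[name]) for name in parser.sections()}

if __name__ == "__main__":
    for dsn, (mode, findings) in audit(SAMPLE_ODBC_INI).items():
        print(f"{dsn}: {mode} {findings}")
```

Because settings in the connection string take precedence over the DSN, a DSN that passes this check can still be overridden by the application's connection string, which should be reviewed separately.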
- SSL Driver Configuration Options
- Configuring Authentication
- Configuring the Driver