SSL Example

Running mongod with SSL

In order to run monary with SSL, mongod needs to be compiled with ssl enabled. Instructions can be found here.

To run mongod with SSL options:

$ mongod --sslOnNormalPorts --sslPEMKeyFile <pem> --sslCAFile=<ca>

The test permissions files can be found in the “test/certificates” directory of the Monary source. To run mongod with the SSL permissions provided by the monary source directory:

$ mongod --sslOnNormalPorts --sslPEMKeyFile=test/certificates/server.pem
         --sslCAFile=test/certificates/ca.pem --sslWeakCertificateValidation

First we’re going to put some sample data into our DB. Make sure you are using a mongo shell that has been compiled with SSL:

$ mongo --ssl
  > for (var i = 0; i < 5; i++) { db.ssl.insert({x1:NumberInt(i) }) }
  WriteResult({ "nInserted" : 1 })

The sample certificate files can be downloaded from here. Collect the certificate files to be passed to Monary:

>>> import os
>>> import monary
>>> cert_path = os.path.join("test", "certificates")
>>> client_pem = os.path.join(cert_path, 'client.pem')
>>> ca_pem = os.path.join(cert_path, 'ca.pem')

Connect with Monary:

>>> with monary.Monary("mongodb://localhost:27017/?ssl=true",
...                    pem_file=client_pem,
...                    ca_file=ca_pem,
...                    ca_dir=cert_path,
...                    weak_cert_validation=False) as m:
...     arrays = m.query("test", "ssl", {}, ["x1"], ["float64"])
>>> arrays
[masked_array(data = [1.0 0.0 1.0 2.0 3.0 4.0],
        mask = [False False False False False False],
  fill_value = 1e+20)

Password Protected PEM Files

To run mongod with a password-protected PEM file, you need to run mongo with the following options:

$ mongod --sslMode requireSSL --sslPEMKeyFile=<password-protected-pem> --sslPEMKeyPassword "qwerty"

For example, with the test/certificates files:

$ mongod --sslMode requireSSL --sslPEMKeyFile=test/certificates/password_protected.pem --sslPEMKeyPassword "qwerty"

To connect with an SSL-protected MongoDB instance with Monary, you just need to specify the SSL parameters:

>>> pwd_pem = os.path.join(cert_path, 'password_protected.pem')
>>> with monary.Monary("mongodb://localhost:27017/?ssl=true",
...                    pem_file=pwd_pem,
...                    pem_pwd='qwerty',
...                    ca_file=ca_pem,
...                    weak_cert_validation=True) as monary:
...    arrays = monary.query("test", "ssl", {}, ["x1"], ["float64"])
>>> arrays
[masked_array(data = [0.0 1.0 2.0 3.0 4.0],
        mask = [False False False False False],
  fill_value = 1e+20)

Alternatively, if you do not want to specify the password directly, you can connect without the pem_pwd parameter. You will be prompted for the password.