Overview
MongoDB supports multiple mechanisms that secure your database connection. This page contains code examples that demonstrate each of these mechanisms.
Tip
To learn more about any of the mechanisms shown on this page, see the link provided in each section.
To use an example from this page, copy the code example into the sample application or your own application. Make sure to replace all placeholders in the code examples, such as <hostname>, with the relevant values for your MongoDB deployment.
Sample Application
You can use the following sample application to test the code examples on this page. To use the sample application, perform the following steps:
Ensure you have the MongoDB PHP Library installed in your project. To learn more about installing the MongoDB PHP Library, see the Download and Install guide.
Copy the following code and paste it into a new .php file.
Copy a code example from this page and paste it on the specified lines in the file.
<?php

require __DIR__ . '/../vendor/autoload.php';

// Start example code here

// End example code here

try {
    // Send a ping to confirm that the connection and authentication succeed
    $client->test->command(['ping' => 1]);
    echo 'Successfully pinged the MongoDB server.', PHP_EOL;
} catch (MongoDB\Driver\Exception\RuntimeException $e) {
    printf("Failed to ping the MongoDB server: %s\n", $e->getMessage());
}
SCRAM-SHA-256
The following code shows how to authenticate by using the SCRAM-SHA-256 authentication mechanism:
// Pass the options to the MongoDB\Client constructor as an array
$uriOptions = [
    'username' => '<username>',
    'password' => '<password>',
    'authSource' => '<authentication database>',
    'authMechanism' => 'SCRAM-SHA-256',
];
$client = new MongoDB\Client(
    'mongodb://<hostname>:<port>',
    $uriOptions,
);

// Alternative: set the options in the connection URI
$uri = 'mongodb://<username>:<password>@<hostname>:<port>/?authSource=admin&authMechanism=SCRAM-SHA-256';
$client = new MongoDB\Client($uri);
To learn more about SCRAM-SHA-256 authentication, see SCRAM Authentication Mechanisms in the Authentication guide.
MONGODB X.509
The following code shows how to create a connection URI to authenticate by using the X.509 authentication mechanism:
// Pass the options to the MongoDB\Client constructor as an array
$uriOptions = [
    'tls' => true,
    'tlsCertificateKeyFile' => '<file path>',
    'authMechanism' => 'MONGODB-X509',
];
$client = new MongoDB\Client(
    'mongodb://<hostname>:<port>',
    $uriOptions,
);

// Alternative: set the options in the connection URI
$uri = 'mongodb://<hostname>:<port>/?tls=true&tlsCertificateKeyFile=<file path>&authMechanism=MONGODB-X509';
$client = new MongoDB\Client($uri);
To learn more about X.509 authentication, see X.509 Authentication Mechanism in the Authentication guide.
MONGODB-AWS
The following sections show how to connect to MongoDB by using the MONGODB-AWS authentication mechanism. When you use the MONGODB-AWS mechanism, the MongoDB PHP Library attempts to retrieve your AWS credentials from the following sources, in the order listed:
Options passed to the MongoDB\Client constructor, either as part of the connection string or the $uriOptions array parameter
Environment variables
AWS EKS AssumeRoleWithWebIdentity request
ECS container metadata
EC2 instance metadata
Each section shows how to authenticate with MONGODB-AWS when retrieving your AWS credentials from options passed to your client or the alternative external sources.
To learn more about authenticating with AWS, see AWS IAM Authentication Mechanism in the Authentication guide.
MongoDB\Client Credentials
The following code shows how to pass AWS credentials to the MongoDB\Client constructor to authenticate with MONGODB-AWS:
// Pass the options to the MongoDB\Client constructor as an array
$uriOptions = [
    'username' => '<AWS IAM access key ID>',
    'password' => '<AWS IAM secret access key>',
    'authMechanism' => 'MONGODB-AWS',
];
$client = new MongoDB\Client(
    'mongodb://<hostname>:<port>',
    $uriOptions,
);

// Alternative: set the options in the connection URI
$uri = 'mongodb://<AWS IAM access key ID>:<AWS IAM secret access key>@<hostname>:<port>/?authMechanism=MONGODB-AWS';
$client = new MongoDB\Client($uri);
To learn more about authenticating with AWS by retrieving MongoDB\Client credentials, see MongoDB\Client Credentials in the Authentication guide.
External Credentials
The following code shows how to authenticate with MONGODB-AWS when obtaining credentials from environment variables, an AssumeRoleWithWebIdentity request, ECS metadata, or EC2 instance metadata:
// Pass the option to the MongoDB\Client constructor as an array
$client = new MongoDB\Client(
    'mongodb://<hostname>:<port>',
    ['authMechanism' => 'MONGODB-AWS'],
);

// Alternative: set the option in the connection URI
$uri = 'mongodb://<hostname>:<port>/?authMechanism=MONGODB-AWS';
$client = new MongoDB\Client($uri);
To learn more about authenticating with AWS by obtaining external credentials, see the following sections in the Authentication guide:
Transport Layer Security (TLS)
Enable TLS
The following code shows how to enable TLS for the connection to your MongoDB instance:
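// Pass the option to the MongoDB\Client constructor as an array
$client = new MongoDB\Client(
    'mongodb://<hostname>:<port>/',
    ['tls' => true],
);

// Alternative: set the option in the connection URI
$uri = 'mongodb://<hostname>:<port>/?tls=true';
$client = new MongoDB\Client($uri);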
To learn more about enabling TLS, see Enable TLS in the TLS Configuration guide.
Specify a Certificate Authority (CA) File
The following code shows how to specify the path to your CA file for the connection to your MongoDB instance:
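// Pass the options to the MongoDB\Client constructor as an array
$client = new MongoDB\Client(
    'mongodb://<hostname>:<port>/',
    ['tls' => true, 'tlsCAFile' => '/path/to/ca.pem'],
);

// Alternative: set the options in the connection URI
$uri = 'mongodb://<hostname>:<port>/?tls=true&tlsCAFile=/path/to/ca.pem';
$client = new MongoDB\Client($uri);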
To learn more about specifying a CA file, see Specify a CA File in the TLS Configuration guide.
Disable OCSP Checks
The following code shows how to prevent the driver from contacting the OCSP endpoint:
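// Pass the options to the MongoDB\Client constructor as an array
$client = new MongoDB\Client(
    'mongodb://<hostname>:<port>/',
    ['tls' => true, 'tlsDisableOCSPEndpointCheck' => true],
);

// Alternative: set the options in the connection URI
$uri = 'mongodb://<hostname>:<port>/?tls=true&tlsDisableOCSPEndpointCheck=true';
$client = new MongoDB\Client($uri);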
To learn more about disabling OCSP checks, see OCSP in the TLS Configuration guide.
Specify a Certificate Revocation List (CRL)
The following code shows how to instruct the driver to verify the server's certificate against a CRL:
$client = new MongoDB\Client(
    'mongodb://<hostname>:<port>/',
    ['tls' => true],
    ['crl_file' => '/path/to/file.pem'],
);
To learn more about specifying a CRL, see Certificate Revocation List in the TLS configuration guide.
Present a Client Certificate
The following code shows how to specify the client certificate that the driver presents to your MongoDB deployment:
// Pass the options to the MongoDB\Client constructor as an array
$client = new MongoDB\Client(
    'mongodb://<hostname>:<port>/',
    ['tls' => true, 'tlsCertificateKeyFile' => '/path/to/client.pem'],
);

// Alternative: set the options in the connection URI
$uri = 'mongodb://<hostname>:<port>/?tls=true&tlsCertificateKeyFile=/path/to/client.pem';
$client = new MongoDB\Client($uri);
To learn more about specifying a client certificate, see Present a Client Certificate in the TLS Configuration guide.
Provide a Certificate Key File Password
The following code shows how to specify the password for your client certificate:
// Pass the options to the MongoDB\Client constructor as an array
$client = new MongoDB\Client(
    'mongodb://<hostname>:<port>/',
    [
        'tls' => true,
        'tlsCertificateKeyFile' => '/path/to/client.pem',
        'tlsCertificateKeyFilePassword' => '<password>',
    ],
);

// Alternative: set the options in the connection URI
$uri = 'mongodb://<hostname>:<port>/?tls=true&tlsCertificateKeyFile=/path/to/client.pem&tlsCertificateKeyFilePassword=<password>';
$client = new MongoDB\Client($uri);
Important
When replacing the <password> placeholder in the connection URI, ensure that you percent-encode the value.
To learn more about providing a key file password, see Provide a Key Password in the TLS Configuration guide.
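The percent-encoding requirement above, shown next to the options-array form, which takes the raw value. This is an added example, not code from the MongoDB documentation; the environment variable name MONGODB_KEYFILE_PASSWORD is an assumption, and the <hostname> and <port> placeholders must be replaced as elsewhere on this page.

```php
<?php

require __DIR__ . '/../vendor/autoload.php';

// Assumption: the key file password is supplied through an environment
// variable; the name MONGODB_KEYFILE_PASSWORD is made up for this example.
$password = getenv('MONGODB_KEYFILE_PASSWORD');
if ($password === false || $password === '') {
    fwrite(STDERR, "MONGODB_KEYFILE_PASSWORD is not set\n");
    exit(1);
}

// Connection URI form: characters such as '&', '#', '%', '@' and '/' would
// otherwise be read as URI syntax, so encode the value per RFC 3986.
$uri = 'mongodb://<hostname>:<port>/?tls=true'
    . '&tlsCertificateKeyFile=/path/to/client.pem'
    . '&tlsCertificateKeyFilePassword=' . rawurlencode($password);
$client = new MongoDB\Client($uri);

// Options array form: pass the raw value; do not percent-encode it here,
// or the encoded text itself is used as the password.
$client = new MongoDB\Client(
    'mongodb://<hostname>:<port>/',
    [
        'tls' => true,
        'tlsCertificateKeyFile' => '/path/to/client.pem',
        'tlsCertificateKeyFilePassword' => $password,
    ],
);
```

Reading the secret at run time also keeps it out of source control and out of any connection string that might be written to logs.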
Allow Insecure TLS
The following code shows how to relax TLS constraints, which has the same effect as disabling both certificate validation and hostname verification:
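// Pass the options to the MongoDB\Client constructor as an array
$client = new MongoDB\Client(
    'mongodb://<hostname>:<port>/',
    ['tls' => true, 'tlsInsecure' => true],
);

// Alternative: set the options in the connection URI
$uri = 'mongodb://<hostname>:<port>/?tls=true&tlsInsecure=true';
$client = new MongoDB\Client($uri);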
To learn more about allowing insecure TLS, see Allow Insecure TLS in the TLS Configuration guide.
Warning
Setting the tlsInsecure option to true might expose your application to security risks. Enabling this option makes your application insecure and potentially vulnerable to expired certificates and to foreign processes posing as valid client instances.
Disable Certificate Validation
The following code shows how to disable certificate validation:
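// Pass the options to the MongoDB\Client constructor as an array
$client = new MongoDB\Client(
    'mongodb://<hostname>:<port>/',
    ['tls' => true, 'tlsAllowInvalidCertificates' => true],
);

// Alternative: set the options in the connection URI
$uri = 'mongodb://<hostname>:<port>/?tls=true&tlsAllowInvalidCertificates=true';
$client = new MongoDB\Client($uri);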
To learn more about disabling certificate validation, see Allow Insecure TLS in the TLS Configuration guide.
Disable Hostname Verification
The following code shows how to disable hostname verification:
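// Pass the options to the MongoDB\Client constructor as an array
$client = new MongoDB\Client(
    'mongodb://<hostname>:<port>/',
    ['tls' => true, 'tlsAllowInvalidHostnames' => true],
);

// Alternative: set the options in the connection URI
$uri = 'mongodb://<hostname>:<port>/?tls=true&tlsAllowInvalidHostnames=true';
$client = new MongoDB\Client($uri);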
To learn more about disabling hostname verification, see Allow Insecure TLS in the TLS Configuration guide.
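A pre-connection check for the options on this page that relax or skip server certificate checks (tlsInsecure, tlsAllowInvalidCertificates, tlsAllowInvalidHostnames, tlsDisableOCSPEndpointCheck). This is an added example, not part of the MongoDB PHP Library; the function auditTlsOptions, the constant WEAK_TLS_OPTIONS, and the sample host db.example.com are hypothetical, and the boolean parsing only approximates the driver's own.

```php
<?php

// Options from this page that weaken server certificate checks,
// keyed by lowercase name because URI option names are case-insensitive.
const WEAK_TLS_OPTIONS = [
    'tlsinsecure' => 'tlsInsecure',
    'tlsallowinvalidcertificates' => 'tlsAllowInvalidCertificates',
    'tlsallowinvalidhostnames' => 'tlsAllowInvalidHostnames',
    'tlsdisableocspendpointcheck' => 'tlsDisableOCSPEndpointCheck',
];

/**
 * Returns the weakening TLS options that are enabled for a connection.
 * Hypothetical helper for illustration; not part of the MongoDB PHP Library.
 */
function auditTlsOptions(string $uri, array $uriOptions = []): array
{
    // Split off the query by hand: parse_url() can reject multi-host seed lists.
    $fromUri = [];
    $pos = strpos($uri, '?');
    if ($pos !== false) {
        parse_str(substr($uri, $pos + 1), $fromUri);
    }

    // Options passed in the array take precedence over those in the URI.
    $effective = array_change_key_case($fromUri, CASE_LOWER);
    foreach ($uriOptions as $name => $value) {
        $effective[strtolower($name)] = $value;
    }

    $enabled = [];
    foreach (WEAK_TLS_OPTIONS as $key => $canonical) {
        // Approximation: treat true, "true", "1", "yes" and "on" as enabled.
        if (filter_var($effective[$key] ?? false, FILTER_VALIDATE_BOOLEAN)) {
            $enabled[] = $canonical;
        }
    }
    return $enabled;
}

// Constructed sample inputs.
$weak = auditTlsOptions('mongodb://db.example.com:27017/?tls=true&tlsinsecure=true');
$ok = auditTlsOptions('mongodb://db.example.com:27017/', ['tls' => true, 'tlsCAFile' => '/path/to/ca.pem']);

printf("weak: %s\n", implode(', ', $weak) ?: 'none');
printf("ok:   %s\n", implode(', ', $ok) ?: 'none');
```

Running a check like this at application start-up, or in CI over configuration files, lets a deployment refuse connection settings that were meant only for testing.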