
Difficulty connecting to AWS DocumentDB with TLS

Open TCG-MichaelHaynes opened this issue 3 years ago • 4 comments

The notes for release 4.1.1.2 of this connector talk about adding a new parameter for Azure Cosmos and Amazon DocumentDB.

However, every attempt I’ve made to connect to DocumentDB has failed. Connecting to DocumentDB with TLS requires using a .PEM/.P7B file. You can specify the location of these files with a connection string parameter (tlsCAFile) but my connections fail when I attempt this. Looking at the DEBUG logs, it appears as if the driver being used doesn’t recognize that parameter.

[2021-05-19 10:54:37] WARNING [com.mongodb.diagnostics.logging.JULLogger log] Connection string contains unsupported option 'tlscafile'.

Is there a different way to connect with TLS which works for AWS DocumentDB? Thanks!


TCG-MichaelHaynes avatar May 21 '21 18:05 TCG-MichaelHaynes

I'm about to try a migration to DocumentDB with our Liquibase configs, so I'm interested in this issue, as well.

DarrinProtag avatar Oct 08 '21 15:10 DarrinProtag

I'm really interested too!

jalpcast avatar Jun 17 '22 06:06 jalpcast

We're having exactly the same problem.

  • Java Mongo driver does not support the tlsCAFile parameter.
    • See https://jira.mongodb.org/browse/JAVA-3066
    • See https://stackoverflow.com/questions/72411315/mongo-x509-tls-connection-options
    • See https://github.com/liquibase/liquibase-mongodb/issues/113
  • For the Spring connection to the database, we implemented the solution of configuring the MongoClientSettings with an SslContext, as it's described here.
  • However, it's unclear how to marry MongoClientSettings (or ConnectionString) with the DatabaseFactory.getInstance().openDatabase that is used for MongoLiquibaseDatabase.

dmitry-weirdo avatar Feb 22 '23 18:02 dmitry-weirdo

hi all,

One way to solve this would be to convert the Amazon RDS CA certificate to a Java KeyStore and use it with Liquibase. This approach is shown in the Amazon DocumentDB documentation: https://docs.aws.amazon.com/documentdb/latest/developerguide/connect_programmatically.html#connect_programmatically-tls_enabled. Open the Java tab and use the provided script.

Then, before running Liquibase, set JAVA_OPTS with the javax.net.ssl.trustStore that points to the location of your JKS and javax.net.ssl.trustStorePassword that contains the JKS password:

export JAVA_OPTS='-Djavax.net.ssl.trustStore=/XXX/rds-truststore.jks -Djavax.net.ssl.trustStorePassword=XXX'

The url property doesn't need the tlsCAFile parameter. The Java SSL factory will load your trust store and use it to validate connections to Amazon DocumentDB.

Finally, Amazon DocumentDB doesn't support document validation (as of the time of writing this comment). That is why in your liquibase.properties you must set liquibase.mongodb.supportsValidator to false. My sample config looks like this:

liquibase.mongodb.supportsValidator: false
url: mongodb://user:[email protected]:27017/test?ssl=true&replicaSet=rs0&retryWrites=false

lukaszbudnik avatar Mar 13 '23 15:03 lukaszbudnik
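The trust-store route described in the comment above, as an added example that is not code from the issue thread or from the liquibase-mongodb project: split a PEM CA bundle into single certificates, import them into a JKS with keytool, and pass the store to Liquibase through JAVA_OPTS so the driver validates the server certificate without any tlsCAFile parameter. File paths, the alias prefix and the two-certificate sample bundle are assumptions.

```shell
#!/bin/sh
# Added example (not code from the issue thread): build a JKS trust store from a
# PEM CA bundle, then hand it to Liquibase via JAVA_OPTS so the driver validates
# the DocumentDB server certificate without any tlsCAFile parameter in the url.
# Assumed (not on the page): file paths, the alias prefix and the sample bundle.
set -eu

# Split a PEM bundle into one file per certificate under $2; print the count.
split_pem_bundle() {
  bundle="$1"; outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
    END { print n + 0 }
  ' "$bundle"
}

# Import every split certificate into a JKS trust store (needs keytool from a JDK).
build_truststore() {
  certdir="$1"; store="$2"; password="$3"
  for c in "$certdir"/cert-*.pem; do
    keytool -importcert -noprompt -trustcacerts -storetype JKS \
      -alias "$(basename "$c" .pem)" -file "$c" \
      -keystore "$store" -storepass "$password" >/dev/null
  done
}

# Run Liquibase with the trust store; the url in liquibase.properties needs no tlsCAFile.
run_liquibase_with_truststore() {
  store="$1"; password="$2"
  JAVA_OPTS="-Djavax.net.ssl.trustStore=$store -Djavax.net.ssl.trustStorePassword=$password" \
    liquibase --defaults-file=liquibase.properties update
}

# Constructed sample bundle (placeholder bodies, not real certificates) for exercising the split.
write_sample_bundle() {
  printf '%s\n' \
    '-----BEGIN CERTIFICATE-----' 'QUJDREVG' '-----END CERTIFICATE-----' \
    'subject=CN=second' \
    '-----BEGIN CERTIFICATE-----' 'R0hJSktM' '-----END CERTIFICATE-----' > "$1"
}
```

A typical run is `split_pem_bundle global-bundle.pem certs`, `build_truststore certs rds-truststore.jks "$PASS"`, then `run_liquibase_with_truststore rds-truststore.jks "$PASS"`, keeping `liquibase.mongodb.supportsValidator: false` in liquibase.properties as shown above.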