MongoDB Pro and Amazon DocumentDB TLS/SSL Configuration

To use Liquibase with Amazon DocumentDB, you must use the MongoDB Pro extension to create the connection between the two. To use Amazon DocumentDB with TLS enabled, follow these steps:

  1. If you need to connect from outside an Amazon Virtual Private Cloud (VPC), follow the AWS instructions in Connecting to an Amazon DocumentDB Cluster from Outside an Amazon VPC. This sets up the SSH tunnel used in the later steps.
  2. Create a Java truststore from the Amazon DocumentDB CA bundle, following items 1 and 2 of Connecting Programmatically to Amazon DocumentDB § Connecting with TLS Enabled (the Java snippet).
  3. Add your Amazon DocumentDB credentials (liquibase.command.username, liquibase.command.password) to the liquibase.properties file, to environment variables, or to the command line.
  4. Specify the supportsValidator property:

     liquibase.mongodb.supportsValidator: false

  5. Specify a connection string:

     liquibase.command.url: mongodb://localhost:27017/my_dbname?directConnection=true&serverSelectionTimeoutMS=2000&tls=true&tlsAllowInvalidHostnames=true&retryWrites=false&tlsCAFile=PATH_TO_CAFILE/global-bundle.pem

     Note: localhost:27017 is the local end of the SSH tunnel created in step 1.

     For a connection from outside an Amazon VPC, the connection string must contain the attributes tls=true&tlsAllowInvalidHostnames=true&retryWrites=false&tlsCAFile=PATH_TO_CAFILE/rds-combined-ca-bundle.pem

  6. Point the JVM at the truststore created in step 2 through environment variables before running Liquibase commands:

     On Linux:

     export JAVA_OPTS="-Djavax.net.ssl.trustStore=PATH_TO_TRUSTSTORE/rds-truststore.jks -Djavax.net.ssl.trustStorePassword=PASSWORD"

     On Windows:

     set JAVA_OPTS="-Djavax.net.ssl.trustStore=PATH_TO_TRUSTSTORE\rds-truststore.jks -Djavax.net.ssl.trustStorePassword=PASSWORD"
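The procedure above, as an added example written for this page (it is not code from the Liquibase documentation or from AWS): a shell script that splits the AWS CA bundle into single certificates and imports each one into the JKS truststore with keytool (step 2), writes the two non-secret properties (steps 4 and 5), and exports JAVA_OPTS (step 6). It assumes keytool from a JDK is on PATH, that the bundle is a file named global-bundle.pem in the current directory, that the SSH tunnel from step 1 is already listening on localhost:27017, and that the truststore password and the database credentials are supplied in the environment variables TRUSTSTORE_PASSWORD, LIQUIBASE_COMMAND_USERNAME and LIQUIBASE_COMMAND_PASSWORD (the last two are Liquibase's environment-variable form of liquibase.command.username and liquibase.command.password). The function names and the RUN_EXAMPLE switch are the example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of the Liquibase or AWS documentation.
# Builds the truststore, the properties file and JAVA_OPTS for a TLS connection
# to Amazon DocumentDB through the SSH tunnel described in the steps above.
set -eu

# split_pem_bundle BUNDLE OUTDIR
# Writes each certificate in BUNDLE to OUTDIR/cert-N.pem and prints the count.
# keytool -importcert accepts one certificate per file, so the bundle is split first.
split_pem_bundle() {
  local bundle="$1" outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }
  ' "$bundle"
}

# import_bundle_into_truststore BUNDLE STORE PASSWORD
# Creates (or extends) the JKS truststore STORE with every CA certificate in BUNDLE,
# one alias per certificate. Requires keytool; prints the number of certificates imported.
import_bundle_into_truststore() {
  local bundle="$1" store="$2" pass="$3" tmp count i
  tmp="$(mktemp -d)"
  count="$(split_pem_bundle "$bundle" "$tmp")"
  i=1
  while [ "$i" -le "$count" ]; do
    keytool -importcert -noprompt -trustcacerts -storetype JKS \
      -alias "rds-ca-$i" -file "$tmp/cert-$i.pem" \
      -keystore "$store" -storepass "$pass" >/dev/null
    i=$((i + 1))
  done
  rm -rf "$tmp"
  echo "$count"
}

# write_liquibase_properties FILE CAFILE
# Writes only the non-secret settings from steps 4 and 5. Credentials are kept out of
# the file on purpose; Liquibase reads them from LIQUIBASE_COMMAND_USERNAME and
# LIQUIBASE_COMMAND_PASSWORD instead.
write_liquibase_properties() {
  local file="$1" cafile="$2"
  cat > "$file" <<EOF
liquibase.mongodb.supportsValidator: false
liquibase.command.url: mongodb://localhost:27017/my_dbname?directConnection=true&serverSelectionTimeoutMS=2000&tls=true&tlsAllowInvalidHostnames=true&retryWrites=false&tlsCAFile=$cafile
EOF
}

# Usage: RUN_EXAMPLE=1 TRUSTSTORE_PASSWORD=... LIQUIBASE_COMMAND_USERNAME=... \
#        LIQUIBASE_COMMAND_PASSWORD=... ./docdb-tls-setup.sh
# (run from the shell in which the SSH tunnel to the cluster is already open)
if [ "${RUN_EXAMPLE:-0}" = "1" ]; then
  n="$(import_bundle_into_truststore "$PWD/global-bundle.pem" "$PWD/rds-truststore.jks" "$TRUSTSTORE_PASSWORD")"
  echo "imported $n CA certificates into rds-truststore.jks"
  write_liquibase_properties "$PWD/liquibase.properties" "$PWD/global-bundle.pem"
  export JAVA_OPTS="-Djavax.net.ssl.trustStore=$PWD/rds-truststore.jks -Djavax.net.ssl.trustStorePassword=$TRUSTSTORE_PASSWORD"
  liquibase status
fi
```

Two points worth keeping in mind when adapting this. tlsAllowInvalidHostnames=true is in the connection string only because the tunnel presents the cluster's certificate at localhost, where the name can never match; the check that remains is chain validation against the CA bundle named in tlsCAFile and in the truststore, so treat the bundle file as part of the trust configuration and do not replace it with an arbitrary PEM. Passing the credentials through environment variables rather than the command line keeps them out of shell history and process listings, and keeps liquibase.properties free of secrets so it can be committed with the changelog.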