MongoDB Pro and Amazon DocumentDB TLS/SSL Configuration
To use Liquibase with Amazon DocumentDB successfully, you must utilize the MongoDB Pro extension to create a connection between the two. If you want to use Amazon DocumentDB with TLS enabled, follow these instructions:
- If you need to connect from outside an Amazon Virtual Private Cloud (VPC), follow the AWS instruction Connecting to an Amazon DocumentDB Cluster from Outside an Amazon VPC.
- Create a Java Truststore: follow items 1 and 2 in Connecting Programmatically to Amazon DocumentDB § Connecting with TLS Enabled (the Java snippet).
- Add Amazon DocumentDB credentials (liquibase.command.username, liquibase.command.password) to the liquibase.properties file, environment variables, or command line.
- Specify the supportsValidator property:
  liquibase.mongodb.supportsValidator: false
- Specify a connection string:
  liquibase.command.url: mongodb://localhost:27017/my_dbname?directConnection=true&serverSelectionTimeoutMS=2000&tls=true&tlsAllowInvalidHostnames=true&retryWrites=false&tlsCAFile=PATH_TO_CAFILE/global-bundle.pem
  Note: The location localhost:27017 is used from the SSH tunnel (created on the first step). With the tunnel, the client connects to localhost rather than to the cluster endpoint named in the server certificate, so tlsAllowInvalidHostnames=true is set to skip hostname verification.
  For connection from outside an Amazon VPC, the connection string should contain the attributes tls=true&tlsAllowInvalidHostnames=true&retryWrites=false&tlsCAFile=PATH_TO_CAFILE/rds-combined-ca-bundle.pem
- Add information about the Truststore (created on the second step) to environment variables before running Liquibase commands:
  On Linux:
  export JAVA_OPTS="-Djavax.net.ssl.trustStore=PATH_TO_TRUSTSTORE/rds-truststore.jks -Djavax.net.ssl.trustStorePassword=PASSWORD"
  On Windows:
  set JAVA_OPTS="-Djavax.net.ssl.trustStore=PATH_TO_TRUSTSTORE\\rds-truststore.jks -Djavax.net.ssl.trustStorePassword=PASSWORD"
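
A pre-flight check for the properties set in the steps above, as an added example that is not part of the Liquibase documentation or product. The function names, the embedded sample, and the rule that tlsAllowInvalidHostnames=true is only acceptable when the host is the local SSH tunnel endpoint are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the two properties from this page as they would sit in liquibase.properties.
SAMPLE_PROPERTIES = """\
liquibase.mongodb.supportsValidator: false
liquibase.command.url: mongodb://localhost:27017/my_dbname?directConnection=true&serverSelectionTimeoutMS=2000&tls=true&tlsAllowInvalidHostnames=true&retryWrites=false&tlsCAFile=PATH_TO_CAFILE/global-bundle.pem
"""

# Assumption: a loopback host means the SSH tunnel from the first step is in use.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def read_properties(text):
    """Parse 'key: value' or 'key=value' lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^#!:=\s][^:=\s]*)\s*[:=]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_documentdb_url(props):
    """Return findings for the TLS-related settings this page describes."""
    findings = []
    url = urlsplit(props.get("liquibase.command.url", ""))
    # MongoDB connection string option names are case-insensitive.
    opts = {k.lower(): v[-1] for k, v in parse_qs(url.query).items()}
    if url.scheme != "mongodb":
        findings.append("url: not a mongodb:// connection string")
    if opts.get("tls", "").lower() != "true":
        findings.append("tls: must be true, otherwise the session is unencrypted")
    if opts.get("retrywrites", "").lower() != "false":
        findings.append("retryWrites: must be false")
    ca = opts.get("tlscafile", "")
    if not ca:
        findings.append("tlsCAFile: missing, no CA bundle to validate the server certificate")
    elif "PATH_TO_CAFILE" in ca:
        findings.append("tlsCAFile: placeholder PATH_TO_CAFILE was not replaced")
    if opts.get("tlsallowinvalidhostnames", "").lower() == "true" and url.hostname not in LOOPBACK:
        findings.append("tlsAllowInvalidHostnames: hostname verification is off for a non-tunnel host")
    if props.get("liquibase.mongodb.supportsValidator", "").lower() != "false":
        findings.append("liquibase.mongodb.supportsValidator: must be false")
    return findings


if __name__ == "__main__":
    for finding in check_documentdb_url(read_properties(SAMPLE_PROPERTIES)):
        print(finding)
```

Run against the sample from this page, the only finding is the unreplaced PATH_TO_CAFILE placeholder.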