How to Connect to DocumentDB with X.509 client cert

Last updated: 2 minutes read.

As AWS DocumentDB runs with TLS enabled, we require a way to run it without disabling the TLS verification. DocumentDB uses self-signed certs for verification, and provides a bundle with root certificates for this purpose, so we need a way to load this bundle. Additionally DocumentDB can’t be exposed to the local machine outside of the Amazon Virtual Private Cloud (VPC), which means that even if verification is turned on, it will always fail since if we use a SSH tunnel or a similar method, the domain will differ from the original. Also, it can have Mutual TLS enabled.

So, in order to support it, we provide the following variables for both our Tyk Analytics Dashboard and Tyk Pump:

  • mongo_ssl_ca_file - path to the PEM file with trusted root certificates
  • mongo_ssl_pem_keyfile - path to the PEM file which contains both client certificate and private key. This is required for Mutual TLS.
  • mongo_ssl_allow_invalid_hostnames - ignore hostname check when it differs from the original (for example with SSH tunneling). The rest of the TLS verification will still be performed.

A working DocumentDB configuration looks like this (assuming that there is SSH tunnel, proxying to 27018 port).

  "mongo_url": "mongodb://testest:[email protected]:27018/tyk_analytics?connect=direct",
  "mongo_use_ssl": true,
  "mongo_ssl_insecure_skip_verify": false,
  "mongo_ssl_ca_file": "<path to>/rds-combined-ca-bundle.pem",
  "mongo_ssl_allow_invalid_hostnames": true,

Capped Collections

If you are using DocumentDB, capped collections are not supported. See here for more details.