Clojure - How to connect to MongoDB/DocumentDB via TLS Connection using Monger

Question

I am not able to connect via TLS and monger to an AWS DocumentDB database. I downloaded the PEM file from AWS and added it to a new keystore file

keytool -import -alias documentdb_certs -storepass SomePassword -keystore documentdb_certs -file ./rds-combined-ca-bundle.pem

I use monger: (:require [monger.core :as mg])

I tried different ways to pass in the cert information via the project.clj file like

:jvm-opts ["-Djavax.net.ssl.trustStore=<my path>/clojure/resources/aws-cert/documentdb_certs"
             "-Djavax.net.ssl.trustStorePassword=<password>"
             ]

or

  :injections [
               (.. System (setProperty "javax.net.ssl.trustStore" "<my path>/clojure/resources/aws-cert/documentdb_certs"))
               (.. System (setProperty "javax.net.ssl.trustStorePassword" "MyPassWord"))
               ]

I am trying to get a connection like the following

(defn simple-aggregate-function
  "just trying"
  ([conn]
   (let [db (mg/get-db conn "db_name")
         collection "collection_name"]
     (mc/aggregate db collection
       [
        {"match" {:createdDate         {"$gte" "2022-03-01", "$lt" "2022-03-06"}}},
        {"$sort" {:_id 1}}
        ]
       :cursor {:batch-size 50}
       ))))

(def connection-uri-template2 "mongodb://%s:%s@%s:27017/%s?retryWrites=false&replicaSet=rs0&authSource=admin&tls=true")
(def connection-uri2 (format connection-uri-template2 user-name password db-server database))

(let [uri connection-uri2 {:keys [conn]} (mg/connect-via-uri uri)]

  (do
    (println connection-uri2)
    (def result (simple-aggregate-function conn))
    (println result)
    )
  (mg/disconnect conn))

I am getting timeouts when running the application.

I am not able to find anything helpful in my online search. I wonder if someone has an example of working configuration or can outline the steps to connect successfully via Monger and TLS to DocumentDB

Answer 1

Did you check the Amazon DocumentDB documentation for connecting programatically ? The rds-combined-ca-bundle.pem file contains multiple certificates for each AWS region, if you click on the Java tab there's a bash script there which parses the .pem file and imports the certificates correctly in the keystore.