.\" Man page generated from reStructuredText. . .TH "MONGOS" "1" "Oct 24, 2019" "4.0" "mongodb-manual" .SH NAME mongos \- MongoDB Sharded Cluster Query Router . .nr rst2man-indent-level 0 . .de1 rstReportMargin \\$1 \\n[an-margin] level \\n[rst2man-indent-level] level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] - \\n[rst2man-indent0] \\n[rst2man-indent1] \\n[rst2man-indent2] .. .de1 INDENT .\" .rstReportMargin pre: . RS \\$1 . nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] . nr rst2man-indent-level +1 .\" .rstReportMargin post: .. .de UNINDENT . RE .\" indent \\n[an-margin] .\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] .nr rst2man-indent-level -1 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. .SS On this page .INDENT 0.0 .IP \(bu 2 \fI\%Synopsis\fP .IP \(bu 2 \fI\%Considerations\fP .IP \(bu 2 \fI\%Options\fP .UNINDENT .SH SYNOPSIS .sp \fI\%mongos\fP for "MongoDB Shard," is a routing service for MongoDB shard configurations that processes queries from the application layer, and determines the location of this data in the sharded cluster, in order to complete these operations. From the perspective of the application, a \fI\%mongos\fP instance behaves identically to any other MongoDB instance. .sp \fBSEE ALSO:\fP .INDENT 0.0 .INDENT 3.5 conf\-file\-command\-line\-mapping .UNINDENT .UNINDENT .sp \fBNOTE:\fP .INDENT 0.0 .INDENT 3.5 Starting in version 4.0, MongoDB disables support for TLS 1.0 encryption on systems where TLS 1.1+ is available. For more details, see 4.0\-disable\-tls\&. .UNINDENT .UNINDENT .SH CONSIDERATIONS .sp Never change the name of the \fI\%mongos\fP binary. .SH OPTIONS .SS Core Options .INDENT 0.0 .TP .B \-\-help, \-h Returns information on the options and use of \fBmongos\fP\&. .UNINDENT .INDENT 0.0 .TP .B \-\-version Returns the \fBmongos\fP release number. .UNINDENT .INDENT 0.0 .TP .B \-\-config , \-f Specifies a configuration file for runtime configuration options. The configuration file is the preferred method for runtime configuration of \fBmongos\fP\&. The options are equivalent to the command\-line configuration options. See /reference/configuration\-options for more information. .sp Ensure the configuration file uses ASCII encoding. The \fBmongos\fP instance does not support configuration files with non\-ASCII encoding, including UTF\-8. .UNINDENT .INDENT 0.0 .TP .B \-\-verbose, \-v Increases the amount of internal reporting returned on standard output or in log files. Increase the verbosity with the \fB\-v\fP form by including the option multiple times, (e.g. \fB\-vvvvv\fP\&.) .UNINDENT .INDENT 0.0 .TP .B \-\-quiet Runs \fBmongos\fP in a quiet mode that attempts to limit the amount of output. .sp This option suppresses: .INDENT 7.0 .IP \(bu 2 output from database commands .IP \(bu 2 replication activity .IP \(bu 2 connection accepted events .IP \(bu 2 connection closed events .UNINDENT .UNINDENT .INDENT 0.0 .TP .B \-\-port \fIDefault\fP: 27017 .sp The TCP port on which the \fI\%mongos\fP instance listens for client connections. .UNINDENT .INDENT 0.0 .TP .B \-\-bind_ip \fIDefault\fP: localhost .sp \fBNOTE:\fP .INDENT 7.0 .INDENT 3.5 Starting in MongoDB 3.6, \fBmongos\fP bind to localhost by default. See 3.6\-bind\-to\-localhost\&. .UNINDENT .UNINDENT .sp The hostnames and/or IP addresses and/or full Unix domain socket paths on which \fBmongos\fP should listen for client connections. You may attach \fBmongos\fP to any interface. To bind to multiple addresses, enter a list of comma\-separated values. .INDENT 7.0 .INDENT 3.5 .SS Example .sp \fBlocalhost,/tmp/mongod.sock\fP .UNINDENT .UNINDENT .sp You can specify both IPv4 and IPv6 addresses, or hostnames that resolve to an IPv4 or IPv6 address. .INDENT 7.0 .INDENT 3.5 .SS Example .sp \fBlocalhost, 2001:0DB8:e132:ba26:0d5c:2774:e7f9:d513\fP .UNINDENT .UNINDENT .sp \fBNOTE:\fP .INDENT 7.0 .INDENT 3.5 If specifying an IPv6 address \fIor\fP a hostname that resolves to an IPv6 address to \fI\%\-\-bind_ip\fP, you must start \fBmongos\fP with \fI\%\-\-ipv6\fP to enable IPv6 support. Specifying an IPv6 address to \fI\%\-\-bind_ip\fP does not enable IPv6 support. .UNINDENT .UNINDENT .sp If specifying a \fI\%link\-local IPv6 address\fP (\fBfe80::/10\fP), you must append the \fI\%zone index\fP to that address (i.e. \fBfe80::
%\fP). .INDENT 7.0 .INDENT 3.5 .SS Example .sp \fBlocalhost,fe80::a00:27ff:fee0:1fcf%enp0s3\fP .UNINDENT .UNINDENT .INDENT 7.0 .INDENT 3.5 .SS Tip .sp When possible, use a logical DNS hostname instead of an ip address, particularly when configuring replica set members or sharded cluster members. The use of logical DNS hostnames avoids configuration changes due to ip address changes. .UNINDENT .UNINDENT .sp \fBWARNING:\fP .INDENT 7.0 .INDENT 3.5 Before binding to a non\-localhost (e.g. publicly accessible) IP address, ensure you have secured your cluster from unauthorized access. For a complete list of security recommendations, see /administration/security\-checklist\&. At minimum, consider enabling authentication and hardening network infrastructure\&. .UNINDENT .UNINDENT .sp For more information about IP Binding, refer to the /core/security\-mongodb\-configuration documentation. .sp To bind to all IPv4 addresses, enter \fB0.0.0.0\fP\&. .sp To bind to all IPv4 and IPv6 addresses, enter \fB::,0.0.0.0\fP or alternatively, use the \fBnet.bindIpAll\fP setting. .sp \fBNOTE:\fP .INDENT 7.0 .INDENT 3.5 \fB\-\-bind_ip\fP and \fB\-\-bind_ip_all\fP are mutually exclusive. Specifying both options causes \fBmongos\fP to throw an error and terminate. .UNINDENT .UNINDENT .UNINDENT .INDENT 0.0 .TP .B \-\-bind_ip_all New in version 3.6. .sp If specified, the \fBmongos\fP instance binds to all IPv4 addresses (i.e. \fB0.0.0.0\fP). If \fBmongos\fP starts with \fI\%\-\-ipv6\fP, \fI\%\-\-bind_ip_all\fP also binds to all IPv6 addresses (i.e. \fB::\fP). .sp \fBmongos\fP only supports IPv6 if started with \fI\%\-\-ipv6\fP\&. Specifying \fI\%\-\-bind_ip_all\fP alone does not enable IPv6 support. .sp \fBWARNING:\fP .INDENT 7.0 .INDENT 3.5 Before binding to a non\-localhost (e.g. publicly accessible) IP address, ensure you have secured your cluster from unauthorized access. For a complete list of security recommendations, see /administration/security\-checklist\&. At minimum, consider enabling authentication and hardening network infrastructure\&. .UNINDENT .UNINDENT .sp For more information about IP Binding, refer to the /core/security\-mongodb\-configuration documentation. .sp Alternatively, you can set the \fB\-\-bind_ip\fP option to \fB::,0.0.0.0\fP to bind to all IP addresses. .sp \fBNOTE:\fP .INDENT 7.0 .INDENT 3.5 \fB\-\-bind_ip\fP and \fB\-\-bind_ip_all\fP are mutually exclusive. That is, you can specify one or the other, but not both. .UNINDENT .UNINDENT .UNINDENT .INDENT 0.0 .TP .B \-\-maxConns The maximum number of simultaneous connections that \fBmongos\fP will accept. This setting has no effect if it is higher than your operating system\(aqs configured maximum connection tracking threshold. .sp Do not assign too low of a value to this option, or you will encounter errors during normal application operation. .sp This is particularly useful for a \fI\%mongos\fP if you have a client that creates multiple connections and allows them to timeout rather than closing them. .sp In this case, set \fBmaxIncomingConnections\fP to a value slightly higher than the maximum number of connections that the client creates, or the maximum size of the connection pool. .sp This setting prevents the \fI\%mongos\fP from causing connection spikes on the individual shards\&. Spikes like these may disrupt the operation and memory allocation of the sharded cluster\&. .sp \fBNOTE:\fP .INDENT 7.0 .INDENT 3.5 Changed in version 2.6: MongoDB removed the upward limit on the \fBmaxIncomingConnections\fP setting. .UNINDENT .UNINDENT .UNINDENT .INDENT 0.0 .TP .B \-\-syslog Sends all logging output to the host\(aqs syslog system rather than to standard output or to a log file. , as with \fI\%\-\-logpath\fP\&. .sp The \fI\%\-\-syslog\fP option is not supported on Windows. .sp \fBWARNING:\fP .INDENT 7.0 .INDENT 3.5 The \fBsyslog\fP daemon generates timestamps when it logs a message, not when MongoDB issues the message. This can lead to misleading timestamps for log entries, especially when the system is under heavy load. We recommend using the \fI\%\-\-logpath\fP option for production systems to ensure accurate timestamps. .UNINDENT .UNINDENT .UNINDENT .INDENT 0.0 .TP .B \-\-syslogFacility \fIDefault\fP: user .sp Specifies the facility level used when logging messages to syslog. The value you specify must be supported by your operating system\(aqs implementation of syslog. To use this option, you must enable the \fI\%\-\-syslog\fP option. .UNINDENT .INDENT 0.0 .TP .B \-\-logpath Sends all diagnostic logging information to a log file instead of to standard output or to the host\(aqs syslog system. MongoDB creates the log file at the path you specify. .sp By default, MongoDB will move any existing log file rather than overwrite it. To instead append to the log file, set the \fI\%\-\-logappend\fP option. .UNINDENT .INDENT 0.0 .TP .B \-\-logappend Appends new entries to the end of the existing log file when the \fBmongos\fP instance restarts. Without this option, \fBmongod\fP will back up the existing log and create a new file. .UNINDENT .INDENT 0.0 .TP .B \-\-redactClientLogData New in version 3.4: Available in MongoDB Enterprise only. .sp A \fBmongos\fP running with \fI\%\-\-redactClientLogData\fP redacts any message accompanying a given log event before logging. This prevents the \fBmongos\fP from writing potentially sensitive data stored on the database to the diagnostic log. Metadata such as error or operation codes, line numbers, and source file names are still visible in the logs. .sp Use \fI\%\-\-redactClientLogData\fP in conjunction with /core/security\-encryption\-at\-rest and /core/security\-transport\-encryption to assist compliance with regulatory requirements. .sp For example, a MongoDB deployment might store Personally Identifiable Information (PII) in one or more collections. The \fBmongos\fP logs events such as those related to CRUD operations, sharding metadata, etc. It is possible that the \fBmongos\fP may expose PII as a part of these logging operations. A \fBmongos\fP running with \fI\%\-\-redactClientLogData\fP removes any message accompanying these events before being output to the log, effectively removing the PII. .sp Diagnostics on a \fBmongos\fP running with \fI\%\-\-redactClientLogData\fP may be more difficult due to the lack of data related to a log event. See the process logging manual page for an example of the effect of \fI\%\-\-redactClientLogData\fP on log output. .sp You can enable or disable log redaction on a running \fBmongos\fP using the \fBsetParameter\fP database command. .INDENT 7.0 .INDENT 3.5 .sp .nf .ft C db.adminCommand( { setParameter: 1, redactClientLogData : true | false } ) .ft P .fi .UNINDENT .UNINDENT .UNINDENT .INDENT 0.0 .TP .B \-\-timeStampFormat \fIDefault\fP: iso8601\-local .sp The time format for timestamps in log messages. Specify one of the following values: .TS center; |l|l|. _ T{ Value T} T{ Description T} _ T{ \fBctime\fP T} T{ Displays timestamps as \fBWed Dec 31 18:17:54.811\fP\&. T} _ T{ \fBiso8601\-utc\fP T} T{ Displays timestamps in Coordinated Universal Time (UTC) in the ISO\-8601 format. For example, for New York at the start of the Epoch: \fB1970\-01\-01T00:00:00.000Z\fP T} _ T{ \fBiso8601\-local\fP T} T{ Displays timestamps in local time in the ISO\-8601 format. For example, for New York at the start of the Epoch: \fB1969\-12\-31T19:00:00.000\-0500\fP T} _ .TE .UNINDENT .INDENT 0.0 .TP .B \-\-pidfilepath Specifies a file location to store the process ID (PID) of the \fBmongos\fP process . The user running the the \fBmongod\fP or \fBmongos\fP process must be able to write to this path. If the \fI\%\-\-pidfilepath\fP option is not specified, the process does not create a PID file. This option is generally only useful in combination with the the \fI\%\-\-fork\fP option. .INDENT 7.0 .INDENT 3.5 .IP "Linux" .sp On Linux, PID file management is generally the responsibility of your distro\(aqs init system: usually a service file in the \fB/etc/init.d\fP directory, or a systemd unit file registered with \fBsystemctl\fP\&. Only use the \fI\%\-\-pidfilepath\fP option if you are not using one of these init systems. For more information, please see the respective Installation Guide for your operating system. .UNINDENT .UNINDENT .INDENT 7.0 .INDENT 3.5 .IP "macOS" .sp On macOS, PID file management is generally handled by \fBbrew\fP\&. Only use the \fI\%\-\-pidfilepath\fP option if you are not using \fBbrew\fP on your macOS system. For more information, please see the respective Installation Guide for your operating system. .UNINDENT .UNINDENT .UNINDENT .INDENT 0.0 .TP .B \-\-keyFile Specifies the path to a key file that stores the shared secret that MongoDB instances use to authenticate to each other in a sharded cluster or replica set\&. \fI\%\-\-keyFile\fP implies \fBclient authorization\fP\&. See inter\-process\-auth for more information. .UNINDENT .INDENT 0.0 .TP .B \-\-setParameter Specifies one of the MongoDB parameters described in /reference/parameters\&. You can specify multiple \fBsetParameter\fP fields. .UNINDENT .INDENT 0.0 .TP .B \-\-nounixsocket Disables listening on the UNIX domain socket. \fI\%\-\-nounixsocket\fP applies only to Unix\-based systems. .sp The \fBmongos\fP process always listens on the UNIX socket unless one of the following is true: .INDENT 7.0 .IP \(bu 2 \fI\%\-\-nounixsocket\fP is set .IP \(bu 2 \fBnet.bindIp\fP is not set .IP \(bu 2 \fBnet.bindIp\fP does not specify \fBlocalhost\fP or its associated IP address .UNINDENT .sp New in version 2.6: \fBmongos\fP installed from official \&.deb and \&.rpm packages have the \fBbind_ip\fP configuration set to \fB127.0.0.1\fP by default. .UNINDENT .INDENT 0.0 .TP .B \-\-unixSocketPrefix \fIDefault\fP: /tmp .sp The path for the UNIX socket. \fI\%\-\-unixSocketPrefix\fP applies only to Unix\-based systems. .sp If this option has no value, the \fBmongos\fP process creates a socket with \fB/tmp\fP as a prefix. MongoDB creates and listens on a UNIX socket unless one of the following is true: .INDENT 7.0 .IP \(bu 2 \fBnet.unixDomainSocket.enabled\fP is \fBfalse\fP .IP \(bu 2 \fI\%\-\-nounixsocket\fP is set .IP \(bu 2 \fBnet.bindIp\fP is not set .IP \(bu 2 \fBnet.bindIp\fP does not specify \fBlocalhost\fP or its associated IP address .UNINDENT .UNINDENT .INDENT 0.0 .TP .B \-\-filePermissions \fIDefault\fP: \fB0700\fP .sp Sets the permission for the UNIX domain socket file. .sp \fI\%\-\-filePermissions\fP applies only to Unix\-based systems. .UNINDENT .INDENT 0.0 .TP .B \-\-fork Enables a daemon mode that runs the \fBmongos\fP process in the background. By default \fBmongos\fP does not run as a daemon: typically you will run \fBmongos\fP as a daemon, either by using \fI\%\-\-fork\fP or by using a controlling process that handles the daemonization process (e.g. as with \fBupstart\fP and \fBsystemd\fP). .sp The \fI\%\-\-fork\fP option is not supported on Windows. .UNINDENT .INDENT 0.0 .TP .B \-\-transitionToAuth New in version 3.4: Allows the \fBmongos\fP to accept and create authenticated and non\-authenticated connections to and from other \fBmongod\fP and \fI\%mongos\fP instances in the deployment. Used for performing rolling transition of replica sets or sharded clusters from a no\-auth configuration to internal authentication\&. Requires specifying a internal authentication mechanism such as \fI\%\-\-keyFile\fP\&. .sp For example, if using keyfiles for internal authentication, the \fBmongos\fP creates an authenticated connection with any \fBmongod\fP or \fI\%mongos\fP in the deployment using a matching keyfile. If the security mechanisms do not match, the \fBmongos\fP utilizes a non\-authenticated connection instead. .sp A \fBmongos\fP running with \fI\%\-\-transitionToAuth\fP does not enforce user access controls\&. Users may connect to your deployment without any access control checks and perform read, write, and administrative operations. .sp \fBNOTE:\fP .INDENT 7.0 .INDENT 3.5 A \fBmongos\fP running with internal authentication and \fIwithout\fP \fI\%\-\-transitionToAuth\fP requires clients to connect using user access controls\&. Update clients to connect to the \fBmongos\fP using the appropriate user prior to restarting \fBmongos\fP without \fI\%\-\-transitionToAuth\fP\&. .UNINDENT .UNINDENT .UNINDENT .INDENT 0.0 .TP .B \-\-networkMessageCompressors \fIDefault\fP: snappy .sp New in version 3.4. .sp Specifies the default compressor(s) to use for communication between this \fBmongos\fP instance and: .INDENT 7.0 .IP \(bu 2 other members of the sharded cluster .IP \(bu 2 a \fBmongo\fP shell .IP \(bu 2 drivers that support the \fBOP_COMPRESSED\fP message format. .UNINDENT .sp MongoDB supports the following compressors: .INDENT 7.0 .IP \(bu 2 snappy .IP \(bu 2 zlib (Available in MongoDB 3.6 or greater) .UNINDENT .sp \fBIn versions 3.6 and 4.0\fP, \fBmongod\fP and \fI\%mongos\fP enable network compression by default with \fBsnappy\fP as the compressor. .sp To disable network compression, set the value to \fBdisabled\fP\&. .sp \fBIMPORTANT:\fP .INDENT 7.0 .INDENT 3.5 Messages are compressed when both parties enable network compression. Otherwise, messages between the parties are uncompressed. .UNINDENT .UNINDENT .sp If you specify multiple compressors, then the order in which you list the compressors matter as well as the communication initiator. For example, if a \fBmongo\fP shell specifies the following network compressors \fBzlib,snappy\fP and the \fBmongod\fP specifies \fBsnappy,zlib\fP, messages between \fBmongo\fP shell and \fBmongod\fP uses \fBzlib\fP\&. .sp If the parties do not share at least one common compressor, messages between the parties are uncompressed. For example, if a \fBmongo\fP shell specifies the network compressor \fBzlib\fP and \fBmongod\fP specifies \fBsnappy\fP, messages between \fBmongo\fP shell and \fBmongod\fP are not compressed. .UNINDENT .INDENT 0.0 .TP .B \-\-serviceExecutor \fIDefault\fP: synchronous .sp New in version 3.6. .sp Determines the threading and execution model \fBmongos\fP uses to execute client requests. The \fB\-\-serviceExecutor\fP option accepts one of the following values: .TS center; |l|l|. _ T{ Value T} T{ Description T} _ T{ \fBsynchronous\fP T} T{ The \fBmongos\fP uses synchronous networking and manages its networking thread pool on a per connection basis. Previous versions of MongoDB managed threads in this way. T} _ T{ \fBadaptive\fP T} T{ The \fBmongos\fP uses the new experimental asynchronous networking mode with an adaptive thread pool which manages threads on a per request basis. This mode should have more consistent performance and use less resources when there are more inactive connections than database requests. T} _ .TE .UNINDENT .INDENT 0.0 .TP .B \-\-timeZoneInfo The full path from which to load the time zone database. If this option is not provided, then MongoDB will use its built\-in time zone database. .sp The configuration file included with Linux and macOS packages sets the time zone database path to \fB/usr/share/zoneinfo\fP by default. .sp The built\-in time zone database is a copy of the \fI\%Olson/IANA time zone database\fP\&. It is updated along with MongoDB releases, but the release cycle of the time zone database differs from the release cycle of MongoDB. A copy of the most recent release of the time zone database can be downloaded from \fI\%https://downloads.mongodb.org/olson_tz_db/timezonedb\-latest.zip\fP\&. .INDENT 7.0 .INDENT 3.5 .sp .nf .ft C wget https://downloads.mongodb.org/olson_tz_db/timezonedb\-latest.zip unzip timezonedb\-latest.zip mongos \-\-timeZoneInfo timezonedb\-2017b/ .ft P .fi .UNINDENT .UNINDENT .UNINDENT .SS Sharded Cluster Options .INDENT 0.0 .TP .B \-\-configdb /,... Changed in version 3.2. .sp Specifies the configuration servers for the sharded cluster\&. .sp Starting in MongoDB 3.2, config servers for sharded clusters can be deployed as a replica set\&. The replica set config servers must run the WiredTiger storage engine\&. MongoDB 3.2 deprecates the use of three mirrored \fBmongod\fP instances for config servers. .sp Specify the config server replica set name and the hostname and port of at least one of the members of the config server replica set. .INDENT 7.0 .INDENT 3.5 .sp .nf .ft C sharding: configDB: /cfg1.example.net:27019, cfg2.example.net:27019,... .ft P .fi .UNINDENT .UNINDENT .sp The \fI\%mongos\fP instances for the sharded cluster must specify the same config server replica set name but can specify hostname and port of different members of the replica set. .UNINDENT .INDENT 0.0 .TP .B \-\-localThreshold \fIDefault\fP: 15 .sp Specifies the ping time, in milliseconds, that \fI\%mongos\fP uses to determine which secondary replica set members to pass read operations from clients. The default value of \fB15\fP corresponds to the default value in all of the client \fI\%drivers\fP\&. .sp When \fI\%mongos\fP receives a request that permits reads to secondary members, the \fI\%mongos\fP will: .INDENT 7.0 .IP \(bu 2 Find the member of the set with the lowest ping time. .IP \(bu 2 Construct a list of replica set members that is within a ping time of 15 milliseconds of the nearest suitable member of the set. .sp If you specify a value for the \fI\%\-\-localThreshold\fP option, \fI\%mongos\fP will construct the list of replica members that are within the latency allowed by this value. .IP \(bu 2 Select a member to read from at random from this list. .UNINDENT .sp The ping time used for a member compared by the \fI\%\-\-localThreshold\fP setting is a moving average of recent ping times, calculated at most every 10 seconds. As a result, some queries may reach members above the threshold until the \fI\%mongos\fP recalculates the average. .sp See the replica\-set\-read\-preference\-behavior\-member\-selection section of the read preference documentation for more information. .UNINDENT .SS TLS/SSL Options .INDENT 0.0 .INDENT 3.5 .SS See .sp /tutorial/configure\-ssl for full documentation of MongoDB\(aqs support. .UNINDENT .UNINDENT .INDENT 0.0 .TP .B \-\-sslOnNormalPorts Deprecated since version 2.6: Use \fI\%\-\-sslMode requireSSL\fP instead. .sp Enables TLS/SSL for \fBmongos\fP\&. .sp With \fI\%\-\-sslOnNormalPorts\fP, a \fBmongos\fP requires TLS/SSL encryption for all connections on the default MongoDB port, or the port specified by \fI\%\-\-port\fP\&. By default, \fI\%\-\-sslOnNormalPorts\fP is disabled. .sp For more information about TLS/SSL and MongoDB, see /tutorial/configure\-ssl and /tutorial/configure\-ssl\-clients . .UNINDENT .INDENT 0.0 .TP .B \-\-sslMode New in version 2.6. .sp Enables TLS/SSL or mixed TLS/SSL used for all network connections. The argument to the \fI\%\-\-sslMode\fP option can be one of the following: .TS center; |l|l|. _ T{ Value T} T{ Description T} _ T{ \fBdisabled\fP T} T{ The server does not use TLS/SSL. T} _ T{ \fBallowSSL\fP T} T{ Connections between servers do not use TLS/SSL. For incoming connections, the server accepts both TLS/SSL and non\-TLS/non\-SSL. T} _ T{ \fBpreferSSL\fP T} T{ Connections between servers use TLS/SSL. For incoming connections, the server accepts both TLS/SSL and non\-TLS/non\-SSL. T} _ T{ \fBrequireSSL\fP T} T{ The server uses and accepts only TLS/SSL encrypted connections. T} _ .TE .sp Starting in version 3.4, if \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP is not specified and you are not using x.509 authentication, the system\-wide CA certificate store will be used when connecting to an TLS/SSL\-enabled server. .sp If using x.509 authentication, \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP must be specified unless using \fB\-\-sslCertificateSelector\fP\&. .sp For more information about TLS/SSL and MongoDB, see /tutorial/configure\-ssl and /tutorial/configure\-ssl\-clients . .UNINDENT .INDENT 0.0 .TP .B \-\-sslPEMKeyFile .sp \fBNOTE:\fP .INDENT 7.0 .INDENT 3.5 Starting in 4.0, on macOS or Windows, you can use a certificate from the operating system\(aqs secure store instead of a PEM key file. See \fI\%\-\-sslCertificateSelector\fP\&. .UNINDENT .UNINDENT .sp Specifies the \fB\&.pem\fP file that contains both the TLS/SSL certificate and key. .INDENT 7.0 .IP \(bu 2 On Linux/BSD, you must specify \fI\%\-\-sslPEMKeyFile\fP when TLS/SSL is enabled. .IP \(bu 2 On Windows or macOS, you must specify either \fI\%\-\-sslPEMKeyFile\fP or \fI\%\-\-sslCertificateSelector\fP when TLS/SSL is enabled. .UNINDENT .sp For more information about TLS/SSL and MongoDB, see /tutorial/configure\-ssl and /tutorial/configure\-ssl\-clients . .UNINDENT .INDENT 0.0 .TP .B \-\-sslPEMKeyPassword Specifies the password to de\-crypt the certificate\-key file (i.e. \fI\%\-\-sslPEMKeyFile\fP). Use the \fI\%\-\-sslPEMKeyPassword\fP option only if the certificate\-key file is encrypted. In all cases, the \fBmongos\fP will redact the password from all logging and reporting output. .sp Starting in MongoDB 4.0: .INDENT 7.0 .IP \(bu 2 On Linux/BSD, if the private key in the PEM file is encrypted and you do not specify the \fI\%\-\-sslPEMKeyPassword\fP option, MongoDB will prompt for a passphrase. See ssl\-certificate\-password\&. .IP \(bu 2 On macOS or Windows, if the private key in the PEM file is encrypted, you must explicitly specify the \fI\%\-\-sslPEMKeyPassword\fP option. Alternatively, you can use a certificate from the secure system store (see \fI\%\-\-sslCertificateSelector\fP) instead of a PEM key file or use an unencrypted PEM file. .UNINDENT .sp For more information about TLS/SSL and MongoDB, see /tutorial/configure\-ssl and /tutorial/configure\-ssl\-clients . .UNINDENT .INDENT 0.0 .TP .B \-\-clusterAuthMode