X509 user authentication vs. replication internal authentication

Quick question:

If using x.509 for replica set internal authentication, does this require user authentication also use x.509, or can I have a MongoDB cluster where internally x.509 is used, but user authentication uses SCRAM-SHA-1?

Hi Barron_43628,

Yes it is possible and that’s your assignment for Homework 1.5: Enabling Mixed Authentication Mechanisms.

Best,

David

Thank you David. I just discovered the mongod option --sslMode allowSSL as opposed to --sslMode requireSSL

Exactly the situation I have set up for my production database :) The replica set nodes use their official certificates to authenticate among each other, while the application account simply uses a strong password.

One good reason for MongoDB to allow this mixed mode is that simply not all products can handle x509 authentication. Or maybe they could, if their developers built it in. But that takes time and effort and also provides complexity to the end-user.
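
The setup discussed in this thread, as an added example that is not from any of the posts: a `mongod.conf` for one replica set member where members authenticate to each other with x.509 while application users log in with SCRAM-SHA-1 passwords. File paths and the replica set name are placeholders.

```yaml
# mongod.conf for one replica set member (constructed example).
# Option names follow the --ssl* naming used in this thread.
net:
  port: 27017
  ssl:
    mode: requireSSL
    # Certificate presented to incoming connections.
    PEMKeyFile: /etc/mongodb/ssl/server.pem     # placeholder path
    # Certificate presented to other members for internal authentication.
    # If omitted, mongod uses PEMKeyFile for this as well.
    clusterFile: /etc/mongodb/ssl/member.pem    # placeholder path
    CAFile: /etc/mongodb/ssl/ca.pem             # placeholder path
    # Password-authenticated clients have no certificate to present.
    # Without this, a mongod configured with CAFile rejects them during the
    # TLS handshake, before SCRAM is ever attempted.
    allowConnectionsWithoutCertificates: true

security:
  # Enforce role-based access control for client connections.
  authorization: enabled
  # Internal (member-to-member) authentication uses certificates
  # instead of a shared keyfile.
  clusterAuthMode: x509

replication:
  replSetName: rs0                              # placeholder name

# No authenticationMechanisms override is set here: SCRAM-SHA-1 is among
# mongod's default mechanisms, so a user created with a password in the
# admin database authenticates with SCRAM while the members themselves
# authenticate with x.509.
```

Clients that do present a certificate are still validated against `CAFile`; only clients that present none skip certificate validation.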