Connecting Axon application to DocumentDb 

Reading Time: 5 minutes

Step 1 : Create an Amazon EC2 Instance

This EC2 instance is for ssh tunneling to aws documentDB cluster and application running locally.

  1. On the Amazon EC2 console, choose Launch instance.
  2. Locate Amazon AMI and choose Select.
  3. Choose the t2.micro instance type.
  4. Choose Review and Launch
  5. Under Security Groups, choose Edit security groups.
  6. Configure Security groups for testing purpose , allow all traffic
  1. Verify the information and choose Launch.
  2. A window will pop up titled Select an existing key pair or create a new key pair. It will look like this: This key pair will help in ssh tunneling
    You must provide an Amazon EC2 key pair. If you do have an Amazon EC2 key pair:
    1. Select a key pair, choose your key pair from the list.
    2. You must already have the private key file (.pem file) available to log in to your Amazon EC2 instance.
  3. If you do not have an Amazon EC2 key pair:
    1. Choose Create a new key pair.
    2. Write a name for the key bar in the field Key pair name.
    3. Download the private key file (.pem file). You need this file later when you log in to your Amazon EC2 instance.
  4. Choose Launch Instances.
  1. After downloading the key pair change the permissions of key pair 

By  using cmd: chmod 400 keypair-name   :-  Gives the user read permission, and removes all other permission.

Step 2 : Create an Amazon DocumentDB Cluster

  1. Navigate to the Amazon DocumentDB console and choose Clusters from the navigation pane.
  2. Choose Create.
  3. For Number of instances, choose 1. This will minimize cost. Leave other settings at their default.
  4. For Authentication, enter a username and password. Important: You will need this username and password to authenticate your cluster in a later step.
  5. Turn on Show advanced settings.
  6. In the Network settings section, for Amazon VPC security groups, choose demoDocDB. This security groups must same as we made in instance
  7. Choose Create cluster.

Step 3 : Create a Java application with the Axon framework for Event-Sourcing.(Aws DocumentDB as event store) 

When connecting to a TLS-enabled Amazon DocumentDB cluster from a Java application, your program must use the AWS-provided certificate authority (CA) file to validate the connection. To use the Amazon RDS CA certificate, do the following:

  1. Download the Amazon RDS CA file from .
  2. Create a trust store with the CA certificate contained in the file by performing the following commands. Be sure to change the <truststorePassword> to something else. If you are accessing a trust store that contains both the old CA certificate (rds-ca-2015-root.pem) and the new CA certificate (rds-ca-2019-root.pem), you can import the certificate bundle into the trust store.
    The following is a sample shell script that imports the certificate bundle into a trust store.

Shell script




curl -sS “; > ${mydir}/rds-combined-ca-bundle.pem

awk ‘split_after == 1 {n++;split_after=0} /—–END CERTIFICATE—–/ {split_after=1}{print > “rds-ca-” n “.pem”}’ < ${mydir}/rds-combined-ca-bundle.pem

for CERT in rds-ca-*; do

  alias=$(openssl x509 -noout -text -in $CERT | perl -ne ‘next unless /Subject:/; s/.*(CN=|CN = )//; print’)

  echo “Importing $alias”

  keytool -import -file ${CERT} -alias “${alias}” -storepass ${storepassword} -keystore ${truststore} -noprompt

  rm $CERT


rm ${mydir}/rds-combined-ca-bundle.pem

echo “Trust store content is: “

keytool -list -v -keystore “$truststore” -storepass ${storepassword} | grep Alias | cut -d ” ” -f3- | while read alias 


   expiry=`keytool -list -v -keystore “$truststore” -storepass ${storepassword} -alias “${alias}” | grep Valid | perl -ne ‘if(/until: (.*?)\n/) { print “$1\n”; }’`

   echo ” Certificate ${alias} expires in ‘$expiry'” 


After implementation of the shell script, a certificate will be generated named as 

rds-truststore.jks this certificate will help in ssh tunneling by setting the properties in the system by using function setProperty()

In main class :-

String truststore = “rds-truststore.jks”;

String truststorePassword = “truststorepassword”;

System.setProperty(“”, truststore);

System.setProperty(“”, truststorePassword); – Location of the Java keystore file containing the collection of CA certificates trusted by this application process (trust store). Containing password of keystore file

Axon configurations

package org.knoldus.engine.config;

import com.mongodb.ConnectionString;

import com.mongodb.MongoClientSettings;

import com.mongodb.MongoCredential;

import com.mongodb.client.MongoClient;

import com.mongodb.client.MongoClients;



import org.axonframework.eventsourcing.eventstore.EmbeddedEventStore;

import org.axonframework.eventsourcing.eventstore.EventStorageEngine;

import org.axonframework.eventsourcing.eventstore.EventStore;

import org.axonframework.extensions.mongo.DefaultMongoTemplate;

import org.axonframework.extensions.mongo.eventsourcing.eventstore.MongoEventStorageEngine;

import org.axonframework.serialization.json.JacksonSerializer;

import org.axonframework.spring.config.AxonConfiguration;

import org.springframework.context.annotation.Bean;

import org.springframework.context.annotation.Configuration;


* Configuring the Axon.



public class AxonConfig {


    * Event store embedded event store.


    * @param storageEngine the storage engine stores Aggregate Events

    * @param configuration the Axon configuration defines a number of

    *                      conditional beans.

    * @return the embedded event store automatically fetches new events



   public EmbeddedEventStore eventStore(

           final EventStorageEngine storageEngine,

           final AxonConfiguration configuration) {

       return EmbeddedEventStore.builder()







    * Storage engine event storage engine.


    * @return the event storage engine stores Aggregate Events

    * @throws NoSuchAlgorithmException



   public EventStorageEngine storageEngine() throws NoSuchAlgorithmException {

       String template = “mongodb://%s:%s@%s/admin?ssl=true&replicaSet=rs0&readpreference=%s”;

       String username = “username”;

       String password = “password”;

       String clusterEndpoint = “”;

       String readPreference = “secondaryPreferred”;

       String connectionString = String.format(template, username, password,

               clusterEndpoint, readPreference);

       ConnectionString uri = new ConnectionString(connectionString);

       MongoCredential credential = MongoCredential

               .createCredential(username, “admin”, password.toCharArray());

       SSLContext sslContext = SSLContext.getDefault();

       MongoClientSettings settings = MongoClientSettings.builder().credential(credential)

               .applyToSslSettings(builder -> {







       final MongoClient mongoClient = MongoClients.create(settings);

       return MongoEventStorageEngine.builder()








Step 4 : Connect our documentdb cluster to our local machine

We can use the following cmd:-

ssh -i “ec2Access.pem” -L -N 


After the SSH tunnel is created, any commands that you issue to localhost:27017 are forwarded to the Amazon DocumentDB cluster sample-cluster running in the Amazon VPC.

Now , To connect to your Amazon DocumentDB cluster via mongo shell from outside the Amazon VPC, use the following command.

mongo –sslAllowInvalidHostnames –ssl –sslCAFile rds-combined-ca-bundle.pem –username <yourUsername> –password <yourPassword> 


Then Run application by using the following cmd:

mvn spring-boot:run


In this blog we learnt about that how we connect our application to documentdb

Written by 

Chiranjeev kumar is a Software intern at Knoldus. He is passionate about the java programming . He is recognized as a good team player, a dedicated and responsible professional, and a technology enthusiast. He is a quick learner & curious to learn new technologies. His hobbies include listening music , playing video games.