Docs Home → MongoDB Ops Manager
Configure the MongoDB Agent for Kerberos
On this page
MongoDB Enterprise supports Kerberos. Kerberos is a network authentication protocol. The MongoDB Agent can authenticate to MongoDB instances that run Kerberos.
Prerequisites
Configure KDC to Issue Tickets with Four-Hour Minimum Lifetime
Kerberos tickets can authenticate users for a limited time. You must configure the Kerberos Key Distribution Center (KDC) to issue tickets that are valid for four hours or longer. The MongoDB Agent periodically renews the ticket. The KDC service provides session tickets and temporary session keys to users and hosts.
Add Kerberos as Authentication Mechanism for Deployment
The MongoDB Agent interacts with the MongoDB databases in your deployment as a MongoDB user would. As a result, you must configure your MongoDB deployment and the MongoDB Agent to support authentication.
You can specify the deployment's authentication mechanisms when adding the deployment, or you can edit the settings for an existing deployment. At minimum, the deployment must enable the authentication mechanism you want the MongoDB Agent to use. The MongoDB Agent can use any supported authentication mechanism.
For the purposes of this tutorial, you must ensure the following:
Your deployment supports Kerberos authentication and
MongoDB Agent uses Kerberos authentication.
To learn how to enable Kerberos authentication, see Enable Kerberos Authentication for your Ops Manager Project.
Configure MongoDB Agent Host to Use Kerberos
Two Kerberos-related files must be installed on any host running Monitoring or Backup:
Create or configure the krb5.conf Kerberos configuration file.
PlatformDefault PathNotesLinux/etc/krb5.conf
Windows%WINDIR%\krb5.ini
This is the default path for non-Active Directory-based Kerberos implementations. Refer to the documentation for your Kerberos implemention for your version of Windows to find out where the Kerberos configuration file is stored.On Linux systems: ensure kinit binary is located at
/usr/bin/kinit
.kinit
obtains or renews a Kerberos ticket-granting ticket, which authenticates the Agent using Kerberos.
Procedures
Create Kerberos User Principal for the MongoDB Agent
Create or choose a Kerberos User Principal Name (UPN) for the MongoDB Agent.
An UPN is formatted in two parts so the service can be uniquely identified across the Kerberos realm:
Component | Description |
---|---|
Service name | The name of one service a host is providing to the Kerberos
realm, such as pop or ftp . |
Kerberos realm | A set of managed hosts and services that share the same Kerberos database. NoteBy Kerberos naming convention, the |
Example
In a Kerberos realm set as EXAMPLE.COM
, the MongoDB Agent
would set its UPN to: mongodb-agent@EXAMPLE.COM
Generate a keytab
file for the Kerberos UPN of the MongoDB Agent.
Generate a keytab
file (*.keytab
) for the MongoDB Agent UPN and copy it to the
host that runs the MongoDB Agent. Ensure that the operating system
user that runs the MongoDB Agent is the same operating system user
that owns the keytab
file.