Configure SSL Connections to Ops Manager

Overview

You can encrypt connections from the Monitoring and Backup Agents to Ops Manager, from website clients to the Ops Manager Admin interface, and from command-line clients, such as curl, to the REST API. You can encrypt connections in the following ways:

  • Set up an HTTPS proxy in front of Ops Manager.
  • Run the Ops Manager Application over HTTPS, as described here.

The following procedure configures Ops Manager with a .pem file that contains the Ops Manager host’s certificate and private key. If you are using automation, the Automation Agent automatically updates the Monitoring and Backup agents for HTTPS after successfully completing the procedure. If you are not using automation, you must manually configure all of the agents using the same procedure. By default, Ops Manager uses port 8443 for HTTPS access.

Run the Ops Manager Application Over HTTPS

To run the Ops Manager Application over HTTPS:

Step 1: Configure the Ops Manager host for HTTPS.

  1. Upload your .pem file to the Ops Manager application host.

  2. Click Admin in the Ops Manager application to view the Admin interface.

  3. Click the General tab, then click Ops Manager Config.

  4. Set HTTPS PEM Key File to the file system path where the .pem file is located on the Ops Manager host.

  5. Set HTTPS PEM Key File Password to the password for the .pem file.

  6. Set URL to Access Ops Manager to the new URL and port 8443 for HTTPS access. The following is an example:

    https://mms.example.net:8443
    
  7. Click Save.

  8. (Optional) Configure the minimum TLS version.

    By default, TLS version 1.2 is the minimum required version for clients to connect to the Ops Manager application. To change the minimum TLS version:

    1. Click the CUSTOM tab.

    2. Enter mms.minimumTLSVersion in the Key field.

    3. Enter the minimum TLS version in the Value field.

      The following values are valid:

      • TLSv1
      • TLSv1.1
      • TLSv1.2

    4. Click Save.

  9. (Optional) Specify ciphers that Ops Manager clients may not use to connect to the Ops Manager application.

    1. Click the CUSTOM tab.
    2. Enter mms.disableCiphers in the Key field.
    3. Enter a comma-separated list of ciphers in the Value field.
    4. Click Save.

  10. Stop and restart the Ops Manager application.

    See Start and Stop Ops Manager Application for instructions.

Step 2: Configure the Automation Agent for HTTPS on each host in your cluster.

  1. Open automation-agent.config in a text editor on each host in your cluster.

    See Automation Agent Configuration for information on where to find this configuration file.

  2. Set the mmsBaseUrl property to match the value you entered in the URL to Access Ops Manager field in the Ops Manager Admin interface.

  3. If you are using a certificate that is not signed by a proper certificate authority, set the sslRequireValidMMSServerCertificates property to false. With this setting the agent does not validate the Ops Manager certificate.

    Alternatively, to keep validation enabled, upload your self-signed .ca file to each host in your cluster and set the sslTrustedMMSServerCertificate property to the full path of the file.

  4. Save your changes.

  5. Restart the Automation Agents on each host in your cluster.
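
The following Python check is an added example, not part of the Ops Manager documentation. It audits one host's automation-agent.config against the agent steps above: the URL must match the one set in the Admin interface, validation should not be switched off, and the CA file must be given as a full path. It assumes the file uses key=value lines with # comments; the function names, sample file contents and CA path are constructed for illustration.

```python
import ntpath
import posixpath
from urllib.parse import urlsplit


def parse_agent_config(text):
    """Parse key=value lines; blank lines and # comments are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def audit_agent_config(text, ops_manager_url):
    """Return a list of findings for one host's automation-agent.config."""
    cfg = parse_agent_config(text)
    findings = []
    base = cfg.get("mmsBaseUrl", "")
    if urlsplit(base).scheme != "https":
        findings.append("mmsBaseUrl is not an https:// URL")
    elif base.rstrip("/") != ops_manager_url.rstrip("/"):
        findings.append("mmsBaseUrl does not match URL to Access Ops Manager")
    ca = cfg.get("sslTrustedMMSServerCertificate", "")
    validate = cfg.get("sslRequireValidMMSServerCertificates", "true").lower()
    if validate == "false":
        hint = " although a CA file is set" if ca else ""
        findings.append("certificate validation is disabled" + hint)
    if ca and not (posixpath.isabs(ca) or ntpath.isabs(ca)):
        findings.append("sslTrustedMMSServerCertificate is not a full path")
    return findings


# Constructed sample files (not taken from a real deployment).
WEAK = """\
# agent still points at the pre-HTTPS URL
mmsBaseUrl=http://mms.example.net:8080
sslRequireValidMMSServerCertificates=false
sslTrustedMMSServerCertificate=certs/ca.pem
"""
FIXED = """\
mmsBaseUrl=https://mms.example.net:8443
sslTrustedMMSServerCertificate=/etc/mongodb-mms/ca.pem
"""

if __name__ == "__main__":
    print(audit_agent_config(WEAK, "https://mms.example.net:8443"))
```

Run it against the file from each host before restarting the agents; an empty list means the file is consistent with the settings in this procedure.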