Navigation
  • Security >
  • Configure SSL Connections to Ops Manager

Configure SSL Connections to Ops Manager

You can configure Ops Manager to encrypt connections from all Agents to Ops Manager, from website clients to the Ops Manager Application, and from API clients to the REST API.

To encrypt connections, you can:

  • Set up an HTTPS proxy in front of Ops Manager, or
  • Run the Ops Manager Application over HTTPS, as described on this page.

The following procedure configures Ops Manager with a .pem file that contains the Ops Manager host’s TLS/SSL certificate.

  • If you are using automation, the Automation Agent updates the agents to use HTTPS after successfully completing the procedure.
  • If you are not using automation, you must configure all of the agents using the same procedure. By default, Ops Manager accesses HTTPS on port 8443.

See also

Configure Ops Manager Application for TLS/SSL

1

Upload the certificate file to each Ops Manager host.

  1. Upload your .pem file to each Ops Manager Application host. This certificate must be uploaded to each Ops Manager host so they can accept TLS/SSL connections.
  2. Change the owner of the .pem file to the user and group that own the Ops Manager process.
  3. Change the permissions of the .pem file so only the file owner can read and write the file.
2

Configure the Ops Manager Application for TLS/SSL.

  1. Click Admin in the Ops Manager application to view the Admin interface.

  2. Click the General tab

  3. Click Ops Manager Config.

  4. Click Web Server & Email.

  5. Set the following options under Web Server heading:

    URL to Access Ops Manager

    Provide the full URL for Ops Manager Application including port 8443 for HTTPS access.

    Example

    https://opsmanager.example.com:8443
    
    HTTPS PEM Key File Type the absolute file system path where the .pem file is located on all Ops Manager hosts in this box.
    HTTPS PEM Key File Password If you encrypted the HTTPS PEM Key File, type the password needed to decrypt it in this box.
    Client Certificate Mode

    Select which client hosts must connect to Ops Manager using TLS/SSL. Ops Manager checks for certificates from these client hosts when they try to connect. If you leave this setting as None, connections with Ops Manager may be encrypted, but are not required to be.

    Accepted values are:

    • None
    • Required for Agents Only
    • Required for All Requests
  6. Click Save.

3

(Optional) Change the minimum TLS version for TLS/SSL.

By default, TLS version 1.2 is the minimum required version for clients to connect to the Ops Manager application.

To change the minimum TLS version:

  1. Click Admin in the Ops Manager application to view the Admin interface.

  2. Click the General tab

  3. Click Ops Manager Config.

  4. Click Custom.

  5. Configure the minimum TLS version.

  6. Enter mms.minimumTLSVersion in the Key box.

  7. Enter a minimum TLS version in the Value box.

    The following values are accepted:

    • TLSv1
    • TLSv1.1
    • TLSv1.2
  8. Click Save.

4

(Optional) Specify excluded TLS cipher suites for TLS/SSL.

To exclude specific TLS cipher suites from TLS connections with the Ops Manager Application.

  1. Click Admin in the Ops Manager application to view the Admin interface.

  2. Click the General tab

  3. Click Ops Manager Config.

  4. Click Custom.

  5. Enter mms.disableCiphers in the Key box.

  6. Enter a comma-separated list of cipher suites to disable in the Value box.

    Important

    Cipher suite names used in Ops Manager must follow RFC 5246 naming conventions. Do not use the OpenSSL naming convention.

  7. Click Save.

5

Restart each Ops Manager host to enable TLS/SSL.

Restart the Ops Manager Application per the instructions to Start and Stop Ops Manager Application.

Configure Automation Agents to use TLS/SSL

On each MongoDB host in your cluster:

1

Open automation-agent.config in a text editor.

The location of the Automation Agent configuration file depends on your platform:

Platform Installation Method Default Config File Path
RHEL, CentOS, Amazon Linux and Ubuntu package manager /etc/mongodb-mms/automation-agent.config
macOS or other Linux distributions tar /path/to/install/local.config
Windows msi C:\MMSData\Automation\automation-agent.config
2

Change mmsBaseUrl and TLS/SSL settings.

Set or add the following properties where needed:

mmsBaseUrl Required Set this value to match the URL you entered in the URL to Access Ops Manager box.
sslRequireValidMMSServerCertificates Conditional

Set this value to true if all of the following apply:

  • You want the agent to validate TLS/SSL certificates of Ops Manager.
  • You signed the TLS/SSL certificates of your Ops Manager hosts with a known external Certificate Authority or self-signed Certificate Authority.

Note

If you set this value to true, you must set sslTrustedMMSServerCertificate.

sslTrustedMMSServerCertificate Conditional

If you are using your own self-signed Certificate Authority .pem files, add this property and set it to the absolute path to your Certificate Authority file on the MongoDB host.

Important

This Certificate Authority file must be in the same location on each MongoDB host in the same sharded cluster or replica set. Any MongoDB host that does not have the file in the same file location as the others may become unaccessible.

sslMMSServerClientCertificate Conditional If you set Client Certificate Mode in Ops Manager to Required for Agents Only or Required for All Requests, add this value and specify the absolute path to the file containing the client’s private key, certificate, and optional intermediate certificates in .pem format .
sslMMSServerClientCertificatePassword Conditional If you encrypted the sslMMSServerClientCertificate .pem file, provide the password needed to decrypt it.
3

Click Save.

4

Restart the Automation Agent.