Navigation
You were redirected from a different version of the documentation. Click here to go back.
  • Security >
  • Enable SSL for a Deployment

Enable SSL for a Deployment

On this page

Overview

For Ops Manager to monitor, deploy, or back up a MongoDB deployment that uses SSL, you must enable SSL for the Ops Manager group. The SSL settings apply to all deployments managed by Ops Manager.

Important

A full description of TLS/SSL, PKI (Public Key Infrastructure) certificates, x.509 certificates, and Certificate Authorities is beyond the scope of this document. This tutorial assumes prior knowledge of TLS/SSL as well as access to valid x.509 certificates.

Starting with Ops Manager 1.8, Ops Manager automatically configures the Monitoring and Backup agents to connect to the managed deployment over SSL when you activate SSL for the Ops Manager group. You no longer need to manually configure the agents’ SSL settings.

If you are not using automation for a deployment, you can still configure the monitoring and backup agents manually. See: Configure Monitoring Agent for SSL and Configure Backup Agent for SSL for more information.

Note

If Ops Manager is not managing any MongoDB deployment, you can reset Authentication and SSL settings for your group.

To remove all authentication and security settings as well as the users and roles you created using Ops Manager, click Clear Settings in the Authentication & SSL Settings dialog box .

See Clear Security Settings for more information.

To unmanage MongoDB deployments, see Remove a Process from Management or Monitoring.

For information on other group-wide settings, see Create a Group.

Procedures

Warning

For MongoDB 2.6 and below, you must use the MongoDB Enterprise Edition, which includes SSL, or add a custom build with SSL enabled. To configure the available MongoDB versions, see: Configure Available MongoDB Versions.

Ensure Existing Deployments are Using SSL

If you wish to enable SSL for an Ops Manager group that includes MongoDB deployments, use the following procedure to ensure that the MongoDB deployments are configured to use SSL:

1

Click Deployment, then click the Processes tab, and then the Topology view.

2

On the line listing the process, click Modify.

3

Expand the Advanced Options area.

4

Set the SSL startup options.

  1. Click Add Option to add each option.

    Option Value
    sslmode Select requireSSL.
    sslPemKeyFile Provide the path to the client certificate.
    sslPemKeyPassword If you encrypted the PEM key file, provide its password.
  2. When you have added the required settings, click Apply.

Enable SSL for the Group

You can manage both SSL and non-SSL MongoDB deployments in the same group.

Important

Prior to Ops Manager version 2.0.3, if you enable SSL, all MongoDB deployments in the group that are managed by Ops Manager must use SSL.

1
2

On the Select Authentication Mechanisms screen, click Next.

If you wish to enable one or more Authentication Mechanisms for your Ops Manager group, select them and then click Next.

3

Toggle the Enable SSL slider to Yes.

4

Specify the path to the SSL CA file and choose the Client Certificate Mode, then click Continue.

The SSL CA file is a .pem file that contains the root certificate chain from the Certificate Authority. The Monitoring and Backup Agents use the CA file for connections to your deployment.

The Client Certificate Mode specifies whether client certificates are required for each mongod and mongos in the deployment.

5

Provide SSL credentials for the Ops Manager Agents

Specify the path to the .pem file that contains both the TLS/SSL certificate and key for each agent. If needed, specify the password to de-crypt the .pem certificate-key file.

Ensure you use the correct input box for your operating system.

6

Click Review & Deploy to review your changes.

7

Review and approve your changes.

Ops Manager displays your proposed changes.

  1. If you are satisfied, click Confirm & Deploy.
  2. Otherwise, click Cancel and you can make additional changes.