
Enable SSL for a Deployment

For Ops Manager to monitor, deploy, or back up a MongoDB deployment that uses TLS/SSL, you must enable TLS/SSL for the Ops Manager project.

Considerations

Topics Not in Scope

A full description of Transport Layer Security, public key infrastructure, X.509 certificates, and Certificate Authorities is beyond the scope of this tutorial. This tutorial assumes prior knowledge of TLS/SSL and access to valid X.509 certificates.

Monitoring and Backup Agents with TLS/SSL

Starting with Ops Manager 1.8, Ops Manager automatically configures the Monitoring and Backup Agents to connect to the managed deployment over TLS/SSL when you activate TLS/SSL for the Ops Manager project. You do not need to manually configure the agents’ TLS/SSL settings.

If you are not using automation for a deployment, you can still configure the monitoring and backup agents manually. To learn how to configure these agents, see Configure Monitoring Agent for SSL and Configure Backup Agent for SSL.

MongoDB 2.6 Supports TLS/SSL in Enterprise Only

To enable TLS/SSL for a deployment in MongoDB 2.6 and earlier, you must use the MongoDB Enterprise Edition or create a custom build with TLS/SSL enabled. To configure the available MongoDB versions for your Ops Manager project, see Configure Available MongoDB Versions.

Note

If you want to reset Authentication and SSL settings for your project, first unmanage any MongoDB deployments that Ops Manager manages in your project.

Procedures

Important

You must complete:

  1. Set Existing Deployments to Use TLS/SSL, then
  2. Enable SSL for the Project

before you click Review & Deploy.

Set Existing Deployments to Use TLS/SSL

Changed in Ops Manager 2.0.3

Prior to Ops Manager version 2.0.3, if you enabled TLS/SSL on a project, all Ops Manager-managed MongoDB deployments in that project had to use TLS/SSL. With the Client Certificate Mode setting introduced in 2.0.3, you can set TLS/SSL certificates as optional or required for deployments in your project.

If you wish to enable TLS/SSL for existing MongoDB deployments in your Ops Manager project:

1

Click Deployment, then click the Processes tab, and then the Topology view.

2

On the line listing the process, click Modify.

3

Expand the Advanced Configuration Options section.

4

Set the TLS/SSL startup options.

  1. Click Add Option to add each option.

    Option Required Value

    sslMode (Required)
      Select requireSSL.

    sslPEMKeyFile (Required)
      Type the absolute path, on the MongoDB host, to the .pem file that contains the certificate and private key this mongod or mongos presents to clients and to the Agents.

    sslPEMKeyPassword (Conditional)
      If the private key in sslPEMKeyFile is encrypted, type the password that decrypts it.

    sslClusterFile (Optional)
      Type the absolute path to the .pem file that contains the x.509 certificate and key that members of a replica set or sharded cluster use to authenticate to each other.

      If you do not set sslClusterFile, members use the sslPEMKeyFile for internal cluster authentication.

    sslClusterPassword (Conditional)
      If the private key in sslClusterFile is encrypted, type the password that decrypts it.

    sslDisabledProtocols (Optional)
      Type the TLS versions the deployment must refuse. To disable more than one, type a comma-separated list. Disable TLS1_0 and TLS1_1 unless a legacy client still needs them.

      Accepted values are:

      • TLS1_0
      • TLS1_1
      • TLS1_2
  2. After each option, click Add.

Enable TLS/SSL for the Project

Before using TLS/SSL in a deployment, you must enable TLS/SSL for the project. You can set TLS/SSL as optional or required for every deployment in the project.

1
2

On the Select Authentication Mechanisms screen, click Next.

If you wish to enable one or more Authentication Mechanisms for your Ops Manager project, select them and then click Next.

3

Specify the SSL Settings.

Field Action

Enable TLS/SSL
  Toggle this slider to Yes.

TLS/SSL CA File Path
  The TLS/SSL CA file is a .pem-format file that contains the root certificate of the CA that issued the deployment's certificates, plus any intermediate certificates in that chain. The Monitoring and Backup Agents use this same CA file to verify every process in your deployment, so it must cover the issuer of every process's sslPEMKeyFile.

  Type the path to the CA file as it exists on every host running a MongoDB process. The file must sit at the same path on every host of a given operating system:

  • Type the path used on all Linux hosts in the first box.
  • Type the path used on all Windows hosts in the second box.

  This sets net.ssl.CAFile for the MongoDB processes in the project.

Client Certificate Mode
  Specify whether TLS/SSL is optional or required for every MongoDB deployment in the project.

  OPTIONAL
    You choose which MongoDB deployments in this project use TLS/SSL-encrypted network connections.

    • If you start a MongoDB deployment with TLS/SSL, all Agents connect to that deployment with TLS/SSL.
    • If you start a MongoDB deployment without TLS/SSL, all Agents connect to that deployment without TLS/SSL.

  REQUIRED
    Every MongoDB deployment in this project starts with TLS/SSL-encrypted network connections. All Agents must use TLS/SSL to connect to any MongoDB deployment.

Click Continue.

4

Configure the Ops Manager Agents.

Field Action

Agent Auth Mechanism
  In this list, click X.509 Client Certificate.

Automation Agent Username, Backup Agent Username, Monitoring Agent Username
  Type the MongoDB user name for each Agent. With X.509 Client Certificate, this is the subject of that Agent's client certificate in RFC 2253 form (the output of openssl x509 -noout -subject -nameopt RFC2253), and the user must already exist in the $external database. Agents that share one certificate authenticate as the same user.

Automation Agent PEM Key File, Backup Agent PEM Key File, Monitoring Agent PEM Key File
  Type the path on the Agent hosts to that Agent's PEM key file, which holds the client certificate followed by its private key.

  • The first box is for all Linux Agent hosts.
  • The second box is for all Windows Agent hosts.

Automation Agent PEM Key Password, Backup Agent PEM Key Password, Monitoring Agent PEM Key Password
  Optional. If you encrypted that Agent's PEM key file, enter its password in this box.

Click Save.

5

Click Review & Deploy to review your changes.

6

Click Confirm & Deploy to deploy your changes.

Otherwise, click Cancel to make additional changes.
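The script below is an added pre-flight example written for this page; it is not Ops Manager's own code or tooling. Before you click Review & Deploy, it checks the files whose paths go into the sslPEMKeyFile, TLS/SSL CA File Path and Agent PEM Key File boxes: that each PEM holds a certificate with its matching private key, that each chains to the CA file the Agents will trust, that the member certificate matches the hostname Ops Manager dials and is not about to expire, and that the Agent certificate's subject, which is the username you enter for X.509 Client Certificate, does not share O/OU/DC with the member certificate. So that it runs offline it builds a throwaway CA, a mongod certificate and an Automation Agent certificate with openssl; "Example Corp", "mongod1.example.internal" and "automation-agent" are made-up names, and openssl on PATH is assumed.

```shell
#!/usr/bin/env bash
# Added pre-flight example, not part of the Ops Manager documentation.
# Everything under $WORK is a constructed test PKI; in practice point the
# functions at your real sslPEMKeyFile, CA file and Agent PEM key file.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# --- constructed test PKI (hypothetical names) -------------------------------
issue_cert() {
  local d="$1" name="$2" subj="$3"
  openssl req -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
  openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 365 -out "$d/$name.crt" 2>/dev/null
  # mongod and the Agents expect certificate followed by private key in one file
  cat "$d/$name.crt" "$d/$name.key" > "$d/$name.pem"
}

make_test_pki() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/O=Example Corp/CN=Example Test CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  issue_cert "$d" server "/O=Example Corp/OU=mongod/CN=mongod1.example.internal"
  issue_cert "$d" agent  "/O=Example Corp/OU=agents/CN=automation-agent"
  # deliberately broken file: the mongod certificate paired with the agent's key
  cat "$d/server.crt" "$d/agent.key" > "$d/mismatched.pem"
}

# --- checks for sslPEMKeyFile and the Agent PEM Key File ---------------------
# Certificate and key in the same file must belong together: compare the
# SHA-256 of the public key read from each half. Pass the sslPEMKeyPassword
# value as $2 when the key is encrypted.
pem_key_matches_cert() {
  local cert_pub key_pub
  cert_pub="$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)"
  key_pub="$(openssl pkey -in "$1" -pubout -passin "pass:${2:-}" | openssl dgst -sha256)"
  [ "$cert_pub" = "$key_pub" ]
}

# The certificate must validate against the CA file given to the Agents,
# which is the only trust anchor they use for every process in the project.
pem_chains_to_ca() {
  openssl x509 -in "$1" | openssl verify -CAfile "$2" >/dev/null 2>&1
}

# Fail if the certificate expires within 30 days (2592000 s); an expired
# certificate is rejected by the Agents and by peers at the next handshake.
cert_not_expiring_soon() {
  openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null
}

# The hostname Ops Manager lists for the process must match the certificate
# (SAN dNSName, or the CN when there is no SAN), not an IP or a short alias.
cert_matches_host() {
  case "$(openssl x509 -in "$1" -noout -checkhost "$2")" in
    *"does match"*) return 0 ;;
    *)              return 1 ;;
  esac
}

# --- checks for the Agent certificate used with X.509 Client Certificate ----
# The Agent authenticates as the $external user named by its certificate
# subject in RFC 2253 order; this prints that exact string.
agent_x509_username() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# O, OU and DC of a client certificate must differ from the member
# certificate's, otherwise mongod treats the connection as a cluster member.
member_id_of() {
  agent_x509_username "$1" | tr ',' '\n' | grep -E '^(O|OU|DC)=' | sort | tr '\n' ';'
}
client_is_not_a_member() {
  [ "$(member_id_of "$1")" != "$(member_id_of "$2")" ]
}

# $1 server PEM, $2 CA file, $3 hostname as listed in Ops Manager, $4 Agent PEM
run_preflight() {
  pem_key_matches_cert "$1"     || { echo "FAIL: key in $1 does not match its certificate"; return 1; }
  pem_chains_to_ca "$1" "$2"    || { echo "FAIL: $1 does not chain to $2"; return 1; }
  cert_not_expiring_soon "$1"   || { echo "FAIL: $1 expires within 30 days"; return 1; }
  cert_matches_host "$1" "$3"   || { echo "FAIL: $1 is not valid for host $3"; return 1; }
  pem_key_matches_cert "$4"     || { echo "FAIL: key in $4 does not match its certificate"; return 1; }
  pem_chains_to_ca "$4" "$2"    || { echo "FAIL: $4 does not chain to $2"; return 1; }
  client_is_not_a_member "$4" "$1" || { echo "FAIL: Agent certificate shares O/OU/DC with the member certificate"; return 1; }
  echo "OK: create this user in \$external before saving X.509 for the Agent: $(agent_x509_username "$4")"
}

make_test_pki "$WORK"
run_preflight "$WORK/server.pem" "$WORK/ca.pem" mongod1.example.internal "$WORK/agent.pem"
run_preflight "$WORK/mismatched.pem" "$WORK/ca.pem" mongod1.example.internal "$WORK/agent.pem" || true
```

Substitute the real paths for the ones under $WORK to use it against a deployment. The mismatched.pem run shows the failure you get when the wrong key is concatenated behind a certificate, which mongod also refuses at startup; catching it here avoids an automation plan that never converges.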