Enable SSL for a Deployment
For Ops Manager to monitor, deploy, or back up a MongoDB deployment that uses SSL, you must enable SSL for the Ops Manager group. The SSL settings apply to all deployments managed by Ops Manager.
A full description of TLS/SSL, PKI (Public Key Infrastructure) certificates, x.509 certificates, and Certificate Authorities is beyond the scope of this document. This tutorial assumes prior knowledge of TLS/SSL as well as access to valid x.509 certificates.
Starting with Ops Manager 1.8, Ops Manager automatically configures the Monitoring and Backup agents to connect to the managed deployment over SSL when you activate SSL for the Ops Manager group. You no longer need to manually configure the agents’ SSL settings.
If you are not using automation for a deployment, you can still configure the Monitoring and Backup agents manually. See Configure Monitoring Agent for SSL and Configure Backup Agent for SSL for more information.
If Ops Manager is not managing any MongoDB deployment, you can reset Authentication and SSL settings for your group.
To remove all authentication and security settings as well as the users and roles you created using Ops Manager, click Clear Settings in the Authentication & SSL Settings dialog box.
See Clear Security Settings for more information.
To unmanage MongoDB deployments, see Remove a Process from Management or Monitoring.
For information on other group-wide settings, see Create a Group.
For MongoDB 2.6 and below, you must use the MongoDB Enterprise Edition, which includes SSL, or add a custom build with SSL enabled. To configure the available MongoDB versions, see Configure Available MongoDB Versions.
Ensure Existing Deployments are Using SSL
If you wish to enable SSL for an Ops Manager group that includes MongoDB deployments, use the following procedure to ensure that the MongoDB deployments are configured to use SSL:
Click Deployment, then click the Processes tab, and then the Topology view.
On the line listing the process, click Modify.
Expand the Advanced Options area.
Set the SSL startup options.
Click Add Option to add each option.
Provide the path to the client certificate.
If you encrypted the PEM key file, provide its password.
When you have added the required settings, click Apply.
Enable SSL for the Group
You can manage both SSL and non-SSL MongoDB deployments in the same group.
Prior to Ops Manager version 2.0.3, if you enable SSL, all MongoDB deployments in the group that are managed by Ops Manager must use SSL.
Toggle the Enable SSL slider to Yes.
Specify the path to the SSL CA file and choose the Client Certificate Mode, then click Continue.
The SSL CA file is a .pem file that contains the root certificate chain from the Certificate Authority.
The Monitoring and Backup Agents use the CA file for connections to
The Client Certificate Mode specifies whether client
certificates are required for each
in the deployment.
- OPTIONAL: Ops Manager starts each
mongos process with both
net.ssl.allowConnectionsWithoutCertificates. As such,
mongos processes need not possess client certificates.
- REQUIRED: Ops Manager starts each
mongos must possess a client certificate.
Provide SSL credentials for the Ops Manager Agents
Specify the path to the .pem file that contains both the TLS/SSL certificate and key for each agent. If needed, specify the password to decrypt the .pem certificate-key file.
Ensure you use the correct input box for your operating system.
Click Review & Deploy to review your changes.
Review and approve your changes.
Ops Manager displays your proposed changes.
- If you are satisfied, click Confirm & Deploy.
- Otherwise, click Cancel and you can make additional changes.
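Before entering the CA file and agent .pem paths in the steps above, you can check that each file has the contents this page describes. The following Python sketch is an added example, not part of Ops Manager: the function names, messages, and sample PEM text are constructed for illustration, and the "no private key in the CA file" check is an added hygiene assumption.

```python
import re

# One PEM block: captures the label (e.g. CERTIFICATE) and the body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def inspect_pem(text):
    """Count certificates and private keys; flag an encrypted key."""
    info = {"certificates": 0, "private_keys": 0, "encrypted_key": False}
    for label, body in PEM_BLOCK.findall(text):
        if label == "CERTIFICATE":
            info["certificates"] += 1
        elif label.endswith("PRIVATE KEY"):
            info["private_keys"] += 1
            # PKCS#8 encrypted keys have their own label; legacy OpenSSL
            # keys carry a Proc-Type header inside the block.
            if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
                info["encrypted_key"] = True
    return info

def check_ca_file(text):
    """The CA file should hold the certificate chain and nothing secret."""
    info, problems = inspect_pem(text), []
    if info["certificates"] == 0:
        problems.append("CA file contains no certificate")
    if info["private_keys"]:
        problems.append("CA file contains a private key")
    return problems

def check_agent_pem(text, password_supplied):
    """The agent .pem must hold both certificate and key."""
    info, problems = inspect_pem(text), []
    if info["certificates"] == 0:
        problems.append("agent PEM has no certificate")
    if info["private_keys"] == 0:
        problems.append("agent PEM has no private key")
    if info["encrypted_key"] and not password_supplied:
        problems.append("key is encrypted but no password was supplied")
    return problems

def _block(label, body="Q09OU1RSVUNURUQ="):
    # Constructed placeholder body, not real certificate or key material.
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

CA_SAMPLE = _block("CERTIFICATE") * 2
CERT_ONLY = _block("CERTIFICATE")
AGENT_PLAIN = _block("CERTIFICATE") + _block("PRIVATE KEY")
AGENT_ENCRYPTED = _block("CERTIFICATE") + _block("ENCRYPTED PRIVATE KEY")
AGENT_LEGACY = _block("CERTIFICATE") + _block(
    "RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\nQ09O")

if __name__ == "__main__":
    print(check_agent_pem(AGENT_ENCRYPTED, password_supplied=False))
```

The checks only look at PEM structure; they do not validate the certificate chain or expiry.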