Configure MongoDB Agent for Externally Sourced Configuration File Values
New in version 4.2.
MongoDB supports using expansion directives in configuration files to load externally sourced values. If you have advanced auditing or compliance needs, you can:
- Store the MongoDB process configuration (mongod or mongos) in memory so that passwords are not stored on disk, and
- Read MongoDB Agent configuration passwords from a shell command rather than directly from the MongoDB Agent configuration file.
Store MongoDB Process Configuration Files in Memory
By default, the MongoDB Agent writes MongoDB process configuration files on disk on its host. These configuration files might contain the following credentials:
- net.tls.certificateKeyFilePassword
- net.tls.clusterPassword
- security.kmip.clientCertificatePassword
- security.ldap.bind.queryPassword
To avoid storing these credentials on disk for auditing or compliance reasons, you can store the MongoDB process configuration in memory by setting enableLocalConfigurationServer to true in the MongoDB Agent configuration file.
When the mongod configuration is served from memory, the mongod configuration file on disk includes only a __rest expansion directive that defines the URL of the full configuration file. The mongod process then securely requests the full configuration file from its local MongoDB Agent using the URL in the __rest expansion directive.
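An added example, not taken from the MongoDB documentation: a Python check that reads the text of a mongod configuration file and reports, for each of the four credential settings listed above, whether it is stored in plaintext or sourced through an expansion directive, and whether the file is only a top-level directive stub. The sample configurations, the localhost URL and the name `audit_config` are constructed for illustration; `__exec` is MongoDB's other expansion directive, and the parser assumes simple nested YAML mappings.

```python
import re

# Credential settings this page lists as possibly present in an on-disk config.
CREDENTIAL_KEYS = {
    "net.tls.certificateKeyFilePassword",
    "net.tls.clusterPassword",
    "security.kmip.clientCertificatePassword",
    "security.ldap.bind.queryPassword",
}
DIRECTIVES = {"__rest", "__exec"}  # MongoDB expansion directives
LINE = re.compile(r"^(\s*)(\w+):(?:\s+(.*))?$")

def audit_config(text):
    """Return (whole_file_directive, {credential_path: status})."""
    findings, whole_file, stack = {}, False, []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = LINE.match(raw.rstrip())
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        while stack and stack[-1][0] >= indent:  # leave deeper/sibling scopes
            stack.pop()
        parent = ".".join(k for _, k in stack)
        if key in DIRECTIVES:
            if not stack:
                whole_file = True  # the file itself is fetched at startup
            elif parent in CREDENTIAL_KEYS:
                findings[parent] = "externally sourced"
            continue
        path = f"{parent}.{key}" if parent else key
        if path in CREDENTIAL_KEYS and value:
            findings[path] = "plaintext on disk"
        stack.append((indent, key))
    return whole_file, findings

# Constructed sample: one plaintext secret, one sourced through a directive.
PLAINTEXT_CONFIG = (
    'net:\n  tls:\n    mode: requireTLS\n'
    '    clusterPassword: "constructed-secret"\n'
    'security:\n  ldap:\n    bind:\n      queryPassword:\n'
    '        __exec: "constructed-command"\n        type: "string"\n'
)
# Constructed stub of the kind described above; the URL is a placeholder.
IN_MEMORY_STUB = '__rest: "http://localhost:9999/constructed-path"\ntype: "yaml"\n'

if __name__ == "__main__":
    print(audit_config(PLAINTEXT_CONFIG))
    print(audit_config(IN_MEMORY_STUB))
```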
Considerations
Impacts Availability of MongoDB Deployments
When this feature is enabled, the MongoDB Agent doesn’t store the MongoDB process configuration on disk. If the Ops Manager app server is unavailable and the MongoDB Agent attempts to restart, then the MongoDB Agent stops running because it doesn’t have the necessary configuration information. If a MongoDB process crashes while the MongoDB Agent isn’t running, then the MongoDB Agent can’t restart the process.
Limits Importing Existing MongoDB Deployments
You cannot import MongoDB processes that have configuration files with credentials stored in memory. When the configuration is stored in memory, MongoDB redacts any credentials after use. Therefore, MongoDB can’t retrieve the credentials necessary to import the process.
Remove Passwords from the MongoDB Agent Configuration File
You can configure the MongoDB Agent to obtain its passwords by running a shell command rather than reading them directly from the MongoDB Agent configuration file. To use this feature, add the following settings to the MongoDB Agent’s configuration file: