This version of the documentation is archived and no longer supported. To learn how to upgrade your version of MongoDB Ops Manager, refer to the upgrade documentation.

Configure On-Prem MongoDB Management Service Jetty Instances to use HTTPS

Overview

You can optionally configure the Jetty instances that serve the On-Prem MongoDB Management Service application to use HTTPS to encrypt connections between the MMS application and the MMS agent as well as the web interface. Alternately, you can provide access to the MMS application using a load balancer that provides HTTPS access.

Prerequisites

Before configuring MMS and Jetty, you must create and prepare a valid SSL certificate. You must also have the openssl command-line tool available on your system.

Generate Certificate

Existing Certificate Signed by trusted Certificate Authority

If you have an existing certificate, you do not need to generate a new certificate. Proceed to the Prepare the Certificate section to complete the prerequisites.

Create New Certificate and Signing Request for a 3rd Party Certificate Authority

  1. Issue the following command at the system prompt to create a new private key and certificate signing request (CSR):

    openssl req -new -out mms-ssl.csr -newkey rsa:2048 -keyout mms-ssl.key
    

    openssl will prompt you to answer questions for the certificate’s metadata. Complete all prompts. The Common Name must have the same hostname value as the mms.centralUrl configuration.

    Refer to the instructions provided by the certificate authority to ensure that they do not have any further requirements for the certificate signing request or the certificate metadata.

  2. Submit your new CSR to the 3rd-party certificate authority. The certificate authority will return a signed certificate.

Each certificate authority may have a different certificate signing procedure.

When you have a signed certificate, proceed to the Prepare the Certificate section to complete the prerequisites.

Self-Signed Certificate

To generate a self-signed certificate, issue the following command at the system prompt.

openssl req -x509 -days 3650 -newkey rsa:2048 -keyout mms-ssl.key -out mms-ssl.crt

openssl will prompt for a private key passphrase, and for the answers to questions for the certificate’s metadata. Complete all prompts. The Common Name must have the same hostname value as the mms.centralUrl configuration.

Prepare the Certificate

Create PEM Certificate

If the signed certificate is not in PEM format (for example, the certificate authority returned a DER-encoded .cer file), convert the certificate to PEM format with the following command:

openssl x509 -in mms-ssl.cer -inform DER -outform PEM -out mms-ssl.crt

If the certificate authority uses a certificate chain, concatenate the certificates together to create a unified certificate, with a command that resembles the following:

cat mms-ssl.crt <intermediate-certificate> <root-certificate> > mms-ssl-unified.crt

Replace <intermediate-certificate> with the intermediate certificate chain and <root-certificate> with the certificate authority’s root certificate.

Create PKCS12 Certificate

Combine the private key and signed certificate, or certificate chain, into a PKCS12-formatted keystore with the following command:

openssl pkcs12 -inkey mms-ssl.key -in mms-ssl-unified.crt -export -out mms-ssl.pkcs12

openssl will prompt for the private key passphrase as well as a new passphrase for the PKCS12 keystore.
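The commands above are interactive, and the page leaves the two checks that matter to the reader's eye: that the certificate's Common Name really equals the host in mms.centralUrl, and that the keystore you hand to MMS carries the whole chain. The following POSIX shell functions are an added example, not part of the MMS documentation: they run the self-signed and PKCS12 steps non-interactively (passphrases are passed as function arguments through openssl's -passout/-passin options, an assumption of this example; the documented commands prompt for them), and they check the CN against a mms.centralUrl line, count the certificates inside the PKCS12 file, and verify a CA-signed certificate against the concatenated chain. File names follow the page.

```shell
#!/bin/sh
# Added example, not from the MMS documentation: non-interactive variant of
# the certificate steps plus checks to run before handing the keystore to MMS.
# Passphrases are passed as arguments (assumption of this example; the
# documented commands prompt for them instead).
set -eu

# Hostname from a conf-mms.properties line or a bare URL, e.g.
#   mms.centralUrl=https://mms.example.net:8443  ->  mms.example.net
central_url_host() {
    url=${1#mms.centralUrl=}   # drop the property key, if present
    url=${url#*://}            # drop the scheme
    url=${url%%/*}             # drop any path
    url=${url%%:*}             # drop the port
    printf '%s\n' "$url"
}

# Common Name of a PEM certificate (empty if the subject has no CN).
cert_common_name() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# 0 when the certificate CN equals the host in mms.centralUrl, else 1.
cn_matches_central_url() {
    [ "$(cert_common_name "$1")" = "$(central_url_host "$2")" ]
}

# Number of certificates stored in a PKCS12 file: 1 for a self-signed
# certificate, more when the unified chain file was used as input.
pkcs12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# 0 when CERT chains to the CA certificates in CHAIN_FILE (for a CA-signed
# certificate, the concatenated intermediate and root certificates).
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null
}

# Self-signed certificate and PKCS12 keystore for HOST, written into DIR.
make_self_signed_pkcs12() {
    host=$1; dir=$2; key_pass=$3; p12_pass=$4
    openssl req -x509 -days 3650 -newkey rsa:2048 -subj "/CN=$host" \
        -keyout "$dir/mms-ssl.key" -passout "pass:$key_pass" \
        -out "$dir/mms-ssl.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/mms-ssl.key" -passin "pass:$key_pass" \
        -in "$dir/mms-ssl.crt" -out "$dir/mms-ssl.pkcs12" -passout "pass:$p12_pass"
    # both files contain the private key: keep them readable by the owner only
    chmod 600 "$dir/mms-ssl.key" "$dir/mms-ssl.pkcs12"
}
```

Source the file, then call make_self_signed_pkcs12 with the hostname from mms.centralUrl, a target directory and the two passphrases; for a CA-signed certificate, skip that call and run cn_matches_central_url against mms-ssl.crt and chain_verifies against the concatenated intermediate and root certificates before building the PKCS12 file. A CN that differs from the mms.centralUrl host is the most common reason the MMS agent later refuses the HTTPS connection, so the check is worth a line in any rollout script.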

Procedure

Create Java Keystore

Generate Keystore

Convert the PKCS12 keystore into a Java Keystore, so that the MMS server can access the required SSL infrastructure:

/opt/mongodb/mms/jdk/bin/keytool -importkeystore \
                                 -srckeystore mms-ssl.pkcs12 \
                                 -srcstoretype PKCS12 \
                                 -destkeystore mms-keystore.jks

Replace /opt/mongodb/mms with the path of the installation directory for the MMS server. /opt/mongodb/mms is the default installation directory.

keytool will prompt for the PKCS12 keystore passphrase, as well as for a passphrase for the new Java keystore. You can use the same passphrase for Java as for PKCS12 because you can delete the PKCS12 file (i.e. mms-ssl.pkcs12) after generating the Java keystore.

Set Keystore Location and Permission

Issue the following sequence of commands to move the Java keystore file to the /etc/mongodb-mms directory and set the appropriate permissions:

sudo cp -a mms-keystore.jks /etc/mongodb-mms/
sudo chown mongodb-mms:root /etc/mongodb-mms/mms-keystore.jks
sudo chmod 600 /etc/mongodb-mms/mms-keystore.jks

If the MMS application server runs as a different user, change mongodb-mms in the chown command as needed.

Generate Credentials

Issue the following command to generate a credential pair for the MMS application to use to access the Java Keystore:

/opt/mongodb/mms/bin/credentialstool --username keystore --password

Replace /opt/mongodb/mms with the path of the installation directory for the MMS server.

credentialstool will return output that resembles the following:

Your encrypted credentials pair:
Username: abcdef1234567890-76d41ae0a98c
Password: abcdef1234567890-2cc28e525d1f543464

Configure MMS Application to use SSL

Edit the mms.conf (e.g. /opt/mongodb/mms/conf/mms.conf) file and add the following options:

JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslEnabled=true"
JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslKeyStorePath=/etc/mongodb-mms/mms-keystore.jks"
JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslKeyStoreEncryptedPassword=abcdef1234567890-2cc28e525d1f543464"

Modify the values as required by your configuration. Edit the conf-mms.properties file to change the mms.centralUrl value to reflect the new HTTPS information. For example:

mms.centralUrl=https://mms.example.net:8443
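The keystore permissions, the three -D options in mms.conf and the https:// scheme in mms.centralUrl are easy to get half right, and a mistake only shows up after the restart. The following POSIX shell functions are an added example, not part of the MMS documentation: they read the option values back out of mms.conf, confirm the keystore file exists with mode 600 and the expected owner, and confirm mms.centralUrl uses HTTPS, so the configuration can be checked before the server is restarted. Option names and paths are the ones on this page; the argument order of check_ssl_config is this example's own.

```shell
#!/bin/sh
# Added example, not from the MMS documentation: checks to run after editing
# mms.conf and conf-mms.properties and before restarting the MMS server.
# It reads the same -D options and file locations the procedure above uses.

# Value of the -D option NAME from the JAVA_MMS_SSL_OPTS lines of mms.conf;
# the last definition wins, and the result is empty when the option is absent.
ssl_opt() {
    conf=$1; name=$2
    sed -n "s/.*-D$name=\([^\" ]*\).*/\1/p" "$conf" | tail -n 1
}

# 0 when FILE is mode 600 and owned by USER, as required for the keystore.
keystore_perms_ok() {
    file=$1; user=$2
    set -- $(ls -ld "$file")        # "-rw------- 1 owner group size date name"
    mode=${1%[+@.]}                 # drop a trailing ACL/xattr marker, if any
    [ "$mode" = "-rw-------" ] && [ "$3" = "$user" ]
}

# 0 when mms.centralUrl in PROPS is an https:// URL.
central_url_is_https() {
    grep -q '^mms\.centralUrl=https://' "$1"
}

# Run every check, report each failure, return 0 only when all of them pass.
check_ssl_config() {
    conf=$1; props=$2; user=$3; rc=0
    [ "$(ssl_opt "$conf" xgen.webServerSslEnabled)" = "true" ] \
        || { echo "xgen.webServerSslEnabled is not true in $conf"; rc=1; }
    ks=$(ssl_opt "$conf" xgen.webServerSslKeyStorePath)
    if [ -z "$ks" ] || [ ! -f "$ks" ]; then
        echo "xgen.webServerSslKeyStorePath missing or not a file: '$ks'"; rc=1
    elif ! keystore_perms_ok "$ks" "$user"; then
        echo "$ks must be mode 600 and owned by $user"; rc=1
    fi
    [ -n "$(ssl_opt "$conf" xgen.webServerSslKeyStoreEncryptedPassword)" ] \
        || { echo "xgen.webServerSslKeyStoreEncryptedPassword is not set in $conf"; rc=1; }
    central_url_is_https "$props" \
        || { echo "mms.centralUrl in $props does not start with https://"; rc=1; }
    return $rc
}
```

With the default installation directory, source the file and run check_ssl_config /opt/mongodb/mms/conf/mms.conf /opt/mongodb/mms/conf/conf-mms.properties mongodb-mms; a zero exit status means every check passed, and each failing check prints one line naming the file and option to fix. The owner argument is whatever user the MMS application server runs as, matching the chown step above.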

Restart MMS Application Server

Before you can access MMS using an HTTPS connection you must restart the MMS application server:

sudo /etc/init.d/mongodb-mms start

You can now connect to MMS by accessing the following URL in a web browser:

https://mms.example.net:8443