Configure On-Prem MongoDB Management Service Jetty Instances to use HTTPS

Overview
You can optionally configure the Jetty instances that serve the On-Prem MongoDB Management Service application to use HTTPS to encrypt connections between the MMS application and the MMS agent as well as the web interface. Alternately, you can provide access to the MMS application using a load balancer that provides HTTPS access.
Prerequisites

Before configuring MMS and Jetty, you must create and prepare a valid SSL certificate. You must also have access to the openssl library on your system.

Generate Certificate

Existing Certificate Signed by trusted Certificate Authority
If you have an existing certificate, you do not need to generate a new certificate. Proceed to the Prepare the Certificate section to complete the prerequisites.
Create New Certificate and Signing Request for a 3rd Party Certificate Authority

Issue the following command at the system prompt to create a new certificate and certificate signing request (CSR):

openssl will prompt you to answer questions for the certificate's metadata. Complete all prompts. The Common Name must have the same hostname value as the mms.centralUrl configuration. Refer to the instructions provided by the certificate authority to ensure that they do not have any additional requirements for the certificate signing request or the certificate metadata.

Submit your new CSR to the 3rd-party certificate authority. The certificate authority will return a signed certificate.
Each certificate authority may have a different certificate signing procedure.
When you have a signed certificate, proceed to the Prepare the Certificate section to complete the prerequisites.
Self-Signed Certificate

To generate a self-signed certificate, issue the following command at the system prompt.

openssl will prompt for a private key passphrase, and for the answers to questions for the certificate's metadata. Complete all prompts. The Common Name must have the same hostname value as the mms.centralUrl configuration.
Prepare the Certificate

Create PEM Certificate

If the signed certificate is not in PEM format, convert the certificate to PEM format with the following command:
If the certificate authority uses a certificate chain, concatenate the certificates together to create a unified certificate, with a command that resembles the following:
Replace <intermediate-certificate> with the intermediate certificate chain and <root-certificate> with the certificate authority's root certificate.
Create PKCS12 Certificate
Combine the private key and signed certificate, or certificate chain, into a PKCS12-formatted keystore with the following command:
openssl will prompt for the private key passphrase as well as a new passphrase for the PKCS12 keystore.

Procedure

Create Java Keystore

Generate Keystore
Convert the PKCS12 keystore into a Java Keystore, so that the MMS server can access the required SSL infrastructure:
Replace /opt/mongodb/mms with the path of the installation directory for the MMS server. /opt/mongodb/mms is the default installation directory.

keytool will prompt for the PKCS12 keystore passphrase, as well as for a passphrase for the new Java keystore. You can use the same passphrase for Java as for PKCS12 because you can delete the PKCS12 file (i.e. mms-ssl.pkcs12) after generating the Java keystore.
Set Keystore Location and Permission

Issue the following sequence of commands to move the Java keystore file to the /etc/mongodb-mms directory and set the appropriate permissions:

sudo cp -a mms-keystore.jks /etc/mongodb-mms/
sudo chown mongodb-mms:root /etc/mongodb-mms/mms-keystore.jks
sudo chmod 600 /etc/mongodb-mms/mms-keystore.jks

If the MMS application server runs as a different user, change mongodb-mms in the chown command as needed.
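The certificate-to-keystore chain above, as an added shell example that is not part of the MMS documentation: it builds a self-signed certificate, a PKCS12 bundle and (when keytool is available) a Java keystore unattended, and checks the two things that most often go wrong in this procedure, a Common Name that does not match the mms.centralUrl host and a keystore that is not mode 600. The host mms.example.net, the passphrase "changeit" and the temporary work directory are constructed placeholders.

```shell
#!/bin/sh
# Added example, not MMS project code. Runs in a temp dir rather than /etc/mongodb-mms.
set -eu

# Hostname part of an mms.centralUrl value: https://mms.example.net:8443 -> mms.example.net
central_host() {
    h=${1#*://}                 # drop scheme
    h=${h%%/*}                  # drop any path
    printf '%s\n' "${h%%:*}"    # drop port
}

# Subject CN of a PEM certificate; RFC2253 output looks like "subject=CN=host,O=..."
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Self-signed certificate whose CN is the central URL host. The docs' command prompts
# for a key passphrase; -nodes leaves the key unencrypted so this can run unattended.
make_self_signed() {   # host keyfile certfile
    openssl req -x509 -newkey rsa:2048 -days 365 -nodes -subj "/CN=$1" \
        -keyout "$2" -out "$3" 2>/dev/null
}

# Private key plus certificate (or concatenated chain) into a PKCS12 keystore.
make_pkcs12() {        # keyfile certfile p12file passphrase
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
}

# PKCS12 into a Java keystore for Jetty; keytool ships with the JDK.
make_jks() {           # p12file jksfile passphrase
    keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$3" \
        -destkeystore "$2" -deststoretype JKS -deststorepass "$3" -noprompt
}

# The keystore holds the private key, so it must be exactly mode 600.
keystore_perms_ok() {
    [ -n "$(find "$1" -perm 600 2>/dev/null)" ]
}

# Driver with constructed values; skipped entirely when openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
    host=$(central_host "https://mms.example.net:8443")
    work=$(mktemp -d)
    make_self_signed "$host" "$work/mms.key" "$work/mms.crt"
    [ "$(cert_cn "$work/mms.crt")" = "$host" ] || { echo "CN does not match mms.centralUrl" >&2; exit 1; }
    make_pkcs12 "$work/mms.key" "$work/mms.crt" "$work/mms-ssl.pkcs12" "changeit"
    chmod 600 "$work/mms-ssl.pkcs12"
    keystore_perms_ok "$work/mms-ssl.pkcs12" && echo "PKCS12 keystore ready in $work"
    command -v keytool >/dev/null 2>&1 && make_jks "$work/mms-ssl.pkcs12" "$work/mms-keystore.jks" "changeit"
fi
```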
Generate Credentials
Issue the following command to generate a credential pair for the MMS application to use to access the Java Keystore:
Replace /opt/mongodb/mms with the path of the installation directory for the MMS server.

credentialstool will return output that resembles the following:

Configure MMS Application to use SSL

Edit the mms.conf file (e.g. /opt/mongodb/mms/conf/mms.conf) and add the following options:
Modify the values as required by your configuration. Edit the conf-mms.properties file to change the mms.centralUrl value to reflect the new HTTPS information. For example:

Restart MMS Application Server

Before you can access MMS using an HTTPS connection, you must restart the MMS application server:
You can now connect to MMS by accessing the following URL in a web browser: