This version of the documentation is archived and no longer supported. To learn how to upgrade your version of MongoDB Ops Manager, refer to the upgrade documentation.

Security

Overview

On-Prem MongoDB Management Service provides configurable encryption, authentication, and authorization to ensure the security of your On-Prem MongoDB Management Service agents, On-Prem MongoDB Management Service deployments, and MongoDB deployments. On-Prem MongoDB Management Service supports SSL, MONGODB-CR, LDAP, and Kerberos.

Encryption

On-Prem MongoDB Management Service uses SSL to encrypt the Monitoring Agent's and Backup Agent's connections both to MongoDB instances and to the On-Prem MongoDB Management Service server.

MMS does not support SSL for its communications with the backing MongoDB instances that host the MMS Application Database and MMS Backup Blockstore Database.

For information regarding On-Prem MongoDB Management Service and SSL, see SSL.

Access Control and Authentication

MongoDB uses Role-Based Access Control (RBAC) to determine access to a MongoDB system. When run with access control, MongoDB requires users to authenticate themselves to determine their access.

If the backing instances run with access control, the On-Prem MongoDB Management Service Application Server must authenticate to them as a user with appropriate access.

If a MongoDB deployment runs with access control, On-Prem MongoDB Management Service agents must authenticate to the deployment as a MongoDB user with appropriate MongoDB user roles [1].

For an overview on authenticating with the supported mechanisms, see MONGODB-CR, LDAP, and Kerberos.

SSL

SSL encrypts the connections made by Monitoring Agents and Backup Agents to both MongoDB instances and to On-Prem MongoDB Management Service servers. SSL encryption ensures communications are readable only by the intended parties.

MMS does not support SSL for its communications with the backing MongoDB instances that host the MMS Application Database and MMS Backup Blockstore Database.

Agents can use SSL when communicating with the On-Prem MongoDB Management Service servers and when communicating with the MongoDB deployment.

If the MongoDB deployment uses SSL, you must configure the On-Prem MongoDB Management Service agents as well as specify the host’s Use SSL settings.

To configure the agent, see Configure Monitoring Agent for SSL and Configure Backup Agent for SSL.

You can specify the host’s SSL settings when adding the host, or you can edit the SSL settings for an existing host.

MONGODB-CR

Application Configuration Settings

The On-Prem MongoDB Management Service Application can use MongoDB Challenge-Response, i.e., MONGODB-CR, to authenticate to the backing MongoDB instances. See mongo.mongoUri and MongoDB Access Control Considerations for more information.

Agent Configuration

If your MongoDB deployment uses MONGODB-CR for authentication, you must create a MongoDB user for the On-Prem MongoDB Management Service agents as well as specify the host’s authentication settings.

To create a MongoDB user, see Add Monitoring Agent User for MONGODB-CR and Configure Backup Agent for MONGODB-CR.

You can specify the host’s authentication settings when adding the host, or you can edit the settings for an existing host.

LDAP

On-Prem MongoDB Management Service agents can use the LDAP authentication mechanism to connect to the MongoDB deployment. Additionally, and independently, the On-Prem MongoDB Management Service Application Server can use LDAP authentication to its Backing MongoDB instances.

Application Configuration Settings

To configure LDAP authentication between the On-Prem MongoDB Management Service application and the backing MongoDB instances, see Configure Users and Groups with LDAP for On-Prem MongoDB Management Service, mongo.mongoUri, LDAP Settings, and MongoDB Access Control Considerations.

Agent Configuration

If your MongoDB deployment uses LDAP for authentication, you must create a MongoDB user for the On-Prem MongoDB Management Service agents as well as specify the host’s authentication settings.

To create a MongoDB user for the agents, see Configure Monitoring Agent for LDAP and Configure Backup Agent for LDAP Authentication.

You can specify the host’s authentication settings when adding the host, or you can edit the settings for an existing host.

Kerberos

Application Configuration Settings

To enable Kerberos authentication between the MMS application and its backing database, see Kerberos Settings, mongo.mongoUri, and MongoDB Access Control Considerations.
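As an added example (not code from the MMS documentation or product) covering the mongo.mongoUri setting referenced in the MONGODB-CR, LDAP, and Kerberos sections: a small Python helper that composes the connection URI for each mechanism and audits an existing one for the mistakes that silently break authentication. Host names, user names, and the mmsdb database name are constructed placeholders; the option names are MongoDB's standard connection-string options.

```python
"""Build and audit MongoDB connection URIs of the form On-Prem MMS reads from
mongo.mongoUri. Added example, not MMS code; option names follow the MongoDB
connection-string format (MONGODB-CR, PLAIN for LDAP, GSSAPI for Kerberos)."""
from urllib.parse import parse_qs, quote, unquote

# authMechanism/authSource pairs for the mechanisms the page lists. Assumes the
# MONGODB-CR user was created in the admin database (common, not required).
MECHANISMS = {
    "MONGODB-CR": {"authMechanism": "MONGODB-CR", "authSource": "admin"},
    "LDAP": {"authMechanism": "PLAIN", "authSource": "$external"},
    "Kerberos": {"authMechanism": "GSSAPI", "authSource": "$external"},
}
RESERVED = set(":/?#[]@")  # must be percent-encoded inside the userinfo part

def build_uri(hosts, user, mechanism, password=None, ssl=False, db="mmsdb"):
    """Compose a URI; credentials are percent-encoded so a Kerberos principal
    (svc/host@REALM) or a password containing '@' cannot corrupt the host list.
    Kerberos passes no password: the ticket cache is used."""
    opts = dict(MECHANISMS[mechanism])
    if ssl:
        opts["ssl"] = "true"
    cred = quote(user, safe="")
    if password is not None:
        cred += ":" + quote(password, safe="")
    query = "&".join(f"{k}={v}" for k, v in opts.items())
    return f"mongodb://{cred}@{','.join(hosts)}/{db}?{query}"

def parse_uri(uri):
    """Split a mongodb:// URI into raw (still-encoded) credentials, hosts,
    database and options; hand-rolled because urlparse chokes on host lists."""
    userinfo, _, rest = uri[len("mongodb://"):].rpartition("@")
    hostpart, _, tail = rest.partition("/")
    db, _, query = tail.partition("?")
    raw_user, _, raw_pw = userinfo.partition(":")
    return {"raw_user": raw_user, "raw_password": raw_pw, "user": unquote(raw_user),
            "hosts": hostpart.split(","), "db": db,
            "options": {k: v[0] for k, v in parse_qs(query).items()}}

def audit_uri(uri):
    """Return sorted finding codes for the misconfigurations a reviewer checks."""
    p, findings = parse_uri(uri), []
    o = p["options"]
    if not p["raw_user"]:
        findings.append("NO_CREDENTIALS")  # an access-controlled backing DB refuses
    if RESERVED & set(p["raw_user"] + p["raw_password"]):
        findings.append("UNESCAPED_CREDENTIAL")  # literal '@' or ':' corrupts parsing
    if o.get("authMechanism") in ("PLAIN", "GSSAPI") and o.get("authSource") != "$external":
        findings.append("EXTERNAL_AUTHSOURCE_REQUIRED")  # LDAP/Kerberos users live in $external
    if o.get("ssl") != "true":
        findings.append("NO_SSL")  # plaintext transport; expected for MMS -> backing DB
    return sorted(findings)
```

The NO_SSL finding is informational for the application-to-backing-instance URI, since this page states MMS does not support SSL on that path; for agent connections to a deployment that uses SSL it is a real gap.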

Agent Configuration

If your MongoDB deployment uses Kerberos for authentication, you must create the Kerberos Principal for the On-Prem MongoDB Management Service agents, create a MongoDB user for that Kerberos Principal, edit the agent’s configuration file, and specify the host’s authentication settings.

If you are running both the Monitoring Agent and the Backup Agent on the same server, then both agents must connect as the same Kerberos Principal.

To create a Kerberos Principal and the associated MongoDB user as well as edit the configuration file, see Configure the Monitoring Agent for Kerberos and Configure the Backup Agent for Kerberos.

You can specify the host’s authentication settings when adding the host, or you can edit the settings for an existing host.

Two-Factor Authentication

To activate and manage two-factor authentication, which users and administrators use to authenticate to the MMS interface, see Two-Factor Authentication and Manage Two-Factor Authentication for On Prem MMS.

[1] MongoDB user roles are separate from On-Prem MongoDB Management Service user roles.