Configure On-Prem MongoDB Management Service to use HTTPS
Overview
You can optionally configure the Jetty instances that serve the On-Prem MongoDB Management Service application to use HTTPS to encrypt connections between the MMS application, the MMS agent, and the web interface. Alternately, you can provide access to the MMS application using a load balancer that provides HTTPS access.
Before you can configure On Prem MMS Monitoring Jetty instances to use HTTPS, you must have a valid SSL certificate prepared in the right format. This page provides procedures for creating and preparing a valid SSL certificate.
Create and Prepare a Valid SSL Certificate
Create the certificate either through a 3rd-party authority or as a self-signed certificate. If you have an existing certificate, you can use that instead but still must prepare it. Preparing a certificate can involve converting its format and concatenating it with other certificates in a certificate chain.
Use the appropriate procedures in this section to generate and prepare the certificate. To generate certificates, you must have access to the openssl utility.
Create a New Certificate and Signing Request for a 3rd-party Certificate Authority
Create a new certificate and certificate signing request (CSR).
Issue the following command at the system prompt:
Enter answers for the certificate's metadata.
openssl prompts you to answer questions for the certificate's metadata. Complete all prompts. The Common Name must have the same hostname value as the mms.centralUrl configuration.
Refer to the instructions provided by the certificate authority to confirm that it has no additional requirements for the certificate signing request or the certificate metadata.
Submit your new CSR to the 3rd-party certificate authority.
The certificate authority will return a signed certificate. Each certificate authority may have a different certificate signing procedure.
Create a Self-Signed Certificate
Create a self-signed certificate.
To generate a self-signed certificate, issue the following command at the system prompt:
Enter answers for the certificate's metadata.
openssl prompts for a private key passphrase and for the answers to questions about the certificate's metadata. Complete all prompts. The Common Name must have the same hostname value as the mms.centralUrl configuration.
Prepare the Certificate as a PEM Certificate
If the certificate is in DER format, convert it to PEM.
If the signed certificate is in DER format, convert the certificate to PEM format with the following command:
If the CA uses a certificate chain, concatenate the certificates.
If the certificate authority uses a certificate chain, concatenate the certificates together to create a unified certificate, with a command that resembles the following:
Replace <intermediate-certificate> with the intermediate certificate chain and <root-certificate> with the certificate authority's root certificate.
Prepare the Certificate as a PKCS12 Certificate
Create a PKCS12-formatted keystore.
Combine the private key and signed certificate, or certificate chain, into a PKCS12-formatted keystore with the following command:
Enter answers for the certificate's metadata.
openssl prompts you to enter the private key passphrase as well as a new passphrase for the PKCS12 keystore.
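The self-signed certificate and PKCS12 keystore steps above, scripted end to end as an added example (not from the MMS documentation), together with a check that the certificate's Common Name matches the host in mms.centralUrl. Hostnames, passphrases and file names are constructed sample values; the -subj and -passout options are the non-interactive equivalents of the prompts the steps describe.

```shell
#!/bin/sh
# Added example: scripted self-signed certificate + PKCS12 preparation for
# On-Prem MMS, with a CN check against mms.centralUrl. All hosts, passphrases
# and file names are constructed sample values.
set -eu

# Extract the hostname from a line such as
# "mms.centralUrl=https://mms.example.net:8443" -> "mms.example.net".
central_host() {
    host=${1#*=}          # drop "mms.centralUrl="
    host=${host#*://}     # drop the scheme
    host=${host%%/*}      # drop any path
    host=${host%%:*}      # drop the port
    printf '%s\n' "$host"
}

# Create an encrypted private key and a self-signed certificate whose CN is $2.
# The documented step answers these prompts interactively; -subj and -passout
# supply the answers here. Modern clients also expect a subjectAltName, which
# your OpenSSL version's -addext option or a config file can add.
make_self_signed() {
    dir=$1; cn=$2; keypass=$3
    openssl req -x509 -newkey rsa:2048 -days 365 \
        -keyout "$dir/mms-key.pem" -passout "pass:$keypass" \
        -out "$dir/mms-cert.pem" -subj "/CN=$cn" 2>/dev/null
}

# Combine key and certificate into a PKCS12 keystore; $3 becomes the
# keystore passphrase that keytool later asks for.
make_pkcs12() {
    dir=$1; keypass=$2; storepass=$3
    openssl pkcs12 -export -name mms -in "$dir/mms-cert.pem" \
        -inkey "$dir/mms-key.pem" -passin "pass:$keypass" \
        -out "$dir/mms.p12" -passout "pass:$storepass"
}

# Print the Common Name of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed only if the certificate CN equals the mms.centralUrl host.
cert_matches_central_url() {
    [ "$(cert_cn "$1")" = "$(central_host "$2")" ]
}
```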
Configure Jetty Instances to use HTTPS
Once you have created and prepared a valid SSL certificate, use the following sequence of procedures to configure the Jetty instances to use HTTPS to encrypt connections between the MMS application and the MMS agent.
Create Java Truststore
Import the PEM certificate into a Java truststore.
Import the PEM certificate into a Java truststore, so that the MMS server trusts its own mms.centralUrl when making HTTP requests.
The default installation directory for the MMS server is /opt/mongodb/mms. If your installation uses a different directory, replace /opt/mongodb/mms with that path.
Enter a Java keystore passphrase.
keytool prompts you to specify a Java keystore passphrase. Enter it and type yes to confirm import of the certificate.
Create Java Keystore
Convert the PKCS12 keystore into a Java Keystore.
Convert the PKCS12 keystore into a Java Keystore, so that the MMS server can access the required SSL infrastructure.
The default installation directory for the MMS server is /opt/mongodb/mms. If your installation uses a different directory, replace /opt/mongodb/mms with that path.
Enter the PKCS12 keystore passphrase.
You must use the same passphrase for the Java keystore as for the PKCS12 key.
Enter a passphrase for the new Java keystore.
You must use the same passphrase for the Java keystore as for the PKCS12 key.
Set Truststore and Keystore Location and Permissions
Move the Java keystore and truststore files to the /etc/mongodb-mms directory.
Issue the following command to move the Java keystore and truststore files to the /etc/mongodb-mms directory:
Set permissions.
Issue the following sequence of commands to set the appropriate permissions on the Java keystore and truststore files. If the MMS application server runs as a different user, change mongodb-mms in the chown command as needed.
Generate Credentials
Generate a credential pair for the MMS application to use to access the Java Keystore.
Issue the following command, replacing /opt/mongodb/mms with the path of the installation directory for the MMS server:
credentialstool returns output that resembles the following:
Copy the credential pair.
Configure MMS Application to use SSL
Edit the mms.conf file to enable SSL.
Edit the mms.conf file (e.g. /opt/mongodb/mms/conf/mms.conf) to add the following options:
Edit the conf-mms.properties file to change the mms.centralUrl value to the new HTTPS information.
For example:
Configure MMS Application to use SSL.
For example: