This version of the documentation is archived and no longer supported. To learn how to upgrade your version of MongoDB Ops Manager, refer to the upgrade documentation.

Configure On-Prem MongoDB Management Service to use HTTPS

Overview

You can optionally configure the Jetty instances that serve the On-Prem MongoDB Management Service application to use HTTPS to encrypt connections between the MMS application, the MMS agent, and the web interface. Alternatively, you can provide access to the MMS application through a load balancer that terminates HTTPS.

Before you can configure the On-Prem MMS Jetty instances to use HTTPS, you must have a valid SSL certificate prepared in the right format. This page provides procedures for creating and preparing such a certificate.

Create and Prepare a Valid SSL Certificate

Create the certificate either through a 3rd-party authority or as a self-signed certificate. If you have an existing certificate, you can use that instead but still must prepare it. Preparing a certificate can involve converting its format and concatenating it with other certificates in a certificate chain.

Use the appropriate procedures in this section to generate and prepare the certificate. To generate certificates you must have access to the openssl utility.

Create a New Certificate and Signing Request for a 3rd-party Certificate Authority

1. Create a new certificate and certificate signing request (CSR).

Issue the following command at the system prompt:

openssl req -new -out mms-ssl.csr -newkey rsa:2048 -keyout mms-ssl.key

2. Enter answers for the certificate's metadata.

openssl prompts you to answer questions for the certificate's metadata. Complete all prompts. The Common Name must have the same hostname value as the mms.centralUrl configuration.

Refer to the instructions provided by the certificate authority to ensure that it does not have additional requirements for the certificate signing request or the certificate metadata.

3. Submit your new CSR to the 3rd-party certificate authority.

The certificate authority will return a signed certificate. Each certificate authority may have a different certificate signing procedure.

Create a Self-Signed Certificate

1. Create a self-signed certificate.

To generate a self-signed certificate, issue the following command at the system prompt:

openssl req -x509 -days 3650 -newkey rsa:2048 -keyout mms-ssl.key -out mms-ssl.crt

2. Enter answers for the certificate's metadata.

openssl prompts for a private key passphrase, and for the answers to questions for the certificate's metadata. Complete all prompts. The Common Name must have the same hostname value as the mms.centralUrl configuration.

Prepare the Certificate as a PEM Certificate

1. If the certificate is in DER format, convert it to PEM.

If the signed certificate is in DER format, convert the certificate to PEM format with the following command:

openssl x509 -in mms-ssl.cer -inform DER -outform PEM -out mms-ssl.crt

2. If the CA uses a certificate chain, concatenate the certificates.

If the certificate authority uses a certificate chain, concatenate the certificates together to create a unified certificate, with a command that resembles the following:

cat mms-ssl.crt <intermediate-certificate> <root-certificate> > mms-ssl-unified.crt

Replace <intermediate-certificate> with the intermediate certificate chain and <root-certificate> with the certificate authority's root certificate. The server certificate must come first in the unified file, followed by the intermediates and then the root.
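A pre-flight check for the prepared certificate, added here as an example and not part of the MMS documentation: it counts the certificates in the unified chain file, confirms that mms-ssl.key belongs to the first (leaf) certificate, and confirms that the leaf Common Name equals the hostname in mms.centralUrl, which is the requirement stated in both certificate procedures above. It assumes the openssl CLI is installed and uses the file names from this page; the function names are my own, and openssl will prompt for the key passphrase if the key is encrypted.

```shell
#!/bin/sh
# Added example (not from the MMS docs): sanity checks on the prepared certificate.
# Assumes the openssl CLI is available; file names follow the procedure above.

# Hostname of an mms.centralUrl value: https://mms.example.net:8443 -> mms.example.net
central_url_host() {
    printf '%s\n' "$1" | sed -e 's#^[A-Za-z]*://##' -e 's#[:/].*$##'
}

# Number of PEM certificate blocks in a file (leaf + intermediates + root for a unified chain).
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Common Name of the first certificate in a PEM file (the leaf, when the chain was
# concatenated in the order shown above: server certificate first).
leaf_common_name() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Succeeds when the private key and the leaf certificate carry the same public key
# (both commands print the public key as PEM, so the text can be compared directly).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds when the leaf CN equals the hostname configured in mms.centralUrl.
cn_matches_central_url() {
    [ "$(leaf_common_name "$1")" = "$(central_url_host "$2")" ]
}

# Report all checks for KEY CHAIN URL; returns non-zero if any check fails.
check_mms_cert() {
    key=$1; crt=$2; url=$3; rc=0
    echo "certificates in $crt: $(pem_cert_count "$crt")"
    if key_matches_cert "$key" "$crt"; then echo "key matches leaf certificate: yes"
    else echo "key matches leaf certificate: NO"; rc=1; fi
    if cn_matches_central_url "$crt" "$url"; then echo "leaf CN matches mms.centralUrl host: yes"
    else echo "leaf CN '$(leaf_common_name "$crt")' != host '$(central_url_host "$url")'"; rc=1; fi
    return $rc
}

# Usage: sh check-mms-cert.sh mms-ssl.key mms-ssl-unified.crt https://mms.example.net:8443
if [ $# -eq 3 ]; then check_mms_cert "$@"; fi
```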

Prepare the Certificate as a PKCS12 Certificate

1. Create a PKCS12-formatted keystore.

Combine the private key and signed certificate, or certificate chain, into a PKCS12-formatted keystore with the following command:

openssl pkcs12 -inkey mms-ssl.key -in mms-ssl-unified.crt -export -out mms-ssl.pkcs12

2. Enter the private key passphrase and a new passphrase for the PKCS12 keystore.

openssl prompts you to enter the private key passphrase as well as a new passphrase for the PKCS12 keystore.

Configure Jetty Instances to use HTTPS

Once you have created and prepared a valid SSL certificate, use the following sequence of procedures to configure the Jetty instances to use HTTPS to encrypt connections between the MMS application and the MMS agent.

Create Java Truststore

1. Import the PEM certificate into a Java truststore.

Import the PEM certificate into a Java truststore, so that the MMS server trusts its own mms.centralUrl when it makes HTTPS requests to itself. The default installation directory for the MMS server is /opt/mongodb/mms. If your installation uses a different directory, replace /opt/mongodb/mms with that path.

/opt/mongodb/mms/jdk/bin/keytool -import -keystore mms-truststore.jks -file mms-ssl-unified.crt

2. Enter a Java keystore passphrase.

keytool prompts you to specify a Java keystore passphrase. Enter it and type yes to confirm import of the certificate.

Create Java Keystore

1. Convert the PKCS12 keystore into a Java Keystore.

Convert the PKCS12 keystore into a Java Keystore, so that the MMS server can access the required SSL infrastructure. The default installation directory for the MMS server is /opt/mongodb/mms. If your installation uses a different directory, replace /opt/mongodb/mms with that path.

/opt/mongodb/mms/jdk/bin/keytool -importkeystore \
                                 -srckeystore mms-ssl.pkcs12 \
                                 -srcstoretype PKCS12 \
                                 -destkeystore mms-keystore.jks

2. Enter the PKCS12 keystore passphrase.

keytool prompts for the passphrase of the PKCS12 keystore you created earlier. You must use the same passphrase for the Java keystore as for the PKCS12 key.

3. Enter a passphrase for the new Java keystore.

You must use the same passphrase for the Java keystore as for the PKCS12 key.

Set Truststore and Keystore Location and Permissions

1. Move the Java keystore and truststore files to the /etc/mongodb-mms directory.

Issue the following command to move the Java keystore and truststore files to the /etc/mongodb-mms directory:

sudo mv mms-truststore.jks mms-keystore.jks /etc/mongodb-mms/

2. Set permissions.

Issue the following sequence of commands to set the appropriate permissions on the Java keystore and truststore files. If the MMS application server runs as a different user, change mongodb-mms in the chown command as needed.

sudo chown mongodb-mms:root /etc/mongodb-mms/*.jks
sudo chmod 600 /etc/mongodb-mms/*.jks

Generate Credentials

1. Generate a credential pair for the MMS application to use to access the Java Keystore.

Issue the following command, replacing /opt/mongodb/mms with the path of the installation directory for the MMS server:

/opt/mongodb/mms/bin/credentialstool --username keystore --password

credentialstool returns output that resembles the following:

Your encrypted credentials pair:
Username: abcdef1234567890-76d41ae0a98c
Password: abcdef1234567890-2cc28e525d1f543464

2. Copy the credential pair. The encrypted password is used in the mms.conf options in the next procedure.

Configure MMS Application to use SSL

1. Edit the mms.conf file to enable SSL.

Edit the mms.conf (e.g. /opt/mongodb/mms/conf/mms.conf) file to add the following options:

JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslEnabled=true"
JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslKeyStorePath=/etc/mongodb-mms/mms-keystore.jks"
JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslKeyStoreEncryptedPassword=abcdef1234567890-2cc28e525d1f543464"

2. Edit the conf-mms.properties file to change the mms.centralUrl value to the new HTTPS information.

For example:

mms.centralUrl=https://mms.example.net:8443

3. Edit the mms.conf file to add the truststore options.

With both the truststore and keystore options present, the SSL options in mms.conf resemble the following:

JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslTrustStorePath=/etc/mongodb-mms/mms-truststore.jks"
JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslTrustStoreEncryptedPassword=f6a5a6b19603c0c04f-97dbb68c2bb1"

JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslKeyStorePath=/etc/mongodb-mms/mms-keystore.jks"
JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslKeyStoreEncryptedPassword=f6a5a6b19603c0c04f-97dbb68c2bb1"
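A consistency check for the settings made in this procedure and the permissions set in "Set Truststore and Keystore Location and Permissions", added here as an example and not part of the MMS documentation: it reads the -Dxgen.* options from mms.conf and mms.centralUrl from conf-mms.properties, then verifies that SSL is enabled, that the central URL uses https, that both store files exist with mode 600, and that the password options hold a credentialstool-style value rather than being empty. It assumes the option names and file layout shown on this page; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the MMS docs): consistency checks on the SSL settings from
# the steps above. Assumes the option names and file layout shown on this page.

# Value of one -Dxgen.<NAME>=<value> option set in the JAVA_MMS_SSL_OPTS lines of mms.conf.
mms_ssl_opt() {   # $1 = option name (without the xgen. prefix), $2 = path to mms.conf
    sed -n "s/.*-Dxgen\.$1=\([^\" ]*\).*/\1/p" "$2" | tail -n 1
}

# Value of a key in conf-mms.properties (last assignment wins, like Java properties).
mms_property() {  # $1 = key, $2 = path to conf-mms.properties
    k=$(printf '%s' "$1" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$k[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1
}

# Octal permission bits of a file (GNU stat, falling back to BSD stat).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Check mms.conf ($1) against conf-mms.properties ($2); returns the number of problems found.
check_mms_ssl_config() {
    conf=$1; props=$2; problems=0
    if [ "$(mms_ssl_opt webServerSslEnabled "$conf")" != true ]; then
        echo "xgen.webServerSslEnabled is not true"; problems=$((problems + 1))
    fi
    case "$(mms_property mms.centralUrl "$props")" in
        https://*) ;;
        *) echo "mms.centralUrl does not start with https://"; problems=$((problems + 1)) ;;
    esac
    for opt in webServerSslKeyStorePath webServerSslTrustStorePath; do
        path=$(mms_ssl_opt "$opt" "$conf")
        if [ -z "$path" ]; then
            echo "xgen.$opt is not set"; problems=$((problems + 1))
        elif [ ! -f "$path" ]; then
            echo "xgen.$opt: $path does not exist"; problems=$((problems + 1))
        elif [ "$(file_mode "$path")" != 600 ]; then
            echo "xgen.$opt: $path is mode $(file_mode "$path"), expected 600"; problems=$((problems + 1))
        fi
    done
    for opt in webServerSslKeyStoreEncryptedPassword webServerSslTrustStoreEncryptedPassword; do
        case "$(mms_ssl_opt "$opt" "$conf")" in
            *-*) ;;  # shape check only: credentialstool output on this page looks like <hex>-<hex>
            *) echo "xgen.$opt is unset or not a credentialstool value"; problems=$((problems + 1)) ;;
        esac
    done
    return $problems
}
```

Run it as `check_mms_ssl_config /opt/mongodb/mms/conf/mms.conf /opt/mongodb/mms/conf/conf-mms.properties` after editing the files and before restarting the server.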

Restart MMS Application Server

Before you can access MMS using an HTTPS connection you must restart the MMS application server.

1. Restart the MMS application server.

sudo /etc/init.d/mongodb-mms restart

2. You can now connect to MMS by accessing the following URL in a web browser:

https://mms.example.net:8443