This version of the documentation is archived and no longer supported. To learn how to upgrade your version of MongoDB Ops Manager, refer to the upgrade documentation.

Configure Monitoring Agent for SSL

On-Prem MongoDB Management Service supports SSL for encrypting the following connections made by Monitoring Agents:

  • Connections between the Monitoring Agents and MongoDB instances.
  • Connections between the Monitoring Agents and On-Prem MongoDB Management Service servers.

Connections between Agents and MongoDB Instances

1. Specify the path to the trusted CA certificate.

If your MongoDB deployment uses SSL, then you must configure the Monitoring Agent to use SSL. To configure the agent to use SSL, you must have a trusted CA certificate that signed the MongoDB instance’s certificate.

In the agent’s install directory, edit the monitoring-agent.config file to set the sslTrustedServerCertificates field to the path of a file containing one or more certificates in PEM format. For example:

sslTrustedServerCertificates=/path/to/mongodb-certs.pem

By default, connecting to MongoDB instances using SSL requires a valid trusted certificate. For testing purposes, however, you can set the sslRequireValidServerCertificates setting to False to bypass this check. This configuration is not recommended for production use because it makes the connection insecure.

For additional information on these settings, see MongoDB SSL Settings.

2. Restart the agent.

In addition to configuring the agents, you must also specify the host’s SSL settings. You can specify the host’s authentication settings when adding the host, or you can edit the settings for an existing host.

Connections between Agents and MMS Servers

To ensure that the Monitoring Agents use SSL when connecting to the On-Prem MongoDB Management Service servers, use an HTTPS proxy in front of On-Prem MongoDB Management Service.

SSL Certificate Validation

Starting with On-Prem MongoDB Management Service 1.4, the Monitoring Agent validates the SSL certificate of the MMS server by default.

If you are not using a certificate signed by a trusted third party, you must configure the Monitoring Agent to trust the MMS server.

To specify a self-signed certificate of the MMS server that the Monitoring Agent should trust:

1. Copy your PEM certificate to /etc/mongodb-mms/.

Issue the following sequence of commands:

sudo cp -a mms-ssl-unified.crt /etc/mongodb-mms/
sudo chown mongodb-mms-agent:mongodb-mms-agent /etc/mongodb-mms/mms-ssl-unified.crt
sudo chmod 600 /etc/mongodb-mms/mms-ssl-unified.crt

2. Edit the following parameter in /etc/mongodb-mms/monitoring-agent.config.

For example:

sslTrustedMMSServerCertificate=/etc/mongodb-mms/mms-ssl-unified.crt

3. Restart the Monitoring Agent for the configuration update to take effect.

For example:

sudo /etc/init.d/mongodb-mms-monitoring-agent restart
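
The following script is an added example, not part of the MMS documentation. It audits a monitoring-agent.config for the settings covered in both sections above, flagging sslRequireValidServerCertificates=False and trust files (sslTrustedServerCertificates, sslTrustedMMSServerCertificate) that are missing, contain no PEM certificate, or are writable by group or other. The function names and sample files are constructed for illustration, and the write-permission check is an assumption that follows from the chmod 600 step.

```shell
#!/bin/sh
# Added example (not from the MMS documentation): audit the SSL trust settings
# in a monitoring-agent.config. Only the three setting names come from the page.

# cfg_get FILE KEY: print KEY's value from a key=value file (last assignment wins).
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# check_pem SETTING PATH: the trust file must be readable, contain a PEM
# certificate, and not be writable by group or other (chmod 600 satisfies this).
check_pem() {
    [ -r "$2" ] || { echo "FAIL $1: $2 is missing or unreadable"; return 1; }
    bad=0
    grep -q -e '-----BEGIN CERTIFICATE-----' "$2" ||
        { echo "FAIL $1: $2 contains no PEM certificate"; bad=1; }
    [ "$(ls -ldL "$2" | cut -c6,9)" = "--" ] ||
        { echo "FAIL $1: $2 is writable by group or other"; bad=1; }
    return "$bad"
}

# audit_agent_config FILE: print findings; exit status is the number of findings.
audit_agent_config() {
    findings=0
    valid=$(cfg_get "$1" sslRequireValidServerCertificates | tr '[:upper:]' '[:lower:]')
    if [ "$valid" = "false" ]; then
        echo "FAIL sslRequireValidServerCertificates: validation of MongoDB certificates is disabled"
        findings=$((findings + 1))
    fi
    for key in sslTrustedServerCertificates sslTrustedMMSServerCertificate; do
        file=$(cfg_get "$1" "$key")
        [ -n "$file" ] || continue   # setting absent: nothing to check
        check_pem "$key" "$file" || findings=$((findings + 1))
    done
    return "$findings"
}

# Constructed sample: validation switched off, trust file left world-writable.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' '-----END CERTIFICATE-----' > "$demo/ca.pem"
chmod 666 "$demo/ca.pem"
printf '%s\n' "sslTrustedServerCertificates=$demo/ca.pem" \
    'sslRequireValidServerCertificates=False' > "$demo/monitoring-agent.config"
audit_agent_config "$demo/monitoring-agent.config" || echo "findings: $?"
rm -rf "$demo"
```

On a real host, pass the agent's own config path to audit_agent_config; a zero exit status means none of the checks fired.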

Configuration Settings

For the settings used by the Monitoring Agent to connect to the On-Prem MongoDB Management Service servers, see MMS Server SSL Settings.

Additional Information

For information about MongoDB and SSL, see /tutorial/configure-ssl.