This version of the documentation is archived and no longer supported. To learn how to upgrade your version of MongoDB Ops Manager, refer to the upgrade documentation.

Enable Kerberos Authentication for your Ops Manager Group

Overview

Ops Manager enables you to configure the Authentication Mechanisms that the Ops Manager Agents use to connect to your MongoDB deployments from within the Ops Manager interface. You can enable multiple authentication mechanisms for your group, but you must choose a single mechanism for the Agents to use to authenticate to your deployment.

MongoDB Enterprise supports authentication using a Kerberos service. Kerberos is an industry standard authentication protocol for large client/server systems.

To use MongoDB with Kerberos, you must have a properly configured Kerberos deployment, configure Kerberos service principals for MongoDB, and add the Kerberos user principal. The Kerberos Authentication section of the MongoDB Manual provides more detail about using MongoDB with Kerberos.

Considerations

Kerberos (GSSAPI) is only available on MongoDB Enterprise builds. If you have existing deployments running on a MongoDB Community build, you must upgrade them to MongoDB Enterprise before you can enable Kerberos (GSSAPI) for your Ops Manager group.

This tutorial describes how to enable Kerberos for your Ops Manager group, and how to configure your Ops Manager Agents to connect to your Kerberized deployment.

Setting up and configuring a Kerberos deployment is beyond the scope of this document. This tutorial assumes you have configured a Kerberos service principal for each Agent and you have a valid keytab file for each Agent.

If at any point you wish to reset the authentication settings for your group and start again, you can use the Clear Settings button in the Authentication & SSL Settings window to clear all authentication and security settings, automation users, and automation roles. You cannot clear the authentication and security settings if there are managed processes in your deployment. See: Clear Security Settings for more information.

Procedures

This procedure describes how to configure and enable Kerberos authentication when using Automation. If your Monitoring or Backup agents are not managed by Ops Manager, you must manually configure them to use Kerberos. See: Configure the Monitoring Agent for Kerberos and Configure the Backup Agent for Kerberos for instructions.

Configure an Existing Deployment for Kerberos-based Authentication

If you have one or more existing deployments managed by Ops Manager, the MongoDB deployment must be configured for Kerberos authentication before you can enable Kerberos authentication for your group.

1. Select the Deployment tab and then the Deployment page.

2. In the Processes view, select the process that you wish to edit, then click Modify.

   Selecting the process opens the Properties view, which displays the standalone, replica set, or sharded cluster’s current configuration. Click Modify to edit the process configuration.

3. Expand the Advanced Options area.

4. Set the kerberosKeytab Startup option to point to the keytab file and click Apply.

   If kerberosKeytab is not already set, use the Add Option button to add a new startup option, and select kerberosKeytab from the drop-down menu. Input the path to the keytab file as the value, and then click Apply.

When you have configured the Kerberos options for each deployment, you can proceed to enable Kerberos for your Ops Manager group.

Enable Kerberos for your Ops Manager Group

1. Select the Deployment tab and then the Deployment page.

2. Click the Ellipsis icon at the top of the page, and select Authentication & SSL Settings.

3. Select Kerberos (GSSAPI) and click Continue.

4. Configure SSL if desired, and click Continue.

   If desired, enable SSL for the group. See: Enable SSL for a Deployment for SSL setup instructions.

   SSL is not required for use with Kerberos (GSSAPI) authentication.

5. Select the Agent Auth Mechanism and configure the Ops Manager Agents.

   If you enable more than one authentication mechanism, you must specify which authentication mechanism the Ops Manager agents should use to connect to your deployment. Choose Kerberos (GSSAPI).

   Input the Kerberos Principal and Keytab path for each Agent. Ensure that you use the appropriate Keytab input field for your operating system.

   You do not need to configure all of the agents: for example, if you are not using Backup, you do not need to configure the Backup agent.

6. Click Save.

7. Click Review & Deploy.

8. Click Confirm & Deploy.

To view deployment progress, click View Agent Logs and select an agent at the top of the Agent Logs page. To check for updated entries, refresh the page.

If you diagnose an error and need to correct the deployment configuration, click Edit Configuration and then click Edit Configuration again. Then, reconfigure the deployment as needed.

When you complete your changes, click Review & Deploy and then Confirm & Deploy again.
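A pre-flight check for the Kerberos Principal and Keytab path entered for each Agent in step 5, given as an added example that is not part of the Ops Manager documentation. It confirms that the keytab holds an entry for the principal and that the file is not accessible to group or other users. It assumes the MIT keytab file format version 0x0502 and POSIX file modes; the function names, the principal and the file name are hypothetical.

```python
import os, stat, struct, tempfile

def keytab_principals(data):
    """Return the principals stored in an MIT keytab (file format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    found, pos = set(), 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                # non-positive length: a hole, skip its bytes
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        parts, off = [], 2
        for _ in range(ncomp + 1):   # realm first, then the name components
            (n,) = struct.unpack_from(">H", entry, off)
            parts.append(entry[off + 2:off + 2 + n].decode())
            off += 2 + n
        found.add("/".join(parts[1:]) + "@" + parts[0])
    return found

def check_agent_keytab(path, principal):
    """Return a list of problems found with an Agent's keytab file."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"mode {mode:04o} exposes keys to group/other")
    with open(path, "rb") as f:
        if principal not in keytab_principals(f.read()):
            problems.append(f"{principal} has no entry in the keytab")
    return problems

def sample_keytab(principal):  # constructed test data with an all-zero dummy key
    name, realm = principal.split("@")
    cs = lambda s: struct.pack(">H", len(s.encode())) + s.encode()
    body = struct.pack(">H", name.count("/") + 1) + cs(realm)
    body += b"".join(cs(c) for c in name.split("/"))
    body += struct.pack(">IIBHH", 1, 0, 1, 18, 32) + bytes(32)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def demo(mode, wanted="agent/host.example.com@EXAMPLE.COM"):  # constructed names
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "agent.keytab")
        with open(path, "wb") as f:
            f.write(sample_keytab("agent/host.example.com@EXAMPLE.COM"))
        os.chmod(path, mode)
        return check_agent_keytab(path, wanted)
```

Run `check_agent_keytab` on each Agent host as the user the Agent runs as, so that an unreadable keytab fails here rather than at deploy time.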