- Security >
- Enable Authentication for an Ops Manager Group >
- Enable SCRAM-SHA-1 / MONGODB-CR Authentication for your Ops Manager Group
Enable SCRAM-SHA-1 / MONGODB-CR Authentication for your Ops Manager Group¶
On this page
Overview¶
Ops Manager enables you to configure the Authentication Mechanisms that the Ops Manager Agents use to connect to your MongoDB deployments from within the Ops Manager interface. You can enable multiple authentication mechanisms for your group, but you must choose a single mechanism for the Agents to use to authenticate to your deployment.
In MongoDB 3.0 and later, MongoDB’s default authentication mechanism is
a challenge and response mechanism (SCRAM-SHA-1). Previously, MongoDB
used MongoDB Challenge and Response (MONGODB-CR) as the default.
SCRAM-SHA-1¶
SCRAM-SHA-1 is an IETF standard, RFC 5802, that defines best practice
methods for implementation of challenge-response mechanisms for
authenticating users with passwords.
SCRAM-SHA-1 verifies supplied user credentials against the user’s name,
password and database. The user’s database is the database where the
user was created, and the user’s database and the user’s name together
serves to identify the user.
MONGODB-CR¶
MONGODB-CR is a challenge-response mechanism that authenticates
users through passwords.
MONGODB-CR verifies supplied user credentials against the user’s name,
password and database. The user’s database is the database where the
user was created, and the user’s database and the user’s name together
serve to identify the user.
Considerations¶
This tutorial describes how to enable Username/Password
(MONGODB-CR/SCRAM-SHA-1) authentication for your Ops Manager
deployment. Username/Password authentication is the only authentication
mechanism available in Ops Manager when using the MongoDB Community version.
If at any point you wish to reset the authentication settings for your group and start again, you can use the Clear Settings button in the Authentication & SSL Settings window to clear all authentication and security settings, automation users, and automation roles. You cannot clear the authentication and security settings if there are managed processes in your deployment. See: Clear Security Settings for more information.
Procedure¶
This procedure describes how to configure and enable MONGODB-CR / SCRAM-SHA-1
authentication when using Automation. If your Monitoring or Backup
agents are not managed by Ops Manager, you must manually configure them to
use MONGODB-CR / SCRAM-SHA-1. See:
Configure Monitoring Agent for MONGODB-CR and
Configure Backup Agent for MONGODB-CR for instructions.
Select the Deployment tab and then the Deployment page.¶
Click the Ellipsis icon at the top of the page, and select Authentication & SSL Settings.¶
Select Username/Password (MONGODB-CR/SCRAM-SHA-1) and click Continue.¶
Configure SSL if desired, and click Continue.¶
If desired, enable SSL for the group. See: Enable SSL for a Deployment for SSL setup instructions.
SSL is not required for use with Username/Password (MONGODB-CR/SCRAM-SHA-1) authentication.
Select the Agent Auth Mechanism and configure the Ops Manager Agents.¶
If you enable more than one authenication mechanism, you must specify which authentication mechanism the Ops Manager agents should use to connect to your deployment. Choose Username/Password (MONGODB-CR/SCRAM-SHA-1).
Ops Manager automatically generates the Agents’ usernames and passwords.
Ops Manager creates users for the Monitoring and Backup Agent with the required user roles in the admin database for each existing deployment in Ops Manager. When you add a new deployment, Ops Manager creates the required users in the new deployment.
You do not need to configure all of the agents: for example, if you are not using Backup, you do not need to configure the Backup agent.