This version of the documentation is archived and no longer supported. To learn how to upgrade your version of MongoDB Ops Manager, refer to the upgrade documentation.

Enable SSL for a Deployment

Overview

In order for Ops Manager to monitor, deploy, or back up a MongoDB deployment that uses SSL, you must enable SSL for the Ops Manager group. The SSL settings apply to all deployments managed by Ops Manager.

Starting with Ops Manager 1.8, Ops Manager automatically configures the Monitoring and Backup agents to connect to the managed deployment over SSL when you activate SSL for the Ops Manager group. You no longer need to manually configure the agents’ SSL settings.

If you are not using automation for a deployment, you can still configure the monitoring and backup agents manually. See: Configure Monitoring Agent for SSL and Configure Backup Agent for SSL for more information.

If at any point you wish to reset the authentication settings for your group and start again, you can use the Clear Settings button in the Authentication & SSL Settings window to clear all authentication and security settings, automation users, and automation roles. You cannot clear the authentication and security settings if there are managed processes in your deployment. See: Clear Security Settings for more information.

For information on other group-wide settings, see Manage Groups.

Procedures

Warning

For MongoDB 2.6 and below, you must use the MongoDB Enterprise Edition, which includes SSL, or add a custom build with SSL enabled. To configure the available MongoDB versions, see: Configure Available MongoDB Versions.

Ensure Existing Deployments are Using SSL

If you wish to enable SSL for an Ops Manager group that includes MongoDB deployments, use the following procedure to ensure that the MongoDB deployments are configured to use SSL:

1. Select the Deployment tab and then the Deployment page.

2. In the Processes view, select the process that you wish to edit, then click Modify.

Selecting the process opens the Properties view, which displays the standalone, replica set, or sharded cluster’s current configuration. Click Modify to edit the process configuration.

3. Expand the Advanced Options area.

4. Set the sslmode, sslPemKeyFile, and sslPemKeyPassword startup options and click Apply.

If sslmode, sslPemKeyFile, and optionally sslPemKeyPassword are not already set, use the Add Option button to add the options.

Set sslmode to requireSSL, allowSSL, or preferSSL.

Input the path to the client certificate as the value for the sslPemKeyFile field. If you are using an encrypted PEM key file, use sslPemKeyPassword to specify the password.

When you have added the required settings, click Apply.

Enable SSL for the Group

Important

If you enable SSL, all MongoDB deployments in the group that are managed by Ops Manager must use SSL.

1. Select the Deployment tab and then the Deployment page.

2. Click the Ellipsis icon at the top of the page, and select Authentication & SSL Settings.

3. On the Select Authentication Mechanisms screen, click Next.

If you wish to enable one or more Authentication Mechanisms for your Ops Manager group, select them and then click Next.

Click Next to move to the SSL screen.

4. Toggle the Enable SSL slider to Yes.

5. Specify the path to the SSL CA file and choose the Client Certificate Mode, then click Continue.

The SSL CA file is a .pem file that contains the root certificate chain from the Certificate Authority. The Monitoring and Backup Agents use the CA file for connections to your deployment.

The Client Certificate Mode specifies whether client certificates are required for each mongod and mongos in the deployment.

6. Provide SSL credentials for the Ops Manager Agents.

Specify the path to the .pem file that contains both the TLS/SSL certificate and key for each agent. If needed, specify the password to decrypt the .pem certificate-key file.

Ensure you use the correct input box for your operating system.

7. Click Confirm & Deploy.

To view deployment progress, click View Agent Logs and select an agent at the top of the Agent Logs page. To check for updated entries, refresh the page.

If you diagnose an error and need to correct the deployment configuration, click Edit Configuration and then click Edit Configuration again. Then, reconfigure the deployment as needed.

When you complete your changes, click Review & Deploy and then Confirm & Deploy again.
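
Steps 5 and 6 above expect two differently shaped .pem files: a CA file holding certificates, and an agent file holding both a certificate and a key, with a password only when the key is encrypted. The following pre-flight check is an added example, not part of Ops Manager or its documentation; the function names and the sample PEM text are constructed for illustration.

```python
import re

# One PEM block: captures the label and everything up to the matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def pem_blocks(text):
    """Return [(label, body)] for every PEM block found in text."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]

def is_encrypted(label, body):
    # PKCS#8 marks encryption in the label; traditional keys use an RFC 1421 header.
    return label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body

def check_agent_pem(text, password_supplied=False):
    """Problems with an agent certificate-key file; an empty list means none found."""
    blocks = pem_blocks(text)
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    problems = []
    if not any(label == "CERTIFICATE" for label, _ in blocks):
        problems.append("no certificate block")
    if len(keys) != 1:
        problems.append("expected exactly one private key block, found %d" % len(keys))
    if any(is_encrypted(*k) for k in keys) and not password_supplied:
        problems.append("private key is encrypted but no password is set")
    return problems

def check_ca_pem(text):
    """Problems with the CA file: it should hold certificates and no key."""
    blocks = pem_blocks(text)
    problems = []
    if not any(label == "CERTIFICATE" for label, _ in blocks):
        problems.append("no certificate block")
    if any(label.endswith("PRIVATE KEY") for label, _ in blocks):
        problems.append("CA file contains a private key")
    return problems

# Constructed samples: placeholder bodies, not real certificates or keys.
BODY = "Q09OU1RSVUNURUQ=\n"
CERT = "-----BEGIN CERTIFICATE-----\n" + BODY + "-----END CERTIFICATE-----\n"
KEY_PKCS8_ENC = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + BODY +
                 "-----END ENCRYPTED PRIVATE KEY-----\n")
KEY_LEGACY_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n" + BODY +
                  "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(check_agent_pem(CERT + KEY_LEGACY_ENC))   # encrypted key, no password
    print(check_ca_pem(CERT + KEY_PKCS8_ENC))       # key material in the CA file
```

The check is structural only: it does not confirm that the certificate matches the key or chains to the CA, which still requires a tool that parses the certificates.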