Configure Backup Agent User for x.509 Client Certificate Authentication
Ops Manager enables you to configure the Authentication Mechanisms that the Ops Manager Agents use to connect to your MongoDB deployments from within the Ops Manager interface. You can enable multiple authentication mechanisms for your group, but you must choose a single mechanism for the Agents to use to authenticate to your deployment.
MongoDB supports x.509 certificate authentication for use with a secure TLS/SSL connection. The x.509 client authentication allows clients to authenticate to servers with certificates rather than with a username and password.
In Ops Manager, x.509 Client Certificate (MONGODB-X509) is only available on MongoDB Enterprise builds. If you have existing deployments running on a MongoDB Community build, you must upgrade them to MongoDB Enterprise before you can enable x.509 Client Certificate (MONGODB-X509) for your Ops Manager group.
Note
In Ops Manager 1.8 and later, Ops Manager can manage agent authentication for you if you use Automation to manage the agents. With Automation, Ops Manager creates the users for each agent and configures the agent appropriately. See: Enable x.509 Authentication for your Ops Manager Group for more information.
Considerations
Important
A full description of TLS/SSL, PKI (Public Key Infrastructure) certificates, in particular x.509 certificates, and Certificate Authorities is beyond the scope of this document. This tutorial assumes prior knowledge of TLS/SSL as well as access to valid x.509 certificates.
In order to enable x.509 Authentication for Ops Manager, you must obtain valid certificates generated and signed by a single certificate authority. Refer to the Client x.509 Certificate in the MongoDB Manual for more about the certificate requirements.
Important
x.509 Client Certificate Authentication requires that SSL be enabled and configured for the deployment.
Procedures
This tutorial assumes that you have already configured your MongoDB deployment to use x.509 certificate authentication and SSL. If you have not done so, refer to the Use x.509 Certificates to Authenticate Clients and Configure mongod and mongos for TLS/SSL tutorials.
Create MongoDB User for the subject
In order for the Backup Agent to connect to your MongoDB deployment, you must create a user for the Monitoring Agent in the $external database. For x.509 certificate authentication, use the subject value of your client certificate as the username.
Use the following commands to create the users from a mongo shell connected to your MongoDB deployment:
MongoDB 3.0 or Later
MongoDB 2.6
See Required Access for Backup Agent for more information on the required access.
You can only associate an x.509 client certificate with a single user: each user must have its own certificate. However, you may use the same user for both the Backup and Monitoring agents. If you choose to use the same user for both agents, ensure that the user possesses the required permissions for both the backup agent and the monitoring agent.
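An added example, not from the Ops Manager documentation or the MongoDB project, in plain JavaScript so it runs outside the mongo shell: it parses the client certificate subject, applies the MongoDB manual's rule that a client certificate must differ from the member (server) certificates in at least one of O, OU or DC, and builds the command document that `db.getSiblingDB("$external").runCommand()` would take. The sample subjects and the role list are constructed assumptions; take the real roles from Required Access for Backup Agent.

```javascript
// Added example (not from the Ops Manager docs): build the $external createUser
// command from an agent certificate subject after checking the subject's DN.

// Parse an RFC 2253 subject string, the form printed by
// `openssl x509 -in agent.pem -inform PEM -subject -nameopt RFC2253`, into an
// ordered list of [attribute, value] pairs. An escaped comma ("\,") inside a
// value stays part of that value.
function parseSubject(subject) {
  const rdns = subject.match(/(?:\\.|[^,])+/g) || [];
  return rdns.map((rdn) => {
    const eq = rdn.indexOf("=");
    if (eq < 1) throw new Error(`malformed RDN in subject: ${rdn}`);
    return [rdn.slice(0, eq).trim().toUpperCase(), rdn.slice(eq + 1).trim()];
  });
}

// A client certificate must differ from the deployment's member certificates
// in at least one of O, OU or DC; otherwise mongod cannot distinguish it from
// a member certificate. Returns true when the client subject is acceptable.
function differsFromMemberCert(clientSubject, memberSubject) {
  const orgParts = (s) => parseSubject(s)
    .filter(([attr]) => ["O", "OU", "DC"].includes(attr))
    .map((pair) => pair.join("=")).sort().join("|");
  return orgParts(clientSubject) !== orgParts(memberSubject);
}

// Roles here are an assumption for illustration; take the authoritative list
// from "Required Access for Backup Agent" for your MongoDB version.
const BACKUP_AGENT_ROLES = [
  { role: "backup", db: "admin" },
  { role: "clusterAdmin", db: "admin" },
];

// Command document for db.getSiblingDB("$external").runCommand(...). The
// username is the whole subject string, and there is deliberately no pwd
// field: an x.509 user is authenticated by the certificate alone.
function buildCreateUserCommand(clientSubject, memberSubject, roles = BACKUP_AGENT_ROLES) {
  if (parseSubject(clientSubject).length === 0) throw new Error("empty subject");
  if (!differsFromMemberCert(clientSubject, memberSubject)) {
    throw new Error("client subject must differ from member certificates in O, OU or DC");
  }
  return { createUser: clientSubject, roles };
}

// Constructed sample subjects, not taken from real certificates.
const MEMBER_SUBJECT = "CN=mongod1.example.net,OU=servers,O=Example Corp,C=US";
const AGENT_SUBJECT = "CN=backup-agent,OU=ops-manager-agents,O=Example Corp,C=US";
```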
Edit Agent Configuration File
x.509 requires that you configure the agent for SSL:
Specify path to trusted CA certificate.
If your MongoDB deployment uses SSL, then you must configure the Monitoring Agent to use SSL. To configure the agent to use SSL, you must have a trusted CA certificate that signed the MongoDB instance’s certificate.
In the agent’s install directory, edit the monitoring-agent.config file to set the sslTrustedServerCertificates field to the path of a file containing one or more certificates in PEM format. For example, if you would use the following command to connect through the mongo shell:
Then you would set:
By default, connecting to MongoDB instances using SSL requires a valid trusted certificate. For testing purposes, however, you can set the sslRequireValidServerCertificates setting to false to bypass this check. When sslRequireValidServerCertificates is false, you do not need to specify the path to the trusted CA certificate in the sslTrustedServerCertificates setting, since Ops Manager will not verify the certificates. This configuration is not recommended for production use as it makes connections susceptible to man-in-the-middle attacks.
For additional information on these settings, including client certificate support, see MongoDB SSL Settings.
Restart the agent.
Configure Monitoring Agent for SSL provides more details about configuring the Monitoring Agent for SSL.
Once you have configured the Backup agent, you still need to configure the x.509 Authentication mechanism in the Ops Manager interface, as in Enable x.509 Authentication for your Ops Manager Group.