This version of the documentation is archived and no longer supported. To learn how to upgrade your version of MongoDB Ops Manager, refer to the upgrade documentation.

Configure the Monitoring Agent for Kerberos

MongoDB Enterprise provides support for Kerberos. Kerberos is a network authentication protocol available in MongoDB Enterprise version 2.4 or later. The Monitoring Agent can authenticate to MongoDB instances using Kerberos.

Important

Starting with Ops Manager 1.8, if Automation manages agents, Ops Manager can manage agent authentication. With an automated MongoDB deployment, you only need to specify the name for each agent in the Ops Manager user interface. Ops Manager then creates the MongoDB user specified for each agent and configures the appropriate access for that agent user.

Prerequisites

Configure KDC to Issue Tickets with Four-Hour Minimum Lifetime

Kerberos tickets are valid for authenticating users only for a limited time. You must configure the Kerberos Key Distribution Center (KDC) to issue tickets that are valid for at least four hours; the Monitoring Agent periodically renews its ticket. The KDC service provides session tickets and temporary session keys to users and computers.

Add Kerberos as Authentication Mechanism for Deployment

In addition to adding the agent as a MongoDB user, you must also specify the host’s authentication settings. You can specify the host’s authentication settings when adding the host, or you can edit the settings for an existing host.

Configure Monitoring Agent Host to Use Kerberos

Two Kerberos-related files must be installed on any host running the Monitoring or Backup Agent:

  • Create or configure the krb5.conf Kerberos configuration file. The default path depends on the platform:

    - Linux: /etc/krb5.conf
    - Mac OS X: /etc/krb5.conf (10.7+). The configuration file location has varied with previous versions of Mac OS X. Refer to the documentation for your Kerberos implementation for your version of Mac OS X to find out where the Kerberos configuration file is stored.
    - Windows: %WINDIR%\krb5.ini. This is the default path for non-Active Directory-based Kerberos implementations. Refer to the documentation for your Kerberos implementation for your version of Windows to find out where the Kerberos configuration file is stored.

  • Make sure the kinit binary is located at /usr/bin/kinit. kinit obtains or renews a Kerberos ticket-granting ticket, which authenticates the agent using Kerberos.

    Note

    This file and its location may be different on Windows or Mac OS X clients. Refer to the documentation for your Kerberos implementation to find out where the Kerberos ticket management binary is stored.

Create Kerberos Service Principal for the Monitoring Agent

1. Create or choose a Kerberos principal.

   Create or choose a Kerberos principal for the Monitoring and/or Backup Agent.

2. Generate a keytab for the Kerberos principal.

   Generate a keytab for the Kerberos principal and copy it to the system where the agent runs. Ensure the user that will run the agent is the same user that owns the keytab file.

Create a User and Assign Roles for the Monitoring Agent SPN

After creating the Kerberos SPN, create a user with the same name as the Monitoring Agent’s SPN on the $external database. Grant this Monitoring Agent user the clusterMonitor role on the admin database.

From a mongo shell connected to your MongoDB deployment, issue the following command to create the user:

db.getSiblingDB("$external").createUser(
   {
     user: "<Kerberos Principal>",
     roles: [ { role: "clusterMonitor", db: "admin" } ]
   }
)

See also

For more information on the required roles for previous versions of MongoDB, see Required Access for Monitoring Agent.

Edit the Monitoring Agent Configuration File

Edit the Monitoring Agent configuration file. The following table lists the default installation paths for some common platforms. Depending on your deployment, you may need to replace the default path with the custom installation path used for your Ops Manager agent installation.

Operating System | Path
RHEL, Ubuntu | /etc/mongodb-mms/monitoring-agent.config
Linux Archive, Mac OS X | <userSelected>/monitoring-agent.config
Windows | C:\MMSData\Monitoring\local.config

1. Set the krb5Principal.

   Set krb5Principal to the name of the Kerberos principal. For example:

   krb5Principal=mmsagent/instance@EXAMPLE.COM

2. Set the krb5Keytab.

   Set the krb5Keytab value to the complete absolute path of the keytab file. For example:

   krb5Keytab=/etc/mongodb-mms/mmsagent.keytab

3. Restart the agent.
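A pre-flight check for the agent host, covering the prerequisites above (krb5.conf and /usr/bin/kinit present, keytab owned by the agent user) and the two settings in monitoring-agent.config. This is an added example, not code shipped with Ops Manager; the principal-format check (primary/instance@REALM) and the refusal of group- or world-readable keytabs are assumptions stricter than the page, and the sample host it builds in a temporary directory is constructed.

```python
import os
import pwd
import re
import stat
import tempfile

PRINCIPAL_RE = re.compile(r"^[^/@\s]+(?:/[^/@\s]+)?@[^@\s]+$")  # primary[/instance]@REALM (assumed)

def parse_agent_config(text):
    """Parse the key=value lines of monitoring-agent.config into a dict; '#' lines are comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        key, sep, value = line.partition("=")
        if line and not line.startswith("#") and sep:
            settings[key.strip()] = value.strip()
    return settings

def check_kerberos_settings(settings, agent_user, kinit="/usr/bin/kinit", krb5_conf="/etc/krb5.conf"):
    """Return a list of problems found on this host; an empty list means all checks passed."""
    problems = []
    if not PRINCIPAL_RE.match(settings.get("krb5Principal", "")):
        problems.append("krb5Principal is missing or not of the form primary/instance@REALM")
    keytab = settings.get("krb5Keytab", "")
    if not os.path.isabs(keytab):
        problems.append("krb5Keytab must be an absolute path")
    elif not os.path.isfile(keytab):
        problems.append("keytab file not found: " + keytab)
    else:
        st = os.stat(keytab)
        if pwd.getpwuid(st.st_uid).pw_name != agent_user:  # the page requires owner == agent user
            problems.append("keytab is not owned by the agent user " + agent_user)
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):  # assumed extra check: keytab is a credential
            problems.append("keytab is readable by group or others")
    for path, what in ((kinit, "kinit binary"), (krb5_conf, "krb5.conf")):
        if not os.path.isfile(path):
            problems.append(what + " not found at " + path)
    return problems

def run_constructed_example():
    """Constructed sample host in a temp dir; returns (problems for a good config, problems for a bad one)."""
    me = pwd.getpwuid(os.getuid()).pw_name
    with tempfile.TemporaryDirectory() as d:
        keytab, kinit, conf = (os.path.join(d, n) for n in ("mmsagent.keytab", "kinit", "krb5.conf"))
        for path in (keytab, kinit, conf):  # empty stand-ins, not a real keytab or binary
            open(path, "w").close()
        os.chmod(keytab, 0o600)
        good = parse_agent_config("krb5Principal=mmsagent/instance@EXAMPLE.COM\nkrb5Keytab=" + keytab)
        bad = parse_agent_config("# realm missing, relative keytab path\nkrb5Principal=mmsagent\nkrb5Keytab=mmsagent.keytab")
        return check_kerberos_settings(good, me, kinit, conf), check_kerberos_settings(bad, me, kinit, conf)
```

On a real host, call check_kerberos_settings with the parsed contents of the agent's configuration file and the account the agent runs as, using the default kinit and krb5.conf paths.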