- Security >
- Enable Authentication for an Ops Manager Group >
- Enable SCRAM-SHA-1 / MONGODB-CR Authentication for your Ops Manager Group
Enable SCRAM-SHA-1 / MONGODB-CR Authentication for your Ops Manager Group¶
On this page
Overview¶
Ops Manager enables you to configure the Authentication Mechanisms that the Ops Manager Agents use to connect to your MongoDB deployments from within the Ops Manager interface. You can enable multiple authentication mechanisms for your group, but you must choose a single mechanism for the Agents to use to authenticate to your deployment.
In MongoDB 3.0 and later, MongoDB’s default authentication mechanism is
a challenge and response mechanism (SCRAM-SHA-1). Previously, MongoDB
used MongoDB Challenge and Response (MONGODB-CR) as the default.
SCRAM-SHA-1¶
SCRAM-SHA-1 is an IETF standard, RFC 5802, that defines best practice
methods for implementation of challenge-response mechanisms for
authenticating users with passwords.
SCRAM-SHA-1 verifies supplied user credentials against the user’s name,
password and database. The user’s database is the database where the
user was created, and the user’s database and the user’s name together
serves to identify the user.
MONGODB-CR¶
MONGODB-CR is a challenge-response mechanism that authenticates
users through passwords.
MONGODB-CR verifies supplied user credentials against the user’s name,
password and database. The user’s database is the database where the
user was created, and the user’s database and the user’s name together
serve to identify the user.
Considerations¶
This tutorial describes how to enable Username/Password
(MONGODB-CR/SCRAM-SHA-1) authentication for your Ops Manager
deployment. Username/Password authentication is the only authentication
mechanism available in Ops Manager when using the MongoDB Community version.
Note
If Ops Manager is not managing any MongoDB deployment, you can reset Authentication and SSL settings for your group.
To remove all authentication and security settings as well as the users and roles you created using Ops Manager, click Clear Settings in the Authentication & SSL Settings dialog box .
See Clear Security Settings for more information.
To unmanage MongoDB deployments, see Remove a Process from Management or Monitoring.
Procedure¶
This procedure describes how to configure and enable MONGODB-CR / SCRAM-SHA-1
authentication when using Automation. If your Monitoring or Backup
agents are not managed by Ops Manager, you must manually configure them to
use MONGODB-CR / SCRAM-SHA-1. See:
Configure Monitoring Agent for MONGODB-CR and
Configure Backup Agent for MONGODB-CR for instructions.
Click the Deployment tab, then click the Deployment page.¶
Check Username/Password (MONGODB-CR/SCRAM-SHA-1), then click Next.¶
Configure SSL if desired, and click Continue.¶
If desired, enable SSL for the group.
Note
See Enable SSL for a Deployment for SSL setup instructions.
SSL is not required for use with Username/Password (MONGODB-CR/SCRAM-SHA-1) authentication.
Configure the Authentication Mechanism for the Agents.¶
If you enable more than one authentication mechanism, you must specify which one of the authentication mechanisms the Ops Manager agents should use to connect to your deployment.
Select Username/Password (MONGODB-CR/SCRAM-SHA-1) from the Agent Auth Mechanism drop-down menu.
Ops Manager automatically generates the Agents’ usernames and passwords.
Ops Manager creates users for the agents with the required user roles in the admin database for each existing deployment in Ops Manager. When you add a new deployment, Ops Manager creates the required users in the new deployment.
Click Save.
You do not need to configure all of the agents, only the ones you installed.
Example
If you did not install the Backup agent, you do not need to configure the Backup agent.
Click Review & Deploy to review your changes.¶
Review and approve your changes.¶
Ops Manager displays your proposed changes.
- If they are acceptable, click Confirm & Deploy.
- If they are unacceptable, click Cancel and you can make additional changes.