Configure Backup Agent for SSL
If your MongoDB deployment uses SSL, then you must configure the Backup
Agent to use SSL to connect to your deployment’s
Configuring the agent to use SSL involves specifying which certificate to use to sign MongoDB certificates and turning on the SSL option for the MongoDB instances in Ops Manager.
To configure the agent to use SSL, you must have a trusted CA certificate that signed the MongoDB instance’s certificate.
Connections between Agents and MongoDB Instances
In Ops Manager 1.8 and later, Ops Manager can manage SSL for you if you are using Automation for the deployment. With Automation, Ops Manager prompts you for the certificates to use to connect to the deployment when you enable SSL and then configures the agents appropriately. See Enable SSL for a Deployment for more information.
Log in to the host running the Backup Agent.
Edit the Backup Agent configuration file to specify the settings for SSL certificates.
Edit the Backup Agent configuration file. The location of the file depends upon the platform running the Backup Agent.
|RHEL, CentOS, Amazon Linux, and Ubuntu||
|OS X, Windows, and other Linux systems||
Set the following settings if you use a Backup Agent that connects to an SSL-enabled MongoDB deployment.
sslTrustedServerCertificates is required. The other settings are
||Type the path to the SSL certificates the Backup Agent uses.|
Type the password to decrypt the private key set in the file
specified with the
Required only if the client certificate PEM file is encrypted.
||Type the path to the trusted Certificate Authority (CA) certificates.|
Set this option to
The Backup Agent configuration file for a Backup Agent with SSL enabled should look similar to this:
sslClientCertificate=<certDirectory>/sslCertificate.pem
sslClientCertificatePassword='thisFakePassword'
sslTrustedServerCertificates=<certDirectory>/sslCACert.pem
sslRequireValidServerCertificates=true
For additional information on these settings, see MongoDB SSL Settings.
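One way to lint a Backup Agent configuration file against the settings above, as an added example that is not part of Ops Manager or its documentation. The function names and finding messages are assumptions, and the owner-only mode check extends the chmod 600 this page applies to the Ops Manager certificate to the client PEM and, when it stores the key password, to the configuration file itself.

```sh
#!/bin/sh
# Added example: lint the SSL settings of a Backup Agent configuration file.
# Function names and finding messages are assumptions, not Ops Manager tooling.

# Print the value of key $2 in key=value file $1 (last occurrence wins),
# with trailing whitespace and surrounding quotes removed.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e "s/^'\(.*\)'\$/\1/" -e 's/^"\(.*\)"$/\1/'
}

# Succeed only if $1 grants nothing to group or other (for example mode 600).
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Record one finding on stdout.
note() {
    echo "$1"
    findings=$((findings + 1))
}

# Print one finding per line; exit status 0 means no findings.
check_backup_agent_ssl() {
    conf=$1
    findings=0
    ca=$(cfg_get "$conf" sslTrustedServerCertificates)
    cert=$(cfg_get "$conf" sslClientCertificate)
    pass=$(cfg_get "$conf" sslClientCertificatePassword)
    valid=$(cfg_get "$conf" sslRequireValidServerCertificates)

    # The page marks sslTrustedServerCertificates as required.
    if [ -z "$ca" ]; then note "MISSING sslTrustedServerCertificates"
    elif [ ! -r "$ca" ]; then note "UNREADABLE CA file: $ca"
    fi
    # An explicit false turns off validation of the server certificate.
    if [ "$valid" = "false" ]; then note "DISABLED sslRequireValidServerCertificates"; fi
    # Assumption: the client PEM holds the private key, so keep it owner-only.
    if [ -n "$cert" ]; then
        if [ ! -r "$cert" ]; then note "UNREADABLE client certificate: $cert"
        elif ! owner_only "$cert"; then note "PERMISSIVE mode on $cert"
        fi
    fi
    # Assumption: a config file that stores the key password should be owner-only.
    if [ -n "$pass" ] && ! owner_only "$conf"; then note "PERMISSIVE mode on $conf"; fi
    [ "$findings" -eq 0 ]
}
```

Run it as the Backup Agent's user so the readability checks reflect what the agent itself can open.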
Connections between Agents and Ops Manager
To ensure that the Backup Agents use SSL when connecting to Ops Manager, configure Ops Manager to use SSL for all connections. The Configure SSL Connections to Ops Manager tutorial describes how to set up Ops Manager to run over HTTPS.
Starting with Ops Manager 1.4, the Backup Agent validates the SSL certificate of the Ops Manager server by default.
If you are not using a certificate signed by a trusted third party, you must configure the Backup Agent to trust the Ops Manager server.
To specify a self-signed certificate of the Ops Manager server that the Backup Agent should trust:
Copy your PEM certificate to
Issue the following sequence of commands:
sudo cp -a mms-ssl-unified.crt /etc/mongodb-mms/
sudo chown mongodb-mms-backup-agent:mongodb-mms-backup-agent /etc/mongodb-mms/mms-ssl-unified.crt
sudo chmod 600 /etc/mongodb-mms/mms-ssl-unified.crt