Configure Backup Agent for SSL

Overview

If your MongoDB deployment uses SSL, then you must configure the Backup Agent to use SSL to connect to your deployment’s mongod and mongos instances.

Configuring the agent to use SSL involves specifying the trusted CA certificate that signed the MongoDB certificates and turning on the SSL option for the MongoDB instances in Ops Manager.

Prerequisite

To configure the agent to use SSL, you must have a trusted CA certificate that signed the MongoDB instance’s certificate.

Procedures

Connections between Agents and MongoDB Instances

To use SSL for the Backup Agent’s connection to a MongoDB host, specify the host’s SSL settings when adding the host or by editing the host’s settings.

Note

In Ops Manager 1.8 and later, Ops Manager can manage SSL for you if you are using Automation for the deployment. With Automation, Ops Manager prompts you for the certificates to use to connect to the deployment when you enable SSL and then configures the agents appropriately. See Enable SSL for a Deployment for more information.

1

Log in to the host running the Backup Agent.

2

Edit the Backup Agent configuration file to specify the settings for SSL certificates.

Edit the Backup Agent configuration file. The location of the file depends upon the platform running the Backup Agent.

Platform                                  File Location
RHEL, CentOS, Amazon Linux, and Ubuntu    /etc/mongodb-mms/backup-agent.config
OS X, Windows, and other Linux systems    <installationDirectory>/local.config

Set the following settings if you use a Backup Agent that connects to an SSL-enabled MongoDB deployment.

Note

Only sslTrustedServerCertificates is required. The other settings are optional.

Setting and value:

sslClientCertificate

Type the path to the SSL certificates the Backup Agent uses.

sslClientCertificatePassword

Type the password to decrypt the private key set in the file specified with the sslClientCertificate setting.

Required only if the client certificate PEM file is encrypted.

sslTrustedServerCertificates

Type the path to the trusted Certificate Authority (CA) certificates.

sslRequireValidServerCertificates

Type true if Ops Manager should validate SSL certificates or false to disable certificate verification.

Warning

Set this option to false only for testing purposes. It makes connections between Ops Manager and MongoDB deployments susceptible to man-in-the-middle attacks.

Example

The Backup Agent configuration file for a Backup Agent with SSL enabled should look similar to this:

sslClientCertificate=<certDirectory>/sslCertificate.pem
sslClientCertificatePassword='thisFakePassword'
sslTrustedServerCertificates=<certDirectory>/sslCACert.pem
sslRequireValidServerCertificates=true

See also

For additional information on these settings, see MongoDB SSL Settings.

3

Restart the agent.

Use the shell command for the platform as specified in Start or Stop the Backup Agent.
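
As an added example (not part of the Ops Manager documentation or tooling), the following shell script audits a Backup Agent configuration file against the settings above before you restart the agent: it checks that sslTrustedServerCertificates points at a PEM file, flags sslRequireValidServerCertificates=false, and checks the client PEM's permissions and password setting. The function names, messages, and the no-group/other-access rule for the client PEM are this example's assumptions, not documented agent behavior.

```sh
#!/bin/sh
# Added example: audit a Backup Agent config file for the SSL settings on this page.
# Setting names come from the page; function names and messages are this example's own.
# get_setting FILE KEY: value of the last "KEY=value" line, surrounding quotes stripped.
get_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e "s/^'\(.*\)'\$/\1/" -e 's/^"\(.*\)"$/\1/'
}

fail() { echo "FAIL: $*"; findings=$((findings + 1)); }

# audit_backup_agent_ssl FILE: prints findings; exit status is the number of findings.
audit_backup_agent_ssl() {
    cfg=$1 findings=0
    ca=$(get_setting "$cfg" sslTrustedServerCertificates)
    cert=$(get_setting "$cfg" sslClientCertificate)
    pass=$(get_setting "$cfg" sslClientCertificatePassword)
    verify=$(get_setting "$cfg" sslRequireValidServerCertificates | tr 'A-Z' 'a-z')
    if [ -z "$ca" ]; then
        fail "sslTrustedServerCertificates is not set (the one required setting)"
    elif ! grep -q -e '-----BEGIN CERTIFICATE-----' "$ca" 2>/dev/null; then
        fail "CA file '$ca' is missing, unreadable, or not PEM"
    fi
    [ "$verify" = "false" ] &&
        fail "sslRequireValidServerCertificates=false disables verification (testing only)"
    if [ -n "$cert" ] && [ ! -r "$cert" ]; then
        fail "client certificate '$cert' is missing or unreadable"
    elif [ -n "$cert" ]; then
        # The client PEM carries the private key: allow no group/other access.
        [ "$(ls -lLd "$cert" | cut -c5-10)" = "------" ] ||
            fail "client certificate '$cert' is accessible to group/other"
        grep -q ENCRYPTED "$cert" && [ -z "$pass" ] &&
            fail "client key is encrypted but sslClientCertificatePassword is unset"
    fi
    [ "$findings" -eq 0 ] && echo "OK: no findings in $cfg"
    return "$findings"
}

# Constructed sample: no CA configured and verification disabled, so two findings.
sample_config() {
    printf '%s\n' "sslClientCertificatePassword='thisFakePassword'" \
        'sslRequireValidServerCertificates=false'
}
if [ $# -gt 0 ]; then
    audit_backup_agent_ssl "$1"
else
    tmp=$(mktemp) && sample_config > "$tmp" && audit_backup_agent_ssl "$tmp"
    rm -f "$tmp"
fi
```

Run it with the path to the configuration file as its argument; without an argument it audits the constructed sample.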

Connections between Agents and Ops Manager

To ensure that the Backup Agents use SSL when connecting to Ops Manager, configure Ops Manager to use SSL for all connections. The Configure SSL Connections to Ops Manager tutorial describes how to set up Ops Manager to run over HTTPS.

Starting with Ops Manager 1.4, the Backup Agent validates the SSL certificate of the Ops Manager server by default.

If you are not using a certificate signed by a trusted third party, you must configure the Backup Agent to trust the Ops Manager server.

To specify a self-signed certificate of the Ops Manager server that the Backup Agent should trust:

1

Copy your PEM certificate to /etc/mongodb-mms/.

Issue the following sequence of commands:

sudo cp -a mms-ssl-unified.crt /etc/mongodb-mms/
sudo chown mongodb-mms-backup-agent:mongodb-mms-backup-agent /etc/mongodb-mms/mms-ssl-unified.crt
sudo chmod 600 /etc/mongodb-mms/mms-ssl-unified.crt

2

Edit the following parameter in the Backup Agent configuration file.

For example:

sslTrustedMMSBackupServerCertificate=/etc/mongodb-mms/mms-ssl-unified.crt

3

Restart the Backup Agent for the configuration update to take effect.