Configure Monitoring Agent for SSL
Ops Manager supports SSL for encrypting the following connections made by Monitoring Agents:
- Connections between the Monitoring Agents and MongoDB instances.
- Connections between the Monitoring Agents and Ops Manager.
To configure the agent to use SSL, you must have a trusted CA certificate that signed the MongoDB instance’s certificate.
Connections between Agents and MongoDB Instances
In Ops Manager 1.8 and later, Ops Manager can manage SSL for you if you are using Automation for the deployment. With Automation, Ops Manager prompts you for the certificates to use to connect to the deployment when you enable SSL and then configures the agents appropriately. See Enable SSL for a Deployment for more information.
Specify path to trusted CA certificate.
If your MongoDB deployment uses SSL, then you must configure the Monitoring Agent to use SSL. To configure the agent to use SSL, you must have a trusted CA certificate that signed the MongoDB instance’s certificate.
In the agent’s install directory, edit the monitoring-agent.config file to set the sslTrustedServerCertificates field to the path of a file containing one or more certificates in PEM format. For example, if you would use the following command to connect through the mongo shell:
mongo --ssl --sslCAFile /etc/ssl/ca.pem example.net:27017
Then you would set sslTrustedServerCertificates to /etc/ssl/ca.pem.
By default, connecting to MongoDB instances using SSL requires a valid trusted certificate.
For testing purposes, however, you can set the sslRequireValidServerCertificates setting to false to bypass this check. When sslRequireValidServerCertificates is false, you do not need to specify the path to the trusted CA certificate in the sslTrustedServerCertificates setting, since Ops Manager will not verify the certificates. This configuration is not recommended for production use as it makes connections susceptible to man-in-the-middle attacks.
For additional information on these settings, including client certificate support, see MongoDB SSL Settings.
Restart the agent.
For additional information on SSL settings, including client certificate support, see MongoDB SSL Settings.
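As an added example (not part of the Ops Manager documentation or tooling), the following shell function audits a monitoring-agent.config for the two settings described above. It assumes the file uses key=value lines and that the deployment uses SSL; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Ops Manager code): audit monitoring-agent.config SSL settings.

# Print the last value assigned to key $2 in key=value file $1.
# Lines that start with '#' do not match and are therefore ignored.
get_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 if the agent verifies MongoDB server certificates against a usable
# CA file, 1 otherwise. Assumption: the deployment uses SSL, so a missing CA
# path is reported as a failure.
audit_agent_ssl() {
    cfg=$1
    rc=0
    require=$(get_setting "$cfg" sslRequireValidServerCertificates)
    ca=$(get_setting "$cfg" sslTrustedServerCertificates)

    # "false" is matched case-insensitively to stay on the conservative side.
    case "$require" in
        [Ff][Aa][Ll][Ss][Ee])
            echo "FAIL: sslRequireValidServerCertificates=false, certificates are not verified"
            rc=1 ;;
    esac
    if [ -z "$ca" ]; then
        echo "FAIL: sslTrustedServerCertificates is not set"; rc=1
    elif [ ! -r "$ca" ]; then
        echo "FAIL: CA file $ca is missing or unreadable"; rc=1
    elif ! grep -q -e '-----BEGIN CERTIFICATE-----' "$ca"; then
        echo "FAIL: CA file $ca contains no PEM certificate"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: server certificates are verified against $ca"
    fi
    return "$rc"
}

# Demo on constructed files: a placeholder PEM body and a testing-only config.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED' \
    '-----END CERTIFICATE-----' > "$demo_dir/ca.pem"
printf '%s\n' "sslTrustedServerCertificates=$demo_dir/ca.pem" \
    'sslRequireValidServerCertificates=false' > "$demo_dir/monitoring-agent.config"
audit_agent_ssl "$demo_dir/monitoring-agent.config" || true
rm -rf "$demo_dir"
```

Run the function against the agent's real configuration file after each change and before restarting the agent; a nonzero exit status means the agent would connect without verifying the server certificate or without a usable CA file.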
Connections between Agents and Ops Manager
To ensure that the Monitoring Agents use SSL when connecting to Ops Manager, configure Ops Manager to use SSL for all connections. The Configure SSL Connections to Ops Manager tutorial describes how to set up Ops Manager to run over HTTPS.
Starting with Ops Manager 1.4, the Monitoring Agent validates the SSL certificate of the Ops Manager by default.
If you are not using a certificate signed by a trusted 3rd party, you must configure the Monitoring Agent to trust Ops Manager.
To specify a self-signed certificate for Ops Manager that the Monitoring Agent should trust:
Copy your PEM certificate to /etc/mongodb-mms/.
Issue the following sequence of commands:
sudo cp -a mms-ssl-unified.crt /etc/mongodb-mms/
sudo chown mongodb-mms-agent:mongodb-mms-agent /etc/mongodb-mms/mms-ssl-unified.crt
sudo chmod 600 /etc/mongodb-mms/mms-ssl-unified.crt
Edit the following parameter in
Restart the Monitoring Agent for the configuration update to take effect.
sudo /etc/init.d/mongodb-mms-monitoring-agent restart