Navigation
This version of the documentation is archived and no longer supported. To learn how to upgrade your version of MongoDB Ops Manager, refer to the upgrade documentation.
You were redirected from a different version of the documentation. Click here to go back.
  • Security >
  • Configure the Connections to the Backing MongoDB Instances

Configure the Connections to the Backing MongoDB Instances

Overview

If you set up your backing MongoDB instances to use access control or to run over SSL, then you must update Ops Manager’s configuration files with the necessary information for accessing the MongoDB instances.

The conf-mms.properties file configures the connection from Ops Manager to the Ops Manager Application database.

Prerequisites

This tutorial assumes you have:

Note

For information on deploying MongoDB with access control or to use SSL, see Security Concepts in the MongoDB manual.

Procedures

Configure Ops Manager to Connect to Backing Databases with Access Control

Ops Manager can authenticate with the Backing Databases using username/password (MONGODB-CR/SCRAM-SHA-1) or LDAP with the MongoDB Community edition. The MongoDB Enterprise Edition adds Kerberos and x.509 Client Certificate as authentication mechanisms.

If your Ops Manager Application database uses access control, you must configure Ops Manager to be able to connect to the database.

1

Open the conf-mms.properties file with elevated privileges.

Open the conf-mms.properties file in your preferred text editor with root (Linux) or Administrator (Windows) privileges.

This file configures Ops Manager’s connection to the Ops Manager Application Database.

2

Configure Ops Manager to connect to the Ops Manager Application Database.

mongo.mongoUri contains the connection string used to access the Ops Manager Application Database.

The mongo.mongoUri reference provides examples of the connection string format for each authentication mechanism and details the required permissions for the connecting user.

For an Ops Manager Application Database using Kerberos authentication, the mongo.mongoUri setting would resemble:

mongo.mongoUri=mongodb://username%40REALM.example.net@mydb1.example.net:
40000/?authMechanism=GSSAPI
3

(Optional) Configure any other authentication mechanism-specific settings.

Edit the following settings in conf-mms.properties:

If you are using Kerberos authentication, you must configure the Kerberos settings, as in the following:

jvm.java.security.krb5.kdc=kdc.example.com
jvm.java.security.krb5.realm=EXAMPLE.COM
mms.kerberos.principal=mms/mmsweb.example.com@EXAMPLE.COM
mms.kerberos.keyTab=/path/to/mms.keytab

If you are using x.509 Client Certificate Authentication, you must also be connecting over TLS/SSL. The next section, Configure SSL Connections to the Ops Manager Application Database, covers the TLS/SSL configuration instructions.

4

Restart all the Ops Manager instances, including those with the Backup Daemon enabled.

If the Ops Manager Application Database is running over SSL, proceed to the SSL configuration tutorial.

Restart Ops Manager using the appropriate command for your platform:

sudo service mongodb-mms restart
<install_dir>/bin/mongodb-mms restart
  1. Click Control Panel.
  2. Click System and Security.
  3. Click Administrative Tools.
  4. Click Services.
  5. In the Services list, right-click on the MongoDB Ops Manager HTTP Service and click Restart.
  6. Optionally, in the Services list, right-click on the MongoDB Backup Daemon Service and click Restart.

Configure SSL Connections to the Ops Manager Application Database

1

Open the conf-mms.properties file with root (Linux) or Administrator (Windows) privileges.

This file configures Ops Manager’s connection to the Ops Manager Application Database.

2

Configure Ops Manager to connect to the Ops Manager Application Database over SSL.

Configure the following settings in conf-mms.properties:

mongo.ssl

Set this to true to indicate that the Ops Manager Application Database is using SSL.

mongodb.ssl.CAFile

Specify the PEM file that contains the root certificate chain from the Certificate Authority that signed the MongoDB server certificate.

mongodb.ssl.PEMKeyFile

If the MongoDB instance is running with --sslCAFile option, specify the PEM file containing an x.509 certificate and private key.

mongodb.ssl.PEMKeyFilePassword

If the client PEM file contains an encrypted private key, specify the password for PEM file. To encrypt this password in the configuration file, use the Ops Manager credentialstool tool. See Encrypt User Credentials.

Important

On Microsoft Windows servers, file paths for mongodb.ssl.CAFile and mongodb.ssl.PEMKeyFile must escape their backslashes to work properly. If you store your SSL certificates in D:\Certificates, the file path would be written as D:\\Certificates\\pemkeyfile.pem.

3

Restart all the Ops Manager instances, including those with the Backup Daemon enabled.

If the Ops Manager Application Database is running over SSL, proceed to the SSL configuration tutorial.

Restart Ops Manager using the appropriate command for your platform:

sudo service mongodb-mms restart
<install_dir>/bin/mongodb-mms restart
  1. Click Control Panel.
  2. Click System and Security.
  3. Click Administrative Tools.
  4. Click Services.
  5. In the Services list, right-click on the MongoDB Ops Manager HTTP Service and click Restart.
  6. Optionally, in the Services list, right-click on the MongoDB Backup Daemon Service and click Restart.