Enable SSL for a Deployment
Overview
For Ops Manager to monitor, deploy, or back up a MongoDB deployment that uses SSL, you must enable SSL for the Ops Manager group. The SSL settings apply to all deployments managed by Ops Manager.
Important
A full description of TLS/SSL, PKI (Public Key Infrastructure) certificates, x.509 certificates, and Certificate Authorities is beyond the scope of this document. This tutorial assumes prior knowledge of TLS/SSL as well as access to valid x.509 certificates.
Starting with Ops Manager 1.8, Ops Manager automatically configures the Monitoring and Backup agents to connect to the managed deployment over SSL when you activate SSL for the Ops Manager group. You no longer need to manually configure the agents’ SSL settings.
If you are not using automation for a deployment, you can still configure the Monitoring and Backup agents manually. See Configure Monitoring Agent for SSL and Configure Backup Agent for SSL for more information.
Note
If Ops Manager is not managing any MongoDB deployment, you can reset Authentication and SSL settings for your group.
To remove all authentication and security settings as well as the users and roles you created using Ops Manager, click Clear Settings in the Authentication & SSL Settings dialog box.
See Clear Security Settings for more information.
To unmanage MongoDB deployments, see Remove a Process from Management or Monitoring.
For information on other group-wide settings, see Create a Group.
Procedures
Warning
For MongoDB 2.6 and below, you must use the MongoDB Enterprise Edition, which includes SSL, or add a custom build with SSL enabled. To configure the available MongoDB versions, see: Configure Available MongoDB Versions.
Important
You must complete both of the following procedures in the order given before you click Review & Deploy.
Ensure Existing Deployments are Using SSL
If you wish to enable SSL for an Ops Manager group that includes MongoDB deployments, use the following procedure to ensure that the MongoDB deployments are configured to use SSL:
Click Deployment, then click the Processes tab, and then the Topology view.
On the line listing the process, click Modify.
Expand the Advanced Options area.
Set the SSL startup options.
Click Add Option to add each option.

| Option | Value |
|---|---|
| sslmode | Select requireSSL. |
| sslPemKeyFile | Provide the path to the client certificate. |
| sslPemKeyPassword | If you encrypted the PEM key file, provide its password. |

When you have added the required settings, click Apply.
Enable SSL for the Group
You can manage both SSL and non-SSL MongoDB deployments in the same group.
Important
Prior to Ops Manager version 2.0.3, if you enable SSL, all MongoDB deployments in the group that are managed by Ops Manager must use SSL.
On the Select Authentication Mechanisms screen, click Next.
If you wish to enable one or more Authentication Mechanisms for your Ops Manager group, select them and then click Next.
Toggle the Enable SSL slider to Yes.
Specify the path to the SSL CA file and choose the Client Certificate Mode, then click Continue.
The SSL CA file is a .pem file that contains the root certificate chain from the Certificate Authority. The Monitoring and Backup Agents use the CA file for connections to your deployment.
The Client Certificate Mode specifies whether client certificates are required for each mongod and mongos in the deployment.
- OPTIONAL: Ops Manager starts each mongod and mongos process with both net.ssl.CAFile and net.ssl.allowConnectionsWithoutCertificates. As such, mongod and mongos processes need not possess client certificates.
- REQUIRED: Ops Manager starts each mongod and mongos with the net.ssl.CAFile setting. Each mongod and mongos must possess a client certificate.
Provide SSL credentials for the Ops Manager Agents
Specify the path to the .pem file that contains both the TLS/SSL certificate and key for each agent. If needed, specify the password to decrypt the .pem certificate-key file.
Ensure you use the correct input box for your operating system.
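A structural pre-check for the .pem files named in the steps above (the sslPemKeyFile, the SSL CA file and the agent certificate-key file), given as an added example that is not part of Ops Manager or its documentation. The function names, role labels and sample blocks are assumptions made for illustration; it checks PEM block structure only, not that a key matches its certificate or that the chain validates.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)

def inspect_pem(text):
    """Count certificates and private keys in a PEM bundle; flag encrypted keys."""
    info = {"certs": 0, "keys": 0, "encrypted_key": False, "bad_blocks": 0}
    for label, body in PEM_BLOCK.findall(text.replace("\r\n", "\n")):
        # Legacy OpenSSL keys put "Proc-Type: 4,ENCRYPTED" headers before a blank line.
        headers, _, b64 = body.rpartition("\n\n")
        try:
            base64.b64decode("".join(b64.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            info["bad_blocks"] += 1
            continue
        if label == "CERTIFICATE":
            info["certs"] += 1
        elif label.endswith("PRIVATE KEY"):
            info["keys"] += 1
            if label == "ENCRYPTED PRIVATE KEY" or "ENCRYPTED" in headers:
                info["encrypted_key"] = True
    return info

def check_pem(text, role, password_supplied=False):
    """role 'keyfile': certificate plus one key; role 'ca': certificates only."""
    info, problems = inspect_pem(text), []
    if info["bad_blocks"]:
        problems.append("block with invalid base64")
    if info["certs"] == 0:
        problems.append("no certificate")
    if role == "ca" and info["keys"]:
        problems.append("unexpected private key in CA file")
    if role == "keyfile" and info["keys"] != 1:
        problems.append(f"expected exactly one private key, found {info['keys']}")
    if role == "keyfile" and info["encrypted_key"] and not password_supplied:
        problems.append("private key is encrypted but no password was supplied")
    return problems

def sample_block(label, headers=""):
    # Constructed placeholder body: valid base64, not a real certificate or key.
    body = base64.b64encode(b"constructed sample bytes").decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"

SAMPLE_CERT = sample_block("CERTIFICATE")
SAMPLE_KEY = sample_block("PRIVATE KEY")
SAMPLE_ENC_KEY = sample_block("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")

if __name__ == "__main__":
    print(check_pem(SAMPLE_CERT + SAMPLE_ENC_KEY, "keyfile"))
```

An empty list means the file has the expected shape for its role. To check real files, read their text and pass it to check_pem in place of the constructed samples.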
Click Review & Deploy to review your changes.
Important
Ensure that your existing deployments use SSL before you click Review & Deploy.
Review and approve your changes.
Ops Manager displays your proposed changes.
- If you are satisfied, click Confirm & Deploy.
- Otherwise, click Cancel and you can make additional changes.