Fix This Page
Navigation
You were redirected from a different version of the documentation. Click here to go back.

Enable x.509 Authentication for your Ops Manager Group

Overview

Ops Manager enables you to configure the Authentication Mechanisms that all clients, including the Ops Manager Agents, use to connect to your MongoDB deployments. You can enable multiple authentication mechanisms for each of your groups, but you must choose only one mechanism for the Agents.

MongoDB supports x.509 client and member certificate authentication for use with a secure TLS/SSL connection. The x.509 authentication allows users and other members to authenticate to servers with certificates rather than with a username and password.

In Ops Manager, x.509 Client Certificate (MONGODB-X509) is only available on MongoDB Enterprise builds. If you have existing deployments running on a MongoDB Community build, you must upgrade them to MongoDB Enterprise before you can enable x.509 Client Certificate (MONGODB-X509) for your Ops Manager group.

Note

As of Ops Manager 2.0, using x.509 certificates for membership authentication is supported.

Prerequisites

Important

A full description of Public Key Infrastructure (PKI), including certificates and Certificate Authorities, is beyond the scope of this tutorial. This tutorial assumes prior knowledge of SSL and PKI as well as access to valid x.509 certificates.

To enable x.509 Authentication for Ops Manager, you must:

  • Obtain valid certificate files (PEM Key files) generated and signed by a single certificate authority (CA) for:

    • Certificate Only in PEM file:
      • The CA itself
    • Certificate and Private Key in PEM file:
      • Each agent (Automation, Monitoring if used and Backup if used)
      • Each hostname of a managed MongoDB server (if member X.509 authentication is used)
      • Each client that may attach to the MongoDB instance
  • Generate LDAPv3 distinguished name from each Agents’ PEM Key file. Consult the documentation for whichever SSL implementation you use.

    Example

    For OpenSSL, the command to generate the LDAPv3 DN from a PEM Key File called automation.pem is:

    openssl x509 -in automation.pem -inform PEM -subject -nameopt RFC2253
    

Note

See Client x.509 Certificate in the MongoDB Manual for certificate requirements.

Important

If at any point you wish to reset the authentication settings for your group and start again, see Clear Security Settings for more information.

Procedures

These procedures describe how to configure and enable x.509 authentication when using Automation. If Ops Manager does not manage your Monitoring or Backup agents, you must manually configure them to use x.509 authentication.

Prepare an Existing Deployment for x.509 Certificate Authentication

Important

X.509 Client Certificate authentication requires SSL. If Ops Manager manages one or more existing deployments, SSL must be enabled on each process in the MongoDB deployment before enabling x.509 authentication.

Note

If SSL is already enabled, you may skip this procedure.

1

Click Deployment, then click the Processes tab, and then the Topology view.

2

On the line listing the process, click Modify.

3

Expand the Advanced Options area.

4

Set the SSL startup options.

  1. Click Add Option to add each option.

    Option Value
    sslmode Select requireSSL.
    sslPemKeyFile Provide the path to the client certificate.
    sslPemKeyPassword If you encrypted the PEM key file, provide its password.
  2. When you have added the required settings, click Apply.

Configure an Existing Deployment for x.509 Member Certificate Authentication

Note

This procedure is optional. It enables members of a replica set or sharded cluster to also use x.509 certificates to authenticate each other. If it is not configured, replica set and sharded cluster members can still authenticate with each other using keyFile authentication.

1

Click Deployment, then click the Processes tab, and then the Topology view.

2

On the line listing the process, click Modify.

3

Expand the Advanced Options area.

4

Set the x.509 startup options.

  1. Click Add Option to add each option.

    Option Value
    clusterAuthMode Select x509.
    clusterFile Provide the path to the member PEM Key file.
  2. When you have added the required settings, click Apply.

When you have configured the SSL options for each deployed process, you can proceed to enable x.509 authentication for your Ops Manager group.

Enable x.509 Client Certificate Authentication for your Ops Manager Group

1
2

Select X.509 Certificates.

  1. Select X.509 Client Certificate (MONGODB-X509).
  2. Click Next.
3

Configure the LDAP Authorization Settings. (Optional)

Important

Using LDAP Authorization, MongoDB 3.4 allows authenticating users via LDAP, Kerberos, or X.509 certificates without requiring local user documents in the $external database. When such a user successfully authenticates, MongoDB performs a query against the LDAP server to retrieve all groups which that LDAP user possesses and transforms those groups into their equivalent MongoDB roles.

This feature is available only for MongoDB 3.4 or later.

If you do not use LDAP Authorization, you can click Skip.

If you use LDAP Authorization, complete the following steps.

  1. Enter values for the following fields:

    Setting Value
    Authorization Query Template Specify a template for an LDAP query URL to retrieve the list of LDAP groups for an LDAP user.
    User to Distinguished Name Mapping Specify an array of JSON documents that provide the ordered transformation(s) MongoDB performs on the authenticated MongoDB usernames. MongoDB then matches the transformed username against the LDAP DNs.
  2. Click Use LDAP Authorization.

  3. Provide the following values:

    Setting Value
    Servers Specify the hostname:port combination of one or more LDAP servers.
    Transport Security Select TLS to encrypt your LDAP queries. If you do not need to encrypt the LDAP queries, select None.
    Timeout (ms) Specify how long an authentication request should wait before timing out.
    Bind Method

    Select either Simple or SASL.

    Important

    If you choose the Simple bind method, select TLS from the Transport Security because the Simple bind method passes the password in plain text.

    SASL Mechanisms Specify which SASL authentication service MongoDB uses with the LDAP server.
    Query User Specify the LDAP Distinguished Name to which MongoDB binds when connecting to the LDAP server.
    Query Password Specify the password with which MongoDB binds when connecting to an LDAP server.
    LDAP User Cache Invalidation Interval (s) Specify how long MongoDB waits to flush the LDAP user cache. Defaults to 30 seconds.
  4. Click Next.

4

Enable and configure SSL.

  1. Provide the following settings:

    Setting Action
    Enable SSL Click Yes.
    SSL CA File Path Provide the path on the server to the certificate authority PEM Key file.
    Client Certificate Mode Click REQUIRED.
  2. Click Next.

5

Configure X.509 Client Certificate (MONGODB-X509) for the Agents.

You can enable more than one authentication mechanism for your MongoDB deployment, but the Ops Manager Agents can only use one authentication mechanism. Select X.509 Client Certificate (MONGODB-X509) to connect to your MongoDB deployment.

  1. Click X.509 Client Certificate (MONGODB-X509) in the Agent Auth Mechanism drop-down menu.

  2. For each Agent, provide:

    Setting Value
    <Agent> Username Enter the LDAPv3 distinguished name derived from the Agent’s PEM Key file.
    <Agent> PEM Key file Provide the path and filename for the Agent’s PEM Key file on the server on the line for the appropriate operating system.
    <Agent> PEM Key Password Provide the password to the PEM Key file if it was encrypted.
    <Agent> LDAP Group DN

    Enter the Distinguished Name for the Agent’s LDAP Group.

    Note

    You only need to provide the Agent’s LDAP Group DN if you use LDAP Authorization.

  3. Click Save.

Only configure the Agents you installed.

Example

If you did not install the Backup Agent, do not configure the Backup agent.

6

Click Review & Deploy to review your changes.

7

Review and approve your changes.

Ops Manager displays your proposed changes.

  1. If you are satisfied, click Confirm & Deploy.
  2. Otherwise, click Cancel and you can make additional changes.
8

Create MongoDB Roles for LDAP Groups. (Optional)

After enabling LDAP Authorization, you need to create custom MongoDB roles for each LDAP Group you specified for LDAP Authorization.