Enable SSL for a Deployment
For Ops Manager to monitor, deploy, or back up a MongoDB deployment that uses TLS/SSL, you must enable TLS/SSL for the Ops Manager project.
Considerations
Topics Not in Scope
A full description of Transport Layer Security, public key infrastructure, X.509 certificates, and Certificate Authorities is beyond the scope of this tutorial. This tutorial assumes prior knowledge of TLS/SSL and access to valid X.509 certificates.
Monitoring and Backup Agents with TLS/SSL
Starting with Ops Manager 1.8, Ops Manager automatically configures the Monitoring and Backup Agents to connect to the managed deployment over TLS/SSL when you activate TLS/SSL for the Ops Manager project. You do not need to manually configure the agents’ TLS/SSL settings.
If you are not using automation for a deployment, you can still configure the monitoring and backup agents manually. To learn how to configure these agents, see Configure Monitoring Agent for SSL and Configure Backup Agent for SSL.
MongoDB 2.6 Supports TLS/SSL in Enterprise Only
To enable TLS/SSL for a deployment in MongoDB 2.6 and earlier, you must use the MongoDB Enterprise Edition or create a custom build with TLS/SSL enabled. To configure the available MongoDB versions for your Ops Manager project, see Configure Available MongoDB Versions.
Note
If you want to reset Authentication and SSL settings for your project, first unmanage any MongoDB deployments that Ops Manager manages in your project.
Procedures
Important
You must complete:
before you click Review & Deploy.
Set Existing Deployments to Use TLS/SSL
Changed in Ops Manager 2.0.3
Prior to Ops Manager version 2.0.3, if you enabled TLS/SSL on a project, all Ops Manager-managed MongoDB deployments in that project had to use TLS/SSL. With the Client Certificate Mode setting introduced in 2.0.3, you can set TLS/SSL certificates as optional or required for deployments in your project.
If you wish to enable TLS/SSL for existing MongoDB deployments in your Ops Manager project:
Click Deployment, then click the Processes tab, and then the Topology view.
On the line listing the process, click Modify.
Expand the Advanced Configuration Options section.
Set the TLS/SSL startup options.
Click Add Option to add each option.
Option | Required | Value |
---|---|---|
sslMode | Required | Select requireSSL. |
sslPEMKeyFile | Required | Type the absolute path to the client certificate .pem file on the MongoDB host in this box. |
sslPEMKeyPassword | Conditional | If you encrypted the sslPEMKeyFile, type the password to decrypt it in this box. |
sslClusterFile | Optional | Type the absolute path to the .pem file that contains the x.509 certificate file that members of a cluster or replica set use to authenticate with each other. If sslClusterFile does not specify the .pem file for internal cluster authentication, the cluster uses the .pem file you set as the sslPEMKeyFile option. |
sslClusterPassword | Conditional | If you encrypted the sslClusterFile, type the password to decrypt it in this box. |
sslDisabledProtocols | Optional | Type the versions of TLS that your deployment does not support. To specify multiple versions, type a comma-separated list of versions. Accepted values are: TLS1_0, TLS1_1, TLS1_2. |
After each option, click Add.
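An added example, not part of the Ops Manager documentation or product: a pre-flight check of the startup options from the table above before they are entered. It assumes Linux hosts (POSIX paths) and relies on mongod's requirement that a PEM key file hold both the certificate and its private key; the function names, sample path and PEM skeleton are constructed for illustration.

```python
import posixpath
import re

# Accepted sslDisabledProtocols values, as listed in the options table.
ACCEPTED_PROTOCOLS = {"TLS1_0", "TLS1_1", "TLS1_2"}

def pem_facts(text):
    """Return (has_certificate, has_private_key, key_is_encrypted) for PEM text."""
    labels = re.findall(r"-----BEGIN ([A-Z0-9 ]+)-----", text)
    has_cert = "CERTIFICATE" in labels
    has_key = any(label.endswith("PRIVATE KEY") for label in labels)
    # PKCS#8 marks encryption in the label; legacy PEM uses a Proc-Type header.
    encrypted = "ENCRYPTED PRIVATE KEY" in labels or "Proc-Type: 4,ENCRYPTED" in text
    return has_cert, has_key, encrypted

def check_tls_options(options, read_file):
    """Validate startup options against the table; return a list of problems."""
    problems = []
    if options.get("sslMode") != "requireSSL":
        problems.append("sslMode must be requireSSL")
    if "sslPEMKeyFile" not in options:
        problems.append("sslPEMKeyFile is required")
    for file_opt, pw_opt in (("sslPEMKeyFile", "sslPEMKeyPassword"),
                             ("sslClusterFile", "sslClusterPassword")):
        path = options.get(file_opt)
        if path is None:
            continue  # an unset sslClusterFile falls back to sslPEMKeyFile
        if not posixpath.isabs(path):
            problems.append(f"{file_opt} must be an absolute path")
            continue
        has_cert, has_key, encrypted = pem_facts(read_file(path))
        if not (has_cert and has_key):
            problems.append(f"{file_opt} needs both a certificate and a private key")
        if encrypted and not options.get(pw_opt):
            problems.append(f"{file_opt} is encrypted but {pw_opt} is not set")
    for proto in filter(None, options.get("sslDisabledProtocols", "").split(",")):
        if proto.strip() not in ACCEPTED_PROTOCOLS:
            problems.append(f"sslDisabledProtocols: unknown value {proto.strip()!r}")
    return problems

# Constructed PEM skeleton (labels only, no real key material) at a sample path.
SAMPLE_FILES = {"/etc/ssl/mongod.pem":
    "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n-----END ENCRYPTED PRIVATE KEY-----\n"}
SAMPLE_OPTIONS = {"sslMode": "requireSSL", "sslPEMKeyFile": "/etc/ssl/mongod.pem",
                  "sslDisabledProtocols": "TLS1_0,TLS1_1"}

if __name__ == "__main__":
    print(check_tls_options(SAMPLE_OPTIONS, SAMPLE_FILES.__getitem__))
```

On a real host, pass a `read_file` callable that opens the path on the MongoDB host instead of the in-memory sample.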
Enable TLS/SSL for the Project
Before using TLS/SSL in a deployment, you must enable TLS/SSL for the project. You can set TLS/SSL as optional or required for every deployment in the project.
On the Select Authentication Mechanisms screen, click Next.
If you wish to enable one or more Authentication Mechanisms for your Ops Manager project, select them and then click Next.
Specify the SSL Settings.
Field | Action |
---|---|
Enable TLS/SSL | Toggle this slider to Yes. |
TLS/SSL CA File Path | The TLS/SSL CA file is a
Type the file path to the SSL CA file on every host running a MongoDB process:
This enables the |
Client Certificate Mode | Specify whether client TLS/SSL certificates are optional or required for every MongoDB deployment in the project. |
Click Continue.
Configure the Ops Manager Agents.
Field | Action |
---|---|
Agent Auth Mechanism | In this list, click X.509 Client Certificate. |
Automation Agent Username | Type the MongoDB user name for the Automation Agent. |
Backup Agent Username | Type the MongoDB user name for the Backup Agent. |
Monitoring Agent Username | Type the MongoDB user name for the Monitoring Agent. |
Automation Agent PEM Key File | Type the file path on the Agent hosts to the PEM key file. |
Automation Agent PEM Key Password | Optional. If you encrypted the Agent’s PEM key file, enter its password in this box. |
Backup Agent PEM Key File | Type the file path on the Agent hosts to the PEM key file. |
Backup Agent PEM Key Password | Optional. If you encrypted the Agent’s PEM key file, enter its password in this box. |
Monitoring Agent PEM Key File | Type the file path on the Agent hosts to the PEM key file. |
Monitoring Agent PEM Key Password | Optional. If you encrypted the Agent’s PEM key file, enter its password in this box. |
Click Save.
Click Review & Deploy to review your changes.
Click Confirm & Deploy to deploy your changes.
Otherwise, click Cancel and you can make additional changes.