- Agents >
- Monitoring Agent >
- Configure Monitoring Agent for SSL
Configure Monitoring Agent for SSL¶
On this page
Overview¶
Ops Manager supports SSL for encrypting the following connections made by Monitoring Agents:
- Connections between the Monitoring Agents and MongoDB instances.
- Connections between the Monitoring Agents and Ops Manager.
Prerequisite¶
To configure the agent to use SSL, you must have a trusted CA certificate that signed the MongoDB instance’s certificate.
Procedures¶
Connections between Agents and MongoDB Instances¶
To use SSL for the Monitoring Agent’s connection to a MongoDB host, specify the host’s SSL settings when adding the host or by editing the host’s settings.
Note
Ops Manager can manage TLS/SSL for you if you using Automation for the deployment. With Automation, Ops Manager prompts you for the certificates to use to connect to the deployment when you enable TLS/SSL and then configures the agents appropriately.To learn how to configure TLS/SSL, see Enable SSL for a Deployment.
Specify path to trusted CA certificate.¶
If your MongoDB deployment uses SSL, then you must configure the Monitoring Agent to use SSL. To configure the agent to use SSL, you must have a trusted CA certificate that signed the MongoDB instance’s certificate.
In the agent’s install directory, edit the
monitoring-agent.config
file to set
sslTrustedServerCertificates
field to the path of a
file containing one or more certificates in PEM format. For example
if you would use the following command to connect through the
mongo shell:
Then you would set:
By default, the sslRequireValidServerCertificates
setting
is true
, and a valid trusted certificate is required to connect to
MongoDB instances using SSL.
When the Monitoring Agent is managed by
the Automation Agent, this setting cannot be set to false
. However,
you can set sslRequireValidServerCertificates
to false
if you install and configure the Monitoring Agent manually. When
sslRequireValidServerCertificates
is false
, you do
not need to set the sslTrustedServerCertificates
setting because Ops Manager will not verify the certificates.
Warning
Setting sslRequireValidServerCertificates
to false
makes connections between the Monitoring Agent and MongoDB databases
susceptible to man-in-the-middle
attacks. Setting sslRequireValidServerCertificates
to false
is recommended only for testing and not for production.
For additional information on these settings, including client certificate support, see MongoDB SSL Settings.
Restart the agent.¶
Connections between Agents and Ops Manager¶
To ensure that the Monitoring Agents use TLS/SSL when connecting to Ops Manager, configure Ops Manager to use TLS/SSL for all connections. The Configure SSL Connections to Ops Manager tutorial describes how to set up Ops Manager to run over TLS/SSL, also known as HTTPS.
By default, the Monitoring Agent validates the Ops Manager TLS/SSL certificate.
If you are not using a certificate signed by a trusted 3rd party, you must configure the Monitoring Agent to trust Ops Manager.
To specify a self-signed certificate for Ops Manager that the Monitoring Agent should trust:
Copy your PEM certificate to /etc/mongodb-mms/
.¶
Issue the following sequence of commands:
Edit the following parameter in /etc/mongodb-mms/monitoring-agent.config
.¶
For example:
Restart the Monitoring Agent for the configuration update to take effect.¶
For example: