Navigation
This version of the documentation is archived and no longer supported. It will be removed on EOL_DATE. To learn how to upgrade your version of MongoDB Ops Manager, refer to the upgrade documentation.
You were redirected from a different version of the documentation. Click here to go back.
This version of the manual is no longer supported. It will be removed on EOL_DATE.

Enable Username and Password Authentication for your Ops Manager Project

Overview

Ops Manager enables you to configure the Authentication Mechanisms that all clients, including the Ops Manager Agents, use to connect to your MongoDB deployments. You can enable multiple authentication mechanisms for each of your projects, but you must choose only one mechanism for the Agents.

MongoDB users can use usernames and passwords to authenticate themselves against a MongoDB database.

MongoDB Version Default authentication mechanism
MongoDB 4.0 Salted Challenge Response Authentication Mechanism (SCRAM) using the SHA-1 and SHA-256 hashing algorithms (SCRAM-SHA-1 and SCRAM-SHA-256).
MongoDB 3.0 to 3.6 Salted Challenge Response Authentication Mechanism (SCRAM) using the SHA-1 hashing algorithm (SCRAM-SHA-1).
MongoDB 2.8 and earlier MongoDB Challenge and Response (MONGODB-CR).

SCRAM-SHA-1 and SCRAM-SHA-256

SCRAM-SHA-1 (RFC 5802) and SCRAM-SHA-256 (RFC 7677) are IETF standards that define best practice methods for implementation of challenge-response mechanisms for authenticating users with passwords.

SCRAM-SHA-1 and SCRAM-SHA-256 verify supplied user credentials using the user’s name, password and authentication database. The authentication database is the database where the user was created.

Considerations

This tutorial describes how to enable Username and Password authentication for your Ops Manager MongoDB deployment.

Note

The MongoDB Community version supports Username and Password authentication and x.509 authentication.

Note

If you want to reset Authentication and SSL settings for your project, first unmanage any MongoDB deployments that Ops Manager manages in your project.

Procedure

This procedure describes how to configure and enable username and password authentication when using Automation. If your Monitoring or Backup agents are not managed by Ops Manager, you must manually configure them to use Usernames and Passwords. See Configure Monitoring Agent for Authentication and Configure Backup Agent for Authentication for instructions.

Note

If you configure the Ops Manager application to authenticate using SCRAM-SHA-256, you cannot deploy pre-4.0 MongoDB clusters.

1
2

Check Username/Password (MONGODB-CR/SCRAM-SHA-1) or Username/Password (SCRAM-SHA-256), then click Next.

3

Configure SSL if desired.

  1. Toggle the Enable SSL slider to Yes.
  2. Click Next.

Note

See Enable SSL for a Deployment for SSL setup instructions.

SSL is not required for use with Username/Password (MONGODB-CR/SCRAM-SHA-1) or authentication.

4

Configure Username/Password (MONGODB-CR/SCRAM-SHA-1) or Username/Password (SCRAM-SHA-256) for the Agents.

You can enable more than one authentication mechanism for your MongoDB deployment, but the Ops Manager Agents can only use one authentication mechanism. Select Username/Password (MONGODB-CR/SCRAM-SHA-1) to connect to your MongoDB deployment.

  1. Check Username/Password (MONGODB-CR/SCRAM-SHA-1) and/or Username/Password (SCRAM-SHA-256) from Agent Auth Mechanism.

    Ops Manager automatically generates the Agents’ usernames and passwords.

    Ops Manager creates users for the agents with the required user roles in the admin database for each existing deployment in Ops Manager. When you add a new deployment, Ops Manager creates the required users in the new deployment.

  2. Click Save.

5

Click Review & Deploy to review your changes.

6

Click Confirm & Deploy to deploy your changes.

Otherwise, click Cancel and you can make additional changes.

7

Create MongoDB Roles for LDAP Groups. (Optional)

After enabling LDAP Authorization, you need to create custom MongoDB roles for each LDAP Group you specified for LDAP Authorization.