Enable SSL for a Deployment

For Ops Manager to monitor, deploy, or back up a MongoDB deployment that uses TLS/SSL, you must enable TLS/SSL for the Ops Manager project.

Considerations

Topics Not in Scope

A full description of Transport Layer Security, public key infrastructure, X.509 certificates, and Certificate Authorities is beyond the scope of this tutorial. This tutorial assumes prior knowledge of TLS/SSL and access to valid X.509 certificates.

Monitoring and Backup Agents with TLS/SSL

Starting with Ops Manager 1.8, Ops Manager automatically configures the Monitoring and Backup Agents to connect to the managed deployment over TLS/SSL when you activate TLS/SSL for the Ops Manager project. You do not need to manually configure the agents’ TLS/SSL settings.

If you are not using automation for a deployment, you can still configure the Monitoring and Backup Agents manually. To learn how to configure these agents, see Configure Monitoring Agent for SSL and Configure Backup Agent for SSL.

MongoDB 2.6 Supports TLS/SSL in Enterprise Only

To enable TLS/SSL for a deployment in MongoDB 2.6 and earlier, you must use the MongoDB Enterprise Edition or create a custom build with TLS/SSL enabled. To configure the available MongoDB versions for your Ops Manager project, see Add a Custom MongoDB Build.

Note

If you want to reset Authentication and SSL settings for your project, first unmanage any MongoDB deployments that Ops Manager manages in your project.

Procedures

Important

You must complete:

  1. Set Existing Deployments to Use TLS/SSL, then
  2. Enable SSL for the Project

before you click Review & Deploy.

Set Existing Deployments to Use TLS/SSL

Important

With the Client Certificate Mode setting, you can set whether the client must present a TLS certificate to connect to the deployments in your project. If you enable TLS for your project, all deployments must use TLS.

If you wish to enable TLS/SSL for existing MongoDB deployments in your Ops Manager project:

1

Click Deployment, then click the Processes tab, and then the Topology view.

2

On the line listing the process, click Modify.

3

Expand the Advanced Configuration Options section.

4

Set the TLS/SSL startup options.

  1. Click Add Option to add each of the following options:

    Option             Required?  Value
    sslMode            Required   Select requireSSL.
    sslPemKeyFile      Required   Provide the absolute path to the server certificate.
    sslPemKeyPassword  Required   Provide the PEM key file password if you encrypted it.
    sslFIPSMode        Optional   Select true if you want to enable FIPS mode.
  2. After adding each option, click Add.

  3. When you have added the required options, click Save.

Enable TLS/SSL for the Project

Before using TLS/SSL in a deployment, you must enable TLS/SSL for the project. You can set TLS/SSL as optional or required for every deployment in the project.

1
2

On the Select Authentication Mechanisms screen, click Next.

If you wish to enable one or more Authentication Mechanisms for your Ops Manager project, select them and then click Next.

3

Specify the TLS/SSL Settings.

Enable TLS/SSL: Toggle this slider to Yes.

TLS/SSL CA File Path:

The TLS Certificate Authority file is a .pem-format certificate file that contains the root certificate chain from the Certificate Authority. The Monitoring and Backup Agents use this same Certificate Authority file to connect to every item in your deployment.

Type the file path to the TLS/SSL Certificate Authority file on every host running a MongoDB process:

  • Type the file path on all Linux hosts in the first box.
  • Type the file path on all Windows hosts in the second box.

This enables the net.ssl.CAFile setting for the MongoDB processes in the project.

Client Certificate Mode:

Select whether client applications or Ops Manager Agents must present a TLS certificate when connecting to TLS-enabled MongoDB deployments. Each MongoDB deployment checks the certificates presented by these client hosts when they try to connect. If you choose to require client TLS certificates, make sure they are valid.

Accepted values are:

OPTIONAL: Every client may present a valid TLS certificate when connecting to MongoDB deployments. Ops Manager Agents might use TLS certificates if you don’t set the mongod tlsMode to None.
REQUIRED: Every MongoDB deployment in this project starts with TLS-encrypted network connections. All Agents must use TLS to connect to any MongoDB deployment.

Note

For backward compatibility, Ops Manager continues to allow you to set the net.ssl.weakCertificateValidation parameter in the MongoDB configuration file to implement TLS.

Click Continue.

4

Configure the Ops Manager Agents.

Agent Auth Mechanism: In this list, click X.509 Client Certificate.
Automation Agent Username: Type the MongoDB user name for the Automation Agent.
Backup Agent Username: Type the MongoDB user name for the Backup Agent.
Monitoring Agent Username: Type the MongoDB user name for the Monitoring Agent.
Automation Agent PEM Key File: Type the file path on the Agent hosts to the PEM key file.

  • The first box is for all Linux Agent hosts.
  • The second box is for all Windows Agent hosts.

Automation Agent PEM Key Password: Optional. If you encrypted the Agent’s PEM key file, enter its password in this box.
Backup Agent PEM Key File: Type the file path on the Agent hosts to the PEM key file.

  • The first box is for all Linux Agent hosts.
  • The second box is for all Windows Agent hosts.

Backup Agent PEM Key Password: Optional. If you encrypted the Agent’s PEM key file, enter its password in this box.
Monitoring Agent PEM Key File: Type the file path on the Agent hosts to the PEM key file.

  • The first box is for all Linux Agent hosts.
  • The second box is for all Windows Agent hosts.

Monitoring Agent PEM Key Password: Optional. If you encrypted the Agent’s PEM key file, enter its password in this box.

Click Save.

5

Click Review & Deploy to review your changes.

6

Click Confirm & Deploy to deploy your changes.

Otherwise, click Cancel to make additional changes.
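Before you click Review & Deploy, the files the two procedures above reference are worth checking on each host: the combined certificate-and-key file given to sslPemKeyFile (and its sslPemKeyPassword, if encrypted), and the CA file that every Monitoring and Backup Agent will trust. The script below is an added example, not part of Ops Manager or MongoDB; the function names, the placeholder paths and the assumption that openssl is installed on the host are assumptions.

```shell
#!/bin/sh
# Pre-deploy sanity check for the TLS files used by this tutorial: the PEM file
# given to sslMode requireSSL / sslPemKeyFile (server certificate plus private
# key in one file) and the project's TLS/SSL CA File (net.ssl.CAFile).
# Added example, not Ops Manager code; paths and openssl usage are assumptions.

# check_pem_key_file FILE [PASSWORD]
# Returns 0 when FILE is an absolute, readable PEM file holding a certificate
# and a private key (decryptable with PASSWORD) that belong to each other.
check_pem_key_file() {
    file=$1
    pass=$2
    case "$file" in
        /*) ;;
        *) echo "sslPemKeyFile must be an absolute path: $file" >&2; return 1 ;;
    esac
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    # Public key taken from the certificate block ...
    cert_pub=$(openssl x509 -in "$file" -noout -pubkey 2>/dev/null) \
        || { echo "no certificate in $file" >&2; return 1; }
    # ... and derived from the private key block. The password is always passed
    # (possibly empty) so an encrypted key fails instead of prompting.
    key_pub=$(openssl pkey -in "$file" -passin "pass:$pass" -pubout 2>/dev/null) \
        || { echo "no private key in $file, or wrong sslPemKeyPassword" >&2; return 1; }
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "certificate and private key in $file do not match" >&2; return 1; }
}

# check_ca_chain CA_FILE PEM_FILE
# Returns 0 when the server certificate in PEM_FILE chains to CA_FILE, the
# bundle the Agents use to validate every MongoDB process in the project.
check_ca_chain() {
    ca=$1
    pem=$2
    [ -r "$ca" ] || { echo "cannot read CA file $ca" >&2; return 1; }
    openssl verify -CAfile "$ca" "$pem" >/dev/null 2>&1 \
        || { echo "certificate in $pem does not chain to $ca" >&2; return 1; }
}

# Usage: check_tls_files.sh /path/to/mongod.pem /path/to/ca.pem [pem-password]
# (placeholder paths); run on each host before clicking Review & Deploy.
if [ "$#" -ge 2 ]; then
    check_pem_key_file "$1" "$3" && check_ca_chain "$2" "$1" && echo "TLS files OK"
fi
```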