Enable SSL for a Deployment
For Ops Manager to monitor, deploy, or back up a MongoDB deployment that uses TLS/SSL, you must enable TLS/SSL for the Ops Manager project.
Considerations
Topics Not in Scope
A full description of Transport Layer Security, public key infrastructure, X.509 certificates, and Certificate Authorities is beyond the scope of this tutorial. This tutorial assumes prior knowledge of TLS/SSL and access to valid X.509 certificates.
Monitoring and Backup Agents with TLS/SSL
Starting with Ops Manager 1.8, Ops Manager automatically configures the Monitoring and Backup Agents to connect to the managed deployment over TLS/SSL when you activate TLS/SSL for the Ops Manager project. You do not need to manually configure the agents’ TLS/SSL settings.
If you are not using automation for a deployment, you can still configure the monitoring and backup agents manually. To learn how to configure these agents, see Configure Monitoring Agent for SSL and Configure Backup Agent for SSL.
MongoDB 2.6 Supports TLS/SSL in Enterprise Only
To enable TLS/SSL for a deployment in MongoDB 2.6 and earlier, you must use the MongoDB Enterprise Edition or create a custom build with TLS/SSL enabled. To configure the available MongoDB versions for your Ops Manager project, see Add a Custom MongoDB Build.
Note
If you want to reset Authentication and SSL settings for your project, first unmanage any MongoDB deployments that Ops Manager manages in your project.
Procedures
Important
You must complete:
before you click Review & Deploy.
Set Existing Deployments to Use TLS/SSL
Important
With the Client Certificate Mode setting, you can set whether a client must present a TLS certificate to connect to the deployments in your project. If you enable TLS for your project, all deployments in the project must use TLS.
If you wish to enable TLS/SSL for existing MongoDB deployments in your Ops Manager project:
Click Deployment, then click the Processes tab, and then the Topology view.
On the line listing the process, click Modify.
Expand the Advanced Configuration Options section.
Set the TLS/SSL startup options.
Click Add Option to add each of the following options:

Option | Required | Value
---|---|---
sslMode | Required | Select requireSSL.
sslPemKeyFile | Required | Provide the absolute path to the server certificate: the PEM file that contains the server certificate and its private key.
sslPemKeyPassword | Required if the PEM key file is encrypted | Provide the password for the PEM key file.
sslFIPSMode | Optional | Select true if you want to enable FIPS mode.

After adding each option, click Add.
When you have added the required options, click Save.
Enable TLS/SSL for the Project
Before using TLS/SSL in a deployment, you must enable TLS/SSL for the project. You can set TLS/SSL as optional or required for every deployment in the project.
On the Select Authentication Mechanisms screen, click Next.
If you wish to enable one or more Authentication Mechanisms for your Ops Manager project, select them and then click Next.
Specify the TLS/SSL Settings.
Field | Action
---|---
Enable TLS/SSL | Toggle this slider to Yes.
TLS/SSL CA File Path | Type the file path to the TLS/SSL Certificate Authority file on every host running a MongoDB process. The deployment validates the certificates presented to it against this CA.
Client Certificate Mode | Select whether client applications or Ops Manager Agents must present a TLS certificate when connecting to a TLS-enabled MongoDB deployment. Each MongoDB deployment checks the certificates of these client hosts when they try to connect. If you choose to require client TLS certificates, make sure they are valid. Accepted values are:

Note: For backward compatibility, Ops Manager continues to allow you to set the net.ssl.weakCertificateValidation parameter in the MongoDB configuration file. That setting lets clients connect without presenting a certificate, so do not rely on it for new deployments.
Click Continue.
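The two tables above (the per-process startup options and the project-level TLS settings) have to agree with each other and with the files on disk, and a mismatch usually only surfaces when mongod refuses to start after Review & Deploy. The following pre-deploy check is an added example, not Ops Manager's own code or tooling. It assumes the per-process options are available as a dict keyed by the option names in the table (sslMode, sslPemKeyFile, sslPemKeyPassword, plus sslWeakCertificateValidation, the command-line form of net.ssl.weakCertificateValidation) and the project settings as a dict with hypothetical keys enable_tls, client_certificate_mode and ca_file_path; the PEM contents are constructed placeholders, not real keys.

```python
import os
import re
import stat
import tempfile

# One PEM block: label in group 1, body (headers + base64) in group 2.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

# Constructed sample files (placeholder base64, NOT real key material) used by demo().
CERT_ONLY_PEM = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
SERVER_PEM = CERT_ONLY_PEM + "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
ENCRYPTED_PEM = CERT_ONLY_PEM + (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n-----END ENCRYPTED PRIVATE KEY-----\n")


def pem_blocks(path):
    """Return [(label, body)] for every PEM block in the file."""
    with open(path, encoding="ascii") as f:
        return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(f.read())]


def check_pem_key_file(path, password=None):
    """sslPemKeyFile must hold the server certificate AND its private key in one file;
    an encrypted key needs sslPemKeyPassword; the file must not be world/group readable."""
    if not os.path.isfile(path):
        return [f"{path}: file not found"]
    blocks = pem_blocks(path)
    labels = [lab for lab, _ in blocks]
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append(f"{path}: no CERTIFICATE block")
    key_blocks = [(lab, body) for lab, body in blocks if lab.endswith("PRIVATE KEY")]
    if not key_blocks:
        problems.append(f"{path}: no private key block (cert and key must be in one file)")
    # PKCS#8 encrypted keys use the ENCRYPTED label; legacy PEM keys carry a Proc-Type header.
    encrypted = any(lab.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in body
                    for lab, body in key_blocks)
    if encrypted and not password:
        problems.append(f"{path}: private key is encrypted but sslPemKeyPassword is not set")
    if os.name == "posix":
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{path}: mode {mode:03o} is readable by group/other")
    return problems


def check_tls_options(process_opts, project):
    """Cross-check one process's startup options against the project TLS settings."""
    problems = []
    mode = process_opts.get("sslMode")
    if project.get("enable_tls") and mode != "requireSSL":
        problems.append("project enables TLS but sslMode is not requireSSL")
    if mode in ("allowSSL", "preferSSL", "requireSSL") and "sslPemKeyFile" not in process_opts:
        problems.append("sslMode is set but sslPemKeyFile is missing")
    if project.get("client_certificate_mode") == "required" and not project.get("ca_file_path"):
        problems.append("client certificates are required but no CA file path is configured")
    if process_opts.get("sslWeakCertificateValidation"):
        problems.append("sslWeakCertificateValidation lets clients connect without a certificate")
    if "sslPemKeyFile" in process_opts:
        problems.extend(check_pem_key_file(process_opts["sslPemKeyFile"],
                                           process_opts.get("sslPemKeyPassword")))
    return problems


def demo():
    """Run the checks over the constructed samples; returns {case: [problems]}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name, content, perm in (("server", SERVER_PEM, 0o600),
                                    ("cert_only", CERT_ONLY_PEM, 0o600),
                                    ("encrypted", ENCRYPTED_PEM, 0o644)):
            p = os.path.join(d, name + ".pem")
            with open(p, "w", encoding="ascii") as f:
                f.write(content)
            os.chmod(p, perm)
            paths[name] = p
        project = {"enable_tls": True, "client_certificate_mode": "required",
                   "ca_file_path": "/etc/ssl/ca.pem"}  # hypothetical path
        results["good"] = check_tls_options(
            {"sslMode": "requireSSL", "sslPemKeyFile": paths["server"]}, project)
        results["cert_only"] = check_tls_options(
            {"sslMode": "requireSSL", "sslPemKeyFile": paths["cert_only"]}, project)
        results["encrypted_no_password"] = check_tls_options(
            {"sslMode": "requireSSL", "sslPemKeyFile": paths["encrypted"]}, project)
        results["weak"] = check_tls_options(
            {"sslMode": "preferSSL", "sslPemKeyFile": paths["server"],
             "sslWeakCertificateValidation": True}, dict(project, ca_file_path=""))
    return results


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "ok")
```

The "weak" case shows why the project-level and process-level settings are checked together: a process left on preferSSL with weak certificate validation passes TLS negotiation but silently accepts unauthenticated clients, which defeats the point of requiring client certificates at the project level.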
Configure the Ops Manager Agents.
Field | Action
---|---
Agent Auth Mechanism | In this list, click X.509 Client Certificate.
Automation Agent Username | Type the MongoDB user name for the Automation Agent. With X.509 authentication this is the subject of the agent's client certificate, as created in the $external database.
Backup Agent Username | Type the MongoDB user name for the Backup Agent (the subject of its client certificate).
Monitoring Agent Username | Type the MongoDB user name for the Monitoring Agent (the subject of its client certificate).
Automation Agent PEM Key File | Type the file path on the Agent hosts to the Automation Agent's PEM key file (client certificate and private key).
Automation Agent PEM Key Password | Optional. If you encrypted the Agent's PEM key file, enter its password in this box.
Backup Agent PEM Key File | Type the file path on the Agent hosts to the Backup Agent's PEM key file.
Backup Agent PEM Key Password | Optional. If you encrypted the Agent's PEM key file, enter its password in this box.
Monitoring Agent PEM Key File | Type the file path on the Agent hosts to the Monitoring Agent's PEM key file.
Monitoring Agent PEM Key Password | Optional. If you encrypted the Agent's PEM key file, enter its password in this box.
Click Save.
Click Review & Deploy to review your changes.
Click Confirm & Deploy to deploy your changes.
Otherwise, click Cancel and you can make additional changes.