This version of the manual is no longer supported. It will be removed on 31 July 2021.

Configure Automation Agent for SSL

Ops Manager supports SSL for encrypting the following connections made by Automation Agents:

  • Connections between the Automation Agents and MongoDB instances.
  • Connections between the Automation Agents and Ops Manager.

Prerequisite

To configure the agent to use SSL, you must have a trusted CA certificate that signed the MongoDB instance’s certificate.

Procedures

Connections between Agent and MongoDB Instances

To use SSL for the Automation Agent’s connection to a MongoDB host, specify the host’s SSL settings when adding the host or by editing the host’s settings.

Note

Ops Manager can manage TLS/SSL for you if you are using Automation for the deployment. With Automation, Ops Manager prompts you for the certificates to use to connect to the deployment when you enable TLS/SSL and then configures the agents appropriately. To learn how to configure TLS/SSL, see Enable TLS for a Deployment.

Connections between Agent and Ops Manager

To ensure that the Automation Agents use TLS/SSL when connecting to Ops Manager, configure Ops Manager to use TLS/SSL for all connections. The Configure TLS Connections to Ops Manager tutorial describes how to set up Ops Manager to run over TLS/SSL, also known as HTTPS.

By default, the Automation Agent validates the Ops Manager TLS/SSL certificate.

If you are not using a certificate signed by a trusted third party, you must configure the Automation Agent to trust Ops Manager.

To specify a self-signed certificate for Ops Manager that the Automation Agent should trust:

1. Copy your PEM certificate to /etc/mongodb-mms/.

Issue the following sequence of commands:

sudo cp -a mms-ssl-unified.crt /etc/mongodb-mms/
sudo chown mongodb-mms-agent:mongodb-mms-agent /etc/mongodb-mms/mms-ssl-unified.crt
sudo chmod 600 /etc/mongodb-mms/mms-ssl-unified.crt

2. Edit the following parameters in the configuration file. Its location depends on your platform and installation method:

  • C:\MMSData\Automation\automation-agent.config
  • /path/to/install/local.config
  • /etc/mongodb-mms/automation-agent.config

Note

We highly recommend you specify the optional tlsMMSServerClientCertificate parameter.

httpsCAFile=/etc/mongodb-mms/mms-ssl-unified.crt
tlsRequireValidMMSServerCertificates=true # optional
tlsMMSServerClientCertificate=/etc/pki/tls/certs/client.pem # optional: depends on mms.https.ClientCertificateMode

3. Restart the Automation Agent for the configuration update to take effect.

sudo systemctl restart mongodb-mms-automation-agent
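
The following check is an added example, not part of the Ops Manager documentation: it audits an agent configuration file for the settings from the steps above (CA file present, PEM-formatted, mode 600, validation not disabled). The function names get_setting and check_agent_tls are hypothetical, and the script assumes key=value lines where a trailing "# ..." is a comment and the last occurrence of a key wins.

```shell
#!/bin/sh
# Added example: audit an Automation Agent config for the TLS settings above.
# get_setting and check_agent_tls are hypothetical helper names.

# Print the value of KEY ($2) from the key=value file $1, dropping any
# trailing "# comment" and surrounding whitespace (assumed file syntax).
get_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Return 0 if the config pins a CA file safely and keeps validation on.
check_agent_tls() {
    conf=$1
    rc=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 2; }

    ca=$(get_setting "$conf" httpsCAFile)
    if [ -z "$ca" ]; then
        echo "FAIL: httpsCAFile is not set"; rc=1
    elif [ ! -f "$ca" ]; then
        echo "FAIL: httpsCAFile points to a missing file: $ca"; rc=1
    else
        grep -q -- '-----BEGIN CERTIFICATE-----' "$ca" ||
            { echo "FAIL: $ca holds no PEM certificate"; rc=1; }
        # Characters 5-10 of the ls mode string are the group/other bits;
        # chmod 600 leaves all of them as '-'.
        perms=$(ls -ld "$ca" | cut -c5-10)
        [ "$perms" = "------" ] ||
            { echo "FAIL: $ca is accessible to group/other"; rc=1; }
    fi

    # Validation is on by default, so only an explicit false is a finding.
    valid=$(get_setting "$conf" tlsRequireValidMMSServerCertificates)
    case $valid in
        [Ff][Aa][Ll][Ss][Ee])
            echo "FAIL: server certificate validation is disabled"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $conf"
    return "$rc"
}
```

Source the file and run check_agent_tls /etc/mongodb-mms/automation-agent.config as a user that can read both the configuration file and the certificate.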