Docs Menu
Docs Home
/ /
Security
Docs Home
/
Management
/
Ops Manager
/
Security
Docs Home
/
Management
/
Ops Manager
/
Security

Configure TLS Connections to Ops Manager

You can configure Ops Manager to encrypt connections from all MongoDB Agents to Ops Manager, from website clients to the Ops Manager Application, and from API clients to the REST API.

To encrypt connections, you can:

  • Set up an HTTPS proxy in front of Ops Manager, or

  • Run the Ops Manager Application over HTTPS, as described on this page.

The following procedure configures Ops Manager with a .pem file that contains the Ops Manager host's TLS certificate.

The MongoDB Agent uses HTTPS after successfully completing the procedure.

Tip

To learn more about .pem files, read the .pem file section in the MongoDB manual.

Prerequisites

  • Update to or install the MongoDB Agent.

  • Add any TLS-related custom settings to your MongoDB Agent configuration.

Configure Ops Manager Application for TLS

1

Upload the certificate file to each Ops Manager host

  1. Upload your .pem file to each Ops Manager Application host. This certificate must be uploaded to each Ops Manager host so they can accept TLS connections

  2. Change the owner of the .pem file to the user and group that own the Ops Manager process

  3. Change the permissions of the .pem file so only the file owner can read and write the file

2

Enable TLS for the Ops Manager Application

  1. Click Admin in the Ops Manager application to view the Admin interface

  2. Click the General tab

  3. Click Ops Manager Config

  4. Click Web Server & Email

  5. Set the following options under Web Server heading:

    Option
    Action

    URL to Access Ops Manager

    Provide the full URL for Ops Manager Application including port 8443 for HTTPS access.

    For example:

    https://opsmanager.example.com:8443

    HTTPS PEM Key File

    Type the absolute file system path where the .pem file is located on all Ops Manager hosts in this box.

    HTTPS PEM Key File Password

    If you encrypted the HTTPS PEM Key File, type the password needed to decrypt it in this box.

    Client Certificate Mode

    Select if client applications or MongoDB Agents must present a TLS certificate when connecting to a TLS-enabled Ops Manager. Ops Manager checks for certificates from these client hosts when they try to connect. If you choose to require the client TLS certificates, make sure they are valid.

    Accepted values are:

    • None

    • Required for Agents Only

    • Required for All Requests

  6. Click Save

3

(Optional) Change the minimum TLS version

In Ops Manager Server 4.4.13 and later, the Ops Manager Application requires its clients to use TLS version 1.2 by default.

To change the minimum TLS version:

  1. Click Admin in the Ops Manager application to view the Admin interface

  2. Click the General tab

  3. Click Ops Manager Config

  4. Click Custom

  5. Configure the minimum TLS version

  6. Enter mms.minimumTLSVersion in the Key box

  7. Enter a minimum TLS version in the Value box

    The following values are accepted:

    • TLSv1

    • TLSv1.1

    • TLSv1.2

  8. Click Save

4

(Optional) Specify which TLS cipher suites you want to exclude

To exclude specific TLS cipher suites from TLS connections with the Ops Manager Application.

  1. Click Admin in the Ops Manager application to view the Admin interface

  2. Click the General tab

  3. Click Ops Manager Config

  4. Click Custom

  5. Enter mms.disableCiphers in the Key box

  6. Enter a comma-separated list of cipher suites to disable in the Value box

    Important

    Cipher suite names used in Ops Manager must follow RFC 5246 naming conventions. Do not use the OpenSSL naming convention.

    For example, use TLS_RSA_WITH_NULL_SHA256, not NULL-SHA256.

  7. Click Save

5

Restart each Ops Manager host to enable TLS

Restart the Ops Manager Application per the instructions to Start and Stop Ops Manager Application.

Configure MongoDB Agents to use TLS

On each MongoDB host in your cluster:

1

Open MongoDB Agent configuration file in your preferred text editor

The location of the MongoDB Agent configuration file depends on your platform:

/path/to/install/local.config
/etc/mongodb-mms/automation-agent.config
/etc/mongodb-mms/automation-agent.config
/path/to/install/local.config
2

Change mmsBaseUrl and TLS settings

Set or add the following properties where needed:

Option
Necessity
Action

mmsbaseurl

Required

Set this value to match the URL you entered in the URL to Access Ops Manager box.

IMPORTANT: Ensure that you update both this property and the URL to Access Ops Manager box. Both values must match. If Monitoring and Backup are enabled for the MongoDB Agent, they use the URL to Access Ops Manager configured on the Ops Manager server, unless the mmsBaseURL custom monitoring setting is set for the MongoDB Agent. For more information, see the MongoDB Agent Monitoring Settings.

tlsRequireValidMMSServerCertificates

Conditional

Set this value to true if all of the following apply:

  • You want the agent to validate TLS certificates of Ops Manager.

  • You signed the TLS certificates of your Ops Manager hosts with a known external Certificate Authority or self-signed Certificate Authority.

If you set this value to true, you must set httpsCAFile.

httpsCAFile

Conditional

If you are using your own self-signed Certificate Authority .pem files, add this property and set it to the absolute path to your Certificate Authority file on the MongoDB host.

IMPORTANT: This Certificate Authority file must be in the same location on each MongoDB host in the same sharded cluster or replica set. Any MongoDB host that does not have the file in the same file location as the others may become unaccessible.

Add the Certificate Authority for the downloads.mongodb.com certificate to this .pem file if you:

  1. Need your MongoDB Agents to download their MongoDB
    installers from the Internet,

  2. Use TLS to encrypt connections, and

  3. Signed your certificates with a private CA. (You set the httpsCAFile option.)

To learn how to download TLS certificates from another web site, see the OpenSSL Cookbook entry.

tlsMMSServerClientCertificate

Conditional

If you set Client Certificate Mode in Ops Manager to Required for Agents Only or Required for All Requests, add this value and specify the absolute path to the file containing the client's private key, certificate, and optional intermediate certificates in .pem format .

tlsMMSServerClientCertificatePassword

Conditional

If you encrypted the tlsMMSServerClientCertificate .pem file, provide the password needed to decrypt it.

3

Click Save

4

Restart the MongoDB Agent

Disable TLS for a Replica Set

To disable TLS for a replica set with Ops Manager, perform the following steps:

1

Access Project Settings

Navigate to the project settings for your replica set in Ops Manager.

2

Go to security settings

Go to the Security tab and select Settings.

3

Disable TLS

Toggle the MongoDB Deployment Transport Layer Security (TLS) slider to OFF.

Important

Remove any paths related to CA files or certificates or leave them blank.

4

Review & Deploy

To review your changes, click Review & Deploy.

To confirm your changes, click Confirm & Deploy.

5

Monitor Changes

After you deploy, monitor your replica set to ensure that connections are functioning as expected without TLS.

Back

Encrypt User Credentials

Next

Secure Application Database

On this page