This version of the documentation is archived and no longer supported. To learn how to upgrade your version of MongoDB Ops Manager, refer to the upgrade documentation.
You were redirected from a different version of the documentation. Click here to go back.

Configure Backup Agent for SSL


If your MongoDB deployment uses SSL, then you must configure the Backup Agent to use SSL to connect to your deployment’s mongod and mongos instances.

Configuring the agent to use SSL involves specifying which certificate to use to sign MongoDB certificates and turning on the SSL option for the MongoDB instances in Ops Manager.


To configure the agent to use SSL, you must have a trusted CA certificate that signed the MongoDB instance’s certificate.


Connections between Agents and MongoDB Instances

To use SSL for the Backup Agent’s connection to a MongoDB host, specify the host’s SSL settings when adding the host or by editing the host’s settings.

Then configure the agent to use SSL:


Specify path to trusted CA certificate.

Edit the Backup Agent configuration file to set the sslTrustedServerCertificates field to the path of a file containing one or more certificates in PEM format. For example:


The agent configuration file is located in either the agent install directory or the /etc/mongodb-mms/ directory, depending on your operating system.

By default, to connect to MongoDB instances using SSL requires a valid trusted certificate. For testing purposes, however, you can set the sslRequireValidServerCertificates setting to False to bypass this check. This configuration is not recommended for production use as it makes the connection insecure.

For additional information on these settings, see MongoDB SSL Settings.


Restart agent.

Connections between Agents and Ops Manager

To ensure that the Backup Agents use SSL when connecting to Ops Manager, Configure Ops Manager to use SSL for all connections. The Configure SSL Connections to Ops Manager tutorial describes how to set up Ops Manager to run over HTTPS.

Starting with Ops Manager 1.4, the Backup Agent validates the SSL certificate of the Ops Manager server by default.

If you are not using a certificate signed by a trusted 3rd party, you must configure the Backup Agent to trust the Ops Manager server.

To specify a self-signed certificate of the Ops Manager server that the Backup Agent should trust:


Copy your PEM certificate to /etc/mongodb-mms/.

Issue the following sequence of commands:

sudo cp -a mms-ssl-unified.crt /etc/mongodb-mms/
sudo chown mongodb-mms-backup-agent:mongodb-mms-backup-agent /etc/mongodb-mms/mms-ssl-unified.crt
sudo chmod 600 /etc/mongodb-mms/mms-ssl-unified.crt

Edit the following parameter in the Backup Agent configuration file.

For example:


Restart the Backup Agent for the configuration update to take effect.