Navigation
This version of the documentation is archived and no longer supported. To learn how to upgrade your version of MongoDB Ops Manager, refer to the upgrade documentation.
You were redirected from a different version of the documentation. Click here to go back.

Configure Monitoring Agent for SSL

On this page

Overview

Ops Manager supports SSL for encrypting the following connections made by Monitoring Agents:

  • Connections between the Monitoring Agents and MongoDB instances.
  • Connections between the Monitoring Agents and Ops Manager.

Prerequisite

To configure the agent to use SSL, you must have a trusted CA certificate that signed the MongoDB instance’s certificate.

Procedures

Connections between Agents and MongoDB Instances

To use SSL for the Monitoring Agent’s connection to a MongoDB host, specify the host’s SSL settings when adding the host or by editing the host’s settings.

Then configure the agent to use SSL:

1

Specify path to trusted CA certificate.

If your MongoDB deployment uses SSL, then you must configure the Monitoring Agent to use SSL. To configure the agent to use SSL, you must have a trusted CA certificate that signed the MongoDB instance’s certificate.

In the agent’s install directory, edit the monitoring-agent.config file to set sslTrustedServerCertificates field to the path of a file containing one or more certificates in PEM format. For example if you would use the following command to connect through the mongo shell:

copy 
mongo --ssl --sslCAFile /etc/ssl/ca.pem example.net:27017

Then you would set:

copy 
sslTrustedServerCertificates=/etc/ssl/ca.pem

By default, to connect to MongoDB instances using SSL requires a valid trusted certificate.

For testing purposes, however, you can set the sslRequireValidServerCertificates setting to false to bypass this check. When sslRequireValidServerCertificates is false, you do not need to specify the path to the trusted CA certificate in the sslTrustedServerCertificates setting, since Ops Manager will not verify the certificates. This configuration is not recommended for production use as it makes connections susceptible to man-in-the-middle attacks.

For additional information on these settings, including client certificate support, see MongoDB SSL Settings.

2

Restart agent.

Note

For additional information on SSL settings, including client certificate support, see MongoDB SSL Settings.

Connections between Agents and Ops Manager

To ensure that the Monitoring Agents use SSL when connecting to Ops Manager, Configure Ops Manager to use SSL for all connections. The Configure SSL Connections to Ops Manager tutorial describes how to set up Ops Manager to run over HTTPS.

Starting with Ops Manager 1.4, the Monitoring Agent validates the SSL certificate of the Ops Manager by default.

If you are not using a certificate signed by a trusted 3rd party, you must configure the Monitoring Agent to trust Ops Manager.

To specify a self-signed certificate for Ops Manager that the Monitoring Agent should trust:

1

Copy your PEM certificate to /etc/mongodb-mms/.

Issue the following sequence of commands:

copy 
sudo cp -a mms-ssl-unified.crt /etc/mongodb-mms/
sudo chown mongodb-mms-agent:mongodb-mms-agent /etc/mongodb-mms/mms-ssl-unified.crt
sudo chmod 600 /etc/mongodb-mms/mms-ssl-unified.crt
2

Edit the following parameter in /etc/mongodb-mms/monitoring-agent.config.

For example:

copy 
sslTrustedMMSServerCertificate=/etc/mongodb-mms/mms-ssl-unified.crt
3

Restart the Monitoring Agent for the configuration update to take effect.

For example:

copy 
sudo /etc/init.d/mongodb-mms-monitoring-agent restart

© MongoDB, Inc 2008-present. MongoDB, Mongo, and the leaf logo are registered trademarks of MongoDB, Inc.