- Security >
- Configure the Connections to the Backing MongoDB Instances
Configure the Connections to the Backing MongoDB Instances¶
On this page
Overview¶
If you set up your backing MongoDB instances to use access control or to run over TLS/SSL, then you must update Ops Manager’s configuration files with the necessary information for accessing the MongoDB instances.
The conf-mms.properties
file configures the connection from
Ops Manager to the Ops Manager Application database.
Prerequisites¶
This tutorial assumes you have:
- deployed the Ops Manager Application Database
- deployed Snapshot Storage
- configured both databases to use access control and/or TLS/SSL.
Note
For information on deploying MongoDB with access control or to use TLS/SSL, see Security Concepts in the MongoDB manual.
Procedures¶
Configure Ops Manager to Connect to Backing Databases with Access Control¶
Ops Manager can authenticate with the Backing Databases using
username/password (MONGODB-CR
/SCRAM-SHA-1
) or LDAP with the
MongoDB Community edition. The MongoDB Enterprise Edition adds Kerberos
and x.509 Client Certificate as authentication mechanisms.
If your Ops Manager Application database uses access control, you must configure Ops Manager to be able to connect to the database.
Open the conf-mms.properties
file with elevated privileges.¶
Open the conf-mms.properties
file in your preferred text editor
with root
(Linux) or Administrator (Windows)
privileges.
This file configures Ops Manager’s connection to the Ops Manager Application Database.
Configure Ops Manager to connect to the Ops Manager Application Database.¶
mongo.mongoUri
contains the connection string used to
access the Ops Manager Application Database.
The mongo.mongoUri
reference provides examples of the
connection string format for each authentication mechanism and
details the required permissions for the connecting user.
For an Ops Manager Application Database using Kerberos authentication, the
mongo.mongoUri
setting would resemble:
(Optional) Configure any other authentication mechanism-specific settings.¶
Edit the following settings in conf-mms.properties
:
- Kerberos
- x.509
If you are using Kerberos authentication, you must configure the Kerberos settings, as in the following:
If you are using x.509 Client Certificate Authentication, you must also be connecting over TLS/SSL. The next section, Configure TLS/SSL Connections to Backing Databases, covers the TLS/SSL configuration instructions.
Restart all the Ops Manager instances, including those with the Backup Daemon enabled.¶
If the Ops Manager Application Database is running over SSL, proceed to the SSL configuration tutorial.
Restart Ops Manager using the appropriate command for your platform:
- DEB or RPM
- Archive
- Windows
- Click Control Panel.
- Click System and Security.
- Click Administrative Tools.
- Click Services.
- In the Services list, right-click on the MongoDB Ops Manager HTTP Service and click Restart.
- Optionally, in the Services list, right-click on the MongoDB Backup Daemon Service and click Restart.
Configure TLS/SSL Connections to Backing Databases¶
You can configure the Ops Manager Application database, blockstores, and Oplog store to use TLS/SSL using this procedure. All of these backing databases must use the same TLS/SSL settings and certificates.
Open the conf-mms.properties
file with root
(Linux) or Administrator (Windows) privileges.¶
This file configures Ops Manager’s connection to the Ops Manager Application Database.
Configure Ops Manager to connect to the Ops Manager Application Database over SSL.¶
Configure the following settings in conf-mms.properties
:
Option | Setting |
---|---|
mongo.ssl |
Set this to true to indicate that the
Ops Manager Application Database is using TLS/SSL. |
mongodb.ssl.CAFile |
Specify the PEM file that contains the root certificate chain from the Certificate Authority that signed the MongoDB server certificate. |
mongodb.ssl.PEMKeyFile |
If the MongoDB instance is running with --sslCAFile
option, specify the PEM file containing an x.509 certificate
and private key. |
mongodb.ssl.PEMKeyFilePassword |
If the client PEM file contains an encrypted private key,
specify the password for PEM file. To encrypt this password in
the configuration file, use the Ops Manager Important On Microsoft Windows servers, file paths for
|
Restart all the Ops Manager instances, including those with the Backup Daemon enabled.¶
If the Ops Manager Application Database is running over SSL, proceed to the SSL configuration tutorial.
Restart Ops Manager using the appropriate command for your platform:
- DEB or RPM
- Archive
- Windows
- Click Control Panel.
- Click System and Security.
- Click Administrative Tools.
- Click Services.
- In the Services list, right-click on the MongoDB Ops Manager HTTP Service and click Restart.
- Optionally, in the Services list, right-click on the MongoDB Backup Daemon Service and click Restart.