This version of the documentation is archived and no longer supported. It will be removed on EOL_DATE. To learn how to upgrade your version of MongoDB Ops Manager, refer to the upgrade documentation.

Encrypt User Credentials

For configuration settings that store credentials, you can either store the credentials in plain text or use the Ops Manager credentialstool to encrypt the credentials. If you choose to store credentials in plain text, reduce the permissions on the conf-mms.properties file on each server.

Protect Plain Text Passwords

If you choose to store credentials in plain text, reduce the permissions on the conf-mms.properties file on each server.

Operating System    Permission Changes
Linux               sudo chmod 600 <install_dir>/conf/conf-mms.properties
Windows             Restrict access to only the users and/or groups that need to modify conf-mms.properties.

Important

When Ops Manager is installed with rpm or deb packages on Linux systems, credentialstool requires root (sudo) privileges, because it reads the /etc/mongodb-mms/gen.key file. Ops Manager uses gen.key to encrypt sensitive data in the database and configuration files.

Use the credentialstool to generate encrypted credentials for the MongoDB deployments:

1. Run the shell command to create a pair of encrypted credentials.

Operating System    Command
Linux / Mac OS X    sudo <install_dir>/bin/credentialstool --username <username> --password
Windows             <install_dir>\bin\credentialstool.bat --username <username> --password

Substitutions
<username>       Your MongoDB username
<install_dir>    Path where Ops Manager was installed.

2. Enter the password when prompted.

The credentialstool then outputs the encrypted credential pair.

3. Add the encrypted credentials to the conf-mms.properties file.

  1. Enter the encrypted credential pair in the mongo.mongoUri settings where needed.

  2. Add the mongo.encryptedCredentials setting and set it to true.

    Example

    mongo.mongoUri=mongodb://da83ex3s:a4fbcf3a1@mydb1.example.net:40000/admin
    mongo.encryptedCredentials=true
    

    Important

    The conf-mms.properties file can contain multiple mongo.mongoUri settings. If mongo.encryptedCredentials is true, you must encrypt all user credentials found in the various mongo.mongoUri settings.
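
One way to check a Linux or macOS host against the guidance on this page, as an added example that is not part of the Ops Manager documentation or tooling. The function name audit_conf_mms is hypothetical, and the script assumes that every URI setting key starts with mongo.mongoUri and that the last mongo.encryptedCredentials line is the effective one.

```sh
#!/bin/sh
# Added example (not Ops Manager code): audit conf-mms.properties against the
# guidance above. Returns 0 if consistent, 1 on a finding, 2 if unreadable.
audit_conf_mms() {
    conf=$1
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 2; }

    # Octal permission bits: GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")

    # Effective mongo.encryptedCredentials value. Assumption: last one wins.
    enc=$(sed -n 's/^[[:space:]]*mongo\.encryptedCredentials[[:space:]]*=//p' \
          "$conf" | tail -n 1 | tr -d '[:space:]')

    # Count uncommented mongo.mongoUri* settings that embed user:password@.
    # Assumption: every such key starts with "mongo.mongoUri".
    creds=$(grep -Ec '^[[:space:]]*mongo\.mongoUri[^=]*=.*://[^/@:]+:[^/@]*@' \
            "$conf" || true)

    if [ "$enc" = "true" ]; then
        # Ciphertext cannot be told apart from plain text here, so only remind.
        echo "INFO: mongo.encryptedCredentials=true; all $creds credential pair(s) must be credentialstool output"
        return 0
    fi
    # Plain-text mode: group/other must have no access (mode 600 or stricter).
    if [ "$creds" -gt 0 ] && [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: $creds plain-text credential pair(s), file mode $mode; run: chmod 600 $conf"
        return 1
    fi
    echo "OK: $creds plain-text credential pair(s), file mode $mode"
    return 0
}

# Run directly: sh audit.sh <install_dir>/conf/conf-mms.properties
if [ "$#" -gt 0 ]; then audit_conf_mms "$1"; fi
```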