This version of the documentation is archived and no longer supported. To learn how to upgrade your version of MongoDB Ops Manager, refer to the upgrade documentation.
You were redirected from a different version of the documentation. Click here to go back.
This version of the manual is no longer supported.

Configure Backup Agent for SSL


If your MongoDB deployment uses SSL, then you must configure the Backup Agent to use SSL to connect to your deployment’s mongod and mongos instances.

Configuring the agent to use SSL involves specifying which certificate to use to sign MongoDB certificates and turning on the SSL option for the MongoDB instances in Ops Manager.


To configure the agent to use SSL, you must have a trusted CA certificate that signed the MongoDB instance’s certificate.


Connections between Agents and MongoDB Instances

To use SSL for the Backup Agent’s connection to a MongoDB host, specify the host’s SSL settings when adding the host or by editing the host’s settings.


In Ops Manager 1.8 and later, Ops Manager can manage SSL for you if you using Automation for the deployment. With Automation, Ops Manager prompts you for the certificates to use to connect to the deployment when you enable SSL and then configures the agents appropriately. See: Enable TLS for a Deployment for more information.


Login to the host running the Backup Agent.


Edit the Backup Agent configuration file to specify the settings for SSL certificates.

Edit the Backup Agent configuration file. The location of the file depends upon the platform running the Backup Agent.

Platform File Location
RHEL, CentOS, Amazon Linux, and Ubuntu /etc/mongodb-mms/backup-agent.config
OS X, Windows, and other Linux systems <installationDirectory>/local.config

Set the following settings if you use a Backup Agent that connects to an SSL-enabled MongoDB deployment.


Only sslTrustedServerCertificates is required. The other settings are optional.

Setting Value
sslClientCertificate Type the path to the SSL certificates the Backup Agent uses.

Type the password to decrypt the private key set in the file specified with the sslClientCertificate setting.

Required only if the client certificate PEM file is encrypted.

sslTrustedServerCertificates Type the path to the trusted Certificate Authority (CA) certificates.

Type true if Ops Manager should validate SSL certificates or false to disable certificate verification.


Set this option to false only for testing purposes. It makes connections between Ops Manager and MongoDB deployments susceptible to man-in-the-middle attacks.


The Backup Agent configuration file for a Backup Agent with SSL enabled should look similar to this:


See also

For additional information on these settings, see MongoDB TLS Settings.


Restart agent.

Use the shell command for the platform as specified in Start or Stop the Backup Agent.

Connections between Agents and Ops Manager

To ensure that the Backup Agents use SSL when connecting to Ops Manager, Configure Ops Manager to use SSL for all connections. The Configure TLS Connections to Ops Manager tutorial describes how to set up Ops Manager to run over HTTPS.

Starting with Ops Manager 1.4, the Backup Agent validates the SSL certificate of the Ops Manager server by default.

If you are not using a certificate signed by a trusted 3rd party, you must configure the Backup Agent to trust the Ops Manager server.

To specify a self-signed certificate of the Ops Manager server that the Backup Agent should trust:


Copy your PEM certificate to /etc/mongodb-mms/.

Issue the following sequence of commands:

sudo cp -a mms-ssl-unified.crt /etc/mongodb-mms/
sudo chown mongodb-mms-backup-agent:mongodb-mms-backup-agent /etc/mongodb-mms/mms-ssl-unified.crt
sudo chmod 600 /etc/mongodb-mms/mms-ssl-unified.crt

Edit the following parameter in the Backup Agent configuration file.

For example:


Restart the Backup Agent for the configuration update to take effect.