Navigation
This version of the documentation is archived and no longer supported. To learn how to upgrade your version of MongoDB Ops Manager, refer to the upgrade documentation.
You were redirected from a different version of the documentation. Click here to go back.
This version of the manual is no longer supported.

Configure MongoDB Agent to Use TLS

On this page

Ops Manager uses TLS to encrypts connections between MongoDB Agent and:

  • MongoDB instances.
  • Ops Manager.

Prerequisite

To configure the MongoDB Agent to use TLS, you must have the trusted Certificate Authority certificate that signed the MongoDB instance’s certificate.

Procedures

Configure Connections between MongoDB Agent and MongoDB Instances

To use TLS for the MongoDB Agent’s connection to a MongoDB deployment, specify the deployment’s TLS settings when adding the deployment or editing the deployment’s settings.

Note

Ops Manager can manage TLS for you if you are using Automation for the deployment. With Automation, Ops Manager prompts you for the certificates to use to connect to the deployment when you enable TLS and then configures the agents appropriately. To learn how to configure TLS, see Enable TLS for a Deployment.

1

Specify the absolute file path to your trusted CA certificate in the MongoDB Agent config file.

If you enabled TLS for your Ops Manager deployment, then you must configure the MongoDB Agent to use TLS. To configure the MongoDB Agent to use TLS, you must have the trusted Certificate Authority certificate that signed the MongoDB instance’s certificate.

In the MongoDB Agent’s install directory, edit the configuration file to set sslTrustedMMSServerCertificate field to the path of a file containing one or more certificates in PEM format.

The location of the MongoDB Agent configuration file is C:\MMSData\Automation\automation-agent.config.

Note

The MongoDB Agent configuration file is named automation-agent.config as a way to enable easier upgrades for those using legacy agents.

The location of the MongoDB Agent configuration file is /path/to/install/local.config.

The location of the MongoDB Agent configuration file is /etc/mongodb-mms/automation-agent.config.

Note

The MongoDB Agent configuration file is named automation-agent.config as a way to enable easier upgrades for those using legacy agents.

The location of the MongoDB Agent configuration file is /etc/mongodb-mms/automation-agent.config.

Note

The MongoDB Agent configuration file is named automation-agent.config as a way to enable easier upgrades for those using legacy agents.

The location of the MongoDB Agent configuration file is /path/to/install/local.config.

Example

Use the following command to connect through the mongo shell:

mongo --tls --tlsCAFile /etc/ssl/ca.pem example.net:27017

Then, modify the configuration file and set the following key/value pair:

sslTrustedMMSServerCertificate=/etc/ssl/ca.pem

Save the configuration file.

To learn more about these settings, see Ops Manager TLS Settings.

2

Restart the Agent.

Configure Connections between MongoDB Agent and Ops Manager

To ensure that the MongoDB Agent uses TLS when connecting to Ops Manager, configure Ops Manager to use TLS for all connections. The Configure TLS Connections to Ops Manager tutorial describes how to set up Ops Manager to run over TLS.

By default, the MongoDB Agent validates the Ops Manager TLS certificate.

If a trusted third party did not sign your certificate, you must configure the MongoDB Agent to trust Ops Manager.

To specify a self-signed certificate for Ops Manager that the MongoDB Agent should trust:

1

Install your certificate file to your Ops Manager configuration directory.

Copy your TLS certificate to your Ops Manager configuration directory:

The location of the MongoDB Agent configuration directory is C:\MMSData\Automation\.

Note

The MongoDB Agent configuration directory is named Automation to simplify upgrades for those using legacy agents.

The location of the MongoDB Agent configuration file is /path/to/install/.

The location of the MongoDB Agent configuration file is /etc/mongodb-mms/.

The location of the MongoDB Agent configuration file is /etc/mongodb-mms/.

The location of the MongoDB Agent configuration file is /path/to/install/.

Then, set the mongodb-mms-agent system user as the owner of the TLS certificate. Grant that user read and write permissions on the certificate.

Example

For Linux operating systems, use the following commands to set ownership and permissions:

sudo cp -a mms-ssl-unified.pem /etc/mongodb-mms/
sudo chown mongodb-mms-agent:mongodb-mms-agent /etc/mongodb-mms/mms-ssl-unified.pem
sudo chmod 600 /etc/mongodb-mms/mms-ssl-unified.pem
2

Edit the following parameter in the configuration file.

The location of the MongoDB Agent configuration file is C:\MMSData\Automation\automation-agent.config.

Note

The MongoDB Agent configuration file is named automation-agent.config as a way to enable easier upgrades for those using legacy agents.

The location of the MongoDB Agent configuration file is /path/to/install/local.config.

The location of the MongoDB Agent configuration file is /etc/mongodb-mms/automation-agent.config.

Note

The MongoDB Agent configuration file is named automation-agent.config as a way to enable easier upgrades for those using legacy agents.

The location of the MongoDB Agent configuration file is /etc/mongodb-mms/automation-agent.config.

Note

The MongoDB Agent configuration file is named automation-agent.config as a way to enable easier upgrades for those using legacy agents.

The location of the MongoDB Agent configuration file is /path/to/install/local.config.

Example

The following setting specifies the sslTrustedMMSServerCertificate file as /etc/mongodb-mms/mms-ssl-unified.pem.

3

Restart the MongoDB Agent for the configuration update to take effect.

Example

sudo /etc/init.d/mongodb-mms-mongodb-agent restart

If you don’t want to have Ops Manager validate the SSL certificates, set Client Certificate Mode to None.