Configure MongoDB Agent to Use TLS
Ops Manager uses TLS to encrypt connections between MongoDB Agent and:
- MongoDB instances.
- Ops Manager.
Prerequisite
To configure the MongoDB Agent to use TLS, you must have the trusted Certificate Authority certificate that signed the MongoDB instance’s certificate.
Procedures
Configure Connections between MongoDB Agent and MongoDB Instances
To use TLS for the MongoDB Agent’s connection to a MongoDB deployment, specify the deployment’s TLS settings when adding the deployment or editing the deployment’s settings.
Note
Ops Manager can manage TLS for you if you are using Automation for the deployment. With Automation, Ops Manager prompts you for the certificates to use to connect to the deployment when you enable TLS and then configures the agents appropriately. To learn how to configure TLS, see Enable TLS for a Deployment.
Specify the absolute file path to your trusted CA certificate in the MongoDB Agent config file.
If you enabled TLS for your Ops Manager deployment, then you must configure the MongoDB Agent to use TLS. To configure the MongoDB Agent to use TLS, you must have the trusted Certificate Authority certificate that signed the MongoDB instance’s certificate.
In the MongoDB Agent’s install directory, edit the configuration file to set the sslTrustedMMSServerCertificate field to the path of a file containing one or more certificates in PEM format.
The location of the MongoDB Agent configuration file depends on the platform:
- Windows: C:\MMSData\Automation\automation-agent.config
- macOS: /path/to/install/local.config
- Ubuntu/Debian: /etc/mongodb-mms/automation-agent.config
- RHEL/CentOS/SLES/AMZ: /etc/mongodb-mms/automation-agent.config
- Linux: /path/to/install/local.config
Note
On Windows, Ubuntu/Debian, and RHEL/CentOS/SLES/AMZ, the MongoDB Agent configuration file is named automation-agent.config as a way to enable easier upgrades for those using legacy agents.
Example
Use the following command to connect through the mongo shell:
Then, modify the configuration file and set the following key/value pair:
Save the configuration file.
To learn more about these settings, see Ops Manager TLS Settings.
Restart the Agent.
Configure Connections between MongoDB Agent and Ops Manager
To ensure that the MongoDB Agent uses TLS when connecting to Ops Manager, configure Ops Manager to use TLS for all connections. The Configure TLS Connections to Ops Manager tutorial describes how to set up Ops Manager to run over TLS.
By default, the MongoDB Agent validates the Ops Manager TLS certificate.
If a trusted third party did not sign your certificate, you must configure the MongoDB Agent to trust Ops Manager.
To specify a self-signed certificate for Ops Manager that the MongoDB Agent should trust:
Install your certificate file to your Ops Manager configuration directory.
Copy your TLS certificate to your Ops Manager configuration directory:
The location of the MongoDB Agent configuration directory depends on the platform:
- Windows: C:\MMSData\Automation\
- macOS: /path/to/install/
- Ubuntu/Debian: /etc/mongodb-mms/
- RHEL/CentOS/SLES/AMZ: /etc/mongodb-mms/
- Linux: /path/to/install/
Note
On Windows, the MongoDB Agent configuration directory is named Automation to simplify upgrades for those using legacy agents.
Then, set the mongodb-mms-agent system user as the owner of the TLS certificate. Grant that user read and write permissions on the certificate.
Example
For Linux operating systems, use the following commands to set ownership and permissions:
Edit the following parameter in the configuration file.
The location of the MongoDB Agent configuration file depends on the platform:
- Windows: C:\MMSData\Automation\automation-agent.config
- macOS: /path/to/install/local.config
- Ubuntu/Debian: /etc/mongodb-mms/automation-agent.config
- RHEL/CentOS/SLES/AMZ: /etc/mongodb-mms/automation-agent.config
- Linux: /path/to/install/local.config
Note
On Windows, Ubuntu/Debian, and RHEL/CentOS/SLES/AMZ, the MongoDB Agent configuration file is named automation-agent.config as a way to enable easier upgrades for those using legacy agents.
Example
The following setting specifies the sslTrustedMMSServerCertificate file as /etc/mongodb-mms/mms-ssl-unified.pem.
Restart the MongoDB Agent for the configuration update to take effect.
Example
If you don’t want to have Ops Manager validate the SSL certificates, set Client Certificate Mode to None.
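The certificate and configuration-file steps from both procedures above, as an added shell example that is not part of the original documentation: it checks that the CA path is absolute and holds complete PEM certificates, restricts the file to owner read/write, and sets sslTrustedMMSServerCertificate without duplicating the key. The function names are hypothetical; the key=value layout of the config file and mode 600 as the reading of "read and write permissions" are assumptions.

```sh
#!/bin/sh
# Added example (not Ops Manager's own tooling); function names are hypothetical.
AGENT_USER="mongodb-mms-agent"   # system user named on the page
KEY="sslTrustedMMSServerCertificate"

# Print the number of certificates if the file holds >= 1 complete PEM block.
pem_cert_count() {
    begin=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
    end=$(grep -c -- '-----END CERTIFICATE-----' "$1" 2>/dev/null || true)
    [ "${begin:-0}" -gt 0 ] && [ "${begin:-0}" -eq "${end:-0}" ] && echo "$begin"
}

# set_agent_trusted_ca CONFIG_FILE CA_PEM
set_agent_trusted_ca() {
    config=$1
    pem=$2
    case $pem in
        /*) ;;
        *) echo "CA path must be absolute: $pem" >&2; return 1 ;;
    esac
    if ! pem_cert_count "$pem" >/dev/null; then
        echo "no complete PEM certificate in $pem" >&2
        return 1
    fi
    [ -f "$config" ] || { echo "config not found: $config" >&2; return 1; }

    # Owner read/write only (assumed mode 600); chown needs root and the user.
    chmod 600 "$pem" || return 1
    if [ "$(id -u)" -eq 0 ] && id "$AGENT_USER" >/dev/null 2>&1; then
        chown "$AGENT_USER" "$pem" || return 1
    fi

    # Drop any earlier setting so the key appears exactly once (key=value assumed).
    tmp=$(mktemp "${config}.XXXXXX") || return 1
    grep -v "^[[:space:]]*${KEY}[[:space:]]*=" "$config" > "$tmp" || true
    printf '%s=%s\n' "$KEY" "$pem" >> "$tmp"
    cat "$tmp" > "$config" && rm -f "$tmp"
}

# Usage with the paths shown on the page (run as root, then restart the agent):
#   set_agent_trusted_ca /etc/mongodb-mms/automation-agent.config \
#       /etc/mongodb-mms/mms-ssl-unified.pem
```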