This version of the documentation is archived and no longer supported. To learn how to upgrade your version of MongoDB Ops Manager, refer to the upgrade documentation.

Configure MongoDB Agent to Use TLS

Ops Manager uses TLS to encrypt connections between MongoDB Agent and:

  • MongoDB instances.
  • Ops Manager.

Prerequisite

To configure the MongoDB Agent to use TLS, you must:

  • Have the trusted Certificate Authority certificate that signed the MongoDB instance’s certificate.
  • Ensure that all TLS certificates contain the Subject Alternative Name field.

Procedures

Configure Connections between MongoDB Agent and MongoDB Instances

To use TLS for the MongoDB Agent’s connection to a MongoDB deployment, specify the deployment’s TLS settings when adding the deployment or editing the deployment’s settings.

Note

Ops Manager can manage TLS for you if you are using Automation for the deployment. With Automation, Ops Manager prompts you for the certificates to use to connect to the deployment when you enable TLS and then configures the agents appropriately. To learn how to configure TLS, see Enable TLS for a Deployment.

Configure Connections between MongoDB Agent and Ops Manager

To ensure that the MongoDB Agent uses TLS when connecting to Ops Manager, configure Ops Manager to use TLS for all connections. The Configure TLS Connections to Ops Manager tutorial describes how to set up Ops Manager to run over TLS.

By default, the MongoDB Agent validates the Ops Manager TLS certificate.

If a trusted third party did not sign your certificate, you must configure the MongoDB Agent to trust Ops Manager.

To specify a self-signed certificate for Ops Manager that the MongoDB Agent should trust:

1. Install your certificate file to your Ops Manager configuration directory.

Copy your TLS certificate to your Ops Manager configuration directory:

The location of the MongoDB Agent configuration directory is C:\MMSData\Automation\.

Note

The MongoDB Agent configuration directory is named Automation to simplify upgrades for those using legacy agents.

The location of the MongoDB Agent configuration directory is /path/to/install/.

The location of the MongoDB Agent configuration directory is /etc/mongodb-mms/.

Then, set the owner of the TLS certificate to one of the following system users, as applies to your installation, and grant that user read and write permissions on the certificate:

  • the mongodb system user,
  • the mongod system user, or
  • the system user (username of the MongoDB Agent).

Example

For Linux operating systems, use the following commands to set ownership and permissions:

sudo cp -a mms-ssl-unified.pem /etc/mongodb-mms/
sudo chown mongod:mongod /etc/mongodb-mms/mms-ssl-unified.pem
sudo chmod 600 /etc/mongodb-mms/mms-ssl-unified.pem
2. Edit the following parameter in the configuration file.

The location of the MongoDB Agent configuration file is C:\MMSData\Automation\automation-agent.config.

Note

The MongoDB Agent configuration file is named automation-agent.config as a way to enable easier upgrades for those using legacy agents.

The location of the MongoDB Agent configuration file is /path/to/install/local.config.

The location of the MongoDB Agent configuration file is /etc/mongodb-mms/automation-agent.config.

Example

The following setting specifies the httpsCAFile file as /etc/mongodb-mms/mms-ssl-unified.pem.

3. Restart the MongoDB Agent for the configuration update to take effect.

Example

sudo /etc/init.d/mongodb-mms-automation-agent restart
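
A pre-restart check for steps 1 and 2, as an added example that is not part of the original documentation or MongoDB's tooling: it reads httpsCAFile from the agent configuration file, confirms that the referenced file holds a PEM certificate with mode 600 and the expected owner, and offers a separate check for the Subject Alternative Name prerequisite. The key=value line format, the function names and the use of the openssl command are assumptions.

```shell
#!/bin/sh
# Added example (not MongoDB's code): checks to run before restarting the agent.
# Assumes automation-agent.config holds one key=value setting per line, e.g.
#   httpsCAFile=/etc/mongodb-mms/mms-ssl-unified.pem

# Print the first httpsCAFile value found in the agent config file $1.
https_ca_file() {
    sed -n 's/^[[:space:]]*httpsCAFile[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Succeed only if $1 is a regular file with mode 600 that is owned by user $2.
ca_file_locked_down() {
    [ -f "$1" ] || return 1
    listing=$(ls -ld "$1") || return 1
    mode=$(printf '%s\n' "$listing" | cut -c1-10)
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    [ "$mode" = "-rw-------" ] && [ "$owner" = "$2" ]
}

# Succeed if the first certificate in $1 carries a Subject Alternative Name.
# Requires the openssl command-line tool.
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q 'Subject Alternative Name'
}

# check_agent_ca CONFIG OWNER
# Returns 0 if all checks pass, 1 if httpsCAFile is unset, 2 if the file
# holds no PEM certificate, 3 if its mode or owner differs from step 1.
check_agent_ca() {
    ca=$(https_ca_file "$1")
    if [ -z "$ca" ]; then
        echo "httpsCAFile is not set in $1" >&2; return 1
    fi
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$ca" 2>/dev/null; then
        echo "$ca: no PEM certificate found" >&2; return 2
    fi
    if ! ca_file_locked_down "$ca" "$2"; then
        echo "$ca: expected mode 600 and owner $2" >&2; return 3
    fi
}
```

Run it with enough privilege to read the certificate, for example `check_agent_ca /etc/mongodb-mms/automation-agent.config mongod`, and run `has_san` on the same certificate file.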

If you don’t want to have Ops Manager validate the SSL certificates, set Client Certificate Mode to None.