Enable TLS for a Deployment

On this page

Considerations

Prerequisite
Procedures

Cloud Manager will no longer support Automation, Backup, and Monitoring for MongoDB 3.6 and 4.0 after August 30th, 2024. Please upgrade your MongoDB deployment or migrate to Atlas.

OAuth 2.0 authentication for programmatic access to Cloud Manager is available as a Preview feature.: The feature and the corresponding documentation might change at any time during the Preview period. To use OAuth 2.0 authentication, create a service account to use in your requests to the Cloud Manager Public API.

For Cloud Manager to monitor, deploy, or back up a MongoDB deployment that uses TLS, you must enable TLS for the Cloud Manager project.

Considerations

Topics Not in Scope

A full description of Transport Layer Security, public key infrastructure, X.509 certificates, and Certificate Authorities exceeds the scope of this tutorial. This tutorial assumes prior knowledge of TLS and access to valid X.509 certificates.

Note

If you want to reset Authentication and TLS settings for your project, first unmanage any MongoDB deployments that Cloud Manager manages in your project.

Prerequisite

Get and Install the TLS Certificate on Each MongoDB Host

Acquire a TLS certificate for each host serving a MongoDB process. This certificate must include the FQDN for the hostname of this MongoDB host. The FQDN must be the Subject Alternative Name of this host. You must install this TLS certificate on the MongoDB host.

Procedures

Important

You must complete:

Set Existing Deployments to Use TLS, then
Enable TLS for the Project

before you click Review & Deploy.

Set Existing Deployments to Use TLS

If you wish to enable TLS for existing MongoDB deployments in your Cloud Manager project:

In MongoDB Cloud Manager, go to the Deployment page for your project.

If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
If the Deployment page is not already displayed, click Deployment in the sidebar.
The Deployment page displays.

Go to the Processes page.

Click the Processes tab for your deployment.

The Processes page displays.

Select the Clusters view for your deployment.

On the line listing the process, click Modify.

Expand the Advanced Configuration Options section.

Enable TLS for the Project

In MongoDB Cloud Manager, go to the Deployment page for your project.

If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
If the Deployment page is not already displayed, click Deployment in the sidebar.
The Deployment page displays.

Go to the Security page.

Click the Security tab for your deployment.

The Security page displays.

Go to the Security Settings dialog for your deployment.

Do one of the following actions:

If this is your first time configuring TLS, authentication, or authorization settings for this project, click Get Started.
If you have already configured TLS authentication, or authorization settings for this project, click Edit.

Choose your Authentication Mechanisms.

On the Select Authentication Mechanisms screen, enable one or more Authentication Mechanisms.
TLS works with all authentication mechanisms.
Click Next.

Specify the TLS Settings.

Field

Action

MongoDB Deployment Transport Layer Security (TLS)

Toggle this slider to ON.

TLS CA File Path

The TLS Certificate Authority file is a .pem-format certificate file that contains the root certificate chain from the Certificate Authority. The MongoDB Agent uses this same Certificate Authority file to connect to every item in your deployment.

The encrypted private key for the .pem certificate file must be in PKCS #1 format. The MongoDB Agent doesn't support the PKCS #8 format.

Type the file path to the TLS Certificate Authority file on every host running a MongoDB process:

Type the file path on all Linux hosts in the first box.
Type the file path on all Windows hosts in the second box.

This enables the net.tls.CAFile setting for the MongoDB processes in the project.

Click Validate to test that each host in your deployment has a TLS Certificate Authority at the paths you specified.

Client Certificate Mode

Select if client applications or MongoDB Agents must present a TLS certificate when connecting to a TLS-enabled MongoDB deployments. Each MongoDB deployment checks for certificates from these client hosts when they try to connect. If you choose to require the client TLS certificates, make sure they are valid.

Accepted values are:

Optional	Every client may present a valid TLS certificate when connecting to MongoDB deployments. MongoDB Agents might use TLS certificates if you don't set the `mongod` `tlsMode` to `None`.
Required	Every MongoDB deployment in this project starts with TLS-encrypted network connections. All Agents must use TLS to connect to any MongoDB deployment.

Configure the MongoDB Agents.

In the Agent Auth Mechanism list, click the same authentication mechanisms that you did for the project.
Follow the procedure to configure the MongoDB Agent to use that authentication method:

Note

If you had TLS certificates for Legacy Agents, see What if I had TLS certificates for Legacy Backup or Monitoring Agents? at the end of this procedure for guidance.

Click Save to set your changes.

Click Review & Deploy to review your changes.

Cloud Manager displays your proposed changes.

If you are satisfied, click Confirm & Deploy.
If you want to make further configuration changes, click Cancel. Click Modify for the cluster to make additional changes.

If you updated to the MongoDB Agent from deployments that used Automation, the MongoDB Agent manages the TLS settings.
If you updated to the MongoDB Agent from deployments that did not use Automation but you had Backup Agents, Monitoring Agents, or both, you can set your Backup Agent and Monitoring Agent-specific settings during the Agent update or through the following procedure:

In MongoDB Cloud Manager, go to the Deployment page for your project.

If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
If the Deployment page is not already displayed, click Deployment in the sidebar.
The Deployment page displays.

Go to the Agents page.

Click the Agents tab for your deployment.

The Agents page displays.

Edit the configuration.

Click Downloads & Settings, Custom Configurations, and then Edit Custom Configuration.
Click .

Complete the Backup Configurations section.

Type the desired setting in the Setting box and its corresponding value in the Value box.
To add more than one Setting, click the + Add Setting link. Another row appears.
Repeat until all settings have been added.

Complete the Monitoring Configurations section.

Type the desired setting in the Setting box and the corresponding value in the Value box.
To add more than one Setting, click the + Add Setting link. Another row appears.
Repeat until all settings have been added.

You can click the to remove any settings that you have added.

If you are using Cloud Manager's monitoring only feature with a TLS-enabled cluster, you must complete the following steps to allow the MongoDB monitoring agent to connect to the TLS-enabled monitored cluster.

Enable SSL for Monitored Deployment.

Navigate to the Deployment list view, and click on the to the right of your targeted deployment.
Select Monitoring Settings > TLS & SSL.
Toggle the modal to the ON state.

Back

Firewall Configuration

Secure with Authentication