Configure the Connections to the Application Database
On this page
If your Ops Manager Application Database uses
authentication or TLS, update the connection settings from Ops Manager
to the Ops Manager Application database in the conf-mms.properties file.
Prerequisites
This tutorial assumes you deployed the Ops Manager Application Database and configured it to use authentication, TLS, or both.
Tip
See also:
To learn how to deploy MongoDB with access control or to use TLS, see Security Concepts in the MongoDB manual.
Configure Ops Manager to Authenticate with Application Databases
Ops Manager can authenticate with the Ops Manager Application databases using one of the following methods:
Using MongoDB Community
Username and Password (
MONGODB-CR/SCRAM-SHA-1/SCRAM-SHA-256)LDAP
X.509 Client Certificates
Using MongoDB Enterprise
Username and Password (
MONGODB-CR/SCRAM-SHA-1/SCRAM-SHA-256)LDAP
Kerberos
X.509 Client Certificates
If your Ops Manager Application database uses authentication, you must configure Ops Manager to be able to connect to the database.
Open the conf-mms.properties file with elevated privileges.
Open the conf-mms.properties file in your preferred text editor
with root privileges.
This file configures Ops Manager's connection to the Ops Manager Application Database.
Configure Ops Manager to connect to the Ops Manager Application Database.
mongo.mongoUri contains the connection string used to
access the Ops Manager Application Database. The connection string
must include the following when applicable:
All members of the replica set, if the Ops Manager Application database is a replica set.
Authentication credentials for the
authentication mechanismused on the Ops Manager Application database.
The mongo.mongoUri reference provides examples of the
connection string format for each authentication mechanism and
details the required permissions for the connecting user.
These include any connection string options that a MongoDB database could use. These options include, but aren't limited to, TLS, set read and write concerns, and authentication.
Example
For an Ops Manager Application Database using Kerberos authentication, the
mongo.mongoUri setting might resemble:
mongo.mongoUri=mongodb://username%40REALM.example.net@mydb1.example.net: 40000/?authMechanism=GSSAPI
Optional: Configure any other authentication mechanism-specific settings.
Edit the following settings in conf-mms.properties:
If you are using Kerberos authentication, you must configure the Kerberos settings, as in the following:
jvm.java.security.krb5.kdc=kdc.example.com jvm.java.security.krb5.realm=EXAMPLE.COM mms.kerberos.principal=mms/mmsweb.example.com@EXAMPLE.COM mms.kerberos.keyTab=/path/to/mms.keytab
If you are using x.509 Client Certificate Authentication, you must also be connecting over TLS/SSL. The next section, Configure TLS Connections to Application Database, covers the TLS/SSL configuration instructions.
Restart all the Ops Manager instances, including those with the Backup Daemon enabled.
If the Ops Manager Application Database runs using TLS, proceed to the SSL configuration tutorial.
Restart Ops Manager using the appropriate command for your platform:
sudo service mongodb-mms restart
<install_dir>/bin/mongodb-mms restart
Configure TLS Connections to Application Database
To enable TLS connections to the Ops Manager Application database, follow this procedure.
Open the conf-mms.properties file with root privileges.
This file configures Ops Manager's connection to the Ops Manager Application Database.
Configure Ops Manager to connect to the Ops Manager Application Database over SSL.
Configure the following settings in conf-mms.properties:
Option | Setting |
|---|---|
Specify the PEM file that contains the root certificate chain
from the Certificate Authority that signed the MongoDB server
certificate. | |
If the MongoDB instance is running with The | |
If the client PEM file contains an encrypted private key,
specify the password for PEM file. To encrypt this password in
the configuration file, use the Ops Manager credentialstool
tool. See credentialstool. |