Docs Home → MongoDB Ops Manager
Configure the MongoDB Agent for X.509 Authentication
On this page
Ops Manager enables you to configure the Authentication Mechanisms that all clients, including the Ops Manager Agents, use to connect to your MongoDB deployments. You can enable multiple authentication mechanisms for each of your projects, but you must choose only one mechanism for the Agents.
MongoDB supports X.509 certificate authentication for use with a secure TLS connection. X.509 client authentication allows clients to authenticate to servers with certificates rather than with a username and password.
Note
With Automation, Ops Manager manages MongoDB Agent authentication for you. To learn more about authentication, see Enable x.509 Authentication for your Ops Manager Project.
Considerations
A full description of Transport Layer Security, public key infrastructure, X.509 certificates, and Certificate Authorities exceeds the scope of this tutorial. This tutorial assumes prior knowledge of TLS and access to valid X.509 certificates.
Prerequisites
To enable X.509 Authentication for Ops Manager, you must obtain valid TLS certificates that a single certificate authority (CA) generated and signed. To learn more about the certificate requirements, see Client x.509 Certificate in the MongoDB Manual.
X.509 Client Certificate Authentication requires you to enable and configure TLS for the deployment.
Procedures
This tutorial assumes that you have already configured your MongoDB deployment to use X.509 certificate authentication and TLS. If you have not done so, refer to the Use X.509 Certificates to Authenticate Clients and Configure mongod and mongos for TLS tutorials.
Create MongoDB User from the X.509 subject
Edit MongoDB Agent Configuration File
To use X.509 authentication, you must configure the MongoDB Agent for TLS:
Specify the absolute file path to your trusted CA certificate in the MongoDB Agent config file.
If you enabled TLS for your Ops Manager deployment, then you must configure the MongoDB Agent to use TLS. To configure the MongoDB Agent to use TLS, you must have the trusted Certificate Authority certificate that signed the MongoDB instance's certificate.
In the MongoDB Agent's install directory, edit the configuration
file to set httpsCAFile
field to the
path of a file containing one or more certificates in PEM format.
Example
Use the following command to connect through mongosh
:
mongosh --tls --tlsCAFile /etc/ssl/ca.pem example.net:27017
Then, modify the configuration file and set the following key/value pair:
httpsCAFile=/etc/ssl/ca.pem
Save the configuration file.
To learn more about these settings, see Ops Manager TLS Settings.
Configure MongoDB Agent to Use TLS provides more details about configuring the MongoDB Agent for TLS.
After you configure the MongoDB Agent, configure the X.509 Authentication mechanism in the Ops Manager interface, as described in Enable x.509 Authentication for your Ops Manager Project.