Configure TLS Connections to Ops Manager
You can configure Ops Manager to encrypt connections from all MongoDB Agents to Ops Manager, from website clients to the Ops Manager Application, and from API clients to the REST API.
To encrypt connections, you can:
Set up an HTTPS proxy in front of Ops Manager, or
Run the Ops Manager Application over HTTPS, as described on this page.
The following procedure configures Ops Manager with a .pem
file that
contains the Ops Manager host's TLS certificate.
The MongoDB Agent uses HTTPS after successfully completing the procedure.
Prequisites
Add any TLS-related custom settings to your MongoDB Agent configuration.
Configure Ops Manager Application for TLS
Upload the certificate file to each Ops Manager host.
Upload your
.pem
file to each Ops Manager Application host. This certificate must be uploaded to each Ops Manager host so they can accept TLS connections.Change the owner of the
.pem
file to the user and group that own the Ops Manager process.Change the permissions of the
.pem
file so only the file owner can read and write the file.
Enable TLS for the Ops Manager Application.
Click Admin in the Ops Manager application to view the Admin interface.
Click the General tab
Click Ops Manager Config.
Click Web Server & Email.
Set the following options under Web Server heading:
OptionActionProvide the full URL for Ops Manager Application including port
8443
for HTTPS access.For example:
https://opsmanager.example.com:8443 Type the absolute file system path where the.pem
file is located on all Ops Manager hosts in this box.If you encrypted the HTTPS PEM Key File, type the password needed to decrypt it in this box.Select if client applications or MongoDB Agents must present a TLS certificate when connecting to a TLS-enabled Ops Manager. Ops Manager checks for certificates from these client hosts when they try to connect. If you choose to require the client TLS certificates, make sure they are valid.
Accepted values are:
None
Required for Agents Only
Required for All Requests
Click Save.
(Optional) Change the minimum TLS version.
In Ops Manager Server 4.4.13 and later, the Ops Manager Application requires its clients to use TLS version 1.2 by default.
To change the minimum TLS version:
Click Admin in the Ops Manager application to view the
Admin
interface.Click the General tab
Click Ops Manager Config.
Click Custom.
Configure the minimum TLS version.
Enter
mms.minimumTLSVersion
in the Key box.Enter a minimum TLS version in the Value box.
The following values are accepted:
TLSv1
TLSv1.1
TLSv1.2
Click Save.
(Optional) Specify which TLS cipher suites you want to exclude.
To exclude specific TLS cipher suites from TLS connections with the Ops Manager Application.
Click Admin in the Ops Manager application to view the
Admin
interface.Click the General tab
Click Ops Manager Config.
Click Custom.
Enter
mms.disableCiphers
in the Key box.Enter a comma-separated list of cipher suites to disable in the Value box.
Important
Cipher suite names used in Ops Manager must follow RFC 5246 naming conventions. Do not use the OpenSSL naming convention.
For example, use
TLS_RSA_WITH_NULL_SHA256
, notNULL-SHA256
.Click Save.
Restart each Ops Manager host to enable TLS.
Restart the Ops Manager Application per the instructions to Start and Stop Ops Manager Application.
Configure MongoDB Agents to use TLS
On each MongoDB host in your cluster:
Change mmsBaseUrl
and TLS settings.
Set or add the following properties where needed:
Option | Necessity | Action |
---|---|---|
Required | Set this value to match the URL you entered in the URL to Access Ops Manager box. IMPORTANT: Ensure that you update both this property and the
URL to Access Ops Manager box. Both values must
match. If Monitoring and Backup are enabled for the
MongoDB Agent, they use the URL to Access Ops
Manager configured on the Ops Manager server, unless the
| |
Conditional | Set this value to
If you set this value to | |
Conditional | If you are using your own self-signed Certificate Authority IMPORTANT: This Certificate Authority file must be in the same location on each MongoDB host in the same sharded cluster or replica set. Any MongoDB host that does not have the file in the same file location as the others may become unaccessible. Add the Certificate Authority for the
To learn how to download TLS certificates from another web site, see the OpenSSL Cookbook entry. | |
Conditional | If you set Client Certificate Mode in Ops Manager to
Required for Agents Only or Required for All
Requests , add this value and specify the absolute path to
the file containing the client's private key, certificate, and
optional intermediate certificates in .pem format . | |
Conditional | If you encrypted the
tlsMMSServerClientCertificate .pem file,
provide the password needed to decrypt it. |