Verify MongoDB Signatures
You can require that the MongoDB Agent verifies the signature file after it downloads the MongoDB binary by enabling a setting in the Ops Manager Resource Specification. Once you enable signature verification, the MongoDB Agent requires signature files for all MongoDB deployments that your Ops Manager instance manages. You can enable signature verification for local or remote deployments.
Prerequisites
Your Ops Manager server must run over HTTPS so that the MongoDB Agent can download the signature files. To learn more, see Configure Ops Manager to Run over HTTPS.
Procedure
In the Ops Manager Resource Specification, add spec.configuration.mms.featureFlag.automation.verifyDownloads and set it to enabled.
For example:
spec:
  configuration:
    mms.featureFlag.automation.verifyDownloads: enabled
Note
Once you enable signature verification, the MongoDB Agent requires signature files for all MongoDB binaries that it downloads.
Ensure the MongoDB Agent can locate the MongoDB binary and its signature (.sig) file in the same directory. The location of that directory depends on whether your deployment is local or remote.
If your Ops Manager instance can access the Internet or a custom HTTPS server and you download the MongoDB binary from the official sources, the MongoDB Agent automatically downloads the signature file along with the MongoDB binary.
If you don't download the MongoDB binary from the official sources, configure your HTTPS server so that the MongoDB Agent can locate the MongoDB binary and its signature file from the same link.
If your Ops Manager instance can't access the Internet, the MongoDB binary and its signature file are stored in /mongodb-ops-manager/mongodb-releases/ by default. Ensure the signature file is named the same as the MongoDB binary and both are in the same directory. For example:
/mongodb-ops-manager/mongodb-releases/mongodb-linux-x86_64-rhel80-4.2.8.tgz.sig
/mongodb-ops-manager/mongodb-releases/mongodb-linux-x86_64-rhel80-4.2.8.tgz
Save and apply the Ops Manager Resource Specification.
kubectl apply -f <my-ops-manager-resource-specification>.yaml
After you've applied the Ops Manager Resource Specification, the MongoDB Agent performs a rolling restart on the cluster nodes, reconciling the changes.
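For a deployment without Internet access, the naming requirement above can be checked before verifyDownloads is enabled. The following shell function is an added example, not part of the original documentation or of MongoDB's tooling: it reports every archive in the releases directory that lacks a non-empty .sig file of the same name, and every .sig file whose archive is absent. It assumes archives end in .tgz as in the example path; the function names, output labels and sample files are hypothetical, and it checks presence only, not whether a signature is cryptographically valid.

```shell
#!/bin/sh
# Added example: pre-flight check for a releases directory that is populated
# by hand. Checks presence and naming only, not cryptographic validity.

# check_release_sigs [DIR]
# Prints one line per problem; returns 0 when every archive has its .sig.
check_release_sigs() {
    dir=${1:-/mongodb-ops-manager/mongodb-releases}
    problems=0
    [ -d "$dir" ] || { echo "NO_DIR $dir"; return 1; }

    # Assumption: archives end in .tgz, as in the page's example path.
    for archive in "$dir"/*.tgz; do
        [ -f "$archive" ] || continue      # glob matched nothing
        if [ ! -f "$archive.sig" ]; then
            echo "MISSING_SIG $archive"
            problems=$((problems + 1))
        elif [ ! -s "$archive.sig" ]; then
            echo "EMPTY_SIG $archive.sig"
            problems=$((problems + 1))
        fi
    done

    # A .sig without its archive points to a renamed or partial copy.
    for sig in "$dir"/*.sig; do
        [ -f "$sig" ] || continue
        if [ ! -f "${sig%.sig}" ]; then
            echo "ORPHAN_SIG $sig"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample directory (hypothetical files, not real releases).
make_sample_dir() {
    d=$(mktemp -d)
    : > "$d/mongodb-linux-x86_64-rhel80-4.2.8.tgz"
    echo sig > "$d/mongodb-linux-x86_64-rhel80-4.2.8.tgz.sig"
    : > "$d/sample-missing.tgz"          # archive with no signature
    echo sig > "$d/sample-orphan.tgz.sig" # signature with no archive
    echo "$d"
}
```

Run check_release_sigs where the releases directory is mounted; a non-zero exit status means the MongoDB Agent would not find a signature for at least one binary once verification is enabled.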