Security Overview

Overview

Cloud Manager provides configurable encryption, authentication, and authorization to ensure the security of your Cloud Manager agents and MongoDB deployments. Cloud Manager supports SSL, MONGODB-CR, LDAP, and Kerberos.

SSL Encryption

Cloud Manager can use SSL for encrypting communications for the following Monitoring Agent and Backup Agent connections:

Access Control and Authentication

MongoDB uses Role-Based Access Control (RBAC) to determine access to a MongoDB system. When run with access control, MongoDB requires users to authenticate so that it can determine their access.

If you enable authentication for your deployments, the Cloud Manager agents authenticate to the deployments as MongoDB users with appropriate privileges.

If a MongoDB deployment runs with access control, the Monitoring and Backup Agents must authenticate to the deployment as MongoDB users with appropriate access. See the following:

For an overview of authenticating with the supported mechanisms, see MONGODB-CR, LDAP, and Kerberos.

MONGODB-CR

Cloud Manager can use the MongoDB Challenge-Response (MONGODB-CR) authentication mechanism to authenticate to a MongoDB deployment. For more information, see the MONGODB-CR section on the Authentication page in the MongoDB manual.

If your MongoDB deployment uses MONGODB-CR for authentication, you must create a MongoDB user for the Cloud Manager agents as well as specify the host’s authentication settings.

To create a MongoDB user, see Configure Monitoring Agent for MONGODB-CR and Configure Backup Agent for MONGODB-CR.

You can specify the host’s authentication settings when adding the host, or you can edit the settings for an existing host.

LDAP

Cloud Manager agents can use the LDAP authentication mechanism to authenticate to the MongoDB deployment.

If your MongoDB deployment uses LDAP for authentication, you must create a MongoDB user for the Cloud Manager agents as well as specify the host’s authentication settings.

To create a MongoDB user for the agents, see Configure Monitoring Agent for LDAP and Configure Backup Agent for LDAP Authentication.

You can specify the host’s authentication settings when adding the host, or you can edit the settings for an existing host.

Kerberos

If your MongoDB deployment uses Kerberos for authentication, you must create the Kerberos Principal for the Cloud Manager agents, create a MongoDB user for that Kerberos Principal, edit the agent’s configuration file, and specify the host’s authentication settings.

If you are running both the Monitoring Agent and the Backup Agent on the same server, then both agents must connect as the same Kerberos Principal.

To create a Kerberos Principal and the associated MongoDB user as well as edit the configuration file, see Configure the Monitoring Agent for Kerberos and Configure the Backup Agent for Kerberos.

You can specify the host’s authentication settings when adding the host, or you can edit the settings for an existing host.