Security Overview

Cloud Manager provides configurable encryption, authentication, and authorization to ensure the security of your MongoDB Agents and MongoDB deployments. Cloud Manager supports TLS, SCRAM-SHA-1 and SCRAM-SHA-256, LDAP, and Kerberos.

TLS Encryption

Cloud Manager can use TLS to encrypt communications when the MongoDB Agent connects to:

  • Cloud Manager.
  • MongoDB instances that use TLS. You must set each MongoDB host’s Use TLS setting in Cloud Manager and must configure the agent’s TLS settings. See Configure MongoDB Agent to Use TLS.

Access Control and Authentication

MongoDB uses Role-Based Access Control (RBAC) to determine access to a MongoDB system. When run with access control, MongoDB requires users to authenticate themselves and then determines that user’s permissions.

If your MongoDB deployment uses authentication and the MongoDB Agent:

  • Uses Automation to manage the deployment, Cloud Manager creates the appropriate MongoDB user, gives it all necessary roles, and authenticates to the deployments as that MongoDB user.
  • Does not use Automation to manage the deployment, you must create a MongoDB user for the MongoDB Agent Monitoring and Backup functions with appropriate access.

Note

Kerberos and LDAP authentication is available with MongoDB Enterprise only.

SCRAM-SHA-1 and SCRAM-SHA-256

Cloud Manager can use the SCRAM-SHA-1 and SCRAM-SHA-256 authentication mechanisms to authenticate a user on a MongoDB deployment. To learn about SCRAM, see the SCRAM page in the MongoDB manual.

If your MongoDB deployment uses SCRAM authentication and the MongoDB Agent:

  • Uses Automation to manage the deployment, Cloud Manager creates the appropriate MongoDB user and gives it all necessary roles.
  • Does not use Automation to manage the deployment, you must create a MongoDB user for the MongoDB Agent Monitoring and Backup functions.

LDAP

The MongoDB Agent can use the LDAP authentication mechanism to authenticate to the MongoDB deployment.

If your MongoDB deployment uses LDAP for authentication, you must create a MongoDB user for the MongoDB Agent and specify the host’s authentication settings when you:

Kerberos

The MongoDB Agent can use the Kerberos authentication mechanism to authenticate to the MongoDB deployment.

If your MongoDB deployment uses Kerberos for authentication, you must: