Navigation

Configure the Automation Agent for x.509 Client Certificate Authentication

Cloud Manager enables you to configure the Authentication Mechanisms that all clients, including the Cloud Manager Agents, use to connect to your MongoDB deployments. You can enable multiple authentication mechanisms for each of your projects, but you must choose only one mechanism for the Agents.

MongoDB supports x.509 certificate authentication for use with a secure TLS/SSL connection. The x.509 client authentication allows clients to authenticate to servers with certificates rather than with a username and password.

Note

Cloud Manager can manage Agent authentication for you if you enable Automation. With Automation, Cloud Manager creates the users for each Agent and configures the Agent appropriately. To learn more about authentication, see Enable x.509 Authentication for your Cloud Manager Project.

Considerations

A full description of Transport Layer Security, public key infrastructure, X.509 certificates, and Certificate Authorities is beyond the scope of this tutorial. This tutorial assumes prior knowledge of TLS/SSL and access to valid X.509 certificates.

Prerequisites

To enable x.509 Authentication for Cloud Manager, you must obtain valid certificates generated and signed by a single certificate authority. Refer to the Client x.509 Certificate in the MongoDB Manual for more about the certificate requirements.

x.509 Client Certificate Authentication requires you to enable and configure TLS/SSL for the deployment.

Procedures

This tutorial assumes that you have already configured your MongoDB deployment to use x.509 certificate authentication and SSL. If you have not done so, refer to the Use x.509 Certificates to Authenticate Clients and Configure mongod and mognos for TLS/SSL tutorials.

Create MongoDB User for the subject

For the Automation Agent to connect to your MongoDB deployment, you must create a user for the Automation Agent in the $external database.

For x.509 certificate authentication, use the subject value of your client certificate as the username.

Use the following commands to create the users from a mongo shell connected to your MongoDB deployment:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
   db.getSiblingDB("$external").createUser(
     {
       user : "<x.509 subject>",
       roles : [ 
         { role : "clusterAdmin", db : "admin" },
         { role : "readWriteAnyDatabase", db : "admin" },
         { role : "userAdminAnyDatabase", db : "admin" },
         { role : "dbAdminAnyDatabase", db : "admin" },
         { role : "backup", db : "admin" },
         { role : "restore", db : "admin" }
       ]
     }
   )

For more information on the required access, see Required Access for Automation Agent.

You can only associate an x.509 client certificate with a single user; each user must have its own certificate.

Edit Agent Configuration File

x.509 requires that you configure the agent for TLS/SSL:

1

Specify path to trusted CA certificate.

If your Ops Manager deployment uses TLS, then you must configure the Automation Agent to use TLS. To configure the agent to use TLS, you must have a trusted Certificate Authority certificate that signed the MongoDB instance’s certificate.

In the agent’s install directory, edit the configuration file to set sslTrustedMMSServerCertificate field to the path of a file containing one or more certificates in PEM format.

C:\MMSData\Automation\automation-agent.config
/path/to/install/local.config
/path/to/install/local.config
/etc/mongodb-mms/automation-agent.config
/etc/mongodb-mms/automation-agent.config

Example

If you would use the following command to connect through the mongo shell:

mongo --tls --tlsCAFile /etc/ssl/ca.pem example.net:27017

Then you would modify the configuration file, setting this key/value pair:

sslTrustedMMSServerCertificate=/etc/ssl/ca.pem

To learn more about these settings, see Cloud Manager SSL Settings.

2

Restart the agent.

Configure Automation Agent for SSL provides more details about configuring the Automation Agent for TLS/SSL.

Once you have configured the Automation Agent, you still need to configure the x.509 Authentication mechanism in the Cloud Manager interface, as described in Enable x.509 Authentication for your Cloud Manager Project.