Configure Backup Agent for SSL

Legacy Backup and Monitoring Agent has been removed

This Agent has been updated from your self-managed legacy Backup and Monitoring Agents to the MongoDB Agent.


If your MongoDB deployment uses SSL, then you must configure the Backup Agent to use SSL to connect to your deployment’s mongod and mongos instances.

Configuring the agent to use SSL involves specifying the certificate that is used to sign the MongoDB certificates and turning on the SSL option for the MongoDB instances in Cloud Manager.


To configure the agent to use SSL, you must have a trusted CA certificate that signed the MongoDB instance’s certificate.


Connections between Agents and MongoDB Instances

To use SSL for the Backup Agent’s connection to a MongoDB host, specify the host’s SSL settings when you add the host or when you edit the host’s settings.


Cloud Manager can manage SSL for you if you are using Automation for the deployment. With Automation, when you enable SSL, Cloud Manager prompts you for the certificates to use to connect to the deployment and then configures the agents appropriately. See Enable TLS for a Deployment for more information.


Log in to the host running the Backup Agent.


Edit the Backup Agent configuration file to specify the settings for SSL certificates.

Edit the Backup Agent configuration file. The location of the file depends upon the platform running the Backup Agent.

Platform | File Location
RHEL, CentOS, Amazon Linux, and Ubuntu | /etc/mongodb-mms/backup-agent.config
OS X, Windows, and other Linux systems | <installationDirectory>/local.config

Set the following settings if you use a Backup Agent that connects to an SSL-enabled MongoDB deployment.


Only sslTrustedServerCertificates is required. The other settings are optional.

Setting | Value
sslClientCertificate | Type the path to the SSL certificates the Backup Agent uses.
 | Type the password to decrypt the private key set in the file specified with the sslClientCertificate setting. Required only if the client certificate PEM file is encrypted.
sslTrustedServerCertificates | Type the path to the trusted Certificate Authority (CA) certificates.
 | Type true if Cloud Manager should validate SSL certificates or false to disable certificate verification.


Set this option to false only for testing purposes. It makes connections between Cloud Manager and MongoDB deployments susceptible to man-in-the-middle attacks.


The Backup Agent configuration file for a Backup Agent with SSL enabled should look similar to this:


See also

For additional information on these settings, see MongoDB TLS Settings.


Restart the agent.

Use the shell command for the platform as specified in Start or Stop the Backup Agent.
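
A check that can be run on the edited configuration before the restart, added here as an example; it is not part of the original page or of MongoDB's own tooling. It assumes the file uses key=value lines and that the password and validation settings are named sslClientCertificatePassword and sslRequireValidServerCertificates; the sample file and its paths are constructed.

```python
import os

# The first two names appear on the page; the last two are assumed names
# for the password and validation rows of the settings table.
CA = "sslTrustedServerCertificates"
CLIENT_CERT = "sslClientCertificate"
CLIENT_PASS = "sslClientCertificatePassword"       # assumption
VALIDATE = "sslRequireValidServerCertificates"     # assumption

# Constructed sample; the key=value layout and the paths are assumptions.
SAMPLE_CONFIG = """\
# SSL settings for the Backup Agent
sslTrustedServerCertificates=/etc/ssl/mongodb/ca.pem
sslClientCertificate=/etc/ssl/mongodb/backup-agent.pem
sslClientCertificatePassword=<password>
sslRequireValidServerCertificates=false
"""

def parse_config(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def audit_ssl_settings(settings, is_file=os.path.isfile):
    """Return a list of findings; an empty list means no problem was found."""
    findings = []
    for name in (CA, CLIENT_CERT):
        path = settings.get(name)
        if path and not is_file(path):
            findings.append(f"{name}: file not found: {path}")
    if not settings.get(CA):
        findings.append(f"{CA}: not set, but required")
    if settings.get(CLIENT_PASS) and not settings.get(CLIENT_CERT):
        findings.append(f"{CLIENT_PASS}: set without {CLIENT_CERT}")
    if settings.get(VALIDATE, "").lower() == "false":
        findings.append(f"{VALIDATE}: false disables certificate verification")
    return findings

if __name__ == "__main__":
    for finding in audit_ssl_settings(parse_config(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

To check a real host, pass the contents of the platform's configuration file to `parse_config` instead of the sample.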

Connections between Agents and Cloud Manager

The Backup Agents always use SSL when connecting to the Cloud Manager servers. For the settings used by the Backup Agent to connect to the Cloud Manager servers, see Cloud Manager Server TLS Settings.