
Configure Monitoring Agent for SSL

Legacy Monitoring Agent has been removed

This Agent has been updated from your self-managed legacy Monitoring Agent to the MongoDB Agent.


Cloud Manager supports SSL for encrypting the following connections made by Monitoring Agents:

  • Connections between the Monitoring Agents and MongoDB instances.
  • Connections between the Monitoring Agents and Cloud Manager.


To configure the agent to use SSL, you must have a trusted CA certificate that signed the MongoDB instance’s certificate.


Connections between Agents and MongoDB Instances

To use SSL for the Monitoring Agent’s connection to a MongoDB host, specify the host’s SSL settings when adding the host or by editing the host’s settings.


Cloud Manager can manage TLS/SSL for you if you are using Automation for the deployment. With Automation, Cloud Manager prompts you for the certificates to use to connect to the deployment when you enable TLS/SSL and then configures the agents appropriately. To learn how to configure TLS/SSL, see Enable TLS for a Deployment.


Specify path to trusted CA certificate.

If your MongoDB deployment uses SSL, then you must configure the Monitoring Agent to use SSL. To configure the agent to use SSL, you must have a trusted CA certificate that signed the MongoDB instance’s certificate.

In the agent’s install directory, edit the monitoring-agent.config file to set the sslTrustedServerCertificates field to the path of a file containing one or more certificates in PEM format. For example, if you would use the following command to connect through the mongo shell:

mongo --ssl --sslCAFile /etc/ssl/ca.pem

Then you would set sslTrustedServerCertificates to /etc/ssl/ca.pem.


By default, the sslRequireValidServerCertificates setting is true, and a valid trusted certificate is required to connect to MongoDB instances using SSL.

When Monitoring is managed by Automation, this setting cannot be set to false. However, you can set sslRequireValidServerCertificates to false if you install and configure Monitoring manually. When sslRequireValidServerCertificates is false, you do not need to set the sslTrustedServerCertificates setting because Cloud Manager will not verify the certificates.


Setting sslRequireValidServerCertificates to false makes connections between Monitoring and MongoDB databases susceptible to man-in-the-middle attacks. Setting sslRequireValidServerCertificates to false is recommended only for testing and not for production.

For additional information on these settings, including client certificate support, see MongoDB TLS Settings.
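
One way to check a manually configured agent against the two settings described above, as an added example that is not part of the Cloud Manager documentation. It assumes the deployment uses SSL and that monitoring-agent.config holds key=value lines; the function names and return codes are hypothetical.

```shell
#!/bin/sh
# Added example: audit the SSL settings in a monitoring-agent.config file.
# Assumption: the file holds key=value lines; lines starting with '#' are ignored.

# Print the last value assigned to key $2 in file $1 (empty if unset).
get_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Return 0 if server certificates are verified against a usable CA file.
# 1: validation disabled, 2: CA path unset, 3: CA file unreadable,
# 4: CA file holds no PEM certificate.
audit_agent_ssl() {
    require=$(get_setting "$1" sslRequireValidServerCertificates)
    ca_file=$(get_setting "$1" sslTrustedServerCertificates)
    # The setting defaults to true, so only an explicit false disables checks.
    case $require in
        [Ff][Aa][Ll][Ss][Ee])
            echo "FAIL: sslRequireValidServerCertificates=false, certificates are not verified"
            return 1 ;;
    esac
    if [ -z "$ca_file" ]; then
        echo "FAIL: sslTrustedServerCertificates is not set"; return 2
    fi
    if [ ! -r "$ca_file" ]; then
        echo "FAIL: CA file $ca_file is missing or unreadable"; return 3
    fi
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$ca_file" || true)
    if [ "$count" -eq 0 ]; then
        echo "FAIL: $ca_file contains no PEM certificate"; return 4
    fi
    echo "OK: verifying against $count CA certificate(s) in $ca_file"
}

# With a path argument, audit that file; otherwise run on constructed samples.
if [ $# -gt 0 ]; then
    audit_agent_ssl "$1"
else
    demo=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' \
        '-----END CERTIFICATE-----' > "$demo/ca.pem"
    printf 'sslTrustedServerCertificates=%s\n' "$demo/ca.pem" > "$demo/ok.config"
    echo 'sslRequireValidServerCertificates=false' > "$demo/weak.config"
    audit_agent_ssl "$demo/ok.config"
    audit_agent_ssl "$demo/weak.config" || true
    rm -rf "$demo"
fi
```

The check only confirms that the CA file is present and PEM-shaped; it does not validate the certificates themselves or test the connection to MongoDB.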


Restart the agent.

Connections between Agents and Cloud Manager

Monitoring Agents connect to Cloud Manager using TLS/SSL.