Navigation
  • Security >
  • Enable TLS for a Deployment

Enable TLS for a Deployment

On this page

For Cloud Manager to monitor, deploy, or back up a MongoDB deployment that uses TLS, you must enable TLS for the Cloud Manager project.

Considerations

Topics Not in Scope

A full description of Transport Layer Security, public key infrastructure, X.509 certificates, and Certificate Authorities is beyond the scope of this tutorial. This tutorial assumes prior knowledge of TLS/SSL and access to valid X.509 certificates.

Note

If you want to reset Authentication and SSL settings for your project, first unmanage any MongoDB deployments that Cloud Manager manages in your project.

Procedures

Important

You must complete:

  1. Set Existing Deployments to Use TLS, then
  2. Enable TLS for the Project

before you click Review & Deploy.

Set Existing Deployments to Use TLS

If you wish to enable TLS for existing MongoDB deployments in your Cloud Manager project:

1

Click Deployment, then click the Processes tab, and then the Topology view.

2

On the line listing the process, click Modify.

3

Expand the Advanced Configuration Options section.

4

Set the TLS/SSL startup options.

  1. Click Add Option to add each of the following options:

    Option Required Value
    tlsMode Required Select requireTLS.
    tlsCertificateKeyFile Required Provide the absolute path to the server certificate.
    tlsCertificateKeyFilePassword Required Provide the PEM key file password if you encrypted it.
    tlsFIPSMode Optional Select true if you want to enable FIPS mode.
  2. After adding each option, click Add.

  3. When you have added the required options, click Save.

Enable TLS for the Project

1
2

Choose your Authentication Mechanisms.

  1. On the Select Authentication Mechanisms screen, enable one or more Authentication Mechanisms.

    TLS works with all authentication mechanisms.

  2. Click Next.

3

Specify the TLS Settings.

Field Action
Enable TLS Toggle this slider to Yes.
TLS CA File Path

The TLS Certificate Authority file is a .pem-format certificate file that contains the root certificate chain from the Certificate Authority. The MongoDB Agent uses this same Certificate Authority file to connect to every item in your deployment.

Type the file path to the TLS Certificate Authority file on every host running a MongoDB process:

  • Type the file path on all Linux hosts in the first box.
  • Type the file path on all Windows hosts in the second box.

This enables the net.tls.CAFile setting for the MongoDB processes in the project.

Client Certificate Mode

Specify whether client TLS certificates are optional or required for every MongoDB deployment in the project.

OPTIONAL

You may choose which MongoDB deployments in this project use TLS-encrypted network connections.

mongod tlsMode All Agents Connect with TLS
allowTls, preferTls, or requireTls Yes
None No
REQUIRED Every MongoDB deployment in this project starts with TLS-encrypted network connections. All Agents must use TLS to connect to any MongoDB deployment.

Click Continue.

4

Configure the MongoDB Agents.

  1. In the Agent Auth Mechanism list, click the same authentication mechanisms that you did for the project.
  2. Follow the procedure to configure the MongoDB Agent to use that authentication method:

Note

If you had TLS certificates for Legacy Agents, see What if I had TLS certificates for Legacy Backup or Monitoring Agents? at the end of this procedure for guidance.

5

Click Save to set your changes.

6

Click Review & Deploy to review your changes.

Cloud Manager displays your proposed changes.

  1. If you are satisfied, click Confirm & Deploy.
  2. If you want to make further configuration changes, click Cancel. Click Modify for the cluster to make additional changes.

What if I had TLS certificates for Legacy Backup or Monitoring Agents?

  • If you updated to the MongoDB Agent from deployments that used Automation, the MongoDB Agent manages the TLS settings.

  • If you updated to the MongoDB Agent from deployments that did not use Automation but you had Backup Agents, Monitoring Agents, or both, you can set your Backup Agent and Monitoring Agent-specific settings during the Agent update or through the following procedure:

    1. Navigate to Deployment arrow right icon Agents arrow right icon Downloads & Settings arrow right icon Custom Configurations arrow right icon Edit Custom Configuration.
    2. Click pencil icon .
    3. Under the Backup Configurations section:
      1. Type the desired setting in the Setting box and its corresponding value in the Value box.
      2. To add more than one Setting, click the + Add Setting link. Another row appears.
      3. Repeat until all settings have been added.
    4. Under the Monitoring Configurations section:
      1. Type the desired setting in the Setting box and the corresponding value in the Value box.
      2. To add more than one Setting, click the + Add Setting link. Another row appears.
      3. Repeat until all settings have been added.

    You can click the trash icon to remove any settings that you have added.