Enable SSL for a Deployment

For Cloud Manager to monitor, deploy, or back up a MongoDB deployment that uses TLS/SSL, you must enable TLS/SSL for the Cloud Manager project.

Considerations

Topics Not in Scope

A full description of Transport Layer Security, public key infrastructure, X.509 certificates, and Certificate Authorities is beyond the scope of this tutorial. This tutorial assumes prior knowledge of TLS/SSL and access to valid X.509 certificates.

MongoDB 2.6 Supports TLS/SSL in Enterprise Only

To enable TLS/SSL for a deployment in MongoDB 2.6 and earlier, you must use the MongoDB Enterprise Edition or create a custom build with TLS/SSL enabled. To configure the available MongoDB versions for your Cloud Manager project, see Configure Available MongoDB Versions.

Note

If you want to reset Authentication and SSL settings for your project, first unmanage any MongoDB deployments that Cloud Manager manages in your project.

Procedures

Important

You must complete:

  1. Set Existing Deployments to Use TLS/SSL, then
  2. Enable SSL for the Project

before you click Review & Deploy.

Set Existing Deployments to Use TLS/SSL

If you wish to enable TLS/SSL for existing MongoDB deployments in your Cloud Manager project:

1

Click Deployment, then click the Processes tab, and then the Topology view.

2

On the line listing the process, click Modify.

3

Expand the Advanced Options area.

4

Set the TLS/SSL startup options.

  1. Click Add Option to add each option.

    Option              Value
    sslmode             Select requireSSL.
    sslPemKeyFile       Provide the path to the client certificate.
    sslPemKeyPassword   If you encrypted the PEM key file, provide its password.
  2. When you have added the required settings, click Apply.

Enable TLS/SSL for the Project

Before using TLS/SSL in a deployment, you must enable TLS/SSL for the project. You can set TLS/SSL as optional or required for every deployment in the project.

1
2

On the Select Authentication Mechanisms screen, click Next.

If you wish to enable one or more Authentication Mechanisms for your Cloud Manager project, select them and then click Next.

3

Specify the SSL Settings.

Field
    Action

Enable TLS/SSL
    Toggle this slider to Yes.

TLS/SSL CA File Path
    The TLS/SSL CA file is a .pem-format certificate file that contains the root certificate chain from the CA. The Monitoring and Backup Agents use this same CA file to connect to every item in your deployment.

    Type the file path to the SSL CA file on every host running a MongoDB process:

      • Type the file path on all Linux hosts in the first box.
      • Type the file path on all Windows hosts in the second box.

    This enables the net.ssl.CAFile setting for the MongoDB processes in the project.

Client Certificate Mode
    Specify whether client TLS/SSL certificates are optional or required for every MongoDB deployment in the project.

    OPTIONAL
        You may choose which MongoDB deployments in this project use TLS/SSL-encrypted network connections.

          • If you start a MongoDB deployment with TLS/SSL, all Agents connect to that deployment with TLS/SSL.
          • If you start a MongoDB deployment without TLS/SSL, all Agents connect to that deployment without TLS/SSL.

    REQUIRED
        Every MongoDB deployment in this project starts with TLS/SSL-encrypted network connections. All Agents must use TLS/SSL to connect to any MongoDB deployment.

Click Continue.

4

Configure the Cloud Manager Agents.

Field
    Action

Agent Auth Mechanism
    In this list, click X.509 Client Certificate.

Automation Agent Username
    Type the MongoDB user name for the Automation Agent.

Backup Agent Username
    Type the MongoDB user name for the Backup Agent.

Monitoring Agent Username
    Type the MongoDB user name for the Monitoring Agent.

Automation Agent PEM Key File
    Type the file path on the Agent hosts to the PEM key file.

      • The first box is for all Linux Agent hosts.
      • The second box is for all Windows Agent hosts.

Automation Agent PEM Key Password
    Optional. If you encrypted the Agent’s PEM key file, enter its password in this box.

Backup Agent PEM Key File
    Type the file path on the Agent hosts to the PEM key file.

      • The first box is for all Linux Agent hosts.
      • The second box is for all Windows Agent hosts.

Backup Agent PEM Key Password
    Optional. If you encrypted the Agent’s PEM key file, enter its password in this box.

Monitoring Agent PEM Key File
    Type the file path on the Agent hosts to the PEM key file.

      • The first box is for all Linux Agent hosts.
      • The second box is for all Windows Agent hosts.

Monitoring Agent PEM Key Password
    Optional. If you encrypted the Agent’s PEM key file, enter its password in this box.

Click Save.

5

Click Review & Deploy to review your changes.

6

Click Confirm & Deploy to deploy your changes.

Otherwise, click Cancel and you can make additional changes.
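
An added pre-flight check, not part of the Cloud Manager documentation: before typing a path into sslPemKeyFile, an Agent PEM Key File box, or the TLS/SSL CA File Path box, this Python example inspects the file's PEM labels to confirm that a key file holds a certificate plus one private key, reports whether a PEM key password is needed, and flags a CA file that carries a private key. The function names, the CA-file hygiene rule, and the sample blocks are assumptions constructed for illustration.

```python
import re

# One PEM block; BEGIN and END labels must match (RFC 7468 textual encoding).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def pem_blocks(text):
    return PEM_BLOCK.findall(text)  # [(label, body), ...]

def key_is_encrypted(label, body):
    # PKCS#8 encrypted keys carry their own label; legacy OpenSSL keys keep
    # e.g. "RSA PRIVATE KEY" and add a "Proc-Type: 4,ENCRYPTED" header.
    return label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body

def check_pem_key_file(text):
    """Check a file destined for sslPemKeyFile or an Agent PEM Key File box."""
    blocks = pem_blocks(text)
    keys = [(lab, body) for lab, body in blocks if lab.endswith("PRIVATE KEY")]
    problems = []
    if not any(lab == "CERTIFICATE" for lab, _ in blocks):
        problems.append("no certificate")
    if len(keys) != 1:
        problems.append("expected one private key, found %d" % len(keys))
    return {"problems": problems,
            "needs_password": any(key_is_encrypted(l, b) for l, b in keys)}

def check_ca_file(text):
    """Check a file destined for the TLS/SSL CA File Path box."""
    labels = [lab for lab, _ in pem_blocks(text)]
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no CA certificate")
    # Added hygiene rule (assumption): this file is copied to every host,
    # so it should hold certificates only, never a private key.
    if any(lab.endswith("PRIVATE KEY") for lab in labels):
        problems.append("contains a private key")
    return problems

def sample_pem(label, body="Q09OU1RSVUNURUQ=\n"):
    # Constructed placeholder block: the body is not real key material.
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, body, label)

# Constructed samples: PKCS#8-encrypted key and legacy-encrypted RSA key.
ENCRYPTED_PEM = sample_pem("CERTIFICATE") + sample_pem("ENCRYPTED PRIVATE KEY")
LEGACY_PEM = sample_pem("CERTIFICATE") + sample_pem(
    "RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\n\nQ09OU1RSVUNURUQ=\n")

if __name__ == "__main__":
    print(check_pem_key_file(LEGACY_PEM), check_ca_file(LEGACY_PEM))
```

The check reads PEM labels only; it does not prove that the key matches the certificate or that the certificate chains to the CA.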