Enable SSL for a Deployment

Overview

For Cloud Manager to monitor, deploy, or back up a MongoDB deployment that uses SSL, you must enable SSL for the Cloud Manager project. The SSL settings apply to all deployments managed by Cloud Manager.

Important

A full description of TLS/SSL, PKI (Public Key Infrastructure) certificates, x.509 certificates, and Certificate Authorities is beyond the scope of this document. This tutorial assumes prior knowledge of TLS/SSL as well as access to valid x.509 certificates.

Note

If Cloud Manager is not managing any MongoDB deployment, you can reset Authentication and SSL settings for your project.

To remove all authentication and security settings as well as the users and roles you created using Cloud Manager, click Clear Settings in the Authentication & SSL Settings dialog box.

See Clear Security Settings for more information.

To unmanage MongoDB deployments, see Remove a Process from Management or Monitoring.

Procedures

Warning

For MongoDB 2.6 and below, you must use the MongoDB Enterprise Edition, which includes SSL, or add a custom build with SSL enabled. To configure the available MongoDB versions, see: Configure Available MongoDB Versions.

Important

You must complete both of the following procedures in the order given before you click Review & Deploy.

Ensure Existing Deployments are Using SSL

If you wish to enable SSL for a Cloud Manager project that includes MongoDB deployments, use the following procedure to ensure that the MongoDB deployments are configured to use SSL:

1

Click Deployment, then click the Processes tab, and then the Topology view.

2

On the line listing the process, click Modify.

3

Expand the Advanced Options area.

4

Set the SSL startup options.

  1. Click Add Option to add each option.

    Option              Value
    sslmode             Select requireSSL.
    sslPemKeyFile       Provide the path to the client certificate.
    sslPemKeyPassword   If you encrypted the PEM key file, provide its password.
  2. When you have added the required settings, click Apply.

Enable SSL for the Project

You can manage both SSL and non-SSL MongoDB deployments in the same project.

1
2

On the Select Authentication Mechanisms screen, click Next.

If you wish to enable one or more Authentication Mechanisms for your Cloud Manager group, select them and then click Next.

3

Toggle the Enable SSL slider to Yes.

4

Specify the path to the SSL CA file and choose the Client Certificate Mode, then click Continue.

The SSL CA file is a .pem file that contains the root certificate chain from the Certificate Authority. The Monitoring and Backup Agents use the CA file for connections to your deployment.

The Client Certificate Mode specifies whether client certificates are required for each mongod and mongos in the deployment.

  • OPTIONAL: Cloud Manager starts each mongod and mongos process with both net.ssl.CAFile and net.ssl.allowConnectionsWithoutCertificates. As such, mongod and mongos processes need not possess client certificates.
  • REQUIRED: Cloud Manager starts each mongod and mongos with the net.ssl.CAFile setting. Each mongod and mongos must possess a client certificate.
5

Provide SSL credentials for the Cloud Manager Agents

Specify the path to the .pem file that contains both the TLS/SSL certificate and key for each agent. If needed, specify the password to decrypt the .pem certificate-key file.

Ensure you use the correct input box for your operating system.

6

Click Review & Deploy to review your changes.

Important

Ensure that your existing deployments use SSL before you click Review & Deploy.

7

Review and approve your changes.

Cloud Manager displays your proposed changes.

  1. If you are satisfied, click Confirm & Deploy.
  2. Otherwise, click Cancel and you can make additional changes.
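
The following is an added example, not part of the original page or of Cloud Manager: a structural pre-check of the files named in the procedures above (the certificate-key .pem for sslPemKeyFile and the agents, and the SSL CA file) that can be run before clicking Review & Deploy. The function names and the sample PEM text are constructed for illustration, and the rules it applies (exactly one private key per certificate-key file, no private key in the CA file) are assumptions of this example; it inspects PEM structure only and does not validate the certificates.

```python
import re

# Matches one PEM block and captures its label and body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def inspect_pem(text):
    """Summarise the PEM blocks found in text (structure only, no crypto)."""
    info = {"certs": 0, "keys": 0, "encrypted_key": False}
    for label, body in PEM_BLOCK.findall(text):
        if label == "CERTIFICATE":
            info["certs"] += 1
        elif label.endswith("PRIVATE KEY"):
            info["keys"] += 1
            # PKCS#8 marks encryption in the label, legacy PEM in a header.
            if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
                info["encrypted_key"] = True
    return info

def check_key_file(text, password_given):
    """Problems with a certificate-key .pem (sslPemKeyFile or agent file)."""
    info, problems = inspect_pem(text), []
    if info["certs"] == 0:
        problems.append("no certificate in file")
    if info["keys"] != 1:
        problems.append("expected exactly one private key, found %d" % info["keys"])
    if info["encrypted_key"] and not password_given:
        problems.append("key is encrypted but no password supplied")
    return problems

def check_ca_file(text):
    """Problems with the SSL CA file: certificates only, never a key."""
    info, problems = inspect_pem(text), []
    if info["certs"] == 0:
        problems.append("no CA certificate in file")
    if info["keys"]:
        problems.append("CA file contains a private key")
    return problems

def pem_block(label, body="Q09OU1RSVUNURUQ="):  # constructed placeholder body
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

# Constructed sample inputs (not real certificates or keys).
SAMPLE_KEY_FILE = pem_block("CERTIFICATE") + pem_block("ENCRYPTED PRIVATE KEY")
SAMPLE_CA_FILE = pem_block("CERTIFICATE") + pem_block("CERTIFICATE")

if __name__ == "__main__":
    print(check_key_file(SAMPLE_KEY_FILE, password_given=False))
    print(check_ca_file(SAMPLE_CA_FILE))
```

To check real files, read each one as text and pass the contents to check_key_file or check_ca_file; an empty list means no structural problem was found.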