-
Title
Configuring a SSL Connection for the MongoDB agent -
Description
How to configure a SSL connection for the MongoDB agent -
Resolution
The below instructions cover common steps used to configure a TLS/SSL connection from the MongoDB Agent client. For full information on secure connections and server-side configuration, refer to the Transport Encryption section of the MongoDB documentation for your version.
In order to use SSL, your MongoDB server must include SSL support and allow SSL connections.
The client requires a client certificate and certificate authority (CA) certificate. These certificates must be imported into the FglAM keystore. You can use the bundled keytool, which will be located in the Foglight Agent Manager\jre\1.8.0.72\jre\bin directory, or the equivalent on your system, with these commands:
keytool.exe -import -file ca.pem -keystore truststore -alias mongoCACert keytool.exe -import -file client.pem -keystore keystore -alias mongoClientCertificateIf you have not changed the password for the keystore, the default password will be “changeit”. Next, edit the baseline.jvmargs.config file in the Foglight Agent Manager\state\default\config directory and add the following parameters with file paths and passwords appropriate for your system. Escape any quotes with a ‘\’.
vmparameter.0 = "-Djavax.net.ssl.keyStore=\"C:/Foglight Agent Manager/jre/1.8.0.72/jre/bin/keystore\""; vmparameter.1 = "-Djavax.net.ssl.keyStorePassword=changeit"; vmparameter.2 = "-Djavax.net.ssl.trustStore=\"C:/Foglight Agent Manager/jre/1.8.0.72/jre/bin/truststore\""; vmparameter.3 = "-Djavax.net.ssl.trustStorePassword=changeit";Then, restart the FglAM and continue with the agent configuration, setting the “Use TLS/SSL?” option in the Agent Properties to true. If the client certificate is not configured specifically for the FglAM host, you can also set the “Allow Invalid Cert Hostname?” option to true to allow the certificate to be used anyway.
-
Additional Information
External client certificates
If the client certificate was created externally (E.g. OpenSSL), then both the certificate and private key need to be imported into an existing Java keystore. Note that a private key cannot be imported directly to an existing keystore; a new keystore file must be created and then imported to an existing one (or use as is). For example:
To create new keystore with a private key and certificate:
openssl pkcs12 -export -in [certificate-file] -inkey [privatekey-file] -name [aliasname] -out [keystore]To import the certificate to an existing keystore:
keytool -importkeystore -deststorepass [password] -destkeystore [destination-keystore] -srckeystore [source-keystore] -srcalias [aliasname]Additional properties for the client certificate
The client certificate may need to following additional properties:
- keyUsage = digitalSignature
- extendedKeyUsage = clientAuth
Additional information on the MongoDB documentation: Use x.509 Certificates to Authenticate Clients