[DOCS-12152] Clarify how to configure client certificate and CA file for oplog store and blockstore
Created: 19/Oct/18  Updated: 29/Oct/23  Resolved: 04/May/19

Status: Closed
Project: Documentation
Component/s: Ops Manager
Affects Version/s: 4.0.0
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Dmitry Ryabtsev Assignee: Anthony Sansone (Inactive)
Resolution: Fixed Votes: 0
Labels: None
Σ Remaining Estimate: Not Specified Remaining Estimate: Not Specified
Σ Time Spent: Not Specified Time Spent: Not Specified
Σ Original Estimate: Not Specified Original Estimate: Not Specified
Environment:

https://docs.opsmanager.mongodb.com/current/tutorial/configure-ssl-connection-to-backing-mongodb


Attachments: PNG File check_box.png    
Sub-Tasks:
Key Summary Type Status Assignee
DOCS-12679 Backport DOCS-12152 Add to v4.1 Backport Sub-Task Closed Anthony Sansone  
DOCS-12680 Backport DOCS-12152 Add to v4.0 Backport Sub-Task Closed Anthony Sansone  
Participants:
Days since reply: 4 years, 40 weeks, 4 days ago
Epic Link: DOCSP-1743
Story Points: 0.2

 Description   

Description

In the UI for both oplog store and blockstore configuration, we only have the `Use TLS/SSL` check box:

However, there is no way to configure the client certificate location or CA file from the UI.

I suspect that the answer is that SSL needs to be enabled for the Application Database and that mongodb.ssl.CAFile, mongodb.ssl.PEMKeyFile and mongodb.ssl.PEMKeyFilePassword from conf-mms.properties will be used for the oplog store.

Consequently, it is not possible to use a different set of certificates for blockstore/oplog store than those that are used for the App DB.

But it is not really obvious from the documentation:

Scope of changes

Impact to Other Docs

MVP (Work and Date)

Resources (Scope or Design Docs, Invision, etc.)



 Comments   
Comment by Githook User [ 04/May/19 ]

Author:

{'name': 'Anthony Sansone', 'username': 'atsansone', 'email': 'tony.sansone@mongodb.com'}

Message: (DOCS-12680): Backport DOCS-12152-add to v4.0

(cherry picked from commit b98e1ae831128128827ac482cb4060f202ab86de)
Branch: v4.0
https://github.com/10gen/mms-docs/commit/b88cc2f3c6462016f9b5654231faf7e528442c3b

Comment by Githook User [ 04/May/19 ]

Author:

{'name': 'Anthony Sansone', 'username': 'atsansone', 'email': 'tony.sansone@mongodb.com'}

Message: (DOCS-12679): Backport DOCS-12152-add to v4.1

(cherry picked from commit b98e1ae831128128827ac482cb4060f202ab86de)
Branch: v4.1
https://github.com/10gen/mms-docs/commit/89bd7fe6b33c5fe7ce1696dd08bc1ea3d1f404aa

Comment by Githook User [ 04/May/19 ]

Author:

{'name': 'Anthony Sansone', 'username': 'atsansone', 'email': 'tony.sansone@mongodb.com'}

Message: (DOCS-12152): Added TLS info to backing database pages.
Branch: master
https://github.com/10gen/mms-docs/commit/077824a581d337190019ff3ef8190de94e5dad9b

Comment by Emilio Scalise [ 30/Jan/19 ]

I am reopening this case because, while the Configure the Connections to the Backing MongoDB Instances page clarifies that the mongo.ssl.* configuration settings will apply to all the connections to all the backing databases, this is not mentioned in the Ops Manager configuration reference page.

Additionally, this should be clearly mentioned in the following pages for the blockstore db, s3 blockstore and oplog db configuration docs pages:

https://docs.opsmanager.mongodb.com/current/tutorial/manage-blockstore-storage/#provide-the-blockstore-details
https://docs.opsmanager.mongodb.com/current/tutorial/manage-s3-blockstore-storage/#provide-the-s3-blockstore-details
https://docs.opsmanager.mongodb.com/current/tutorial/manage-oplog-storage/#in-the-mongodb-connection-column-update-any-values-that-need-to-be-changed-in-the-following-fields

Comment by Githook User [ 20/Nov/18 ]

Author:

{'name': 'Anthony Sansone', 'email': 'tony.sansone@mongodb.com', 'username': 'atsansone'}

Message: (DOCS-12152-v4.0): Updated SSL information.
Branch: v4.0
https://github.com/10gen/mms-docs/commit/7f83a999d8aae31dfbd8edd13584a87e05cc98fb

Comment by Githook User [ 19/Nov/18 ]

Author:

{'name': 'Anthony Sansone', 'email': 'tony.sansone@mongodb.com', 'username': 'atsansone'}

Message: (DOCS-12152): Updated SSL information.
Branch: master
https://github.com/10gen/mms-docs/commit/748955d7f6a26c6010ada1d032d85236e2a2cd8b

Comment by John Morales [ 23/Oct/18 ]

Confirmed, both of dmitry.ryabtsev's points are correct:

  • SSL needs to be enabled for the Application Database and that mongodb.ssl.CAFile, mongodb.ssl.PEMKeyFile and mongodb.ssl.PEMKeyFilePassword from conf-mms.properties will be used for the oplog store.
  • It is not possible to use a different set of certificates for blockstore/oplog store than those that are used for the App DB.
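
A check that follows from the two points confirmed above, as an added example that is not part of this ticket or of Ops Manager: because one set of mongodb.ssl.* values in conf-mms.properties serves the App DB, oplog store and blockstore, a single audit of that file covers all three connections. The function names and the "no group/other access" permission policy are assumptions made for the example, and the sample files are constructed.

```python
import os
import stat
import tempfile

# Settings named in the ticket: one set, shared by App DB, oplog store and blockstore.
CA, KEY, PWD = ("mongodb.ssl.CAFile", "mongodb.ssl.PEMKeyFile",
                "mongodb.ssl.PEMKeyFilePassword")

def parse_properties(text):
    """Parse simple key=value lines (no continuations or escapes)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props

def loose(path):
    """True if group or other has any permission bit on path (assumed policy)."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

def audit_shared_tls(conf_path):
    """Return findings for the TLS material every backing database connection uses."""
    with open(conf_path) as fh:
        props = parse_properties(fh.read())
    findings = []
    for key in (CA, KEY):
        path = props.get(key)
        if not path:
            findings.append(f"{key}: not set")
        elif not os.path.isfile(path):
            findings.append(f"{key}: file not found")
        elif key == KEY and loose(path):
            findings.append(f"{key}: key file accessible to group/other")
    if props.get(PWD) and loose(conf_path):
        findings.append(f"{PWD}: stored in a file accessible to group/other")
    return findings

def demo():
    """Constructed sample: throwaway files standing in for a real installation."""
    d = tempfile.mkdtemp()
    ca, key, conf = (os.path.join(d, n)
                     for n in ("ca.pem", "client.pem", "conf-mms.properties"))
    conf_body = f"# constructed\n{CA}={ca}\n{KEY}={key}\n{PWD}=example\n"
    for path, mode, body in ((ca, 0o644, "constructed CA\n"),
                             (key, 0o644, "constructed key\n"), (conf, 0o600, conf_body)):
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return audit_shared_tls(conf)
```
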

Comment by Isabel Peters [ 22/Oct/18 ]

delegating to brs team. john.morales

Comment by Anthony Sansone (Inactive) [ 22/Oct/18 ]

isabel.peters: Can you confirm that the SSL settings in the conf-mms.properties are the only place to set SSL for the blockstore and oplog store?

Generated at Thu Feb 08 08:04:30 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.