[DOCS-3101] OnPrem1.4: Updates to instructions for configuring Jetty to run HTTPS Created: 09/Apr/14  Updated: 16/Mar/15  Resolved: 06/May/14

Status: Closed
Project: Documentation
Component/s: Cloud Manager
Affects Version/s: None
Fix Version/s: v1.3.5, mms-1.4

Type: Improvement Priority: Critical - P2
Reporter: John Morales Assignee: Bob Grabar
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to DOCS-3049 Port "Configure Jetty HTTPS" tutorial... Closed

 Description   

On-Prem 1.4 brings some configuration changes to the "Configure Jetty for HTTPS" tutorial. Details are below, but the highlights of the change are:

  • There is now a distinction between the keystore (the server's own key and certificate) and the truststore (the certificates the server trusts)
  • The monitoring agent now validates SSL certificates by default

Details

1.) Typo here

-If the signed certifcate is PEM format, convert the certificate...
+If the signed certifcate is DER format, convert the certificate...
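Review bot: the + line carries the misspelling "certifcate" over from the line it replaces; since this hunk exists to fix a typo, correct the spelling in the same change: `+If the signed certificate is DER format, convert the certificate...`.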

2.) New section at start of "Procedure" heading, before "Create Java Keystore"

Create Java Truststore
Generate Truststore
Import the PEM certificate into a Java truststore, so that the MMS server trusts its own certificate when it makes HTTPS requests to its "mms.centralUrl":
 
/opt/mongodb/mms/jdk/bin/keytool -import -keystore mms-truststore.jks -file mms-ssl-unified.crt 
 
Replace /opt/mongodb/mms with the path of the installation directory for the MMS server. /opt/mongodb/mms is the default installation directory.
 
keytool prompts for a passphrase for the new truststore, and then asks for a yes/no confirmation before importing the certificate.

3.) Set Truststore and Keystore Location and Permissions

Issue the following sequence of commands to move the Java keystore and truststore files to the /etc/mongodb-mms directory and set the appropriate permissions:
 
sudo mv mms-truststore.jks mms-keystore.jks /etc/mongodb-mms/
sudo chown mongodb-mms:root /etc/mongodb-mms/*.jks
sudo chmod 600 /etc/mongodb-mms/*.jks
If the MMS application server runs as a different user, change mongodb-mms in the chown command as needed.

4.) Configure MMS Application to use SSL (both the truststore and the keystore properties are now set)

JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslTrustStorePath=/etc/mongodb-mms/mms-truststore.jks"
JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslTrustStoreEncryptedPassword=f6a5a6b19603c0c04f-97dbb68c2bb1"
 
JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslKeyStorePath=/etc/mongodb-mms/mms-keystore.jks"
JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslKeyStoreEncryptedPassword=f6a5a6b19603c0c04f-97dbb68c2bb1"

5.) New section after "Restart MMS Application Server"

Starting with On-Prem MMS 1.4, the monitoring agent validates the SSL certificate of the MMS server by default. This means the monitoring agent must be explicitly configured to trust the MMS server's certificate unless that certificate is signed by a CA the agent already trusts.
 
To specify a self-signed certificate of the MMS server that the monitoring agent should trust, first copy your PEM certificate to /etc/mongodb-mms/:
 
sudo cp -a mms-ssl-unified.crt /etc/mongodb-mms/
sudo chown mongodb-mms-agent:mongodb-mms-agent /etc/mongodb-mms/mms-ssl-unified.crt
sudo chmod 600 /etc/mongodb-mms/mms-ssl-unified.crt
 
Then set the following parameter in /etc/mongodb-mms/monitoring-agent.config:
 
sslTrustedMMSServerCertificate=/etc/mongodb-mms/mms-ssl-unified.crt
 
Restart your monitoring agent for the configuration update to take effect:
 
sudo /etc/init.d/mongodb-mms-monitoring-agent restart
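The following audit script is an added example and is not part of the ticket or the MMS documentation. It checks the end state that steps 3 to 5 are meant to produce: both .jks stores and the agent's trusted certificate exist with mode 0600 (optionally owned by the expected user), all four -Dxgen.webServerSsl* properties appear in JAVA_MMS_SSL_OPTS assignments, and the paths those properties name are real files. The property and file names come from the ticket; the name of the server config file (mms.conf), the fixture directory and its contents are assumptions constructed here so that the script runs offline.

```sh
#!/bin/sh
# Added audit for the keystore/truststore/agent-trust setup described above.
# Not from the MMS docs. File name "mms.conf" and the fixture below are assumed.

# is_private_file FILE [OWNER]
# Succeeds when FILE is a regular file with mode exactly -rw------- and,
# if OWNER is given, is owned by that user (owner taken from ls -ld field 3).
is_private_file() {
    f="$1"; want_owner="${2:-}"
    [ -f "$f" ] || return 1
    set -- $(ls -ld "$f")           # $1 = mode string, $3 = owner name
    [ "$(printf '%s' "$1" | cut -c1-10)" = "-rw-------" ] || return 1
    [ -z "$want_owner" ] || [ "$3" = "$want_owner" ]
}

# check_mms_ssl_opts CONF [OWNER]
# Echoes "ok" when CONF sets all four -Dxgen.webServerSsl* properties in
# JAVA_MMS_SSL_OPTS assignments and both *Path values point at private files.
check_mms_ssl_opts() {
    conf="$1"; owner="${2:-}"
    for key in webServerSslTrustStorePath webServerSslTrustStoreEncryptedPassword \
               webServerSslKeyStorePath webServerSslKeyStoreEncryptedPassword; do
        grep -q "^JAVA_MMS_SSL_OPTS=.*-Dxgen\.${key}=" "$conf" \
            || { echo "missing -Dxgen.${key} in $conf"; return 1; }
    done
    for key in webServerSslTrustStorePath webServerSslKeyStorePath; do
        # value runs up to the next space or closing double quote
        path=$(sed -n "s/^JAVA_MMS_SSL_OPTS=.*-Dxgen\.${key}=\([^\" ]*\).*/\1/p" "$conf" | head -n 1)
        is_private_file "$path" "$owner" \
            || { echo "$key=$path is missing, wrongly owned, or not mode 0600"; return 1; }
    done
    echo ok
}

# check_agent_trust AGENT_CONF [OWNER]
# Echoes "ok" when sslTrustedMMSServerCertificate names an existing private file.
check_agent_trust() {
    agent_conf="$1"; owner="${2:-}"
    cert=$(sed -n 's/^sslTrustedMMSServerCertificate=//p' "$agent_conf" | head -n 1)
    [ -n "$cert" ] || { echo "sslTrustedMMSServerCertificate not set in $agent_conf"; return 1; }
    is_private_file "$cert" "$owner" \
        || { echo "$cert is missing, wrongly owned, or not mode 0600"; return 1; }
    echo ok
}

# --- constructed fixture standing in for /etc/mongodb-mms (empty placeholder files,
# --- not real key material) ---
FIXTURE=$(mktemp -d)
for f in mms-keystore.jks mms-truststore.jks mms-ssl-unified.crt; do
    : > "$FIXTURE/$f"
    chmod 600 "$FIXTURE/$f"
done
cat > "$FIXTURE/mms.conf" <<EOF
JAVA_MMS_SSL_OPTS="\${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslTrustStorePath=$FIXTURE/mms-truststore.jks"
JAVA_MMS_SSL_OPTS="\${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslTrustStoreEncryptedPassword=f6a5a6b19603c0c04f-97dbb68c2bb1"
JAVA_MMS_SSL_OPTS="\${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslKeyStorePath=$FIXTURE/mms-keystore.jks"
JAVA_MMS_SSL_OPTS="\${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslKeyStoreEncryptedPassword=f6a5a6b19603c0c04f-97dbb68c2bb1"
EOF
cat > "$FIXTURE/monitoring-agent.config" <<EOF
sslTrustedMMSServerCertificate=$FIXTURE/mms-ssl-unified.crt
EOF

# Run against the fixture without an owner argument (the fixture is not chown'ed).
# On a real host pass "mongodb-mms" for the server check and "mongodb-mms-agent"
# for the agent check, matching the chown commands in steps 3 and 5.
check_mms_ssl_opts "$FIXTURE/mms.conf"
check_agent_trust "$FIXTURE/monitoring-agent.config"
```

On a real host run it as root against /opt/mongodb/mms/conf/mms.conf (assumed location) and /etc/mongodb-mms/monitoring-agent.config, with the owner arguments given above; a world-readable .jks or .crt, or a stale path left over from the old single-keystore layout, fails the check with the offending key or file named.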



 Comments   
Comment by Githook User [ 02/Sep/14 ]

Author: Bob Grabar (bgrabar, bob.grabar@10gen.com)

Message: DOCS-3101: same passphrase is required for Java as for PKCS12
Branch: next
https://github.com/10gen/mms-docs/commit/739b0ac5eec5026b1e7d1813dcfdb1384b0c571a

Comment by Githook User [ 06/May/14 ]

Author: Bob Grabar (bgrabar, bob.grabar@10gen.com)

Message: DOCS-3101: same passphrase is required for Java as for PKCS12
Branch: master
https://github.com/10gen/mms-docs/commit/739b0ac5eec5026b1e7d1813dcfdb1384b0c571a

Comment by Githook User [ 06/May/14 ]

Author: Bob Grabar (bgrabar, bob.grabar@10gen.com)

Message: DOCS-3101: same passphrase is required for Java as for PKCS12
Branch: v1.4
https://github.com/10gen/mms-docs/commit/9fc0917fc06385e42de575d847c790ebd9679c1e

Comment by Cailin Nelson [ 09/Apr/14 ]

Note - there is also a known issue in MMS OnPrem 1.4.0 (will be fixed in 1.4.1) wherein to make this work you must also make the following changes in the conf-mms.properties file:

BASE_SSL_PORT=8080
BACKUP_BASE_SSL_PORT=8081

Generated at Thu Feb 08 07:44:58 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.