Docs Menu
Docs Home
/
MongoDB Cloud Manager
/
Security
/
Secure MongoDB Deployments with Authentication

Enable Username and Password Authentication for your Cloud Manager Project

On this page

  • Overview
  • Considerations
  • Procedure

Overview

Cloud Manager enables you to configure the Authentication Mechanisms that all clients, including the Cloud Manager Agents, use to connect to your MongoDB deployments. You can enable multiple authentication mechanisms for each of your projects, but you must choose only one mechanism for the Agents.

MongoDB users can use usernames and passwords to authenticate themselves against a MongoDB database.

MongoDB Version
Default authentication mechanism
MongoDB 4.0 and later
Salted Challenge Response Authentication Mechanism (SCRAM) using the SHA-1 and SHA-256 hashing algorithms (SCRAM-SHA-1 and SCRAM-SHA-256).

SCRAM-SHA-1 and SCRAM-SHA-256

SCRAM-SHA-1 (RFC 5802) and SCRAM-SHA-256 (RFC 7677) are IETF standards that define best practice methods for implementation of challenge-response mechanisms for authenticating users with passwords.

SCRAM-SHA-1 and SCRAM-SHA-256 verify supplied user credentials using the user's name, password and authentication database. The authentication database is the database where the user was created.

Considerations

This tutorial describes how to enable Username and Password authentication for your Cloud Manager MongoDB deployment.

Note

The MongoDB Community version supports Username and Password authentication and x.509 authentication.

Note

If you want to reset Authentication and TLS settings for your project, first unmanage any MongoDB deployments that Cloud Manager manages in your project.

Procedure

This procedure describes how to configure and enable username and password authentication when using Automation. If Cloud Manager does not manage your MongoDB Agents, you must manually configure them to use Usernames and Passwords. To learn how to configure authentication, see Configure MongoDB Agent for Authentication.

Note

If you configure the Cloud Manager application to authenticate using SCRAM-SHA-256, you cannot deploy pre-4.0 MongoDB clusters.

1

In MongoDB Cloud Manager, go to the Deployment page for your project.

  1. If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.

  2. If it's not already displayed, select your desired project from the Projects menu in the navigation bar.

  3. If the Deployment page is not already displayed, click Deployment in the sidebar.

    The Deployment page displays.

2

Go to the Security page.

Click the Security tab for your deployment.

The Security page displays.

3

Go to the Security Settings dialog for your deployment.

Do one of the following actions:

  • If this is your first time configuring TLS, authentication, or authorization settings for this project, click Get Started.

  • If you have already configured TLS authentication, or authorization settings for this project, click Edit.

4

Specify the TLS Settings.

Field
Action
MongoDB Deployment Transport Layer Security (TLS)
Toggle this slider to ON.
TLS CA File Path

The TLS Certificate Authority file is a .pem-format certificate file that contains the root certificate chain from the Certificate Authority. The MongoDB Agent uses this same Certificate Authority file to connect to every item in your deployment.

The encrypted private key for the .pem certificate file must be in PKCS #1 format. The MongoDB Agent doesn't support the PKCS #8 format.

Type the file path to the TLS Certificate Authority file on every host running a MongoDB process:

  • Type the file path on all Linux hosts in the first box.

  • Type the file path on all Windows hosts in the second box.

This enables the net.tls.CAFile setting for the MongoDB processes in the project.

Click Validate to test that each host in your deployment has a TLS Certificate Authority at the paths you specified.

Client Certificate Mode

Select if client applications or MongoDB Agents must present a TLS certificate when connecting to a TLS-enabled MongoDB deployments. Each MongoDB deployment checks for certificates from these client hosts when they try to connect. If you choose to require the client TLS certificates, make sure they are valid.

Accepted values are:

Optional
Every client may present a valid TLS certificate when connecting to MongoDB deployments. MongoDB Agents might use TLS certificates if you don't set the mongod tlsMode to None.
Required
Every MongoDB deployment in this project starts with TLS-encrypted network connections. All Agents must use TLS to connect to any MongoDB deployment.
5

Choose the authentication mechanism.

In the MongoDB Deployment Authentication Mechanism section, select {{mechanism}} or {{mechanism2}}.

6

Configure {{mechanism}} or {{mechanism2}} for the Agent.

You can enable more than one authentication mechanism for your MongoDB deployment, but the Cloud Manager Agents can only use one authentication mechanism.

In the MongoDB Agent Connections to Deployment section, select {{mechanism}} and/or {{mechanism2}}.

Cloud Manager automatically generates the Agents' usernames and passwords.

Cloud Manager creates users for the agents with the required user roles in the admin database for each existing deployment in Cloud Manager. When you add a new deployment, Cloud Manager creates the required users in the new deployment.

7

Click Save Settings.

8

Click Review & Deploy to review your changes.

9

Click Confirm & Deploy to deploy your changes.

Otherwise, click Cancel and you can make additional changes.

Back

MongoDB Access Control Overview

Next

Enable LDAP Authentication