Security - HenryGP/om_ansible GitHub Wiki
HTTPS for Ops Manager server
By default, the Ops Manager server listens on port 8080 over plain HTTP. To enable HTTPS:
- Set om_https: true in the vars/om-install-vars.yaml file.
- Rebuild the images so the change is applied to the provisioner node.
The server uses a certificate named omserver_server.pem, generated at provisioning time and placed in /certs on the omserver container. It is not issued by a public CA, so a browser will warn about it until the issuing certificate is added to the browser's trust store, and, if the certificate was not issued for the name localhost, about the hostname as well.
Once the changes are deployed, Ops Manager listens on port 8443 over HTTPS, and a browser on the host can reach it at https://localhost:8443.
SSL for clients and servers
TLS/SSL certificates are generated by the ssl-creation.yaml task with the clientAuth extended key usage, the serverAuth extended key usage, or both. Certificates carrying both are needed when a Replica Set is configured with x.509 clusterAuth, because each member then presents its certificate as a server to incoming connections and as a client to its peers. All certificates are distributed by the provisioner and placed in the /certs directory of the corresponding host in the infrastructure.
LDAP
When using Docker, om_ansible also provisions a container running an LDAP server, ready to be used by Ops Manager or by any of the managed deployments. The accounts it pre-creates and their group memberships are listed below.
MongoDB database users
| User | MemberOf |
|---|---|
| uid=dba,ou=dbUsers,dc=tsdocker,dc=com | cn=dbAdmin,ou=dbRoles,dc=tsdocker,dc=com |
| uid=writer,ou=dbUsers,dc=tsdocker,dc=com | cn=readWriteAnyDatabase,ou=dbRoles,dc=tsdocker,dc=com |
| uid=reader,ou=dbUsers,dc=tsdocker,dc=com | cn=read,ou=dbRoles,dc=tsdocker,dc=com |
Ops Manager Agents
| User | MemberOf |
|---|---|
| uid=mms-automation,ou=dbUsers,dc=tsdocker,dc=com | cn=automation,ou=dbRoles,dc=tsdocker,dc=com |
| uid=mms-monitoring,ou=dbUsers,dc=tsdocker,dc=com | cn=monitoring,ou=dbRoles,dc=tsdocker,dc=com |
| uid=mms-backup,ou=dbUsers,dc=tsdocker,dc=com | cn=backup,ou=dbRoles,dc=tsdocker,dc=com |
Ops Manager users
| User | MemberOf |
|---|---|
| uid=owner,ou=omusers,dc=tsdocker,dc=com | cn=owners,ou=omgroups,dc=tsdocker,dc=com |
| uid=reader,ou=omusers,dc=tsdocker,dc=com | cn=readers,ou=omgroups,dc=tsdocker,dc=com |
| uid=admin,ou=omusers,dc=tsdocker,dc=com | cn=owners,ou=omgroups,dc=tsdocker,dc=com |
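The tables above are the least-privilege contract for this environment: agents, database users and Ops Manager users each sit in their own group. A useful post-provisioning check is to compare what the directory actually contains with that contract. The following is an added example, not om_ansible's code. It uses only the Python standard library, takes the three tables as the expected mapping, and diffs them against a directory state. The ACTUAL_DEMO state is constructed for the demo (one account with an extra role, one agent missing its group, one OU returned with different casing); in a real run you would replace it with the memberships pulled from the LDAP container, for example with `ldapsearch -x -b dc=tsdocker,dc=com '(objectClass=groupOfNames)' member`, where the object class and membership attribute are assumptions about how this container stores groups. DNs are normalized first because LDAP compares uid, cn, ou and dc values case-insensitively, while a naive string comparison against a config file does not.

```python
"""Detect LDAP group-membership drift against the mapping om_ansible provisions.

Added example, not om_ansible code. EXPECTED mirrors the wiki tables; ACTUAL_DEMO
is constructed for the demo. Replace it with the directory's real answer, e.g.
  ldapsearch -x -b dc=tsdocker,dc=com '(objectClass=groupOfNames)' member
(object class and membership attribute are assumptions about this container).
"""

BASE = "dc=tsdocker,dc=com"

# Expected memberships, user DN -> set of group DNs (from the wiki tables).
EXPECTED = {
    f"uid=dba,ou=dbUsers,{BASE}": {f"cn=dbAdmin,ou=dbRoles,{BASE}"},
    f"uid=writer,ou=dbUsers,{BASE}": {f"cn=readWriteAnyDatabase,ou=dbRoles,{BASE}"},
    f"uid=reader,ou=dbUsers,{BASE}": {f"cn=read,ou=dbRoles,{BASE}"},
    f"uid=mms-automation,ou=dbUsers,{BASE}": {f"cn=automation,ou=dbRoles,{BASE}"},
    f"uid=mms-monitoring,ou=dbUsers,{BASE}": {f"cn=monitoring,ou=dbRoles,{BASE}"},
    f"uid=mms-backup,ou=dbUsers,{BASE}": {f"cn=backup,ou=dbRoles,{BASE}"},
    f"uid=owner,ou=omusers,{BASE}": {f"cn=owners,ou=omgroups,{BASE}"},
    f"uid=reader,ou=omusers,{BASE}": {f"cn=readers,ou=omgroups,{BASE}"},
    f"uid=admin,ou=omusers,{BASE}": {f"cn=owners,ou=omgroups,{BASE}"},
}

# Constructed directory state: 'reader' was also added to dbAdmin (privilege
# creep), mms-backup lost its group, and one OU comes back with other casing.
ACTUAL_DEMO = dict(EXPECTED)
ACTUAL_DEMO.pop(f"uid=reader,ou=dbUsers,{BASE}")
ACTUAL_DEMO[f"uid=reader,ou=DbUsers,{BASE}"] = {
    f"cn=read,ou=dbRoles,{BASE}", f"cn=dbAdmin,ou=dbRoles,{BASE}"}
ACTUAL_DEMO[f"uid=mms-backup,ou=dbUsers,{BASE}"] = set()


def split_unescaped(s, sep):
    """Split s on sep, keeping backslash-escaped characters (RFC 4514) intact."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])      # keep the escape pair as-is
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def normalize_dn(dn):
    """Canonical form for comparison: lowercase attribute types and values,
    no whitespace around separators. Correct for the caseIgnore attributes
    used on this page (uid, cn, ou, dc); multi-valued RDNs ('+') are not handled."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        attr, _, value = rdn.partition("=")   # '=' may legally appear unescaped in a value
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def diff_memberships(expected, actual):
    """Return sorted (user, group, 'missing'|'unexpected') triples, normalized."""
    exp = {normalize_dn(u): {normalize_dn(g) for g in gs} for u, gs in expected.items()}
    act = {normalize_dn(u): {normalize_dn(g) for g in gs} for u, gs in actual.items()}
    findings = []
    for user in sorted(exp.keys() | act.keys()):
        e, a = exp.get(user, set()), act.get(user, set())
        findings += [(user, g, "missing") for g in sorted(e - a)]
        findings += [(user, g, "unexpected") for g in sorted(a - e)]
    return findings


if __name__ == "__main__":
    for user, group, status in diff_memberships(EXPECTED, ACTUAL_DEMO):
        print(f"{status:10} {user} -> {group}")
```

Run against the demo state it reports the missing backup role for mms-backup and the unexpected dbAdmin role for reader, and nothing for the account whose OU only differs in case. An "unexpected" finding on an agent or reader account is the one to treat as an incident: it means an identity meant for monitoring or read-only access has gained write or administrative rights.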
KMIP
The following settings are relevant when configuring the KMIP integration:
- Server: the host named kmip, listening on the default KMIP port, 5696
- CA PEM file: /certs/ca.pem
- KMIP client certificate for n1, n2, n3 and omserver: /certs/kmip_client.pem
Note that one client certificate is shared by all four hosts, so the KMIP server cannot tell them apart; if the key server's access policy must distinguish nodes, or a single node's key material must be revocable on its own, issue one client certificate per host instead.
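The two TLS endpoints this page sets up, Ops Manager on 8443 (HTTPS section above) and the KMIP server on 5696, can be checked from a client with the same probe. The following is an added example, not om_ansible's code. It uses only the Python standard library, verifies the peer against a CA file with hostname checking on, enables mutual TLS with the client certificate for the KMIP case, and reports subjectAltName, hostname and expiry findings. The hostnames omserver and kmip, the ports and the /certs paths come from this page; which CA issued omserver_server.pem is not stated here, so /certs/ca.pem is assumed for both endpoints, and kmip_client.pem is assumed to hold the certificate and its private key in one file. The SAMPLE_CERT dictionary is constructed so the evaluation logic can run offline.

```python
"""Probe a TLS endpoint the way a browser or KMIP client would, and report findings.

Added example, not om_ansible code. Standard library only. Assumptions: the
provisioner's CA at /certs/ca.pem also issued omserver_server.pem, and
/certs/kmip_client.pem contains both the client certificate and its key.
"""
import socket
import ssl
import time


def gmt_seconds(stamp):
    """Parse an OpenSSL-style 'Mon DD HH:MM:SS YYYY GMT' timestamp to epoch seconds."""
    return ssl.cert_time_to_seconds(stamp)


def _dns_match(pattern, hostname):
    """RFC 6125-style match: case-insensitive, a single leftmost wildcard label only."""
    p, h = pattern.lower(), hostname.lower()
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h


def evaluate_peer_cert(cert, hostname, now=None):
    """Findings for a certificate dict as returned by SSLSocket.getpeercert().

    Pure function so it can be exercised offline. Note that with check_hostname
    enabled the handshake itself already fails on a name mismatch; this reports
    the same condition, plus an expiry window, for certificates inspected later."""
    now = time.time() if now is None else now
    findings = []
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        findings.append("certificate has no DNS subjectAltName; modern clients ignore the CN")
    if not any(_dns_match(n, hostname) for n in names):
        findings.append(f"hostname {hostname!r} not covered by subjectAltName {names}")
    not_after = gmt_seconds(cert["notAfter"])
    if not_after < now:
        findings.append("certificate expired on " + cert["notAfter"])
    elif not_after - now < 30 * 86400:
        findings.append("certificate expires within 30 days: " + cert["notAfter"])
    return findings


def probe(host, port, cafile="/certs/ca.pem", client_cert=None, server_hostname=None):
    """Connect with full verification; client_cert turns on mutual TLS (KMIP).

    Returns (negotiated TLS version, findings). Raises ssl.SSLError / OSError
    when the CA, hostname or client certificate is rejected."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    if client_cert:
        ctx.load_cert_chain(client_cert)              # assumed: cert and key in one PEM
    name = server_hostname or host
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=name) as tls:
            return tls.version(), evaluate_peer_cert(tls.getpeercert(), name)


# Constructed certificate dict (getpeercert() shape) for offline evaluation.
SAMPLE_CERT = {
    "subject": ((("commonName", "omserver"),),),
    "subjectAltName": (("DNS", "omserver"), ("DNS", "*.tsdocker.com")),
    "notAfter": "Jun 10 12:00:00 2030 GMT",
}

if __name__ == "__main__":
    targets = {
        "Ops Manager HTTPS": dict(host="omserver", port=8443),
        "KMIP mutual TLS": dict(host="kmip", port=5696, client_cert="/certs/kmip_client.pem"),
    }
    for label, args in targets.items():
        try:
            version, findings = probe(**args)
            print(label, version, findings or "OK")
        except (OSError, ssl.SSLError) as exc:
            print(label, "FAILED:", exc)
```

Run it from a host that can resolve omserver and kmip, such as a container on the same Docker network. Calling `probe("localhost", 8443, server_hostname="localhost")` reproduces what a browser does for https://localhost:8443: the handshake fails unless the generated certificate actually names localhost, which is the hostname caveat from the HTTPS section. A failure on the KMIP probe with the client certificate loaded, but success without it, points at the key server rejecting the client identity rather than at a CA problem.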