Percona Monitoring and Management / PMM-5364

Ability to monitor SSL-enabled MongoDB by passing certificate parameters in 'pmm-admin add' command




      The problem: 

      There is no way in PMM2 to pass SSL certificates for PMM's connection to MongoDB.

      Original report:


      • Mongo Community Server 4.0
      • pmm2-client-2.2.1-6.el7.x86_64
      • SSL Part in mongodb.conf:

      sslOnNormalPorts = true
      sslPEMKeyFile = /etc/mongodb/ssl/psmdb2.pem
      sslCAFile = /etc/mongodb/ssl/mongoCA.crt
      sslPEMKeyPassword = <pw>
      sslClusterFile = /etc/mongodb/ssl/psmdb2.pem
      clusterAuthMode = x509

      https://jira.percona.com/browse/PMM-4702 mentions "fixed" but does not work on my config.

      I tried to connect pmm2 client to a mongo 4.0 with SSL enabled.
      User generated in mongodb like this:


      {
        user: "mongodb_exporter",
        pwd: "$PASSWORD",
        roles: [
          { role: "clusterMonitor", db: "admin" },
          { role: "read", db: "local" }
        ],
        mechanisms: [ "SCRAM-SHA-256" ]
      }

      simple connect via mongo is ok:

      mongo --ssl --sslCAFile /etc/mongodb/ssl/mongoCA.crt \
      --sslPEMKeyFile /etc/mongodb/ssl/psmdb2.pem \
      --host $HOST.$DOMAIN \
      --authenticationDatabase "admin" \
      -u "mongodb_exporter" -p $PASSWORD
      MongoDB shell version v4.0.14


      It mentions options that "pmm-admin add mongodb --help" does not show, but these do not help:

      1. pmm-admin add mongodb --username=mongodb_exporter --password=$PASSWORD --host=$HOST.$DOMAIN -- --mongodb.tls --mongodb.tls-ca /etc/mongodb/ssl/mongoCA.crt --mongodb.tls-cert /etc/mongodb/ssl/psmdb2.pem
         pmm-admin: error: unexpected /etc/mongodb/ssl/mongoCA.crt, try --help
      2. pmm-admin add mongodb --username=mongodb_exporter --password=$PASSWORD --host=$HOST.$DOMAIN -- --mongodb.tls --mongodb.tls-ca=/etc/mongodb/ssl/mongoCA.crt --mongodb.tls-cert=/etc/mongodb/ssl/psmdb2.pem
         pmm-admin: error: unexpected --mongodb.tls-cert=/etc/mongodb/ssl/psmdb2.pem, try --help
      3. pmm-admin add mongodb --username=mongodb_exporter --password=$PASSWORD --host=$HOST.$DOMAIN -- --mongodb.tls --mongodb.tls-ca=/etc/mongodb/ssl/mongoCA.crt --mongodb.tls-cert=/etc/mongodb/ssl/psmdb2.pem
         pmm-admin: error: unexpected --mongodb.tls-cert=/etc/mongodb/ssl/psmdb2.pem, try --help
      4. pmm-admin add mongodb --username=mongodb_exporter --password=$PASSWORD --host=$HOST.$DOMAIN -- --mongodb.tls --mongodb.tls-ca=/etc/mongodb/ssl/mongoCA.crt # --mongodb.tls-cert=/etc/mongodb/ssl/psmdb2.pem
         address --mongodb.tls-ca=/etc/mongodb/ssl/mongoCA.crt: missing port in address
      5. pmm-admin add mongodb --username=mongodb_exporter --password=$PASSWORD --host=$HOST.$DOMAIN -- --mongodb.tls
         Connection check failed: timeout (context deadline exceeded).

      And this note in the mentioned URL makes the usage of SSL quite useless:

      "PMM does not support passing SSL/TLS related parameters to mongodb:queries."

      Without SSL enabled, pmm2-client runs fine.

      Please add SSL support to pmm2-client for mongo (and postgresql / mysql) with all options, and correct the documentation and "--help" output to show the needed options.


      Suggested implementation:

      • Add new fields to the add-MongoDB API in pmm-managed:
        • client certificate key file
        • client certificate key file password
        • CA certificate file
      • Add the same new fields to the Agents table in the DB.
      • Add new flags to the add mongodb CLI command in pmm-admin:
        • tlsCertificateKeyFile
        • tlsCertificateKeyFilePassword
        • tlsCAFile
      • pmm-admin should read the contents of tlsCertificateKeyFile and tlsCAFile and send them to pmm-managed (the files live on the client node, so paths alone are not enough).
      • Use the certificates while running MongoDB action commands on the pmm-agent side.
      • Use the certificates while running mongodb_exporter:
        • Pass the correct flags required for SSL, depending on the mongodb_exporter version.
      • QAN should be able to get data from the secured server too.


      How to test:

      • Test with these versions
        • 4.0
        • 4.2
      1. Start mongodb via docker-compose file from mongodb-ssl.tar.gz attached to the ticket
      2. Start PMM server
      3. pmm-admin add mongodb localhost:27017 --tls --tls-certificate-key-file=PATHTOCERT --tls-certificate-key-file-password=IFPASSWORDTOCERTISSET --tls-ca-file=PATHTOCACERT
        1. The certificate in the attached archive has no password, so that flag can be omitted.
      4. Check that all agents, exporters, etc. running on this node work properly.
      5. Check if mongodb explain works correctly
      6. Check if Security Threat Tool can connect to db



      • Update the reference manual with the new flags.

      New flags added to `pmm-admin add mongodb`:

      • --tls-certificate-key-file=PATHTOCERT - Path to the TLS certificate key file
      • --tls-certificate-key-file-password=IFPASSWORDTOCERTISSET - Password for the certificate key file
      • --tls-ca-file=PATHTOCACERT - Path to the certificate authority file



      • Should we update mongodb_exporter to make it support SSL?
        No, mongodb_exporter already supports it when the new parameters are passed in the connection URI.
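The flow sketched under "Suggested implementation" and the URI-based answer above, as an added Go example; this is not PMM's own code. pmm-admin reads the two certificate files and sends their bodies (the MongoTLS value, a hypothetical type) to pmm-managed; on the pmm-agent side the hypothetical MongoTLSURI writes them out with mode 0600 and sets the TLS options that the MongoDB Go driver reads from the connection URI (tls, tlsCAFile, tlsCertificateKeyFile, tlsCertificateKeyFilePassword), which is what "passing the new parameters in the URI" relies on.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"path/filepath"
)

// MongoTLS is what pmm-admin sends to pmm-managed: file bodies, not paths, plus the key password.
type MongoTLS struct {
	CA, CertKey []byte
	KeyPassword string
}

// MongoTLSURI is the pmm-agent side: write the material to dir (mode 0600) and set
// the TLS options the MongoDB Go driver reads from the URI, so the exporter needs no flags.
func MongoTLSURI(base, dir string, t MongoTLS) (string, error) {
	if t.KeyPassword != "" && len(t.CertKey) == 0 {
		return "", errors.New("key-file password given without a certificate key file")
	}
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("tls", "true")
	for opt, body := range map[string][]byte{"tlsCAFile": t.CA, "tlsCertificateKeyFile": t.CertKey} {
		if len(body) == 0 {
			continue
		}
		p := filepath.Join(dir, opt+".pem")
		if err := os.WriteFile(p, body, 0o600); err != nil {
			return "", err
		}
		q.Set(opt, p)
	}
	if t.KeyPassword != "" {
		q.Set("tlsCertificateKeyFilePassword", t.KeyPassword) // Encode() percent-escapes it
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() { // constructed sample: placeholder CA body, not a real certificate
	ca := MongoTLS{CA: []byte("-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n")}
	uri, err := MongoTLSURI("mongodb://mongodb_exporter:secret@localhost:27017/admin", os.TempDir(), ca)
	fmt.Println(uri, err)
}
```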


      Assignee: Unassigned
      Reporter: hubi_oediv (Hubertus Krogmann)