Title
Create new category
Edit page index title
Edit category
Edit link
MongoDB Replica Set Setup Example for MOCM Distributed Mode
This is an example setup for deploying a MongoDB 8.x Replica Set for MOCM Distributed Mode. Adapt the values (IPs, ports, paths, credentials) to match your environment. For detailed MongoDB installation, refer to the official documentation links below
1. Prerequisites
1.1 Environment Requirements
Component | Requirement |
|---|---|
MongoDB Version | 8.0.x (Community or Enterprise) |
Number of Nodes | 3 (minimum for production) |
Supported OS | RHEL 8/9, Rocky Linux 8/9, Ubuntu 22.04/24.04, Windows Server 2019/2022 |
RAM | Minimum 16 GB per node (32 GB recommended) |
Disk | Minimum 100 GB free space (SSD recommended) |
Network | All nodes must communicate on TCP port 27017 |
1.2 Hostname Planning
Role | IP (example) |
|---|---|
Primary | 10.40.160.159 |
Secondary | 10.40.160.160 |
Secondary | 10.40.160.161 |
Starting from MongoDB 5.0, nodes configured with only IP addresses fail startup validation by default. To use IP addresses without DNS hostnames, you must add the following startup parameter in mongod.conf / mongod.cfg:
setParameter:
disableSplitHorizonIPCheck: true
This parameter is included in the configuration in Section 5.
2. Install MongoDB 8.x
Follow the official MongoDB installation guide for your operating system.
Operating System | Official Installation Guide |
|---|---|
RHEL / Rocky Linux | https://www.mongodb.com/docs/manual/tutorial/install-mongodb-on-red-hat/ |
Ubuntu | https://www.mongodb.com/docs/manual/tutorial/install-mongodb-on-ubuntu/ |
Windows | https://www.mongodb.com/docs/manual/tutorial/install-mongodb-on-windows/ |
After installation, do not start the MongoDB service yet. Proceed to configure TLS and keyfile first.
3. Generate TLS Certificate
Perform on one machine, then distribute to all nodes. If your organization already has a PKI/CA infrastructure, use your existing CA to sign the MongoDB server certificates. Skip to Step 3.2.
3.1 Create Certificate Authority (CA]
3.2 Generate Server Certificate (per node]
Repeat for each node (mongo1, mongo2, mongo3), replacing values:
Replace mongo1 with mongo2/mongo3 and update the IP value:
mongo2:
10.40.160.160mongo3:
10.40.160.161
3.3 Distribute Certificates
File | Copy to |
|---|---|
ca.crt | All 3 nodes |
mongo1.pem | mongo1 only |
mongo2.pem | mongo2 only |
mongo3.pem | mongo3 only |
Certificate directory:
Linux:
/etc/mongodb/ssl/Windows:
C:\MongoDB\ssl\
Set permissions (Linux):
4. Generate Keyfile for Internal Authentication
Copy the same keyfile to all 3 nodes:
Linux:
/etc/mongodb/ssl/mongodb-keyfile(chmod 400, owned by mongod)Windows:
C:\MongoDB\ssl\mongodb-keyfile
5. Configure MongoDB (mongod.conf / mongod.cfg)
This is the critical configuration specific to MOCM deployment. Apply on all 3 nodes.
5.1 Linux Configuration
5.2 Windows Configuration
5.3 Key Configuration Parameters
Parameter | Value | Description |
|---|---|---|
net.tls.mode | requireTLS | All connections must use TLS |
net.tls.allowConnectionsWithoutCertificates | true | Clients don't need client cert (set false for mutual TLS) |
security.keyFile | path to keyfile | Internal authentication between replica set members |
security.authorization | enabled | Enforce role-based access control |
replication.replSetName | rs0 | Must be identical on all nodes |
setParameter.disableSplitHorizonIPCheck | true | Required when using IP addresses instead of hostnames |
net.bindIp | 0.0.0.0 | Listen on all interfaces |
6. Start MongoDB and Initialize Replica Set
6.1 Start Service on All Nodes
6.2 Initialize Replica Set
Connect to 10.40.160.159 using mongosh with TLS:
Run:
6.3 Verify
Expected: 1 PRIMARY + 2 SECONDARY
7. Create Users for MOCM
Create users immediately after rs.initiate(). The localhost exception closes after the first user is created.
Connect to the PRIMARY node and run:
8. Connection String for MOCM
GUI "Database Address" Field
9. Configure MOCM Installer - Database Configuration
After MongoDB Replica Set is ready, enter the following values in the "My OPSWAT Central Management Setup" installer:
Field | Value |
|---|---|
Database Address | 10.40.160.159:27017,10.40.160.160:27017,10.40.160.161:27017 |
Connection Type | Discovery |
Database Admin Username | The admin user created in Step 7 |
Password | The admin password created in Step 7 |
9. Verification & Troubleshooting
9.1 Test Connection
9.2 Common Issues
Issue | Solution |
|---|---|
Service fails to start | Check logs: |
Keyfile permission error (Linux) |
|
TLS handshake failure | Verify SAN in cert matches hostname in rs.initiate() |
Members can't connect | Check firewall, verify hostname resolution between nodes |
"not authorized" | Ensure you created users before localhost exception closed |