Ops Manager Configuration Settings

Ops Manager stores configuration settings both globally in the Ops Manager Application Database and locally on each server. Global settings apply to all your Ops Manager servers. Local settings apply to the server on which they are configured. Any local settings on a server override the global settings.

You configure local settings through a server’s conf-mms.properties file. Each server’s conf-mms.properties must contain the connection string and authentication settings for accessing the Ops Manager Application Database. The conf-mms.properties file also contains any overrides of global settings specific to that server.

The location of the conf-mms.properties file depends on how you installed Ops Manager, as described in the table below.

Install method | conf-mms.properties location
rpm or deb package | /opt/mongodb/mms/conf/
tar.gz archive | <install-directory>/conf/
msi file (Windows) | <install-folder>\Server\Config (by default, this is C:\MMSData\Server\Config)

Bypass Initial Configuration via the User Interface

If you would like to skip the initial setup wizard after creating the first account and either edit the conf-mms.properties file or use the API to configure Ops Manager, change the following setting. This setting can help if you are automating the deployment of Ops Manager instances.

mms.ignoreInitialUiSetup

Type: boolean

Set this to true to allow full use of Ops Manager without requiring the first user account to complete the initial setup wizard.

Warning

Ops Manager performs its regular pre-flight check to verify that it has all of the required settings. If one or more of those settings are not included in conf-mms.properties, Ops Manager refuses to start and lists which fields are missing in the log file.

Before starting Ops Manager, add the following required settings to conf-mms.properties to enable basic Ops Manager functionality:

UI Setting | conf-mms.properties Setting | Required
URL to Access Ops Manager | mms.centralUrl | Required
None | mongo.mongoUri | Required
Client Certificate Mode | mms.https.ClientCertificateMode | Required
"From" Email Address | mms.fromEmailAddr | Required
"Reply To" Email Address | mms.replyToEmailAddr | Required
Admin Email Address | mms.adminEmailAddr | Required
Email Delivery Method Configuration | mms.emailDaoClass | Required
Transport | mms.mail.transport | Required
SMTP Server Hostname | mms.mail.hostname | Required
SMTP Server Port | mms.mail.port | Required
User Authentication Method | mms.userSvcClass | Optional
Snapshot Interval | brs.snapshotSchedule.interval | Optional
Base Retention of Snapshots | brs.snapshotSchedule.retention.base | Optional
Daily Retention of Snapshots | brs.snapshotSchedule.retention.daily | Optional
Weekly Retention of Snapshots | brs.snapshotSchedule.retention.weekly | Optional
Monthly Retention of Snapshots | brs.snapshotSchedule.retention.monthly | Optional
Versions Directory | automation.versions.directory | Optional

Note

Fields marked as Optional have default values. If you want to change them, you can provide the setting and a new value.

Example

The following values are examples. Substitute values appropriate to your Ops Manager installation. You may add any of the other settings specified in this reference.

To configure an Ops Manager installation with the minimum functionality, add the following settings to conf-mms.properties:

mms.ignoreInitialUiSetup=true
mongo.mongoUri=mongodb://db1.example.com:27017,db2.example.com:27017,db3.example.com:27017
mms.centralUrl=http://localhost:8080
mms.fromEmailAddr=example@example.com
mms.replyToEmailAddr=example@example.com
mms.adminEmailAddr=example@example.com
mms.mail.transport=smtps
mms.mail.hostname=mail.example.com
mms.mail.port=465

All Clusters View

mms.allclusters.onlyMembership

Type: boolean

Default: False

Determines whether the View All Clusters displays only the deployments to which an Ops Manager administrator belongs (set the value to true) or the deployments to which the administrator has access (set the value to false).

Application Database Connection Settings

The following settings configure the Ops Manager connection to the Ops Manager Application Database. You must configure these settings in the conf-mms.properties file on each Ops Manager server. To encrypt authentication information, see Encrypt User Credentials.

mongo.mongoUri

Type: string

Connection string used to access the Ops Manager Application Database. The connection string must include the following if applicable:

  • All members of the replica set, if the Ops Manager Application database is a replica set.
  • Authentication credentials for the authentication mechanism used on the Ops Manager Application database.

See the following example connection strings:

Replica Sets

If you use a replica set for the database’s backing instance, specify all members of the replica set, as shown in the following example. If you omit the port number, Ops Manager uses the default 27017 port for all hosts.

mongo.mongoUri=mongodb://db1.example.com:40000,db2.example.com:40000,db3.example.com:40000

Note

Ops Manager does not require the replicaSet option in the URI.

Default MongoDB Authentication

For a MongoDB instance using the MongoDB SCRAM-SHA-1 or MONGODB-CR challenge-response mechanisms, the connection string must include authentication credentials. The Ops Manager Application must authenticate as a MongoDB user with the following roles:

Prefix the hostname with the MongoDB username and password in the form <username>:<password>@

mongo.mongoUri=mongodb://mongodbuser1:password@mydb1.example.com:40000

x.509 Certificate Authentication

For a MongoDB instance using MONGODB-X509 authentication, you must first add the value of the subject from the client certificate as a MongoDB user, as described in Use x.509 Certificates to Authenticate Clients in the MongoDB manual. The client certificate is contained in the PEM file you specify in the mongodb.ssl.PEMKeyFile setting. Once you have created the user, prefix the host specified in mongo.mongoUri with the name of the new user and append authMechanism=MONGODB-X509 after the specified port:

mongo.mongoUri=mongodb://<new_mongodb_user>@mydb1.example.com:40000/?authMechanism=MONGODB-X509

LDAP Authentication

For a MongoDB instance using LDAP, prefix the hostname with the MongoDB username and password in the form <username>:<password>@, and append the authMechanism=PLAIN&authSource=$external options after the port:

mongo.mongoUri=mongodb://mongodbuser1:password@mydb1.example.com:40000/?authMechanism=PLAIN&authSource=$external

Kerberos Authentication

For a MongoDB instance using Kerberos, prefix the hostname with the Kerberos user principal and specify the authentication mechanism, authMechanism=GSSAPI, after the port.

Kerberos user principal names have the form <username>@<KERBEROS REALM>. You must escape the user principal, replacing symbols with the URL encoded representation. A Kerberos user principal of username@REALM.EXAMPLE.COM would therefore become username%40REALM.EXAMPLE.COM.

mongo.mongoUri=mongodb://username%40REALM.EXAMPLE.COM@mydb1.example.com:40000/?authMechanism=GSSAPI

To enable Kerberos authentication between the Ops Manager Application and the Snapshot Storage, review the following settings:

See also

authMechanism and authSource in the MongoDB manual.
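
The escaping rule given above for the Kerberos principal applies equally to passwords and x.509 subjects that contain reserved characters, so this example goes beyond the Kerberos case. It is an added example, not part of the Ops Manager documentation; the function names and the DEFAULT/X509/LDAP/KERBEROS labels are assumptions, and it assumes plain-text credentials rather than credentialstool output.

```python
from urllib.parse import quote, urlsplit

# Options this page appends after the port for each mechanism.
# "DEFAULT" stands for SCRAM-SHA-1 / MONGODB-CR, which need no option.
# The four labels are names chosen for this example only.
MECHANISMS = {
    "DEFAULT": {"password": True, "options": ""},
    "X509": {"password": False, "options": "/?authMechanism=MONGODB-X509"},
    "LDAP": {"password": True,
             "options": "/?authMechanism=PLAIN&authSource=$external"},
    "KERBEROS": {"password": False, "options": "/?authMechanism=GSSAPI"},
}


def encode_userinfo(value):
    """Percent-encode a username or password for the URI.

    safe="" makes quote() encode "/" as well, so ":", "/", "@", "," and "="
    can no longer be mistaken for URI delimiters.
    """
    return quote(value, safe="")


def build_mongo_uri(hosts, mechanism, username, password=None):
    """Return the value for mongo.mongoUri.

    hosts is a list of "host:port" strings (all replica set members).
    """
    spec = MECHANISMS[mechanism]
    if spec["password"] and not password:
        raise ValueError(mechanism + " needs a password in the URI")
    if not spec["password"] and password:
        raise ValueError(mechanism + " takes no password in the URI")
    userinfo = encode_userinfo(username)
    if password:
        userinfo += ":" + encode_userinfo(password)
    return "mongodb://" + userinfo + "@" + ",".join(hosts) + spec["options"]


def parsed_host(uri):
    """Host that a generic URL parser extracts from the URI."""
    return urlsplit(uri).hostname


# Constructed sample values, not real credentials.
HOSTS = ["mydb1.example.com:40000"]
SAMPLE_PASSWORD = "p@ss:w/rd"
NAIVE_URI = "mongodb://mongodbuser1:" + SAMPLE_PASSWORD + "@" + HOSTS[0]

if __name__ == "__main__":
    print(build_mongo_uri(HOSTS, "KERBEROS", "username@REALM.EXAMPLE.COM"))
    print(build_mongo_uri(HOSTS, "X509", "CN=opsmgr,OU=MMS"))
    encoded = build_mongo_uri(HOSTS, "DEFAULT", "mongodbuser1", SAMPLE_PASSWORD)
    print(encoded, "->", parsed_host(encoded))
    # Without encoding, the "/" and "@" inside the password move the host.
    print(NAIVE_URI, "->", parsed_host(NAIVE_URI))
```
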

mongo.encryptedCredentials

Type: boolean

To use encrypted credentials in mongo.mongoUri, encrypt the credentials using the Ops Manager credentialstool, enter them in the mongo.mongoUri setting, and set this to true:

mongo.encryptedCredentials=true

Kerberos Authentication to Ops Manager Application Database

mms.kerberos.debug

Type: boolean

Debug flag to output more information on the Kerberos authentication process.

mms.kerberos.debug=false

mms.kerberos.keyTab

Type: string

Required if using Kerberos. The absolute path to the keytab file for the principal.

mms.kerberos.keyTab=/path/to/mms.keytab

mms.kerberos.principal

Type: string

Required if using Kerberos. Principal used to authenticate with MongoDB. This should be exactly the same user as in mongo.mongoUri.

mms.kerberos.principal=mms/mmsweb.example.com@EXAMPLE.COM

jvm.java.security.krb5.conf

Type: string

Optional. Path to an alternate Kerberos configuration file. The value is set to JVM’s java.security.krb5.conf.

jvm.java.security.krb5.conf=/etc/conf/krb5.conf

jvm.java.security.krb5.kdc

Type: string

Required if using Kerberos. IP/FQDN of the KDC server. The value will be set to JVM’s java.security.krb5.kdc.

jvm.java.security.krb5.kdc=kdc.example.com

jvm.java.security.krb5.realm

Type: string

Required if using Kerberos. This is the default realm for Kerberos. The value is used for the JVM’s java.security.krb5.realm.

jvm.java.security.krb5.realm=EXAMPLE.COM

TLS/SSL Connection to the Application Database

mongo.ssl

Type: boolean

Enables TLS/SSL connection to the Ops Manager Application Database when set to true.

mongodb.ssl.CAFile

Type: string

Name of the PEM file that contains the root certificate chain from the Certificate Authority that signed the MongoDB server certificate.

mongodb.ssl.PEMKeyFile

Type: string

Name of the PEM file that contains the X509 certificate and private key. Required if the MongoDB instance is running with the --sslCAFile option or net.ssl.CAFile setting.

If you authenticate using the MONGODB-X509 authentication mechanism, you also enter this as the name of the user in the mongoUri connection string.

mongodb.ssl.PEMKeyFilePassword

Type: string

Required if the PEM file contains an encrypted private key. Specify the password for the PEM file. You can encrypt the password using the Ops Manager credentialstool.

Automation Default Paths

automation.default.backupAgentLogFile

Type: string

Default: /var/log/mongodb-mms-automation/backup-agent.log

Default path for the Backup Agent logs on Linux/macOS.

automation.default.backupAgentLogFileWindows

Type: string

Default: %SystemDrive%\\MMSAutomation\\log\\mongodb-mms-automation\\backup-agent.log

Default path for the Backup Agent logs on Windows.

automation.default.certificateAuthorityFile

Type: string

Default path for the Certificate Authority file on Linux/macOS.

automation.default.certificateAuthorityFileWindows

Type: string

Default path for the Certificate Authority file on Windows.

automation.default.dataRoot

Type: string

Default: /data

Default data path for the MongoDB databases that Automation manages.

automation.default.downloadBase

Type: string

Default: /var/lib/mongodb-mms-automation

Default path for the Monitoring Agent, Backup Agent, and MongoDB binaries for the deployments managed by Automation on Linux/macOS.

automation.default.downloadBaseWindows

Type: string

Default: %SystemDrive%\\MMSAutomation\\versions

Default path for the Monitoring Agent, Backup Agent, and MongoDB binaries for the deployments managed by Automation on Windows.

automation.default.monitoringAgentLogFile

Type: string

Default: /var/log/mongodb-mms-automation/monitoring-agent.log

Default path for the Monitoring Agent logs on Linux/macOS.

automation.default.monitoringAgentLogFileWindows

Type: string

Default: %SystemDrive%\\MMSAutomation\\log\\mongodb-mms-automation\\monitoring-agent.log

Default path for the Monitoring Agent logs on Windows.

mms.agentCentralUrl

Type: string

FQDN of the Ops Manager host to which the Monitoring Agents push data.

Uses the value of mms.centralUrl if not set.

Backup

mms.alerts.BackupAgentConfCallFailure.maximumFailedConfCalls

Type: integer

Default: 10

If the Backup Agent experiences more than this number of consecutive failed conf calls, Ops Manager triggers the following global alert: Backup Agent has too many conf call failures

mms.alerts.OutsideSpaceUsedThreshold.maximumSpaceUsedPercent

Type: integer

Default: 85

If the blockstore uses at least this percentage of its total disk capacity, Ops Manager triggers the following system alert: Blockstore space used exceeds threshold.

mms.backupCentralUrl

Type: string

FQDN of the Ops Manager host to which the Backup Agents send backup data.

Uses the value of mms.centralUrl if not set.

mms.backup.journal.heads

Type: boolean

Default: False

This sets whether the HEAD database should use journaling. See Manage Backup Jobs to enable or disable journaling for the head database of a single backup job.

mms.backup.minimumOplogWindowHours

Type: float

Default: 3

This sets the minimum number of hours that the oplog should record.

Warning

MongoDB recommends only changing this value temporarily to permit a test backup job to execute. The minimum oplog size value should be reset to the default as soon as possible. If an oplog is set to too small a value, it can result in a gap between a backup job and an oplog, which makes the backup unusable for restores. Stale backup jobs must be resynchronized before they can be used for restores. See also Insufficient Oplog Size Error.

Backup Snapshots

backup.fileSystemSnapshotStore.gzip.compressionLevel

Type: integer

Default: 6

Determines how much Ops Manager compresses file system-based snapshots. The level ranges from 0 to 9:

  • 0 provides no compression.
  • 1 to 9 increases the degree of compression at a cost of how fast the snapshot is compressed. Level 1 compresses snapshots the least but at the fastest speed. Level 9 compresses snapshots the most but at the slowest speed.

Note

Changing File System Store Gzip Compression Level affects new snapshots only. It does not affect the compression level of existing snapshots.

Corresponds to File System Store Gzip Compression Level

brs.restore.digest.method

Type: string

Default: SHA1

Specifies whether or not to generate a SHA1 checksum for restore archive files.

Accepted values are SHA1 or NONE.

Corresponds to Restore Digest Method

brs.snapshotSchedule.interval

Type: integer

Default: 24

Specifies the time, in hours, between two consecutive snapshots.

Accepted values are:

6, 8, 12, or 24

Corresponds to Snapshot Interval (Hours)

brs.snapshotSchedule.retention.base

Type: integer

Default: 2

Specifies how many days an interval snapshot is stored.

Accepted values are: 2, 3, 4, or 5.

Corresponds to Base Retention of Snapshots (in Days)

brs.snapshotSchedule.retention.daily

Type: integer

Default: 0

Specifies how many days a daily snapshot is stored.

Accepted values are:

0, 3, 4, 5, 6, 7, 15, 30, 60, 90, 120, 180 or 360

Corresponds to Daily Retention of Snapshots (in Days)

brs.snapshotSchedule.retention.monthly

Type: integer

Default: 1

Specifies how many months a monthly snapshot is stored.

Accepted values are:

0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 18, 24, and 36

Corresponds to Monthly Retention of Snapshots (in Months)

brs.snapshotSchedule.retention.weekly

Type: integer

Default: 2

Specifies how many weeks a weekly snapshot is stored.

Accepted values are:

0, 1, 2, 3, 4, 5, 6, 7, 8, 12, 16, 20, 24, and 52

Corresponds to Weekly Retention of Snapshots (in Weeks)

backup.kmip.server.host

Type: string

Default: None

Specifies the hostname of a KMIP server.

Corresponds to KMIP Server Host

backup.kmip.server.port

Type: integer

Default: None

Specifies the port of the KMIP server.

Corresponds to KMIP Server Port

backup.kmip.server.ca.file

Type: string

Default: None

Specifies a .PEM-format file that contains one or more certificate authorities.

Corresponds to KMIP Server CA File

mms.backup.snapshot.maxSumFileForWorkersMB

Type: integer

Default: 2048

This sets the maximum cumulative size of files, in Megabytes, that are saved concurrently when taking a snapshot.

mms.backup.snapshot.maxWorkers

Type: integer

Default: 4

This sets the number of files that are saved concurrently when taking a snapshot. Increasing the value of this setting can improve backup job performance when there are a large number of small files in a high latency environment.

Queryable Snapshot Configuration

brs.queryable.connecttimeout

Type: integer

Default: 30

Number of seconds to wait for a connection to the Queryable Snapshot mongod instance before timing out.

Corresponds to Mongo Connection Timeout (Seconds)

brs.queryable.expiration

Type: integer

Default: 24

Duration, in hours, of a Queryable Snapshot once initiated.

Corresponds to Expiration (Hours)

brs.queryable.lruCacheCapacityMB

Type: integer

Default: 512

Size (in megabytes) that you allocate from the JVM heap for the global snapshot cache. The global snapshot cache optimizes repeated queries for the same snapshot data to the Queryable Snapshots.

Important

MongoDB does not advise changing this value unless MongoDB support directs you to change it.

Corresponds to Read Cache Size (MB)

brs.queryable.mounttimeout

Type: integer

Default: 60

Number of seconds to wait for the Queryable Snapshot to prepare before timing out.

Corresponds to Queryable Startup Timeout (Seconds)

brs.queryable.pem.pwd

Type: string

Required if Proxy Server PEM File is encrypted.

Note

After updating Proxy Server PEM File Password, restart the Web Server for the change to take effect.

Corresponds to Proxy Server PEM File Password

brs.queryable.pem

Type: string

Required if using Queryable Snapshot. The Certificate Authority PEM file that contains one or more trusted certificates and the associated private keys.

Proxy Server PEM File has the following restrictions:

  • The PEM should use a key length greater than 512-bit. Using a 2048-bit RSA key is recommended.
  • The PEM should use a message digest stronger than sha1, such as sha256.

Note

After updating Proxy Server PEM File, restart the Web Server for the change to take effect.

Corresponds to Proxy Server PEM File

brs.queryable.proxyPort

Type: integer

Default: 25999

Port for the queryable backup host.

Note

After updating Proxy Server Port, restart the Web Server for the change to take effect.

Corresponds to Proxy Server Port

Email

mms.fromEmailAddr

Type: string

Email address used for sending the general emails, such as Ops Manager alerts. You can include an alias with the email address.

mms.fromEmailAddr=mms-alerts@example.com

Corresponds to From Email Address

mms.replyToEmailAddr

Type: string

Email address from which to send replies to general emails.

Corresponds to Reply To Email Address

mms.adminEmailAddr

Type: string

Email address of the Ops Manager admin. This address receives emails related to problems with Ops Manager.

Corresponds to Admin Email Address

mms.emailDaoClass

Type: string

Default: com.xgen.svc.core.dao.email.JavaEmailDao

Email interface to use.

This setting is labeled in different ways for the user interface and the configuration file.

Delivery Method | Configuration Setting (mms.emailDaoClass)
AWS SES | com.xgen.svc.core.dao.email.AwsEmailDao
SMTP | com.xgen.svc.core.dao.email.JavaEmailDao

If you set this to SMTP Email Server, you must set:

If you set this to AWS Simple Email Service, you must set:

Corresponds to Email Delivery Method Configuration

SMTP Email Server Settings

Conditional. The following settings appear if mms.emailDaoClass is com.xgen.svc.core.dao.email.JavaEmailDao.

mms.mail.transport

Type: string

Default: smtp

Transfer protocol your email provider specifies:

  • smtp (standard SMTP)
  • smtps (secure SMTP)

Corresponds to Transport

mms.mail.hostname

Type: string

Default: localhost

Email hostname your email provider specifies.

mms.mail.hostname=mail.example.com

Corresponds to SMTP Server Hostname

mms.mail.port

Type: number

Default: 25

Port number for SMTP your email provider specifies.

Corresponds to SMTP Server Port

mms.mail.username

Type: string

User name of the email account. If unset, defaults to disabled SMTP authentication.

Corresponds to Username

mms.mail.password

Type: string

Password for the email account. If unset, defaults to disabled SMTP authentication.

Corresponds to Password

mms.mail.tls

Type: boolean

Default: False

Set this to true if the transfer protocol uses TLS/SSL.

Corresponds to Use SSL

AWS Simple Email Service Settings

Conditional. The following settings appear if mms.emailDaoClass is com.xgen.svc.core.dao.email.AwsEmailDao.

aws.ses.endpoint

Type: string

Default: https://email.us-east-1.amazonaws.com

Sets the sending API endpoint for the AWS SES.

Corresponds to AWS Endpoint

aws.accesskey

Type: string

Access key ID for AWS.

Corresponds to AWS Access Key

aws.secretkey

Type: string

Secret access key for AWS.

Corresponds to AWS Secret Key

HTTP/HTTPS Proxy Settings

http.proxy.host

Type: string

Specify the hostname of the HTTP or HTTPS proxy to which you wish to connect.

http.proxy.host=proxy.example.com

Corresponds to Proxy Host

http.proxy.port

Type: integer

Specify the port on which you wish to connect to the host. You must specify both the Proxy Port and Proxy Host to use a proxy.

Corresponds to Proxy Port

http.proxy.username

Type: string

If the proxy requires authentication, use this setting to specify the username with which to connect to the proxy.

Corresponds to Proxy Username

http.proxy.password

Type: string

If the proxy requires authentication, use this setting to specify the password with which to connect to the proxy.

Corresponds to Proxy Password

MongoDB Version Management

automation.versions.source

Type: string

Default: mongodb

Indicates the source of MongoDB installer binaries.

Accepted values for automation.versions.source and the conditions that must exist to set the value are:

Value | Condition
mongodb | Ops Manager and Agents have internet access.
hybrid | Ops Manager has internet access, but Agents do not. Ops Manager downloads MongoDB binaries from the internet; Agents download the binaries from Ops Manager.
local | Neither Ops Manager nor the Agents have internet access. An Ops Manager administrator must upload the version manifest and the MongoDB binaries to the Ops Manager host, as described in Configure Deployment to Have Limited Internet Access.

Corresponds to Installer Download Source

automation.versions.directory

Type: string

Default:

  • Windows: C:\MMSData\MongoDBReleases
  • Linux / macOS: /opt/mongodb/mms/mongodb-releases/

Specify the directory on the Ops Manager Application server where Ops Manager stores the MongoDB binaries. The Automation Agent accesses the binaries when installing or changing versions of MongoDB on your deployments. If you set Version Manifest Source to run in Local mode, the Backup Daemons also access the MongoDB binaries from this directory. See Configure Deployment to Have Limited Internet Access for more information.

Corresponds to Versions Directory

mongodb.release.autoDownload

Type: boolean

Default: True

Flag indicating whether the Backup Daemons automatically install the versions of MongoDB that the Backup Daemons need.

true | The daemons retrieve the binaries from MongoDB Inc. over the internet.
false | Backup Daemons do not have internet access and require that an Ops Manager administrator manually download and extract every archived version of a MongoDB release that the backup daemons need. The administrator must place the extracted binaries into the Versions Directory on the Ops Manager hosts.

Warning

Set to false when Ops Manager is running in Local Mode.

Corresponds to Backup Versions Auto Download

mongodb.release.autoDownload.enterprise

Type: boolean

Flag indicating whether the Backup Daemons automatically install the Enterprise editions of the versions of MongoDB that the Backup Daemons need. Requires mongodb.release.autoDownload be set to true.

Warning

If you plan on running MongoDB Enterprise on Linux hosts, then you must manually install a set of dependencies to each host before installing MongoDB. The MongoDB manual provides the appropriate command to install the dependencies.

See Configure Deployment to Have Limited Internet Access.

Corresponds to Backup Versions Auto Download Enterprise Builds

mongodb.release.modulePreference

Type: string

Specifies whether to use MongoDB Community or Enterprise binaries for backup.

Accepted values are:

  • enterprisePreferred
  • enterpriseRequired
  • communityRequired

When enterpriseRequired or communityRequired is selected, Ops Manager only uses those binaries for backup. When enterprisePreferred is selected, Ops Manager uses Enterprise binaries if available and Community binaries if they are not.

Note

When enterpriseRequired is selected, you must either set mongodb.release.autoDownload.enterprise to true or manually place Enterprise binaries in the automation.versions.directory in Local Mode.

Warning

Backup fails when either enterpriseRequired or communityRequired is selected, but the automation.versions.directory does not contain the required binary.

Corresponds to Required Module For Backup

Monitoring

mms.agentCentralUrl

Type: string

FQDN of the Ops Manager host to which the Monitoring Agents push data.

Uses the value of mms.centralUrl if not set.

Monitoring Agent Session Failover

Beginning with Monitoring Agent version 5.0.0, Ops Manager can distribute monitoring assignments among up to 100 running Monitoring Agents. One agent is the primary agent and the others share in monitoring responsibilities. If an agent fails, Ops Manager redistributes that agent’s monitoring assignments. If you run more than 100 Monitoring Agents, the additional agents run as standby agents that are completely idle, except to log their status as standby agents and to periodically ask Ops Manager whether they should receive monitoring assignments.

Note

Also beginning with version 5.0.0, the Monitoring Agent stores monitoring metrics at 10-second granularity.

Prior to Monitoring Agent 5.0.0, only the primary Monitoring Agent handles monitoring assignments. All additional running agents are standby agents.

The following settings tune the interval Ops Manager uses to determine if a Monitoring Agent is inaccessible and the frequency with which standby agents poll Ops Manager to determine if they should receive monitoring assignments.

mms.monitoring.agent.session.timeoutMillis

Type: integer

Default: 90000

Interval that Ops Manager uses to determine if a standby agent should start monitoring. If Ops Manager does not hear from a Monitoring Agent for the duration specified, Ops Manager promotes a standby agent. Configuring the timeout below 90000 (90 seconds) will cause Ops Manager to fail at startup with a configuration error.

mms.monitoring.agent.standbyCollectionFactor

Type: integer

Default: 4

Specifies how frequently a standby agent checks in with Ops Manager to see if it should start monitoring. The following values are permitted:

Value | Standby Agents Check Frequency
1 | Every 55 seconds
2 | Every 27 seconds
3 | Every 18 seconds
4 | Every 14 seconds

Public API

mms.publicApi.whitelistEnabled

Type: boolean

Certain API calls require that requests originate from a whitelisted IP address. To turn off this requirement, add this setting and set its value to false.

Security Settings

mms.security.disableBrowserCaching

Type: boolean

Default: False

When true, Ops Manager makes all HTTP responses not cacheable.

mms.security.hstsMaxAgeSeconds

Type: integer

Default: 0 (Can use HTTP or HTTPS.)

How long (in seconds) Ops Manager limits browser connections to use HTTPS. This value must be a positive integer. A value of 0 means that it can use HTTP or HTTPS.

See also

To learn how to deploy HSTS, see HTTP Strict Transport Security, RFC 6797 and hstspreload.org.
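
A review script for one server's conf-mms.properties, covering the required-settings table near the top of this page and the security-relevant settings described so far. It is an added example, not Ops Manager's own pre-flight check: the parser is simplified, the function names and sample files are constructed, and `<mode>` and the `<encrypted-...>` values are placeholders.

```python
import re

# "Required" rows of the table near the top of this page.
REQUIRED_KEYS = [
    "mms.centralUrl", "mongo.mongoUri", "mms.https.ClientCertificateMode",
    "mms.fromEmailAddr", "mms.replyToEmailAddr", "mms.adminEmailAddr",
    "mms.emailDaoClass", "mms.mail.transport", "mms.mail.hostname",
    "mms.mail.port",
]

# Reported only when the file sets them explicitly: an absent key may still
# be configured globally in the Application Database.
EXPLICIT_CHECKS = [
    ("mms.publicApi.whitelistEnabled", "false",
     "IP whitelist requirement for API calls is turned off"),
    ("mms.security.hstsMaxAgeSeconds", "0",
     "browser connections may use HTTP or HTTPS"),
    ("brs.restore.digest.method", "none",
     "no checksum is generated for restore archives"),
]

_LINE = re.compile(r"^\s*([^=:\s]+)\s*[=:]\s*(.*?)\s*$")
_USERINFO = re.compile(r"^mongodb(?:\+srv)?://([^/@]*)@")


def parse_properties(text):
    """Simplified .properties reader: key=value lines, '#' and '!' comments.

    Line continuations and backslash escapes are not interpreted.
    """
    props = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        match = _LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def is_true(props, key):
    return props.get(key, "").lower() == "true"


def audit(props):
    """Return a sorted list of (key, message) findings."""
    findings = []
    # With the setup wizard skipped, every required key must be in the file.
    if is_true(props, "mms.ignoreInitialUiSetup"):
        for key in REQUIRED_KEYS:
            if not props.get(key):
                findings.append((key, "required setting is missing"))
    # Application Database connection settings live in this file.
    uri = props.get("mongo.mongoUri", "")
    userinfo = _USERINFO.match(uri)
    if (userinfo and ":" in userinfo.group(1)
            and not is_true(props, "mongo.encryptedCredentials")):
        findings.append(("mongo.mongoUri",
                         "password in clear text; encrypt it with "
                         "credentialstool and set mongo.encryptedCredentials"))
    if uri and not is_true(props, "mongo.ssl"):
        findings.append(("mongo.ssl", "TLS/SSL to the database is not enabled"))
    if props.get("mms.centralUrl", "").lower().startswith("http://"):
        findings.append(("mms.centralUrl", "Ops Manager URL is plain HTTP"))
    if (props.get("mms.mail.transport", "").lower() == "smtp"
            and not is_true(props, "mms.mail.tls")):
        findings.append(("mms.mail.transport",
                         "neither smtps nor mms.mail.tls=true is configured"))
    for key, bad, message in EXPLICIT_CHECKS:
        if props.get(key, "").lower() == bad:
            findings.append((key, message))
    return sorted(findings)


# Constructed sample files; <mode> and <encrypted-...> are placeholders.
SAMPLE_WEAK = """
mms.ignoreInitialUiSetup=true
mongo.mongoUri=mongodb://mongodbuser1:password@mydb1.example.com:40000
mms.centralUrl=http://opsmgr.example.com:8080
mms.https.ClientCertificateMode=<mode>
mms.fromEmailAddr=example@example.com
mms.replyToEmailAddr=example@example.com
mms.emailDaoClass=com.xgen.svc.core.dao.email.JavaEmailDao
mms.mail.transport=smtp
mms.mail.hostname=mail.example.com
mms.mail.port=25
mms.publicApi.whitelistEnabled=false
"""

SAMPLE_HARDENED = SAMPLE_WEAK.replace(
    "mongodbuser1:password", "<encrypted-user>:<encrypted-password>"
).replace("http://opsmgr", "https://opsmgr").replace(
    "transport=smtp", "transport=smtps"
).replace("mms.publicApi.whitelistEnabled=false", "") + """
mongo.encryptedCredentials=true
mongo.ssl=true
mms.adminEmailAddr=example@example.com
"""

if __name__ == "__main__":
    for key, message in audit(parse_properties(SAMPLE_WEAK)):
        print(key + ": " + message)
```
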

SNMP Heartbeat Settings

Ops Manager uses SNMP v2c. You can configure the Ops Manager Application to send a periodic heartbeat trap notification (v2c) that contains an internal health assessment of the Ops Manager Application. The Ops Manager Application can send traps to one or more endpoints on the standard SNMP UDP port 162.

To configure the Ops Manager Application to send trap notifications, first download the Management Information Base (MIB) file at http://downloads.mongodb.com/on-prem-monitoring/MMS-MONGODB-MIB.txt . Then add the following settings as custom settings. To do so, click the Admin link, then the General tab, then the Ops Manager Config page, and then the Custom section.

snmp.community

Type: string

Default: public

SNMP community for SNMP traps sent by Ops Manager.

snmp.default.heartbeat.interval

Type: number

Default: 300

Number of seconds between heartbeat notifications.

snmp.default.hosts

Type: string

Default: blank

Comma-separated list of hosts where ‘heartbeat’ traps will be sent on the standard UDP port 162. You must set snmp.default.hosts to enable the SNMP heartbeat functionality; otherwise, leaving the setting blank disables the SNMP heartbeat functionality.

snmp.listen.port

Type: number

Default: 11611

Listening UDP port for SNMP. Setting to a number less than 1024 will require running the Ops Manager Application with root privileges.

Non-Uniform Memory Access (NUMA) Settings

mongodb.disable.numa

Type: boolean

To disable NUMA for the head databases:

  1. Click the Admin link.
  2. Click the General tab.
  3. Click the Ops Manager Config page.
  4. Click the Custom section.
  5. Add mongodb.disable.numa as a Key and set its Value to true.
  6. Click Save.

See MongoDB and NUMA Hardware in the MongoDB Production Notes to learn more about NUMA.

Important

Each Ops Manager instance with Backup Daemons enabled must have the numactl service installed. If numactl is not installed and this setting is set to true, backup jobs fail.

Twilio Integration Settings

To receive alert notifications via SMS or 2FA code, you must have a Twilio account.

twilio.account.sid

Type: string

Twilio account ID.

Corresponds to Account SID

twilio.auth.token

Type: string

Twilio API token.

Corresponds to Twilio Auth Token

twilio.from.num

Type: string

Twilio phone number.

Corresponds to Twilio From Number

User Authentication

mms.userSvcClass

Type: string

Default: com.xgen.svc.mms.svc.user.UserSvcDb

Select whether to store authentication credentials in the Ops Manager Application Database or in an LDAP directory.

Accepted values are:

Auth Method | Accepted Value
Application Database | com.xgen.svc.mms.svc.user.UserSvcDb
LDAP | com.xgen.svc.mms.svc.user.UserSvcLdap

Corresponds to User Authentication Method

Authentication through Ops Manager Application Database

mms.password.maxDaysBeforeChangeRequired

Type: number

Number of days a password is valid before the password expires.

Corresponds to Days Before Password Change Required

mms.password.maxDaysInactiveBeforeAccountLock

Type: number

Maximum number of days with no visits to the Ops Manager website before Ops Manager locks an account.

Corresponds to Days Inactive Before Account Lock

mms.password.maxFailedAttemptsBeforeAccountLock

Type: number

Number of failed login attempts before an account becomes locked. Only an Ops Manager Administrator can unlock a locked account.

Corresponds to Failed Login Attempts Before Account Lock

mms.password.minChangesBeforeReuse

Type: number

Number of previous passwords to remember. You cannot reuse a remembered password as a new password.

Corresponds to Password Changes Before Reuse

mms.user.invitationOnly

Type: boolean

If true, new users can register by invitation only. The invitation provides a URL that displays the registration link. If false, new users can register if they have the Ops Manager URL.

Corresponds to Invitation Only Mode

mms.user.bypassInviteForExistingUsers

Type: boolean

Default: False

This checkbox appears when you set mms.userSvcClass to com.xgen.svc.mms.svc.user.UserSvcDb.

Value Results
true
  • You can add existing users to any organization or project without an invitation.
  • Ops Manager deletes and invalidates any unaccepted invitations.
  • New users continue to receive and must accept invitations.
false
  • All users continue to receive and must accept invitations.

Corresponds to Bypass Invitation Mode

Authentication through LDAP

These settings configure Ops Manager to use an LDAP server for authentication. If you use LDAP authentication, users must belong to an LDAP group to log into Ops Manager. You must create LDAP groups for each Ops Manager user role.

Settings that begin with mms.ldap.global.role assign Ops Manager global roles to the members of the specified LDAP groups. Specify groups using the format used by the LDAP attribute specified in the LDAP User Group setting. You can specify multiple groups using the ;; delimiter. To change the default delimiter, use the mms.ldap.group.separator setting. Each Ops Manager global role provides its level of access to all the Ops Manager projects in the deployment. To provide access to specific groups, use group-level roles.

mms.ldap.bindDn

Type: string

LDAP user used to execute searches for other users.

mms.ldap.bindDn=authUser@acme.example.com

Corresponds to LDAP Bind Dn

mms.ldap.bindPassword

Type: string

Password for the search user.

mms.ldap.bindPassword=<password>

Corresponds to LDAP Bind Password

mms.ldap.global.role.automationAdmin

Type: string

LDAP group whose members have the global automation admin role in Ops Manager. Specify groups using the format used by the LDAP attribute specified in the LDAP User Group setting. You can specify multiple groups using the ;; delimiter. To change the default delimiter, use the mms.ldap.group.separator setting.

mms.ldap.global.role.automationAdmin=CN\=MMS-AutomationAdmin,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=com

Each Ops Manager global role provides its level of access to all the Ops Manager projects in the deployment. To provide access to specific projects, use group-level roles.

Corresponds to LDAP Global Role Automation Admin

mms.ldap.global.role.backupAdmin

Type: string

LDAP group whose members have the global backup admin role in Ops Manager.

mms.ldap.global.role.backupAdmin=CN\=MMS-BackupAdmin,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=com

Corresponds to LDAP Global Role Backup Admin

mms.ldap.global.role.monitoringAdmin

Type: string

LDAP group whose members have the global monitoring admin role in Ops Manager.

mms.ldap.global.role.monitoringAdmin=CN\=MMS-MonitoringAdmin,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=com

Corresponds to LDAP Global Role Monitoring Admin

mms.ldap.global.role.owner

Type: string

LDAP group that has full privileges for the Ops Manager deployment, including full access to all Ops Manager projects and all administrative permissions. Users in the specified LDAP group receive the global owner role in Ops Manager. Specify the group using the format that is used by the LDAP attribute specified in the LDAP User Group setting.

mms.ldap.global.role.owner=CN\=MMSGlobalOwner,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=com

Corresponds to LDAP Global Role Owner

mms.ldap.global.role.readOnly

Type: string

LDAP group whose members have the global read-only role in Ops Manager.

mms.ldap.global.role.readOnly=CN\=MMS-ReadOnly,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=com

Corresponds to LDAP Global Role Read Only

mms.ldap.global.role.userAdmin

Type: string

LDAP group whose members have the global user admin role in Ops Manager.

mms.ldap.global.role.userAdmin=CN\=MMS-UserAdmin,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=com

Corresponds to LDAP Global Role User Admin

mms.ldap.group.baseDn

Type: string

Base Distinguished Name (DN) that Ops Manager uses to search for groups. If not specified, it defaults to the value specified in LDAP User Base Dn.

mms.ldap.group.baseDn=OU\=groups,DC\=acme,DC\=com

Corresponds to LDAP Group Base Dn

mms.ldap.group.member

Type: string

Field on the group entry containing user Distinguished Names (DN). The groupOfNames or groupOfUniqueNames object classes are commonly used.

mms.ldap.group.member=member

Corresponds to LDAP Group Member Attribute

mms.ldap.group.separator

Type: string

To set this, click Config and then click the Custom tab.

Each of the global role values takes a delimited list of groups:

"dbas,sysadmins"

If a group value contains the delimiter, the delimiter must be set to another value.

Example

If you have the group value "CN\=foo,DN\=bar" and the delimiter is a comma (,), then Ops Manager parses "CN\=foo,DN\=bar" as two elements rather than as the description for a single group.

Change the delimiter by adding the mms.ldap.group.separator setting to the configuration file and specifying a different delimiter.

The default delimiter is ;;.
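
The delimiter behaviour described above, as an added example (not Ops Manager code): a Python sketch that reads the mms.ldap.global.role.* values from conf-mms.properties text and splits them on the configured separator, so you can see which LDAP groups each global role resolves to. The function names and the sample configuration are constructed for illustration, and the properties reader handles only the backslash escapes used on this page.

```python
import re

DEFAULT_SEPARATOR = ";;"            # default delimiter stated above
ROLE_PREFIX = "mms.ldap.global.role."

# Constructed sample; the group DNs follow the examples on this page.
SAMPLE = r"""
mms.ldap.global.role.owner=CN\=MMSGlobalOwner,OU\=MMS,DC\=acme,DC\=example,DC\=com
mms.ldap.global.role.readOnly=CN\=MMS-ReadOnly,OU\=MMS,DC\=acme,DC\=com;;CN\=Auditors,OU\=MMS,DC\=acme,DC\=com
"""


def parse_properties(text):
    """Minimal .properties reader: key=value lines, comments, backslash escapes."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        # The key ends at the first '=' or ':' that is not backslash-escaped.
        match = re.match(r"((?:\\.|[^=:\\])+?)\s*[=:]\s*(.*)$", line)
        if match:
            key, value = (re.sub(r"\\(.)", r"\1", part) for part in match.groups())
            props[key] = value  # 'CN\=x' in the file is stored as 'CN=x'
    return props


def global_role_groups(props):
    """Map each mms.ldap.global.role.* setting to the LDAP groups it names."""
    separator = props.get("mms.ldap.group.separator", DEFAULT_SEPARATOR)
    roles = {}
    for key, value in props.items():
        if key.startswith(ROLE_PREFIX):
            groups = [g.strip() for g in value.split(separator)]
            roles[key[len(ROLE_PREFIX):]] = [g for g in groups if g]
    return roles


def dn_fragments(roles):
    """Heuristic: an element with '=' but no ',' is one RDN, i.e. a piece of a split DN."""
    hits = {r: [g for g in gs if "=" in g and "," not in g] for r, gs in roles.items()}
    return {r: frags for r, frags in hits.items() if frags}


if __name__ == "__main__":
    default = global_role_groups(parse_properties(SAMPLE))
    comma = global_role_groups(parse_properties(SAMPLE + "mms.ldap.group.separator=,\n"))
    print(default["readOnly"])   # two complete group DNs
    print(dn_fragments(comma))   # every role value broken into single RDNs
```

Running the check before a restart shows whether a separator change has turned a global role's group DN into fragments that no longer name the intended LDAP group.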

mms.ldap.referral

Type: string

LDAP field used to set how to handle referrals. Accepts two values:

  • ignore: Ignore referrals.
  • follow: Automatically follow any referrals.

Corresponds to LDAP Referral

mms.ldap.ssl.CAFile

Type: string

A file containing one or more trusted certificates in PEM format. Use this setting if you are using LDAPS and the server is using a certificate that is not from a well-known Certificate Authority.

mms.ldap.ssl.CAFile=/opt/CA.pem

Corresponds to LDAP SSL CA File

mms.ldap.ssl.PEMKeyFile

Type: string

A file containing a client certificate and private key. Use this setting when your TLS/SSL LDAP server requires client certificates.

mms.ldap.ssl.PEMKeyFile=/opt/keyFile.pem

Corresponds to LDAP SSL PEM Key File

mms.ldap.ssl.PEMKeyFilePassword

Type: string

Password for LDAP SSL PEM Key File. Use this setting if the PEMKeyFile is encrypted.

mms.ldap.ssl.PEMKeyFilePassword=<password>

Corresponds to LDAP SSL PEM Key File Password

mms.ldap.url

Type: string

URI for the LDAP or LDAPS server.

mms.ldap.url=ldaps://acme-dc1.acme.example.com:3890

Corresponds to LDAP URI

mms.ldap.user.baseDn

Type: string

Base Distinguished Name (DN) that Ops Manager uses to search for users.

Escape the = sign with \.

mms.ldap.user.baseDn=DC\=acme,DC\=example,DC\=com

Corresponds to LDAP User Base Dn

mms.ldap.user.email

Type: string

LDAP user attribute that contains the user’s email address. After successful LDAP authentication, Ops Manager synchronizes the specified LDAP attribute with the email address from the Ops Manager user record.

Per RFC2256, the default LDAP attribute is mail.

mms.ldap.user.email=mail

Corresponds to LDAP User Email

mms.ldap.user.firstName

Type: string

LDAP user attribute that contains the user’s first name. After successful LDAP authentication, Ops Manager synchronizes the specified LDAP attribute with the first name from the Ops Manager user record.

Per RFC2256, the default LDAP attribute is givenName.

mms.ldap.user.firstName=givenName

Corresponds to LDAP User First Name

mms.ldap.user.group

Type: string

LDAP user attribute that contains the list of LDAP groups the user belongs to. The LDAP attribute can use any format to list the groups, including Common Name (cn) or Distinguished Name (dn). All Ops Manager settings in this configuration file that specify groups must match the chosen format.

mms.ldap.user.group=memberOf

Corresponds to LDAP User Group

mms.ldap.user.lastName

Type: string

LDAP user attribute that contains the user’s last name. After successful LDAP authentication, Ops Manager synchronizes the specified LDAP attribute with the last name from the Ops Manager user record.

Per RFC2256, the default LDAP attribute is sn for surname.

mms.ldap.user.lastName=sn

Corresponds to LDAP User Last Name

mms.ldap.user.searchAttribute

Type: string

LDAP field used for the LDAP search. This is typically a username or an email address. The value of this field is also used as the Ops Manager username.

mms.ldap.user.searchAttribute=<myAccountName>

Corresponds to LDAP User Search Attribute

mms.login.newDeviceNotification.enabled

Type: boolean

Flag that indicates the user should be notified that they have logged in from a new device.

Corresponds to New Device Login Notification

Multi-Factor Authentication (MFA) Settings

mms.multiFactorAuth.level

Type: string

Default: OFF

Configures the two-factor authentication “level”:

Setting Description
OFF Disables two-factor authentication. Ops Manager does not use two-factor authentication.
OPTIONAL Users can choose to set up two-factor authentication for their Ops Manager account.
REQUIRED_FOR_GLOBAL_ROLES Users who possess a global role must set up two-factor authentication. Two-factor authentication is optional for all other users.
REQUIRED All users must set up two-factor authentication for their Ops Manager account.

Two-factor authentication is recommended for the security of your Ops Manager deployment.

Warning

If you enable mms.multiFactorAuth.level through the configuration file, you must create a user account before you update the configuration file. Otherwise, you cannot log in to Ops Manager.

Note

If you enable Twilio integration (optional), ensure that Ops Manager servers can access the twilio.com domain.

Corresponds to Multi-factor Auth Level

mms.multiFactorAuth.allowReset

Type: boolean

Default: False

When true, Ops Manager allows users to reset their two-factor authentication settings via email in an analogous fashion to resetting their passwords.

To reset two-factor authentication, a user must:

  • be able to receive email at the address associated with the user account.
  • know the user account’s password.
  • know the agent API key for each Ops Manager project the user belongs to.

Corresponds to Multi-factor Auth Allow Reset

mms.multiFactorAuth.issuer

Type: string

If Google Authenticator provides two-factor authentication, this string is the issuer in the Google Authenticator app. If left blank, the issuer is the domain name of the Ops Manager installation.

Corresponds to Multi-factor Auth Issuer

mms.multiFactorAuth.require

Type: boolean

Default: False

When true, Ops Manager will require two-factor authentication for users to log in or to perform certain destructive operations within the application.

If you configure Twilio integration, users may obtain their second factor tokens via Google Authenticator, SMS, or voice calls. Otherwise, the only mechanism to provide two-factor authentication is Google Authenticator.

Other Authentication Settings

reCaptcha.enabled.registration

Type: boolean

Default: false

Flag that indicates you want a new user to validate themselves using reCaptcha validation when they register to use Ops Manager.

Set to true to require reCaptcha validation when a new user registers.

This setting requires a reCaptcha account.

Corresponds to ReCaptcha Enabled on Registration

reCaptcha.enabled

Type: boolean

Default: false

Flag that indicates you want a user to validate themselves using reCaptcha validation when they log into Ops Manager.

Set to true to require reCaptcha validation when a user logs in.

This setting requires a reCaptcha account.

Corresponds to ReCaptcha Enabled

reCaptcha.private.key

Type: string

ReCaptcha private key associated with your account.

Corresponds to ReCaptcha Private Key

reCaptcha.public.key

Type: string

ReCaptcha public key associated with your account.

Corresponds to ReCaptcha Public Key

mms.session.maxHours

Type: number

Number of hours before a session on the Ops Manager website expires.

Set this value to 0 to use browser session cookies only.

Corresponds to Session Max Hours

Web Server

mms.centralUrl

Type: string

FQDN and port number of the Ops Manager Application.

To use a port other than 8080, see Manage Ops Manager Ports.

mms.centralUrl=http://mms.example.com:8080

Corresponds to URL to Access Ops Manager

mms.https.PEMKeyFile

Type: string

Absolute path to the PEM file that contains the Ops Manager Application’s valid certificate and private key. The PEM file is required if the Ops Manager Application uses HTTPS to encrypt connections between the Ops Manager Application, the agents, and the web interface.

The default port for HTTPS access to the Ops Manager Application is 8443, as set in <install_dir>/conf/mms.conf file. If you change this default, you must also change the port specified in the mms.centralUrl setting.

Corresponds to HTTPS PEM Key File

mms.https.PEMKeyFilePassword

Type: string

Password for the HTTPS PEM key file. This is required if the PEM file contains an encrypted private key. If storing this in the conf-mms.properties file, you can encrypt the password using the Ops Manager credentialstool.

Corresponds to HTTPS PEM Key File Password

mms.https.ClientCertificateMode

Type: string

Specifies if Ops Manager requires clients to present valid TLS/SSL client certificates when connecting to it. Accepted values are:

  • none
  • agents_only
  • required

Corresponds to Client Certificate Mode

mms.https.CAFile

Type: string

Specifies the filesystem location of a certificate authority file containing the list of acceptable client certificates.

mms.https.CAFile=/path/to/ca_file.pem

If you want to use a private certificate authority, you must also include the mms.https.CAFile setting.

Corresponds to CA File

mms.remoteIp.header

Type: string

If you use a load balancer with the Ops Manager Application, set this to the HTTP header field the load balancer uses to identify the originating client’s IP address to the Ops Manager host. When you specify Load Balancer Remote IP Header, do not allow clients to connect directly to any Ops Manager host. A load balancer placed in front of the Ops Manager hosts must not return cached content.

Once Load Balancer Remote IP Header is set, Ops Manager enables the following HTTP headers:

HTTP Header Forwards to Ops Manager
X-Forwarded-Host Original host that the client requested in the Host HTTP request header.
X-Forwarded-Proto Protocol used to make the HTTP request.
X-Forwarded-Server Hostname of the proxy server.
X-Proxied-Https HTTPS status of a request.

To learn more, see Configure a Highly Available Ops Manager Application.

Corresponds to Load Balancer Remote IP Header

mms.minimumTLSVersion

Type: string

Specifies the TLS version required for clients to connect to Ops Manager. This property affects all clients, such as browsers used to connect to the Ops Manager Admin interface and command-line tools, such as curl, used to connect to the REST API. The following values are accepted:

  • TLSv1
  • TLSv1.1
  • TLSv1.2 (default)

Note

TLSv1.2 requires connecting clients to meet the following minimum requirements:

  • Browser supports TLS version 1.2
  • curl version 7.34.0+
  • OpenSSL version 1.0.1+

To set mms.minimumTLSVersion, click Config and then click the Custom tab.

mms.disableCiphers

Type: string

Specifies a list of TLS cipher suites which your instance of Ops Manager will not accept when clients connect to the Ops Manager Application and API. Specify TLS cipher suite names as a comma-separated list, as in the following example.

Important

Cipher suite names used in Ops Manager must follow RFC 5246 naming conventions. Do not use the OpenSSL naming convention. For convenience, Ops Manager logs a list of all supported cipher suite names during startup. If Ops Manager does not recognize a TLS cipher suite name, it logs the following warning:

Your config lists the following as ciphers which should be disabled as the JDK does not recognize them. Please check the format of the entries and list of enabled ciphers. [unrecognized_cipher_name]

To set mms.disableCiphers, click Config and then click the Custom tab.

mms.disableCiphers = TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
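
A pre-deployment check for the authentication and TLS settings described above, as an added example (not part of Ops Manager): it compares mms.multiFactorAuth.level, mms.minimumTLSVersion, mms.ldap.url and mms.disableCiphers against the accepted values listed on this page. The function names and both sample configurations are constructed. The check sees only keys present in the text it is given, not global settings stored in the Application Database.

```python
import re

MFA_LEVELS = {"OFF", "OPTIONAL", "REQUIRED_FOR_GLOBAL_ROLES", "REQUIRED"}
TLS_VERSIONS = ("TLSv1", "TLSv1.1", "TLSv1.2")   # accepted values, weakest first
# RFC-style suite names are upper case with underscores; OpenSSL names use hyphens.
RFC_CIPHER_NAME = re.compile(r"^TLS_[A-Z0-9_]+$")

# Constructed samples: the same four settings with weak and with stricter values.
WEAK = """
mms.multiFactorAuth.level=OFF
mms.minimumTLSVersion=TLSv1
mms.ldap.url=ldap://acme-dc1.acme.example.com:389
mms.disableCiphers = TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, DHE-RSA-AES256-SHA256
"""
HARDENED = """
mms.multiFactorAuth.level=REQUIRED_FOR_GLOBAL_ROLES
mms.minimumTLSVersion=TLSv1.2
mms.ldap.url=ldaps://acme-dc1.acme.example.com:3890
mms.disableCiphers = TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
"""


def read_settings(text):
    """Split key=value lines on the first '='; enough for the unescaped values checked here."""
    pairs = (line.partition("=") for line in text.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, _, v in pairs if not k.lstrip().startswith("#")}


def audit(text):
    """Return (setting, message) findings for the keys present in the given text."""
    cfg, findings = read_settings(text), []
    level = cfg.get("mms.multiFactorAuth.level")
    if level is not None and level not in MFA_LEVELS:
        findings.append(("mms.multiFactorAuth.level", f"unknown value {level!r}"))
    elif level == "OFF":
        findings.append(("mms.multiFactorAuth.level", "two-factor authentication is disabled"))
    tls = cfg.get("mms.minimumTLSVersion")
    if tls is not None and tls not in TLS_VERSIONS:
        findings.append(("mms.minimumTLSVersion", f"unknown value {tls!r}"))
    elif tls in TLS_VERSIONS[:2]:
        findings.append(("mms.minimumTLSVersion", f"{tls} permits clients below TLSv1.2"))
    if cfg.get("mms.ldap.url", "").lower().startswith("ldap://"):
        findings.append(("mms.ldap.url", "plain ldap:// scheme; use ldaps://"))
    for name in (c.strip() for c in cfg.get("mms.disableCiphers", "").split(",")):
        if name and not RFC_CIPHER_NAME.match(name):
            # Ops Manager logs unrecognized names at startup, as described above.
            findings.append(("mms.disableCiphers", f"{name} is not an RFC 5246-style name"))
    return findings


if __name__ == "__main__":
    for setting, message in audit(WEAK):
        print(f"{setting}: {message}")
```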

Webhook

mms.alerts.webhook.adminEndpoint

Type: string

Corresponds to Webhook URL

mms.alerts.webhook.adminSecret

Type: string

Corresponds to Webhook Secret