Configuration¶
Overview¶
The MMS Application Package and the MMS Backup Daemon Package each include a conf-mms.properties file, located in the <install_dir>/conf/ directory, that holds the configuration settings for the respective service. Settings that apply only to the Backup Daemon are kept in the conf-daemon.properties file (see MMS Backup Daemon Settings below).
To start either service, you must configure the Application URL Settings and the Email Address Settings in the respective conf-mms.properties file.
The configuration file can contain credentials in plain text, for example mms.mail.password, aws.secretkey, twilio.auth.token, mms.ldap.bindPassword, and the username and password embedded in mongo.mongoUri. Follow standard practice and restrict the file's permissions so that only the account the service runs as (the mongodb-mms user) can read it. If you would rather not store the MongoDB password in the clear, see Encrypt MongoDB User Credentials below.
Settings¶
Application URL Settings¶
The following two settings are mandatory.
- mms.centralUrl
  Type: string
  Required. Fully qualified URL, including the port number, of the MMS Monitoring server.
- mms.backupCentralUrl
  Type: string
  Required. Fully qualified URL, including the port number, of the MMS Backup server. You must set mms.backupCentralUrl even if you are only using MMS Monitoring and not MMS Backup.
Email Settings¶
Email Address Settings¶
The following email address settings are mandatory. You must define them before the On Prem MMS Monitoring instance will start.
- mms.fromEmailAddr
  Type: string
  Required. The address that general emails, such as MMS alerts, are sent from. You can include an alias with the address.
- mms.replyToEmailAddr
  Type: string
  Required. The address that replies to general emails are sent to.
- mms.adminFromEmailAddr
  Type: string
  Required. The address that messages from the MMS admin are sent from. You can include an alias with the address.
- mms.adminEmailAddr
  Type: string
  Required. The address that messages or replies to the MMS admin are sent to. You can include an alias with the address.
- mms.bounceEmailAddr
  Type: string
  Required. The address that bounce messages (non-delivery notices for alerts or for messages from the MMS admin) are sent to.
Email Service Settings¶
- mms.emailDaoClass
  Type: string
  The email interface to use. For AWS Simple Email Service, specify com.xgen.svc.core.dao.email.AwsEmailDao and also set aws.accesskey and aws.secretkey. To send mail through an SMTP server, specify com.xgen.svc.core.dao.email.JavaEmailDao and configure the mms.mail.* settings that follow.
- mms.mail.transport
  Type: string
  Default: smtp
  The transfer protocol, smtp or smtps, as specified by your email provider.
- mms.mail.hostname
  Type: string
  Default: localhost
  The mail server hostname as specified by your email provider.
- mms.mail.port
  Type: number
  Default: 25
  The port number for the transfer protocol as specified by your email provider.
- mms.mail.tls
  Type: boolean
  Default: false
  Whether the transfer protocol runs on top of TLS. If you set mms.mail.username and mms.mail.password but leave this false with the smtp transport, the SMTP AUTH exchange, and therefore the password, crosses the network in clear text; use smtps or set this to true whenever authentication is configured.
- mms.mail.username
  Type: string
  The user name for the email account. If unset, SMTP authentication is disabled.
- mms.mail.password
  Type: string
  The password for the email account. If unset, SMTP authentication is disabled.
- aws.accesskey
  Required if using AWS Simple Email Service. The AWS access key ID.
- aws.secretkey
  Required if using AWS Simple Email Service. The AWS secret access key. Prefer an IAM identity scoped to sending mail only, since this key is stored in plain text in the configuration file.
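The checks below are an added example, not part of the original page and not code from MMS itself: a small Python reader for the Java .properties format that conf-mms.properties uses, followed by a check_config function that flags the constraints this page states, that is, the mandatory application-URL and email-address settings, the requirement that the two URLs carry a port number, SMTP authentication configured without smtps or mms.mail.tls, and the 90000 ms floor on mms.monitoring.agent.session.timeoutMillis described later under Session Management. The sample configuration, hostnames and credentials are constructed for the example; file_is_private implements the permission check recommended in the Overview.

```python
import os
import stat
from urllib.parse import urlsplit

# Settings this page marks as mandatory for the MMS Application to start.
MANDATORY_KEYS = ("mms.centralUrl", "mms.backupCentralUrl", "mms.fromEmailAddr",
                  "mms.replyToEmailAddr", "mms.adminFromEmailAddr",
                  "mms.adminEmailAddr", "mms.bounceEmailAddr", "mongo.mongoUri")
_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}

# Constructed sample conf-mms.properties for this example; hosts and credentials are not real.
SAMPLE_CONFIG = """\
mms.centralUrl=http://mms.example.com:8080
mms.backupCentralUrl=http://mms.example.com:8081
# mandatory email addresses; an alias is allowed on the "from" addresses
mms.fromEmailAddr=MMS Alerts <mms-alerts@example.com>
mms.replyToEmailAddr=mms-noreply@example.com
mms.adminFromEmailAddr=MMS Admin <mms-admin@example.com>
mms.adminEmailAddr=mms-admin@example.com
mms.bounceEmailAddr=mms-bounce@example.com
# SMTP with authentication but without TLS: flagged by check_config
mms.emailDaoClass=com.xgen.svc.core.dao.email.JavaEmailDao
mms.mail.transport=smtp
mms.mail.tls=false
mms.mail.username=mms
mms.mail.password=s3cret
# a multi-line value: the trailing backslash continues onto the next line
mongo.mongoUri=mongodb://mms-user:s3cret@db1.example.com:27017,\\
    db2.example.com:27017/admin
mongo.replicaSet=rs0
# '=' inside a value is written as \\= and read back as '='
mms.ldap.user.baseDn=ou\\=Users,dc\\=example,dc\\=com
"""


def _unescape(s):
    """Resolve java.util.Properties backslash escapes; an unknown escape just drops the backslash."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(_ESCAPES.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_properties(text):
    """Minimal java.util.Properties reader: 'key=value', 'key: value' or 'key value';
    '#' and '!' comment lines; a trailing backslash joins the next line to the value."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:  # odd number of trailing backslashes
            pending = line[:-1]
            continue
        i = 0  # the key ends at the first unescaped '=', ':' or whitespace
        while i < len(line) and line[i] not in "=: \t":
            i += 2 if line[i] == "\\" else 1
        key, value = line[:i], line[i:].lstrip(" \t")
        if value[:1] in ("=", ":"):
            value = value[1:].lstrip(" \t")
        props[_unescape(key)] = _unescape(value)
    return props


def _is_full_url(url):
    """True for an http(s) URL that carries an explicit port, as mms.centralUrl requires."""
    try:
        parts = urlsplit(url)
        return parts.scheme in ("http", "https") and parts.port is not None
    except ValueError:
        return False


def check_config(props):
    """Return the problems a practitioner wants flagged before starting the service."""
    problems = [f"missing mandatory setting: {k}" for k in MANDATORY_KEYS if not props.get(k, "").strip()]
    for k in ("mms.centralUrl", "mms.backupCentralUrl"):
        if props.get(k) and not _is_full_url(props[k]):
            problems.append(f"{k} must be a fully qualified http(s) URL that includes the port number")
    smtp_auth = props.get("mms.mail.username") or props.get("mms.mail.password")
    protected = (props.get("mms.mail.transport", "smtp") == "smtps"
                 or props.get("mms.mail.tls", "false").lower() == "true")
    if smtp_auth and not protected:
        problems.append("mms.mail.username/password are set but SMTP AUTH would run in clear text; "
                        "set mms.mail.tls=true or mms.mail.transport=smtps")
    timeout = props.get("mms.monitoring.agent.session.timeoutMillis")
    if timeout is not None and (not timeout.isdigit() or int(timeout) < 90000):
        problems.append("mms.monitoring.agent.session.timeoutMillis is below the 90000 minimum; MMS will not start")
    return problems


def file_is_private(path):
    """True when the properties file has no group/other permission bits (for example mode 0600)."""
    return os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


if __name__ == "__main__":
    for problem in check_config(parse_properties(SAMPLE_CONFIG)):
        print("WARN:", problem)
```

Run it against a real file with check_config(parse_properties(open(path).read())) and file_is_private(path) before starting the service; the SMTP check is the one most often missed, because a clear-text AUTH still works and nothing in the application log says the password went over the wire unprotected.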
Twilio SMS Alert Settings¶
To receive alert notifications via SMS, you must have a Twilio account and specify your Twilio account information in the configuration file.
- twilio.account.sid
  Type: string
  The Twilio account SID.
- twilio.auth.token
  Type: string
  The Twilio auth token. This is a credential for your Twilio account and is stored in plain text.
- twilio.from.num
  Type: string
  The Twilio phone number that SMS alerts are sent from.
MongoDB Settings¶
- mongo.mongoUri
  Type: string
  Required. The connection string to the MongoDB server that backs MMS, i.e. the MMS Application Database. For a replica set, list every member as host:port in the connection string and set mongo.replicaSet to the replica set name.
  For a MongoDB server with access control, prefix the hostname with the MongoDB username and password in the form <username>:<password>@ and append the /admin database after the port.
  For a MongoDB server using LDAP as the authentication mechanism, prefix the hostname with the MongoDB username and password in the form <username>:<password>@ and append the authMechanism=PLAIN&authSource=$external options after the port.
  For a MongoDB instance using Kerberos, prefix the hostname with the Kerberos user principal and append the authentication mechanism, authMechanism=GSSAPI, after the port. Kerberos user principal names have the form <username>@<KERBEROS REALM>, so you must URL-encode the principal, replacing reserved symbols with their percent-encoded representation: a principal of username@REALM.EXAMPLE.COM becomes username%40REALM.EXAMPLE.COM. The same rule applies to any reserved character (@, :, /, ?, #, %) in a plain username or password; left unencoded, such characters are ambiguous with the URI's own delimiters and the connection string may fail to parse or connect as the wrong user.
  To enable Kerberos authentication between the MMS Application and its backing database, see Kerberos Settings. See also authMechanism and authSource in the MongoDB manual. For additional considerations when specifying user credentials, such as encrypting them or authenticating with Kerberos, see MongoDB Access Control Considerations.
  See Connection String URI Format for more information on the connection string.
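As an added example, not taken from the original page or from MMS: the helper below assembles a mongo.mongoUri value for each of the four cases described above (no access control, username and password against /admin, LDAP with PLAIN and $external, and Kerberos with GSSAPI) and percent-encodes the credentials with Python's standard library, so that an @, : or / in a password, or the @ in a Kerberos principal, cannot be mistaken for a URI delimiter. The host names and credentials are constructed; credentials_from_uri decodes them back the way a driver would, as a round-trip check.

```python
from urllib.parse import quote, unquote, urlsplit


def enc(value):
    """Percent-encode a credential for the userinfo part of a URI. safe='' makes
    @ : / ? # and % all come out escaped."""
    return quote(value, safe="")


def build_mongo_uri(hosts, username=None, password=None, auth="password", database="admin"):
    """Assemble a mongo.mongoUri value for the cases the page describes.

    auth="none"      no credentials (access control disabled)
    auth="password"  <username>:<password>@ ... /admin
    auth="ldap"      <username>:<password>@ ... /?authMechanism=PLAIN&authSource=$external
    auth="kerberos"  <principal>@ ... /?authMechanism=GSSAPI  (principal only, no password)
    For a replica set pass every member as host:port; mongo.replicaSet is set separately."""
    host_list = ",".join(hosts)
    if auth == "none":
        return f"mongodb://{host_list}/"
    if auth == "kerberos":
        # user@REALM must become user%40REALM, otherwise the '@' is read as the
        # end of the userinfo and 'REALM...' as the host.
        return f"mongodb://{enc(username)}@{host_list}/?authMechanism=GSSAPI"
    userinfo = f"{enc(username)}:{enc(password)}"
    if auth == "ldap":
        return f"mongodb://{userinfo}@{host_list}/?authMechanism=PLAIN&authSource=$external"
    if auth == "password":
        return f"mongodb://{userinfo}@{host_list}/{database}"
    raise ValueError(f"unknown auth mode: {auth}")


def credentials_from_uri(uri):
    """Decode the (username, password) a driver would extract, as a round-trip check."""
    parts = urlsplit(uri)
    user = unquote(parts.username) if parts.username is not None else None
    pwd = unquote(parts.password) if parts.password is not None else None
    return user, pwd


def mms_examples():
    """Constructed hosts and credentials (not a real deployment) for each case."""
    members = ["db1.example.com:27017", "db2.example.com:27017"]
    return {
        "none": build_mongo_uri(members, auth="none"),
        "password": build_mongo_uri(members, "mms-user", "p@ss:w/rd"),
        "ldap": build_mongo_uri(members, "mms-user", "p@ss:w/rd", auth="ldap"),
        "kerberos": build_mongo_uri(members, "username@REALM.EXAMPLE.COM", auth="kerberos"),
    }


if __name__ == "__main__":
    for mode, uri in mms_examples().items():
        print(f"{mode:9} {uri}")
```

The Kerberos case produces exactly the username%40REALM.EXAMPLE.COM form shown above. Note that the password "p@ss:w/rd" becomes p%40ss%3Aw%2Frd in the URI and decodes back unchanged; if you paste a raw password containing @ into mongo.mongoUri, everything after the first @ is taken as part of the host list.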
- mongo.replicaSet
  Type: string
  Required if mongo.mongoUri points to a replica set. The name of the replica set.
- mongo.encryptedCredentials
  Type: boolean
  Optional. Set to true if mongo.mongoUri contains the encrypted username and password. The username and password must have been encrypted with the On Prem MMS Monitoring credentialstool. See MongoDB Access Control Considerations for more information on encrypting the username and password.
  Important
  The configuration can contain more than one mongoUri setting (mongo.mongoUri here, and mongo.backupdb.mongoUri in conf-daemon.properties). If mongo.encryptedCredentials is true, you must encrypt the user credentials in every one of them.
MMS Backup Daemon Settings¶
These settings are in the conf-daemon.properties file and are necessary only if you are using MMS Backup.
- mongo.backupdb.mongoUri
  Type: string
  Required for MMS Backup. The connection string to the MMS Backup Blockstore Database. This must be a separate MongoDB server from the MMS Application Database. The credential and authentication-option rules described for mongo.mongoUri apply here as well.
- mongo.backupdb.replicaSet
  Type: string
  Required for MMS Backup if mongo.backupdb.mongoUri points to a replica set. The name of the replica set.
- rootDirectory
  Type: string
  The disk partition the Backup Daemon uses to dynamically create and maintain the replica set HEAD directories. For more information on HEADs, see the MMS Backup functional overview.
  This directory must be writable by the mongodb-mms user and the value must end in a trailing slash. It is critical that this partition is sized appropriately.
  Important
  Data in this directory is dynamically created, maintained and destroyed by the MMS Backup Daemon. Do not use the partition for any other purpose, and do not let it overlap with the partition used for the Backup Blockstore Database.
- mongodb.release.directory
  Type: string
  The full path to the directory that contains every MongoDB release the Backup Daemon needs. When backing up a replica set, the Backup Daemon must use a mongod that matches the version of the replica set being backed up.
  If you update versions manually, name the folders within this directory using the following form:
  The Backup Daemon includes the mongodb-fetch utility, which downloads the latest releases directly from mongodb.org/downloads. When mongodb.release.autoDownload is true, the daemon runs this utility every hour once the service starts. For details, including how to download releases manually, see mongodb.release.autoDownload.
- mongodb.release.autoDownload
  Type: boolean
  Specify true to enable automatic downloads or false to disable them.
  When true, the Backup Daemon automatically downloads the latest MongoDB release from mongodb.org/downloads and stores it in the directory specified by mongodb.release.directory. The download is performed by the mongodb-fetch utility in the /opt/mongodb/backup-daemon/bin directory, which runs once an hour. Because this fetches executables from the internet on a schedule, set it to false on hosts without outbound access or at sites that require binaries to be vetted before installation.
  If you set mongodb.release.autoDownload to false, you must manually download and install the needed MongoDB releases into mongodb.release.directory. If you back up deployments that use different MongoDB versions, you must download and install each version. Download the releases from mongodb.org/downloads and extract them, or run the mongodb-fetch utility manually. Either way, make sure the Backup Daemon has the correct version of mongod for every backed-up replica set.
Advanced Backup Restore Settings¶
These settings affect On-Prem MongoDB Management Service Backup restore behavior. They are found only in the conf-daemon.properties file.
- mms.backup.restore.linkExpirationHours
  Type: number
  Default: 1
  The number of hours that a restore link remains available.
- mms.backup.restore.linkUnlimitedUses
  Type: boolean
  Default: false
  Whether the link to a restored point-in-time snapshot can be used more than once. By default, the link to download a point-in-time snapshot can be used only once. To allow multiple downloads of the snapshot, set this to true. A multi-use link is a bearer credential for the full contents of the snapshot for as long as it is valid, so leave the default unless you need repeated downloads.
- mms.backup.restore.snapshotPITExpirationHours
  Type: number
  Default: 24
  The number of hours that a link to a restored point-in-time snapshot remains available. By default, the link is available for 24 hours after the point-in-time snapshot is created.
Session Management Settings¶
- mms.session.maxHours
  Type: number
  The number of hours before a session on the MMS website expires.
- mms.monitoring.agent.session.timeoutMillis
  Type: number
  Default: 300000
  Minimum: 90000
  The Monitoring Agent failover time, in milliseconds. If On-Prem MongoDB Management Service does not receive a deployment status from the primary Monitoring Agent within this time, it promotes a standby Monitoring Agent to primary. Setting the timeout below 90000 (90 seconds) causes On-Prem MongoDB Management Service to fail at startup with a configuration error.
Password Policy Settings¶
You can configure the password policy for MMS user accounts with the following settings:
- mms.password.minChangesBeforeReuse
  Type: number
  The number of previous passwords to remember. A remembered password cannot be reused as a new password.
- mms.password.maxFailedAttemptsBeforeAccountLock
  Type: number
  The number of failed login attempts before an account is locked. Only an MMS Administrator can unlock a locked account.
- mms.password.maxDaysInactiveBeforeAccountLock
  Type: number
  The maximum number of days without a visit to the MMS website before MMS locks the account.
- mms.password.maxDaysBeforeChangeRequired
  Type: number
  The number of days a password is valid before it expires.
- mms.multiFactorAuth.require
  Type: boolean
  Default: false
  When true, MMS requires two-factor authentication for users to log in and to perform certain destructive operations within the application. If you configure Twilio integration, users can obtain their second-factor tokens via Google Authenticator, SMS, or voice call. Otherwise, Google Authenticator is the only mechanism for providing the second factor.
- mms.multiFactorAuth.allowReset
  Type: boolean
  Default: false
  When true, MMS allows users to reset their two-factor authentication settings via email, in the same way as resetting a password. To reset two-factor authentication, a user must:
  - be able to receive email at the address associated with the user account
  - know the user account's password
  - know the Agent API key for any MMS Group of which the user is a member
  Enabling this reduces the second factor's strength to that of the mailbox, the password and the Agent API key combined; leave it disabled unless the cost of manual resets by an administrator justifies it.
- mms.multiFactorAuth.issuer
  Type: string
  If Google Authenticator provides two-factor authentication, this string is the issuer shown in the Google Authenticator app. If left blank, the issuer is the domain name of the MMS installation.
SNMP Heartbeat Settings¶
You can configure the On Prem MMS Server to send a periodic heartbeat trap notification (SNMP v2c) that contains an internal health assessment of the MMS Server. The MMS Server can send traps to one or more endpoints on the standard SNMP trap UDP port 162. SNMP v2c traps are neither authenticated nor encrypted, so treat the heartbeat as informational and keep the SNMP ports confined to the management network.
To configure the On Prem MMS Server to send trap notifications, download the Management Information Base (MIB) file at http://downloads.mongodb.com/on-prem-monitoring/MMS-MONGODB-MIB.txt and configure the following settings:
- snmp.default.hosts
  Type: string
  Default: blank
  Comma-separated list of hosts to which 'heartbeat' traps are sent on the standard UDP port 162. You must set snmp.default.hosts to enable the SNMP heartbeat functionality; leaving it blank disables it.
- snmp.listen.port
  Type: number
  Default: 11611
  Listening UDP port for SNMP. A port number below 1024 requires running the MMS server with root privileges, which you should avoid; keep an unprivileged port and, if the standard port is needed, redirect it at the host firewall instead.
- snmp.default.heartbeat.interval
  Type: number
  Default: 300
  Number of seconds between heartbeat notifications.
reCaptcha Settings¶
To enable the reCaptcha anti-spam test on new user registration, you must have a reCaptcha account and specify its API keys in the configuration file.
- reCaptcha.public.key
  Type: string
  The reCaptcha public key associated with your account.
- reCaptcha.private.key
  Type: string
  The reCaptcha private key associated with your account. Treat it as a secret.
LDAP Settings¶
LDAP Server Setting¶
- mms.userSvcClass
  Type: string
  To authenticate MMS users against an LDAP directory, set this to the LDAP user service class, com.xgen.svc.mms.svc.user.UserSvcLdap.
LDAP User Settings¶
Specify the LDAP directory schema properties in the following settings:
- mms.ldap.url
  Type: string
  The URI of the LDAP server. Prefer an ldaps:// URI where the directory supports it: over a plain ldap:// connection the bind password and every user's login password cross the network in clear text.
- mms.ldap.bindDn
  Type: string
  The DN of the LDAP user that MMS binds as to search for other users. Give this account read-only access to the user and group entries; it needs nothing more.
- mms.ldap.bindPassword
  Type: string
  The password for the search user.
- mms.ldap.user.baseDn
  Type: string
  The base Distinguished Name (DN) under which MMS searches for users. Escape each = sign with a backslash, as \=.
- mms.ldap.user.searchAttribute
  Type: string
  The LDAP user record attribute that MMS matches against the username a user types into the MMS login form.
- mms.ldap.user.firstName
  Type: string
  The LDAP user attribute that contains the user's first name.
- mms.ldap.user.lastName
  Type: string
  The LDAP user attribute that contains the user's last name.
- mms.ldap.user.email
  Type: string
  The LDAP user attribute that contains the user's email address.
- mms.ldap.user.group
  Type: string
  The LDAP user attribute that contains the list of groups the user belongs to. The values can be either Common Names (CNs) or Distinguished Names (DNs), as long as they are in the same form as the groups named in the MMS LDAP Global Role Settings.
LDAP Global Role Settings¶
Each global role setting names the LDAP group whose members receive that role. The value can be either a Common Name (cn) or a Distinguished Name (dn), but its form must match the values held by the attribute specified in mms.ldap.user.group: a DN configured here never matches a CN returned there, and the user simply gets no global role.
- mms.ldap.global.role.read_only
  Type: string
  The LDAP group whose members are assigned the global read-only role in MMS. This role can only view data in MMS.
- mms.ldap.global.role.monitoring_admin
  Type: string
  The LDAP group whose members are assigned the global monitoring administrator role in MMS. This role can view hosts, charts, and other data, as well as monitor hosts, manage monitoring settings, download the Monitoring Agent, and perform related tasks.
- mms.ldap.global.role.backup_admin
  Type: string
  The LDAP group whose members are assigned the global backup administrator role in MMS. This role can view backup status and snapshot lists, modify backup settings, start, stop and terminate backups, request restores, view and edit host passwords, and perform related tasks.
- mms.ldap.global.role.owner
  Type: string
  The LDAP group whose members are assigned the global owner role in MMS. This role can perform all administrative tasks in MMS.
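An added example, not code from this page or from MMS: a resolver that maps the values of a user's mms.ldap.user.group attribute onto the mms.ldap.global.role.* settings above, and demonstrates the failure mode the two sections warn about, a directory that returns group CNs while the role settings are written as DNs. The group names, DNs and the case-insensitive, whitespace-tolerant comparison are assumptions made for the example; the matching rule MMS actually applies is not stated on this page.

```python
ROLE_PREFIX = "mms.ldap.global.role."

# Constructed mms.ldap.global.role.* values as they might appear in conf-mms.properties,
# written in DN form. Example data only, not from a real directory.
ROLE_SETTINGS = {
    ROLE_PREFIX + "read_only": "cn=mms-readonly,ou=groups,dc=example,dc=com",
    ROLE_PREFIX + "monitoring_admin": "cn=mms-monitoring-admins,ou=groups,dc=example,dc=com",
    ROLE_PREFIX + "backup_admin": "cn=mms-backup-admins,ou=groups,dc=example,dc=com",
    ROLE_PREFIX + "owner": "cn=mms-owners,ou=groups,dc=example,dc=com",
}


def normalize(name):
    """Canonical form of a CN or DN for comparison: case-folded, with whitespace
    around the ',' between RDNs removed. Assumption for this example: MMS compares
    the configured value and the attribute value as opaque strings."""
    return ",".join(part.strip() for part in name.casefold().split(","))


def global_roles(user_group_values, role_settings=ROLE_SETTINGS):
    """Map the values of a user's mms.ldap.user.group attribute to MMS global role names."""
    groups = {normalize(g) for g in user_group_values}
    return {key[len(ROLE_PREFIX):] for key, group in role_settings.items()
            if key.startswith(ROLE_PREFIX) and normalize(group) in groups}


def cn_of(dn):
    """Return the CN value of a DN, to rewrite DN-form settings into CN form."""
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.casefold() == "cn":
            return value.strip()
    return None


def demo():
    """Show the match, the CN-versus-DN mismatch, and the repaired configuration."""
    dn_groups = ["CN=mms-backup-admins,OU=groups,DC=example,DC=com",
                 "cn=developers, ou=groups, dc=example, dc=com"]
    cn_groups = ["mms-backup-admins", "developers"]           # same user, CN-valued attribute
    matched = global_roles(dn_groups)                          # {'backup_admin'}
    mismatched = global_roles(cn_groups)                       # set(): silently no role at all
    cn_settings = {k: cn_of(v) for k, v in ROLE_SETTINGS.items()}
    repaired = global_roles(cn_groups, cn_settings)            # {'backup_admin'}
    return matched, mismatched, repaired


if __name__ == "__main__":
    print(demo())
```

The mismatch case is the one to test for before cutting over: a user who should be backup_admin logs in successfully (the bind works) but lands without any global role, which is easy to mistake for a group-membership problem in the directory rather than a form mismatch in conf-mms.properties.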
Kerberos Settings¶
To enable Kerberos authentication between the MMS application and its backing database, configure the following settings. You must configure all required Kerberos settings to enable Kerberos authentication.
- jvm.java.security.krb5.kdc
  Required. The IP address or FQDN (Fully Qualified Domain Name) of the KDC server. The value is passed to the JVM as java.security.krb5.kdc.
- jvm.java.security.krb5.realm
  Required. The default Kerberos realm. The value is passed to the JVM as java.security.krb5.realm.
- mms.kerberos.principal
  Required. The principal MMS uses to authenticate with MongoDB. This must be exactly the same user as the one in mongo.mongoUri above.
- mms.kerberos.keyTab
  Required. The absolute path to the keytab file for the principal. The keytab is a long-lived credential equivalent to the principal's password; make it readable only by the account the service runs as.
- mms.kerberos.debug
  Optional. Debug flag that outputs more information about the Kerberos authentication process. Enable it only while troubleshooting.
MongoDB Access Control Considerations¶
For a MongoDB server with access control, mongo.mongoUri includes the MongoDB user credentials in the form mongodb://<username>:<password>@<host>:<port>/admin, as described under MongoDB Settings.
Encrypt MongoDB User Credentials¶
If you do not want to store the MongoDB credentials in plain text, On Prem MMS Monitoring provides the credentialstool to encrypt them. To encrypt authentication credentials:
- Run credentialstool, replacing <username> with your MongoDB username. The tool prompts you for the password and outputs the encrypted credential pair.
  credentialstool requires root privileges (i.e. sudo) when MMS is installed from rpm or deb packages, because it modifies the /etc/mongodb-mms/gen.key file. That file holds the key the application uses to decrypt the credentials, so anyone who can read both gen.key and conf-mms.properties can recover the password. Restrict gen.key at least as tightly as the properties file; the encryption protects against casual disclosure of the configuration file, not against a compromised host.
- Use the encrypted credential pair in the mongo.mongoUri settings where needed, and add the setting mongo.encryptedCredentials = true.
Important
The configuration can contain more than one mongoUri setting. If mongo.encryptedCredentials is true, you must encrypt all user credentials found in every mongoUri setting.
Authentication Mechanisms and Source¶
LDAP and mongo.mongoUri¶
To connect to a MongoDB server using LDAP, include the authMechanism=PLAIN&authSource=$external options in the mongo.mongoUri connection string. The PLAIN mechanism sends the password to the MongoDB server unhashed, so use it only over a TLS-protected connection between MMS and the server.
Kerberos and mongo.mongoUri¶
To connect to a MongoDB server using Kerberos, include the authMechanism=GSSAPI option in the mongo.mongoUri connection string, with the URL-encoded Kerberos principal as the username and no password.
To enable Kerberos authentication between the MMS application and its backing database, see also Kerberos Settings.
See also authMechanism and authSource in the MongoDB manual.
MongoDB User Access¶
The MongoDB user that MMS connects as must have the following roles: readWriteAnyDatabase, clusterAdmin, and dbAdminAnyDatabase. Together these roles grant control over the entire deployment, which is one reason the MMS Application Database should be a dedicated MongoDB deployment rather than one shared with other applications.