This version of the documentation is archived and no longer supported. To learn how to upgrade your version of MongoDB Ops Manager, refer to the upgrade documentation.

Configuration

Overview

The MMS Application Package and the MMS Backup Daemon Package include a conf-mms.properties file. Located in the <install_dir>/conf/ directory, the conf-mms.properties files contain configuration settings for their respective services.

To start either service, you must configure the Application URL Settings and Email Address Settings in the respective conf-mms.properties file.

Since the configuration file may contain user credentials in plain text, follow standard practice and reduce the permissions on the configuration file:

sudo chmod 600 <install_dir>/conf/conf-mms.properties
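As an added example, not part of the original documentation: a Python audit of a conf-mms.properties file that applies the constraints documented on this page (the mandatory URL and email settings, the 90000 ms minimum for mms.monitoring.agent.session.timeoutMillis, a privileged snmp.listen.port, SMTP credentials configured without mms.mail.tls, plain-text mongo.mongoUri passwords when mongo.encryptedCredentials is not true, and the 600 file mode). The sample file contents are constructed and the function names are assumptions of this example.

```python
import re
import stat

# Constructed sample of a conf-mms.properties file (values mirror the page's examples).
SAMPLE_CONF = """\
# conf-mms.properties (constructed sample)
mms.centralUrl=http://mms.example.com:8080
mms.backupCentralUrl=http://mms.example.com:8081
mms.fromEmailAddr=MMS Alerts <mms-alerts@example.com>
mms.replyToEmailAddr=mms-no-reply@example.com
mms.adminFromEmailAddr=MMS Admin <mms-admin@example.com>
mms.adminEmailAddr=mms-admin@example.com
mms.bounceEmailAddr=bounce@example.com
mms.mail.password=emailPassword
mongo.mongoUri=mongodb://mongodbuser1:password@mydb1.example.net:40000/admin
mms.monitoring.agent.session.timeoutMillis=60000
snmp.listen.port=162
mms.ldap.user.baseDn=c\\=users,d\\=identity
"""

# Settings the page marks as mandatory before either service will start.
REQUIRED = ("mms.centralUrl", "mms.backupCentralUrl", "mms.fromEmailAddr",
            "mms.replyToEmailAddr", "mms.adminFromEmailAddr",
            "mms.adminEmailAddr", "mms.bounceEmailAddr", "mongo.mongoUri")

def parse_properties(text):
    """Minimal Java .properties reader: skips '#'/'!' comments, splits each
    line on its first unescaped '=' and unescapes '\\=' (as in the baseDn)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^((?:\\.|[^=])+)=(.*)$", line)
        if m:
            key, val = (s.strip().replace("\\=", "=") for s in m.groups())
            props[key] = val
    return props

def audit(props, mode=None):
    """Return findings against the constraints this page documents.
    mode is the file's permission bits (e.g. os.stat(path).st_mode)."""
    findings = []
    for key in REQUIRED:
        if not props.get(key):
            findings.append(f"missing required setting {key}")
    if int(props.get("mms.monitoring.agent.session.timeoutMillis", 300000)) < 90000:
        findings.append("mms.monitoring.agent.session.timeoutMillis below the "
                        "90000 minimum: the service fails at startup")
    if int(props.get("snmp.listen.port", 11611)) < 1024:
        findings.append("snmp.listen.port below 1024 requires running the "
                        "MMS server as root")
    if (props.get("mms.mail.password") and props.get("mms.mail.tls", "false") != "true"
            and props.get("mms.mail.transport", "smtp") == "smtp"):
        findings.append("SMTP credentials configured without mms.mail.tls=true")
    if props.get("mongo.encryptedCredentials", "false") != "true":
        for key, val in props.items():
            if key.endswith("mongoUri") and re.search(r"://[^/@]+:[^/@]+@", val):
                findings.append(f"{key} holds a plain-text password; run "
                                "credentialstool and set mongo.encryptedCredentials=true")
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file readable by group/others: chmod 600 it")
    return findings
```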

Settings

Application URL Settings

The following two settings are mandatory.

mms.centralUrl

Type: string

Required. Fully qualified URL, including the port number, of the MMS Monitoring server. For example,

mms.centralUrl=http://mms.example.com:8080

mms.backupCentralUrl

Type: string

Required. The hostname and port of the MMS Backup server. For example,

mms.backupCentralUrl=http://mms.example.com:8081

You must set mms.backupCentralUrl, even if you are only using MMS Monitoring and not MMS Backup.

Email Settings

Email Address Settings

The following email address settings are mandatory. You must define them before the On Prem MMS Monitoring instance will start.

mms.fromEmailAddr

Type: string

Required. The email address used for sending the general emails, such as MMS alerts. You can include an alias with the email address. For example:

mms.fromEmailAddr=MMS Alerts <mms-alerts@example.com>

mms.replyToEmailAddr

Type: string

Required. The email address to send replies to general emails. For example:

mms.replyToEmailAddr=mms-no-reply@example.com

mms.adminFromEmailAddr

Type: string

Required. The email address to send messages from the MMS admin. You can include an alias with the email address. For example:

mms.adminFromEmailAddr=MMS Admin <mms-admin@example.com>

mms.adminEmailAddr

Type: string

Required. The email address to send messages or replies to the MMS admin. You can include an alias with the email address. For example:

mms.adminEmailAddr=mms-admin@example.com

mms.bounceEmailAddr

Type: string

Required. The email address to which bounce messages are sent, i.e. non-delivery notices for alerts or for messages from the MMS admin. For example:

mms.bounceEmailAddr=bounce@example.com

Email Service Settings

mms.emailDaoClass

Type: string

The email interface to use. For AWS Simple Email Service, specify com.xgen.svc.core.dao.email.AwsEmailDao, as in:

mms.emailDaoClass=com.xgen.svc.core.dao.email.AwsEmailDao

For AWS Simple Email Service, see also aws.accesskey and aws.secretkey.

For JavaEmailDao, specify com.xgen.svc.core.dao.email.JavaEmailDao, as in:

mms.emailDaoClass=com.xgen.svc.core.dao.email.JavaEmailDao

mms.mail.transport

Type: string

Default: smtp

Transfer protocol, smtp or smtps, as specified by your email provider. For example:

mms.mail.transport=smtp

mms.mail.hostname

Type: string

Default: localhost

Email hostname as specified by your email provider. For example:

mms.mail.hostname=mail.example.com

mms.mail.port

Type: number

Default: 25

Port number for the transfer protocol as specified by your email provider. For example:

mms.mail.port=25

mms.mail.tls

Type: boolean

Default: false

Indicator of whether the transfer protocol runs on top of TLS. For example:

mms.mail.tls=false

mms.mail.username

Type: string

User name of the email account. If unset, SMTP authentication is disabled.

mms.mail.username=

mms.mail.password

Type: string

Password for the email account. If unset, SMTP authentication is disabled.

mms.mail.password=emailPassword

aws.accesskey

Required if using AWS Simple Email Service. The access key ID for AWS.

aws.accesskey=EXAMPLEAccessKeyID

aws.secretkey

Required if using AWS Simple Email Service. The secret access key for AWS.

aws.secretkey=eXampLe/aCcESs/KEY

Twilio SMS Alert Settings

To receive alert notifications via SMS, you must have a Twilio account and specify your Twilio account information in the configuration file.

twilio.account.sid

Type: string

Twilio account ID.

twilio.auth.token

Type: string

Twilio API token.

twilio.from.num

Type: string

Twilio phone number.

MongoDB Settings

mongo.mongoUri

Type: string

Required. The connection string to the MongoDB server for MMS, i.e. the MMS Application Database. For example, the following specifies the URI for a replica set:

mongo.mongoUri=mongodb://db1.example.net:40000,db2.example.net:40000,db3.example.net:40000

For a MongoDB server with access control, prefix the hostname with the MongoDB username and password in the form <username>:<password>@, and append after the port the /admin database. For example:

mongo.mongoUri=mongodb://mongodbuser1:password@mydb1.example.net:40000/admin

For a MongoDB server using LDAP as the authentication mechanism, prefix the hostname with the MongoDB username and password in the form <username>:<password>@, and append the authMechanism=PLAIN&authSource=$external options after the port:

mongo.mongoUri=mongodb://mongodbuser1:password@mydb1.example.net:40000/?authMechanism=PLAIN&authSource=$external

For a MongoDB instance using Kerberos, prefix the hostname with the Kerberos user principal and specify the authentication mechanism, authMechanism=GSSAPI, after the port.

Kerberos user principal names have the form <username>@<KERBEROS REALM>. You must escape the user principal, replacing symbols with the URL encoded representation. A Kerberos user principal of username@REALM.EXAMPLE.COM would therefore become username%40REALM.EXAMPLE.COM.

The following is an example of Kerberos authentication:

mongo.mongoUri=mongodb://username%40REALM.EXAMPLE.COM@mydb1.example.net:40000/?authMechanism=GSSAPI

To enable Kerberos authentication between the MMS Application and its backing database, see Kerberos Settings. See also authMechanism and authSource in the MongoDB manual.

For additional considerations when specifying user credentials, such as encrypting user credentials or authenticating with Kerberos, see MongoDB Access Control Considerations.

See Connection String URI Format for more information on the connection string.
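As an added example, not part of the original documentation: a Python helper that builds a mongo.mongoUri value for each of the authentication modes described above (no credentials, access control against /admin, LDAP with PLAIN and $external, and Kerberos with the percent-encoded principal), plus a check that catches the common mistakes (an unencoded @ in the principal, PLAIN without authSource=$external). The function names are assumptions of this example.

```python
from urllib.parse import parse_qs, quote, urlsplit

def mongo_uri(hosts, username=None, password=None, auth="none"):
    """Build a mongo.mongoUri value for the modes this page describes.
    hosts: list of "host:port" strings (several for a replica set).
    auth: "none", "access-control" (credentials, /admin database),
    "ldap" (PLAIN against $external) or "kerberos" (GSSAPI principal)."""
    hostlist = ",".join(hosts)
    if auth == "none":
        return f"mongodb://{hostlist}"
    if auth == "kerberos":
        # The '@' inside username@REALM would be read as the userinfo/host
        # separator, so the whole principal is percent-encoded (safe="")
        # and '@' becomes %40, exactly as the page shows.
        return f"mongodb://{quote(username, safe='')}@{hostlist}/?authMechanism=GSSAPI"
    cred = f"{quote(username, safe='')}:{quote(password, safe='')}"
    if auth == "access-control":
        return f"mongodb://{cred}@{hostlist}/admin"
    if auth == "ldap":
        return f"mongodb://{cred}@{hostlist}/?authMechanism=PLAIN&authSource=$external"
    raise ValueError(f"unknown auth mode {auth!r}")

def check_uri(uri):
    """Return a list of problems with the authentication part of a URI."""
    parts = urlsplit(uri)
    userinfo, _, _ = parts.netloc.rpartition("@")
    opts = {k: v[0] for k, v in parse_qs(parts.query).items()}
    mech = opts.get("authMechanism")
    problems = []
    if mech == "PLAIN" and opts.get("authSource") != "$external":
        problems.append("LDAP (PLAIN) requires authSource=$external")
    if mech == "GSSAPI" and "%40" not in userinfo:
        problems.append("Kerberos principal must carry its realm with '@' encoded as %40")
    if mech is None and userinfo and not parts.path.startswith("/admin"):
        problems.append("credentials given but no /admin database or authMechanism")
    return problems
```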

mongo.replicaSet

Type: string

Required if using a replica set for mongo.mongoUri. The name of the replica set. For example:

mongo.replicaSet=mmsreplset

mongo.encryptedCredentials

Type: boolean

Optional. Set to true if mongo.mongoUri contains the encrypted username and password.

mongo.encryptedCredentials=true

The username and password must have been encrypted using the On Prem MMS Monitoring credentialstool. See MongoDB Access Control Considerations for more information on encrypting username and password.

Important

The conf-mms.properties file can contain multiple mongo.MongoURI settings. If mongo.encryptedCredentials is true, you must encrypt all user credentials found in the various mongo.MongoURI settings.

MMS Backup Daemon Settings

These settings, in the conf-daemon.properties file, are necessary only if you are using MMS Backup.

mongo.backupdb.mongoUri

Type: string

Required for MMS Backup. The connection string to the MMS Backup Blockstore Database. This must be a separate MongoDB server from the MMS Application Database. For example:

mongo.backupdb.mongoUri=mongodb://db5.example.net:50000,db6.example.net:50000,db7.example.net:50000

mongo.backupdb.replicaSet

Type: string

Required for MMS Backup if using a replica set for mongo.backupdb.mongoUri. The name of the replica set. For example:

mongo.backupdb.replicaSet=mmsbackupreplset

rootDirectory

Type: string

The disk partition used by the Backup Daemon to dynamically create and maintain the replica set HEAD directories. For more information on HEADs, see the MMS Backup functional overview.

This directory must be writable by the mongodb-mms user and must end in a trailing slash. It is critical that this partition is sized appropriately.

Important

Data in this directory is dynamically created, maintained and destroyed by the MMS Backup Daemon. This partition should not be used for any other purpose. This partition should not overlap with the partition used for the Backup Blockstore Database.

mongodb.release.directory

Type: string

Specifies the full path to the directory that contains every MongoDB release needed by the Backup Daemon. When backing up a replica set, the Backup Daemon must use a mongod that matches the version of the replica set being backed up.

If you update versions manually, name the folders within this full directory path using the following form:

mongodb-<platform>-<architecture>-<version>

For example:

mongodb-linux-x86_64-2.4.8
mongodb-linux-x86_64-2.4.9
mongodb-linux-x86_64-2.4.10
mongodb-linux-x86_64-2.6.0

The Backup Daemon includes the mongodb-fetch utility that will download the latest releases directly from mongodb.org/downloads. The mongodb.release.autoDownload setting automatically runs this utility every hour once the service starts. For details, including the option to download manually, see mongodb.release.autoDownload.

mongodb.release.autoDownload

Type: boolean

Specify true to enable automatic downloads; false to disable.

When true, Backup automatically downloads the latest release of MongoDB from mongodb.org/downloads and stores it in the directory specified by the mongodb.release.directory setting. The Backup Daemon includes the mongodb-fetch utility, located in the /opt/mongodb/backup-daemon/bin directory, which runs once an hour to perform the downloads.

If you set mongodb.release.autoDownload to false, you must manually download and install the needed MongoDB releases in the mongodb.release.directory. If you back up deployments that use different MongoDB versions, you must download and install each version.

Download the releases from mongodb.org/downloads and extract them. Alternatively, run the mongodb-fetch utility manually; it is included in the distribution and ensures that the Backup Daemon has the correct version of mongod for every backed-up replica set.

Advanced Backup Restore Settings

These settings affect On-Prem MongoDB Management Service Backup restore behaviors. They are found only in the conf-daemon.properties file.

mms.backup.restore.linkExpirationHours

Type: number

Default: 1

The amount of time in hours that a restore link is available.

mms.backup.restore.linkUnlimitedUses

Type: boolean

Default: false

Sets whether the link to a restored point-in-time snapshot can be used more than once. By default, when you create a point-in-time snapshot, the link to download the snapshot can be used just once. To allow multiple downloads of the snapshot, set this value to true.

mms.backup.restore.snapshotPITExpirationHours

Type: number

Default: 24

The length of time in hours that a link to a restored point-in-time snapshot is available. By default, the link is available for 24 hours after creation of the point-in-time snapshot.

Session Management Setting

mms.session.maxHours

Type: number

The number of hours before a session on the MMS website expires.

mms.monitoring.agent.session.timeoutMillis

Type: number

Default: 300000

Minimum: 90000

The Monitoring Agent failover time, in milliseconds. If On-Prem MongoDB Management Service does not receive a deployment status from the primary Monitoring Agent in the time specified, On-Prem MongoDB Management Service will make a standby Monitoring Agent the new primary. Configuring the timeout below 90000 (90 seconds) will cause On-Prem MongoDB Management Service to fail at startup with a configuration error.

Password Policy Settings

You can configure the password policy for MMS user accounts with the following settings:

mms.password.minChangesBeforeReuse

Type: number

The number of previous passwords to remember. You cannot reuse a remembered password as a new password.

mms.password.maxFailedAttemptsBeforeAccountLock

Type: number

The number of failed login attempts before an account becomes locked. Only an MMS Administrator can unlock a locked account.

mms.password.maxDaysInactiveBeforeAccountLock

Type: number

The maximum number of days with no visits to the MMS website before MMS locks an account.

mms.password.maxDaysBeforeChangeRequired

Type: number

The number of days a password is valid before the password expires.

mms.multiFactorAuth.require

Type: boolean

Default: false

When true, MMS will require two-factor authentication for users to log in or to perform certain destructive operations within the application.

If you configure Twilio integration, users may obtain their second factor tokens via Google Authenticator, SMS, or voice calls. Otherwise, the only mechanism to provide two-factor authentication is Google Authenticator.

mms.multiFactorAuth.allowReset

Type: boolean

Default: false

When true, MMS will allow users to reset their two-factor authentication settings via email in an analogous fashion to resetting their passwords.

To reset two-factor authentication, a user must:

  • be able to receive email at the address associated with the user account
  • know the user account’s password
  • know the Agent API key for any MMS Group of which the user is a member

mms.multiFactorAuth.issuer

Type: string

If Google Authenticator provides two-factor authentication, this string is the issuer in the Google Authenticator app. If left blank, the issuer is the domain name of the MMS installation.

SNMP Heartbeat Settings

You can configure the On Prem MMS Server to send a periodic heartbeat trap notification (v2c) that contains an internal health assessment of the MMS Server. The MMS Server can send traps to one or more endpoints on the standard SNMP UDP port 162.

To configure the On Prem MMS Server to send trap notifications, download the Management Information Base (MIB) file at http://downloads.mongodb.com/on-prem-monitoring/MMS-MONGODB-MIB.txt and configure the following settings:

snmp.default.hosts

Type: string

Default: blank

Comma-separated list of hosts to which ‘heartbeat’ traps are sent on the standard UDP port 162. You must set snmp.default.hosts to enable the SNMP heartbeat functionality; leaving the setting blank disables it.

snmp.listen.port

Type: number

Default: 11611

Listening UDP port for SNMP. Setting it to a number less than 1024 requires running the MMS server with root privileges.

snmp.default.heartbeat.interval

Type: number

Default: 300

Number of seconds between heartbeat notifications.

reCaptcha Settings

To enable the reCaptcha anti-spam test on new user registration, you must have a reCaptcha account and specify the API information in the configuration file.

reCaptcha.public.key

Type: string

The reCaptcha public key associated with your account.

reCaptcha.private.key

Type: string

The reCaptcha private key associated with your account.

LDAP Settings

LDAP Server Setting

mms.userSvcClass

Type: string

The LDAP user service class, com.xgen.svc.mms.svc.user.UserSvcLdap; i.e.

mms.userSvcClass=com.xgen.svc.mms.svc.user.UserSvcLdap

LDAP User Settings

Specify the LDAP directory schema properties in the following settings:

mms.ldap.url

Type: string

The URI for the LDAP server. For example:

mms.ldap.url=ldap://174.129.71.167:3890

mms.ldap.bindDn

Type: string

The LDAP user used to execute searches for other users. For example:

mms.ldap.bindDn=_search_

mms.ldap.bindPassword

Type: string

The credentials for the search user. For example:

mms.ldap.bindPassword=dISDFFFnj7WMmc

mms.ldap.user.baseDn

Type: string

The base Distinguished Name (DN) used for searching for users. Escape the = sign with \. For example:

mms.ldap.user.baseDn=c\=users,d\=identity

mms.ldap.user.searchAttribute

Type: string

The LDAP user record attribute that MMS uses to search and authenticate users when a user types their username into the MMS login form. For example:

mms.ldap.user.searchAttribute=uid

mms.ldap.user.firstName

Type: string

The LDAP user attribute that contains the user’s first name. For example:

mms.ldap.user.firstName=givenName

mms.ldap.user.lastName

Type: string

The LDAP user attribute that contains the user’s last name. For example:

mms.ldap.user.lastName=sn

mms.ldap.user.email

Type: string

The LDAP user attribute that contains the user’s email address. For example:

mms.ldap.user.email=mail

mms.ldap.user.group

Type: string

The LDAP user attribute that contains the list of groups that the user belongs to.

mms.ldap.user.group=groups

The group values can be either Common Names (CN’s) or Distinguished Names (DN’s), as long as they are consistent with those provided in the MMS LDAP Global Role Settings.

LDAP Global Role Settings

The global role settings accept an LDAP group in either format: a Common Name (i.e. cn) or a Distinguished Name (i.e. dn). The format must match the values stored in the attribute specified by the mms.ldap.user.group setting.

mms.ldap.global.role.read_only

Type: string

The LDAP group attribute name for users assigned the global read-only role in MMS. This role can only view data in MMS. For example:

mms.ldap.global.role.read_only=AcmeDbas

mms.ldap.global.role.monitoring_admin

Type: string

The LDAP group attribute name for users assigned the global monitoring administrative role in MMS. This role can view hosts, charts, and other data, as well as monitor hosts, manage monitoring settings, download the Monitoring Agent, and other tasks. For example:

mms.ldap.global.role.monitoring_admin=AcmeDbas

mms.ldap.global.role.backup_admin

Type: string

The LDAP group attribute name for users assigned the global backup administrative role in MMS. This role can view backup status, snapshot lists, and modify backup settings, as well as start/stop/terminate backups, request restores, view/edit host passwords, and other tasks. For example:

mms.ldap.global.role.backup_admin=AcmeDbas

mms.ldap.global.role.owner

Type: string

The LDAP group attribute name for users assigned the global owner role in MMS. This role can perform all administrative tasks in MMS. For example:

mms.ldap.global.role.owner=AcmeDbas

See also

User Roles

Kerberos Settings

To enable Kerberos authentication between the MMS application and its backing database, configure the following settings. You must configure all required Kerberos settings to enable Kerberos authentication.

jvm.java.security.krb5.kdc

Required. The IP address or FQDN (Fully Qualified Domain Name) of the KDC server. The value is passed to the JVM as java.security.krb5.kdc.

jvm.java.security.krb5.kdc=kdc.example.com

jvm.java.security.krb5.realm

Required. The default REALM for Kerberos. The value is passed to the JVM as java.security.krb5.realm.

jvm.java.security.krb5.realm=EXAMPLE.COM

mms.kerberos.principal

Required. The principal used to authenticate with MongoDB. This must be exactly the same user specified in mongo.mongoUri above.

mms.kerberos.principal=mms/mmsweb.example.com@EXAMPLE.COM

mms.kerberos.keyTab

Required. The absolute path to the keytab file for the principal.

mms.kerberos.keyTab=/path/to/mms.keytab

mms.kerberos.debug

Optional. Debug flag that outputs more information on the Kerberos authentication process.

mms.kerberos.debug=false

MongoDB Access Control Considerations

For a MongoDB server with access control, the mongo.mongoUri includes the MongoDB user credentials. For example:

mongo.mongoUri=mongodb://mongodbuser1:password@mydb1.example.net:40000/admin

Encrypt MongoDB User Credentials

If you do not want to store credentials in plain text, On Prem MMS Monitoring provides a tool to encrypt the MongoDB credentials. To encrypt authentication credentials:

  1. Issue the following command to create an encrypted credential pair, replacing <username> with your username:

    sudo <install_dir>/bin/credentialstool --username <username> --password

    This will prompt you to enter the password and will output the encrypted credential pair.

    credentialstool requires root privileges (i.e. sudo) when installed with rpm or deb packages, because it modifies the /etc/mongodb-mms/gen.key file.

  2. Use the encrypted credential pair in the mongo.MongoURI settings where needed, and add the mongo.encryptedCredentials=true setting. For example:

    mongo.mongoUri=mongodb://da83ex3s:a4fbcf3a1@mydb1.example.net:40000/admin
    mongo.encryptedCredentials=true

Important

The conf-mms.properties file can contain multiple mongo.MongoURI settings. If mongo.encryptedCredentials is true, you must encrypt all user credentials found in the various mongo.MongoURI settings.

Authentication Mechanisms and Source

LDAP and mongo.mongoUri

To connect to a MongoDB server using LDAP, include the authMechanism=PLAIN&authSource=$external options in the mongo.mongoUri connection string. For example:

mongo.mongoUri=mongodb://dbuser1:password@mydb1.example.net:40000/?authMechanism=PLAIN&authSource=$external

Kerberos and mongo.mongoUri

To connect to a MongoDB server using Kerberos, include the authMechanism=GSSAPI option in the mongo.mongoUri connection string. For example:

mongo.mongoUri=mongodb://dbuser1:password@mydb1.example.net:40000/?authMechanism=GSSAPI

To enable Kerberos authentication between the MMS application and its backing database, see also Kerberos Settings.

See also

authMechanism, authSource

MongoDB User Access

The MongoDB user must have the following roles: readWriteAnyDatabase, clusterAdmin, and dbAdminAnyDatabase.
