Ops Manager Configuration Files
Overview
The Ops Manager Application and the Backup Daemon use the conf-mms.properties and conf-daemon.properties configuration files respectively. This document describes all available settings between the two files. Each configuration file uses a subset of the settings described here.
This document includes some configurable settings that Ops Manager does not include in the configuration files but that you can add. These properties are marked as such.
conf-mms.properties
The Ops Manager Application uses the conf-mms.properties configuration file.
If you installed Ops Manager using an rpm or deb package, the file’s location is:
/opt/mongodb/mms/conf/
If you installed using a tar.gz file, the configuration file’s location is:
<install-directory>/conf/
If you installed on Windows, the file’s location is:
<install-folder>\Server\Config
By default, this is C:\MMSData\Server\Config.
conf-daemon.properties
The Backup Daemon uses the conf-daemon.properties configuration file. If you installed Ops Manager using an rpm or deb package, the file’s location is:
/opt/mongodb/mms-backup-daemon/conf/
If you installed using a tar.gz file, the configuration file’s location is:
<install-directory>/conf/
If you installed on Windows, the configuration file’s location is:
<install-folder>\BackupDaemon\Config
Mandatory Settings
To start the Ops Manager Application, you must configure the Ops Manager Application URL Settings and Email Address Settings in the conf-mms.properties file.
Security
For configuration settings that store credentials, you can either store the credentials in plain text or use the Ops Manager credentialstool to encrypt the credentials, as described in Encrypt MongoDB User Credentials.
If you choose to store credentials in plain text, reduce the permissions on the configuration file. For example:
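Added example, not from the Ops Manager documentation or product: a small linter that parses a constructed conf-mms.properties and flags the conditions this page describes (missing mandatory settings, a Monitoring Agent failover timeout below 90000, an invalid or OFF two-factor level, plain-text credentials in mongo.mongoUri without mongo.encryptedCredentials, a disabled Public API whitelist, a privileged SNMP port) plus a file-mode check for plain-text credential files. The sample file contents, the finding texts and the helper names are assumptions.

```python
import re

# Constructed sample conf-mms.properties (not a real deployment's file).
SAMPLE_CONF = """
# Ops Manager Application settings
mms.centralUrl = http://opsmanager.example.net:8080
mms.backupCentralUrl = http://opsmanager.example.net:8081
mms.fromEmailAddr = opsmanager@example.net
mms.replyToEmailAddr = opsmanager@example.net
mms.adminFromEmailAddr = admin@example.net
mms.adminEmailAddr = admin@example.net
# mms.bounceEmailAddr is deliberately missing
mongo.mongoUri = mongodb://mmsuser:s3cret@db1.example.net:27017,db2.example.net:27017
mms.monitoring.agent.session.timeoutMillis = 60000
mms.multiFactorAuth.level = OFF
mms.publicApi.whitelistEnabled = false
snmp.listen.port = 162
"""

# Settings this page lists as mandatory for the Ops Manager Application to start.
MANDATORY = (
    "mms.centralUrl", "mms.backupCentralUrl",
    "mms.fromEmailAddr", "mms.replyToEmailAddr", "mms.adminFromEmailAddr",
    "mms.adminEmailAddr", "mms.bounceEmailAddr",
)
MFA_LEVELS = ("OFF", "OPTIONAL", "REQUIRED_FOR_GLOBAL_ROLES", "REQUIRED")
# A user:password@ prefix in the connection string means plain-text credentials.
PLAINTEXT_CREDS = re.compile(r"^mongodb://[^/@]+:[^/@]+@")


def parse_properties(text):
    """Parse key = value lines into {key: [values]}; repeated keys such as
    several mongo.mongoUri entries accumulate instead of overwriting."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props.setdefault(key.strip(), []).append(value.strip())
    return props


def first(props, key, default=None):
    values = props.get(key)
    return values[0] if values else default


def lint(props):
    """Return (severity, message) findings for the checks this page describes."""
    findings = []
    for key in MANDATORY:
        if key not in props:
            findings.append(("error", f"{key} is mandatory; Ops Manager will not start without it"))

    timeout = first(props, "mms.monitoring.agent.session.timeoutMillis")
    if timeout is not None and int(timeout) < 90000:
        findings.append(("error", "mms.monitoring.agent.session.timeoutMillis below 90000 fails at startup"))

    level = first(props, "mms.multiFactorAuth.level", "OFF")
    if level not in MFA_LEVELS:
        findings.append(("error", f"mms.multiFactorAuth.level {level!r} is not a valid level"))
    elif level == "OFF":
        findings.append(("warning", "two-factor authentication is off; enable it (Ops Manager recommends it)"))

    encrypted = first(props, "mongo.encryptedCredentials", "false").lower() == "true"
    for uri in props.get("mongo.mongoUri", []):
        if PLAINTEXT_CREDS.match(uri) and not encrypted:
            findings.append(("warning", "mongo.mongoUri holds plain-text credentials; encrypt them "
                                        "with credentialstool and set mongo.encryptedCredentials = true"))

    if first(props, "mms.publicApi.whitelistEnabled", "true").lower() == "false":
        findings.append(("warning", "Public API IP whitelist is disabled"))

    port = first(props, "snmp.listen.port")
    if port is not None and int(port) < 1024:
        findings.append(("warning", "snmp.listen.port below 1024 requires running Ops Manager as root"))
    return findings


def mode_is_too_open(mode):
    """True if a file mode grants any group or other permission; a file holding
    plain-text credentials should be readable by its owner only (e.g. 0o600)."""
    return bool(mode & 0o077)


if __name__ == "__main__":
    for severity, message in lint(parse_properties(SAMPLE_CONF)):
        print(f"{severity:7} {message}")
```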
Settings
Ops Manager Application URL Settings
The following two settings are mandatory for the Ops Manager Application.
- mms.centralUrl
Type: string
Required. Fully qualified URL, including the port number, of the Ops Manager Application. For example,
If you wish to use a port other than 8080, Change the Ops Manager Ports describes how to change the ports that Ops Manager uses.
- mms.backupCentralUrl
Type: string
Required. The hostname and port of the Backup HTTP Service. For example,
You must set mms.backupCentralUrl, even if you are only using Ops Manager Monitoring and not Ops Manager Backup. If you wish to use a port other than 8081, Change the Ops Manager Ports describes how to change the ports that Ops Manager uses.
Load Balancer
Set the following when using a load balancer with the Ops Manager Application.
- mms.remoteIp.header
Type: string
Specify the name of the header that the load balancer will use to specify the original client’s IP address to the application server. See Configure a Highly Available Ops Manager Application for more information.
When you specify mms.remoteIp.header, do not allow clients to connect directly to any application server: a client that reaches an application server without passing through the load balancer could supply that header itself and present a false source address.
HTTP/HTTPS Proxy
Ops Manager can pass all outgoing HTTP and HTTPS requests through an HTTP or HTTPS proxy.
- http.proxy.host
Type: string
Specify the hostname of the HTTP or HTTPS proxy to which you wish to connect. For example:
- http.proxy.port
Type: integer
Specify the port on which you wish to connect to the host. You must specify both http.proxy.port and http.proxy.host to use a proxy.
- http.proxy.username
Type: string
If the proxy requires authentication, use http.proxy.username to specify the username with which to connect to the proxy.
- http.proxy.password
Type: string
If the proxy requires authentication, use http.proxy.password to specify the password with which to connect to the proxy.
Ops Manager Application HTTPS Settings
You can configure the Ops Manager Application’s application servers to use HTTPS to encrypt connections between the Ops Manager Application, the agents, and the web interface.
The default port for HTTPS access to the Ops Manager Application is 8443, as set in the <install_dir>/conf/mms.conf file. If you change this default, change the ports specified in the mms.centralUrl and mms.backupCentralUrl settings.
- mms.https.PEMKeyFile
Type: string
Specify the PEM file that contains the application’s valid certificate and private key.
- mms.https.PEMKeyFilePassword
Type: string
Required if the PEM file contains an encrypted private key. Specify the password for the PEM file. You can encrypt the specified password using the Ops Manager credentialstool. See Encrypt MongoDB User Credentials.
Email Settings
Email Address Settings
The following email address settings are mandatory. You must define them before Ops Manager will start.
- mms.fromEmailAddr
Type: string
Required. The email address used for sending general emails, such as Ops Manager alerts. You can include an alias with the email address. For example:
- mms.replyToEmailAddr
Type: string
Required. The email address to which replies to general emails are sent. For example:
- mms.adminFromEmailAddr
Type: string
Required. The email address from which messages from the Ops Manager admin are sent. You can include an alias with the email address. For example:
- mms.adminEmailAddr
Type: string
Required. The email address to which messages or replies to the Ops Manager admin are sent. You can include an alias with the email address. For example:
- mms.bounceEmailAddr
Type: string
Required. The email address to which bounce messages, i.e. notices of non-delivery of alerts or of messages from the Ops Manager admin, are sent. For example:
Email Service Settings
- mms.emailDaoClass
Type: string
The email interface to use. For AWS Simple Email Service, specify com.xgen.svc.core.dao.email.AwsEmailDao, as in:
For AWS Simple Email Service, see also aws.ses.endpoint, aws.accesskey and aws.secretkey. For JavaEmailDao, specify com.xgen.svc.core.dao.email.JavaEmailDao, as in:
- mms.mail.transport
Type: string
Default: smtp
Transfer protocol, smtp or smtps, as specified by your email provider. For example:
- mms.mail.hostname
Type: string
Default: localhost
Email hostname as specified by your email provider. For example:
- mms.mail.port
Type: number
Default: 25
Port number for the transfer protocol as specified by your email provider. For example:
- mms.mail.tls
Type: boolean
Default: false
Indicates whether the transfer protocol runs on top of TLS. For example:
- mms.mail.username
Type: string
User name of the email account. If unset, SMTP authentication is disabled.
- mms.mail.password
Type: string
Password for the email account. If unset, SMTP authentication is disabled.
- aws.ses.endpoint
Type: string
Default: https://email.us-east-1.amazonaws.com
Sets the HTTPS endpoint URL for the AWS Simple Email Service. For example:
- aws.accesskey
Type: string
Required if using AWS Simple Email Service. The access key ID for AWS.
- aws.secretkey
Type: string
Required if using AWS Simple Email Service. The secret access key for AWS.
Twilio SMS Alert Settings
To receive alert notifications via SMS, you must have a Twilio account and specify your Twilio account information in the configuration file.
- twilio.account.sid
Type: string
Twilio account ID.
- twilio.auth.token
Type: string
Twilio API token.
- twilio.from.num
Type: string
Twilio phone number.
MongoDB Settings
The following settings configure the Ops Manager connections to the backing MongoDB instances that host the Ops Manager Application Database and Backup Database.
Connection String
- mongo.mongoUri
Type: string
Required. The connection string used to access the Ops Manager Application Database.
If you use a replica set for the database’s backing instance, specify all members of the replica set:
If you omit the port number, Ops Manager uses the default 27017 port for all hosts.
For a backing MongoDB instance with access control, the connection string must include authentication credentials. The connecting user must possess the readWriteAnyDatabase, dbAdminAnyDatabase, and clusterMonitor user roles. If the database is a sharded cluster, the clusterAdmin role is required instead of clusterMonitor.
The following examples show the formats to use for the different authentication mechanisms.
For a MongoDB instance using the default MONGODB-CR/SCRAM-SHA-1 challenge-response mechanism, prefix the hostname with the MongoDB username and password in the form <username>:<password>@
For a MongoDB instance using MONGODB-X509 authentication, you must first add the value of the subject from the client certificate as a MongoDB user, as described in Use x.509 Certificates to Authenticate Clients in the MongoDB manual. The client certificate is contained in the PEM file you specify in the mongodb.ssl.PEMKeyFile setting. Once you have created the user, prefix the host specified in mongo.mongoUri with the name of the new user and append authMechanism=MONGODB-X509 after the specified port:
For a MongoDB instance using LDAP, prefix the hostname with the MongoDB username and password in the form <username>:<password>@, and append the authMechanism=PLAIN&authSource=$external options after the port:
For a MongoDB instance using Kerberos, prefix the hostname with the Kerberos user principal and specify the authentication mechanism, authMechanism=GSSAPI, after the port. Kerberos user principal names have the form <username>@<KERBEROS REALM>. You must escape the user principal, replacing symbols with the URL-encoded representation. A Kerberos user principal of username@REALM.EXAMPLE.COM would therefore become username%40REALM.EXAMPLE.COM. The following is an example of Kerberos authentication:
To enable Kerberos authentication between the Ops Manager Application and the Backup Database, see Kerberos Settings. See also authMechanism and authSource in the MongoDB manual.
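Added example (not Ops Manager code): a helper that assembles mongo.mongoUri for each authentication mechanism described above, applying the 27017 default for hosts listed without a port and percent-encoding the user-info part (which is what turns username@REALM.EXAMPLE.COM into username%40REALM.EXAMPLE.COM, and is equally needed for the `=` and `,` in an X.509 subject), plus a check of the user roles this page requires. Host names, user names, the certificate subject and the function names are constructed assumptions.

```python
from urllib.parse import quote

DEFAULT_PORT = 27017


def required_roles(sharded=False):
    # Roles this page requires of the connecting user; a sharded cluster
    # needs clusterAdmin instead of clusterMonitor.
    return {"readWriteAnyDatabase", "dbAdminAnyDatabase",
            "clusterAdmin" if sharded else "clusterMonitor"}


def missing_roles(granted, sharded=False):
    """Roles the connecting user still lacks, sorted for stable output."""
    return sorted(required_roles(sharded) - set(granted))


def _with_port(host):
    # Ops Manager falls back to 27017 for any host listed without a port.
    return host if ":" in host else f"{host}:{DEFAULT_PORT}"


def _enc(value):
    # Reserved characters in the user-info part (@ : , = / ...) must be
    # percent-encoded; quote() with safe="" leaves only unreserved characters.
    return quote(value, safe="")


def build_mongo_uri(hosts, mechanism="SCRAM-SHA-1", username=None, password=None):
    """Assemble mongo.mongoUri for the mechanisms this page lists.

    hosts: replica set members as 'host' or 'host:port'.
    mechanism: SCRAM-SHA-1 / MONGODB-CR (username + password),
               PLAIN (LDAP, username + password),
               MONGODB-X509 (username = client certificate subject),
               GSSAPI (username = Kerberos user principal).
    """
    if not username:
        raise ValueError("a username is required for every mechanism on this page")
    host_list = ",".join(_with_port(h) for h in hosts)
    if mechanism in ("SCRAM-SHA-1", "MONGODB-CR"):
        if password is None:
            raise ValueError(f"{mechanism} needs a password")
        return f"mongodb://{_enc(username)}:{_enc(password)}@{host_list}"
    if mechanism == "PLAIN":  # LDAP users live in the $external source
        if password is None:
            raise ValueError("PLAIN (LDAP) needs a password")
        return (f"mongodb://{_enc(username)}:{_enc(password)}@{host_list}"
                "/?authMechanism=PLAIN&authSource=$external")
    if mechanism == "MONGODB-X509":  # the user name is the certificate subject
        return f"mongodb://{_enc(username)}@{host_list}/?authMechanism=MONGODB-X509"
    if mechanism == "GSSAPI":  # the user name is the Kerberos principal
        return f"mongodb://{_enc(username)}@{host_list}/?authMechanism=GSSAPI"
    raise ValueError(f"unsupported authMechanism {mechanism!r}")


if __name__ == "__main__":
    print(build_mongo_uri(["db1.example.net", "db2.example.net"],
                          "GSSAPI", "mmsuser@REALM.EXAMPLE.COM"))
```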
MongoDB SSL Settings
The following settings in conf-mms.properties and conf-daemon.properties configure Ops Manager to use SSL to encrypt connections to the backing MongoDB instances that host the Ops Manager Application Database and Backup Database.
- mongo.ssl
Type: boolean
Enables SSL connection to the Ops Manager Application Database when set to true.
- mongodb.ssl.CAFile
Type: string
The name of the PEM file that contains the root certificate chain from the Certificate Authority that signed the MongoDB server certificate.
- mongodb.ssl.PEMKeyFile
Type: string
The name of the PEM file that contains the X509 certificate and private key. Required if the MongoDB instance is running with the --sslCAFile option or net.ssl.CAFile setting. If you authenticate using the MONGODB-X509 authentication mechanism, the subject of the certificate in this file is also the user name you enter in the mongoUri connection string.
- mongodb.ssl.PEMKeyFilePassword
Type: string
Required if the PEM file contains an encrypted private key. Specify the password for the PEM file. You can encrypt the specified password using the Ops Manager credentialstool. See Encrypt MongoDB User Credentials.
Encrypted Credentials
- mongo.encryptedCredentials
Type: boolean
Add this property and set it to true if mongo.mongoUri contains the encrypted username and password:
You must encrypt the username and password in mongo.mongoUri using the Ops Manager credentialstool. See Encrypt MongoDB User Credentials.
Important
The conf-mms.properties file can contain multiple mongo.mongoUri settings. If mongo.encryptedCredentials is true, you must encrypt all user credentials found in the various mongo.mongoUri settings.
Automation Versions Settings
The following settings in the conf-mms.properties file determine how Ops Manager knows what MongoDB releases exist and from what servers the Automation Agent downloads the binaries for a MongoDB release.
- automation.versions.source
Type: string
Default: mongodb
Selects whether the Automation Agents retrieve MongoDB binaries over the internet from MongoDB Inc. or locally from the Ops Manager Application server. Set this to mongodb if the Automation Agents have internet access to retrieve the binaries from MongoDB Inc. Set this to local if your Automation Agents cannot reach the internet. If you specify local, you must set automation.versions.directory and place .tgz archive files for the MongoDB binaries in the specified directory. You must also provide the MongoDB version manifest. For details, see Configure “Local Mode” if Servers Have No Internet Access.
- automation.versions.directory
Type: string
When automation.versions.source is set to local, this specifies the directory on the Ops Manager Application server from which the Automation Agents access MongoDB binaries when installing a new deployment or changing the MongoDB version of an existing deployment. You must download the desired MongoDB binaries as .tgz archive files and place the .tgz files in the specified directory.
Backup Daemon Settings
These settings are found only in the conf-daemon.properties file and are necessary only if you are using Ops Manager Backup.
- rootDirectory
Type: string
The disk partition used by the Backup Daemon to dynamically create and maintain the head database directories. For more information, see the Backup functional overview.
This directory must be writable by the mongodb-mms user and must end in a trailing slash. It is critical that this partition is sized appropriately.
Important
Data in this directory is dynamically created, maintained and destroyed by the Backup Daemon. This partition should not be used for any other purpose. This partition should not overlap with the partition used for the Backup Database.
- numWorkers
Type: number
The number of replica sets that should be processed at a time.
- mongodb.release.autoDownload
Type: boolean
If you set mongodb.release.autoDownload to true, Backup automatically downloads the MongoDB releases from mongodb.org (Community Edition) and mongodb.com (Enterprise Edition) and stores them in the directory specified by the mongodb.release.directory setting. Backup’s mongodb-fetch utility, located in the /opt/mongodb/backup-daemon/bin directory, runs once an hour to perform the downloads.
If you set mongodb.release.autoDownload to false, you must manually download and install the needed MongoDB releases to the directory specified in the mongodb.release.directory setting. Downloads must adhere to the rules described in the mongodb.release.directory entry.
- mongodb.release.directory
Type: string
Specifies the full path to the directory that contains every MongoDB release needed by the Backup Daemon. When backing up a replica set, the Backup Daemon must use a mongod that matches the version of the replica set being backed up.
Warning
If you will run MongoDB Enterprise and use Linux servers, then you must manually install a set of dependencies on each server before installing MongoDB. The MongoDB manual provides the appropriate command to install the dependencies. See the link for the server’s operating system:
If you set mongodb.release.autoDownload to false, you must download the MongoDB releases manually. For each version needed, you must download the archive for that version and extract it into this directory. The extracted archive creates a subdirectory that uses the following naming convention: mongodb-<platform>-<architecture>-<version>.
Adhere to the following rules for populating the release directory:
  - The release directory can contain versions from either MongoDB Community Edition or MongoDB Enterprise but not from both.
  - Ops Manager 1.8 supports platform-specific MongoDB Community Edition builds for MongoDB 3.0. Use the MongoDB 3.0 Community Edition build for your operating system, available from http://www.mongodb.org/downloads. You can also use the generic Linux 64-bit legacy version if you wish or if there is no platform-specific build for your operating system.
Important
If you are backing up MongoDB custom builds, you must manually place a matching binary distribution for each custom build in this directory.
Beginning in Ops Manager version 1.5, the Backup Daemon uses the following rules to match the MongoDB version of the replica set being backed up:
  - If the MongoDB version uses the MongoDB standard A.B.C version format, the daemon looks for a folder named mongodb-<platform>-<architecture>-A.B.x, where x is greater than or equal to C.
  - If the MongoDB version does not use the standard format, the daemon looks for a folder named mongodb-<platform>-<architecture>-<version>, where <version> ends with the MongoDB instance’s version. For example, if the source version is 2.4.10-abc, the daemon would match on mongodb-linux-x86_64-production-2.4.10-abc.
- mms.alerts.LowHeadFreeSpace.minimumHeadFreeSpaceGB
Type: integer
Default: 10
Specifies the minimum amount of free disk space in GB required on the partition where the Backup Daemon stores the head databases that back up your data. You can view a daemon’s available head space on the Ops Manager Daemons Page. If the amount of free space drops below this minimum, Ops Manager triggers the following system alert:
System detects backup daemon has low free head space
This setting does not appear by default in either of the .properties configuration files. You can add it to the conf-mms.properties file.
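Added example (not Backup Daemon code) of the version-matching rules for mongodb.release.directory described above, run over a constructed directory listing: a standard A.B.C version matches a mongodb-<platform>-<architecture>-A.B.x folder with x >= C, any other version matches a folder whose name ends with that version, and anything else yields no match. The listing, the platform/architecture defaults and the choice of the highest qualifying x are assumptions; the page does not say which folder the daemon prefers when several qualify.

```python
import re

# Constructed listing of a mongodb.release.directory (not a real directory).
RELEASE_DIR = [
    "mongodb-linux-x86_64-2.6.11",
    "mongodb-linux-x86_64-3.0.4",
    "mongodb-linux-x86_64-3.0.7",
    "mongodb-linux-x86_64-production-2.4.10-abc",
    "README.txt",
]

# The MongoDB standard A.B.C version format.
STANDARD_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def _folder_pattern(platform, arch):
    # mongodb-<platform>-<architecture>-[extra-]A.B.x ; the optional extra
    # segment covers names such as ...-production-2.4.10-abc on this page.
    return re.compile(
        rf"^mongodb-{re.escape(platform)}-{re.escape(arch)}-(?:.+-)?(\d+)\.(\d+)\.(\d+)$"
    )


def match_release(listing, version, platform="linux", arch="x86_64"):
    """Return the release folder the daemon would use for a replica set running
    `version`, or None when no folder qualifies."""
    std = STANDARD_VERSION.match(version)
    if std is None:
        # Non-standard version: the folder name must end with the instance's version.
        prefix = f"mongodb-{platform}-{arch}-"
        for name in listing:
            if name.startswith(prefix) and name.endswith(version):
                return name
        return None

    major, minor, patch = (int(part) for part in std.groups())
    pattern = _folder_pattern(platform, arch)
    candidates = []
    for name in listing:
        found = pattern.match(name)
        if not found:
            continue
        a, b, x = (int(g) for g in found.groups())
        if a == major and b == minor and x >= patch:
            candidates.append((x, name))
    # Assumption: prefer the highest qualifying patch release.
    return max(candidates)[1] if candidates else None


if __name__ == "__main__":
    for wanted in ("3.0.5", "3.0.8", "2.4.10-abc"):
        print(wanted, "->", match_release(RELEASE_DIR, wanted))
```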
Backup Agent Settings
- mms.alerts.BackupAgentConfCallFailure.maximumFailedConfCalls
Type: integer
Default: 10
If the Backup Agent experiences more than this number of consecutive failed conf calls, Ops Manager triggers the following global alert:
Backup Agent has too many conf call failures
This property does not appear by default in either of the .properties configuration files. You can add it to the conf-mms.properties file.
Advanced Backup Restore Settings
These settings in the conf-daemon.properties file affect Ops Manager Backup restore behaviors.
- mms.backup.restore.linkExpirationHours
Type: number
Default: 1
The amount of time in hours that a restore link is available.
- mms.backup.restore.linkUnlimitedUses
Type: boolean
Default: false
Sets whether the link to a restored point-in-time snapshot can be used more than once. By default, when you create a point-in-time snapshot, the link to download the snapshot can be used just once. To allow multiple downloads of the snapshot, set this value to true.
- mms.backup.restore.snapshotPITExpirationHours
Type: number
Default: 24
The length of time in hours that a link to a restored point-in-time snapshot is available. By default, the link is available for 24 hours after creation of the point-in-time snapshot.
Session Management Setting
- mms.session.maxHours
Type: number
The number of hours before a session on the Ops Manager website expires.
- mms.monitoring.agent.session.timeoutMillis
Type: number
Default: 300000
Minimum: 90000
The Monitoring Agent failover time, in milliseconds. If Ops Manager does not receive a deployment status from the primary Monitoring Agent in the time specified, Ops Manager will make a standby Monitoring Agent the new primary. Configuring the timeout below 90000 (90 seconds) will cause Ops Manager to fail at startup with a configuration error.
Password Policy Settings
You can configure the password policy for Ops Manager user accounts with the following settings:
- mms.password.minChangesBeforeReuse
Type: number
The number of previous passwords to remember. You cannot reuse a remembered password as a new password.
- mms.password.maxFailedAttemptsBeforeAccountLock
Type: number
The number of failed login attempts before an account becomes locked. Only an Ops Manager Administrator can unlock a locked account.
- mms.password.maxDaysInactiveBeforeAccountLock
Type: number
The maximum number of days with no visits to the Ops Manager website before Ops Manager locks an account.
- mms.password.maxDaysBeforeChangeRequired
Type: number
The number of days a password is valid before the password expires.
- mms.multiFactorAuth.require
Deprecated since version 1.8: mms.multiFactorAuth.level replaces mms.multiFactorAuth.require in Ops Manager 1.8 and later.
Type: boolean
Default: false
When true, Ops Manager will require two-factor authentication for users to log in or to perform certain destructive operations within the application. If you configure Twilio integration, users may obtain their second factor tokens via Google Authenticator, SMS, or voice calls. Otherwise, the only mechanism to provide two-factor authentication is Google Authenticator.
- mms.multiFactorAuth.level
New in version 1.8.
Type: string
Default: OFF
Configures the two-factor authentication “level”:
  - OFF: Disables two-factor authentication. When mms.multiFactorAuth.level = 'OFF', Ops Manager does not use two-factor authentication.
  - OPTIONAL: Users can choose to set up two-factor authentication for their Ops Manager account.
  - REQUIRED_FOR_GLOBAL_ROLES: Users who possess a global role must set up two-factor authentication. Two-factor authentication is optional for all other users.
  - REQUIRED: All users must set up two-factor authentication for their Ops Manager account.
Two-factor authentication is recommended for the security of your Ops Manager deployment.
- mms.multiFactorAuth.allowReset
Type: boolean
Default: false
When true, Ops Manager will allow users to reset their two-factor authentication settings via email in an analogous fashion to resetting their passwords. To reset two-factor authentication, a user must:
  - be able to receive email at the address associated with the user account
  - know the user account’s password
  - know the Agent API key for any Ops Manager Group of which the user is a member
- mms.multiFactorAuth.issuer
Type: string
If Google Authenticator provides two-factor authentication, this string is the issuer in the Google Authenticator app. If left blank, the issuer is the domain name of the Ops Manager installation.
Public API
You can modify certain default behaviors of the Public API.
- mms.publicApi.ignoreEnabledForGlobalRoles
Type: boolean
By default, a user with a global role can access any Ops Manager group through the Public API, whether or not the Public API is enabled for that group. To prevent access when a group’s Public API is disabled, add mms.publicApi.ignoreEnabledForGlobalRoles to conf-mms.properties and set its value to false:
- mms.publicApi.whitelistEnabled
Type: boolean
Certain API calls require that requests originate from a whitelisted IP address. To turn off this requirement, add mms.publicApi.whitelistEnabled to conf-mms.properties and set its value to false:
Monitoring Agent Session Failover
If you have multiple Monitoring Agents for a group, only one Monitoring Agent is the primary agent. The primary agent reports the cluster’s status to Ops Manager. The remaining agents are completely idle, except to log their status as standby agents and to periodically ask Ops Manager whether they should become the primary.
The following settings tune the frequency with which the standby agents poll Ops Manager to determine if they have become the primary agent, and the interval that Ops Manager uses to determine if the primary agent is unreachable.
- mms.monitoring.agent.session.timeoutMillis
Type: integer
Default: 90000
The interval that Ops Manager uses to determine if a secondary agent should be promoted to primary. If Ops Manager does not hear from the primary agent for the duration specified in mms.monitoring.agent.session.timeoutMillis, Ops Manager promotes a secondary agent to primary. The minimum supported value is 90000.
- mms.monitoring.agent.standbyCollectionFactor
Type: integer
Default: 4
Specifies how frequently standby agents check in with Ops Manager to see if they have become the primary agent. The following values are permitted:
  - 1: the standby agents check in every 55 seconds.
  - 2: the standby agents check in at twice the rate of 1, or approximately every 27 seconds.
  - 3: the standby agents check in approximately every 18 seconds.
  - 4: the standby agents check in approximately every 14 seconds.
SNMP Heartbeat Settings
Ops Manager uses SNMP v2c. You can configure the Ops Manager Application to send a periodic heartbeat trap notification (v2c) that contains an internal health assessment of the Ops Manager Application. The Ops Manager Application can send traps to one or more endpoints on the standard SNMP UDP port 162.
To configure the Ops Manager Application to send trap notifications, download the Management Information Base (MIB) file at http://downloads.mongodb.com/on-prem-monitoring/MMS-MONGODB-MIB.txt and configure the following settings:
- snmp.default.hosts
Type: string
Default: blank
Comma-separated list of hosts to which ‘heartbeat’ traps will be sent on the standard UDP port 162. You must set snmp.default.hosts to enable the SNMP heartbeat functionality; leaving the setting blank disables it.
- snmp.listen.port
Type: number
Default: 11611
Listening UDP port for SNMP. Setting this to a number less than 1024 will require running the Ops Manager Application with root privileges.
- snmp.default.heartbeat.interval
Type: number
Default: 300
Number of seconds between heartbeat notifications.
reCaptcha Settings
To enable the reCaptcha anti-spam test on new user registration, you must have a reCaptcha account and specify the API information in the configuration file.
- reCaptcha.enabled
Type: boolean
Set to true to require reCaptcha validation when a new user registers.
- reCaptcha.public.key
Type: string
The reCaptcha public key associated with your account.
- reCaptcha.private.key
Type: string
The reCaptcha private key associated with your account.
LDAP Settings
To configure Ops Manager for LDAP, you must start with a new installation or reset your installation to a clean state. Your Ops Manager installation cannot have existing users, groups, or hosts. For assistance, contact your MongoDB account manager.
LDAP Server Setting
- mms.userSvcClass
Type: string
The LDAP service class, com.xgen.svc.mms.svc.user.UserSvcLdap; i.e.
LDAP User Settings
These settings configure Ops Manager to use an LDAP server for authentication. If you use LDAP authentication, users must belong to an LDAP group to log into Ops Manager. You must create LDAP groups for each Ops Manager user role.
- mms.ldap.url
Type: string
The URI for the LDAP or SSL LDAP server. For example:
- mms.ldap.ssl.CAFile
Type: string
A file containing one or more trusted certificates in PEM format. Use mms.ldap.ssl.CAFile if you are using LDAPS and the server is using a certificate that is not from a well-known CA. For example:
- mms.ldap.ssl.PEMKeyFile
Type: string
A file containing a client certificate and private key. Use mms.ldap.ssl.PEMKeyFile when your SSL LDAP server requires client certificates.
- mms.ldap.ssl.PEMKeyFilePassword
Type: string
The password for mms.ldap.ssl.PEMKeyFile. Use mms.ldap.ssl.PEMKeyFilePassword if the PEMKeyFile is encrypted.
- mms.ldap.bindDn
Type: string
The LDAP user used to execute searches for other users. For example:
- mms.ldap.bindPassword
Type: string
The credentials for the search user. For example:
- mms.ldap.user.baseDn
Type: string
The base Distinguished Name (DN) that Ops Manager uses to search for users. Escape the = sign with \. For example:
- mms.ldap.user.searchAttribute
Type: string
The LDAP field used for the LDAP search. This is typically a username or email address. The value of this field is also used as the Ops Manager username. Example:
- mms.ldap.user.group
Type: string
The LDAP user attribute that contains the list of LDAP groups the user belongs to. The LDAP attribute can use any format to list the groups, including Common Name (cn) or Distinguished Name (dn). All Ops Manager settings in this configuration file that specify groups must match the chosen format. Example:
- mms.ldap.global.role.owner
Type: string
The LDAP group that has full privileges for the Ops Manager deployment, including full access to all Ops Manager groups and all administrative permissions. Users in the specified LDAP group receive the global owner role in Ops Manager. Specify the group using the format that is used by the LDAP attribute specified in the mms.ldap.user.group setting. Example:
- mms.ldap.user.firstName
Type: string
The LDAP user attribute that contains the user’s first name. After successful LDAP authentication, Ops Manager synchronizes the specified LDAP attribute with the first name from the Ops Manager user record. For example:
- mms.ldap.user.lastName
Type: string
The LDAP user attribute that contains the user’s last name. After successful LDAP authentication, Ops Manager synchronizes the specified LDAP attribute with the last name from the Ops Manager user record. For example:
- mms.ldap.user.email
Type: string
The LDAP user attribute that contains the user’s email address. After successful LDAP authentication, Ops Manager synchronizes the specified LDAP attribute with the email address from the Ops Manager user record. For example:
LDAP Global Role Settings
These settings assign Ops Manager global roles to the members of the specified LDAP groups. Specify groups using the format used by the LDAP attribute specified in the mms.ldap.user.group setting. You can specify multiple groups using the ;; delimiter. To change the default delimiter, use the mms.ldap.group.separator setting.
Each Ops Manager global role provides its level of access to all the Ops Manager groups in the deployment. To provide access to specific groups, use group-level roles.
- mms.ldap.global.role.automationAdmin
Type: string
The LDAP group whose members have the global automation admin role in Ops Manager. For example:
- mms.ldap.global.role.backupAdmin
Type: string
The LDAP group whose members have the global backup admin role in Ops Manager. For example:
- mms.ldap.global.role.monitoringAdmin
Type: string
The LDAP group whose members have the global monitoring admin role in Ops Manager. For example:
- mms.ldap.global.role.userAdmin
Type: string
The LDAP group whose members have the global user admin role in Ops Manager. For example:
- mms.ldap.global.role.readOnly
Type: string
The LDAP group whose members have the global read-only role in Ops Manager. For example:
- mms.ldap.group.separator
Type: string
Each of the global role values can take a delimited list of groups: for example "dbas,sysadmins". If a group value contains the delimiter, the delimiter must be set to another value. For example, if you have the group value "CN\=foo,DN\=bar" and the delimiter is , then Ops Manager parses "CN\=foo,DN\=bar" as two elements rather than as the description for a single group. Change the delimiter by adding the mms.ldap.group.separator setting to the configuration file and specifying a different delimiter. Starting with Ops Manager 1.5, the default delimiter is ;;.
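Added example (not Ops Manager code) of the global-role group lists described above: splitting a role setting on the configured delimiter (showing how a comma delimiter breaks a DN-format group value in two while the default ;; keeps it whole), refusing to build a setting whose groups contain the delimiter, and computing which global roles a user's LDAP group attribute grants. The role configuration and group names are constructed assumptions in cn format.

```python
DEFAULT_SEPARATOR = ";;"  # default delimiter since Ops Manager 1.5
ROLE_PREFIX = "mms.ldap.global.role."

# Constructed conf-mms.properties fragment (cn format for every group setting).
ROLE_CONFIG = {
    "mms.ldap.global.role.owner": "opsmgr-owners",
    "mms.ldap.global.role.backupAdmin": "backup-operators",
    "mms.ldap.global.role.readOnly": "dbas;;sysadmins",
}


def split_groups(value, separator=DEFAULT_SEPARATOR):
    """Split a global role setting into its list of groups."""
    return [group.strip() for group in value.split(separator) if group.strip()]


def join_groups(groups, separator=DEFAULT_SEPARATOR):
    """Build a setting value, refusing a separator that appears inside a group:
    a DN such as CN\\=foo,DN\\=bar cannot be delimited by a comma."""
    for group in groups:
        if separator in group:
            raise ValueError(
                f"group {group!r} contains the separator {separator!r}; "
                "set mms.ldap.group.separator to a different delimiter"
            )
    return separator.join(groups)


def global_roles(user_groups, role_config, separator=DEFAULT_SEPARATOR):
    """Return the Ops Manager global roles granted by the user's LDAP group
    attribute (the value of mms.ldap.user.group), sorted by role name."""
    member_of = set(user_groups)
    roles = []
    for key, value in role_config.items():
        if not key.startswith(ROLE_PREFIX):
            continue
        if member_of.intersection(split_groups(value, separator)):
            roles.append(key[len(ROLE_PREFIX):])
    return sorted(roles)


if __name__ == "__main__":
    dn_group = "CN\\=foo,DN\\=bar"
    print("comma delimiter:", split_groups(dn_group, ","))
    print("default delimiter:", split_groups(dn_group))
    print("roles for sysadmins:", global_roles(["sysadmins"], ROLE_CONFIG))
```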
Kerberos Settings
To enable Kerberos authentication between the Ops Manager Application and the Ops Manager Application Database, configure the following settings. You must configure all required Kerberos settings to enable Kerberos authentication.
- jvm.java.security.krb5.kdc
Type: string
Required if using Kerberos. The IP address or FQDN (Fully Qualified Domain Name) of the KDC server. The value is set as the JVM’s java.security.krb5.kdc.
- jvm.java.security.krb5.realm
Type: string
Required if using Kerberos. The default REALM for Kerberos. The value is set as the JVM’s java.security.krb5.realm.
- mms.kerberos.principal
Type: string
Required if using Kerberos. The principal used to authenticate with MongoDB. This must be exactly the same user as in mongo.mongoUri above.
- mms.kerberos.keyTab
Type: string
Required if using Kerberos. The absolute path to the keytab file for the principal.
- mms.kerberos.debug
Type: boolean
The debug flag to output more information on the Kerberos authentication process.
Encrypt MongoDB User Credentials
If you do not want to store credentials in plain text, Ops Manager provides a tool to encrypt the MongoDB credentials. To encrypt authentication credentials:
Issue the following command to create an encrypted credential pair, replacing <username> with your username:
This will prompt you to enter the password and will output the encrypted credential pair.
credentialstool requires root privileges (i.e. sudo) when installed with rpm or deb packages, because it modifies the /etc/mongodb-mms/gen.key file. Ops Manager uses gen.key to encrypt sensitive data in the database and configuration files.
Use the encrypted credential pair in the mongo.mongoUri settings where needed, and add the mongo.encryptedCredentials = true setting. For example:
Important
The conf-mms.properties file can contain multiple mongo.mongoUri settings. If mongo.encryptedCredentials is true, you must encrypt all user credentials found in the various mongo.mongoUri settings.
Required Roles for MongoDB User Connecting to Backing Databases
The MongoDB user used to connect to Ops Manager’s backing databases must possess the readWriteAnyDatabase, clusterAdmin, and dbAdminAnyDatabase MongoDB user roles.