Navigation
You were redirected from a different version of the documentation. Click here to go back.

Ops Manager Configuration

Overview

Ops Manager stores configuration settings both globally in the Ops Manager Application Database and locally on each server. Global settings apply to all your Ops Manager servers. Local settings apply to the server on which they are configured. Any local settings on a server override the global settings.

You configure global settings through the Ops Manager interface during installation. You can edit global settings at any time through the Admin interface by clicking the General tab and then clicking Ops Manager Config.

You configure local settings through a server’s conf-mms.properties file. Each server’s conf-mms.properties must contain the connection string and authentication settings for accessing the Ops Manager Application Database. The conf-mms.properties file also contains any overrides of global settings specific to that server.

The location of the conf-mms.properties file depends on how you installed Ops Manager, as described in the table below.

Install method conf-mms.properties location
rpm or deb package /opt/mongodb/mms/conf/
tar.gz archive <install-directory>/conf/
msi file (Windows)

<install-folder>\Server\Config

By default, this is: C:\MMSData\Server\Config.

Web Server Settings

Configure global settings through the Admin interface. Ops Manager stores global settings in the Ops Manager Application database.

URL to Access Ops Manager

Type: string

The fully qualified URL and port number of the Ops Manager Application. For example:

http://mms.example.com:8080

To use a port other than 8080, see Manage Ops Manager Ports.

Corresponds to configuration file setting: mms.centralUrl

HTTPS PEM Key File

Type: string

Absolute path to the PEM file that contains the Ops Manager Application‘s valid certificate and private key. The PEM file is required if the Ops Manager Application will use HTTPS to encrypt connections between the Ops Manager Application, the agents, and the web interface.

The default port for HTTPS access to the Ops Manager Application is 8443, as set in <install_dir>/conf/mms.conf file. If you change this default, you must also change the port specified in the URL to Access Ops Manager setting.

Corresponds to configuration file setting: mms.https.PEMKeyFile

HTTPS PEM Key File Password

Type: string

The password for the HTTPS PEM key file. This is required if the PEM file contains an encrypted private key. If storing this in the conf-mms.properties file, you can encrypt the password using the Ops Manager credentialstool. See Encrypt User Credentials.

Corresponds to configuration file setting: mms.https.PEMKeyFilePassword

Client Certificate Mode

Type: string

Specifies the how many SSL certificates are required for transactions between Ops Manager and clients: None, Required for Agents Only, Required for All Requests.

Corresponds to configuration file setting: mms.https.ClientCertificateMode

CA File

Type: string

Specifies the certificate authority file containing the list of acceptable client certificates.

/path/to/ca_file.pem

Corresponds to configuration file setting: mms.https.CAFile

Load Balancer Remote IP Header

Type: string

If you use a load balancer with the Ops Manager Application, set this to the HTTP header field the load balancer uses to identify the originating client’s IP address to the application server. When you specify Load Balancer Remote IP Header, do not allow clients to connect directly to any application server. A load balancer placed in front of the Ops Manager Application servers must not return cached content.

See Configure a Highly Available Ops Manager Application for more information.

Corresponds to configuration file setting: mms.remoteIp.header

Email Settings

The following email address settings are mandatory. You must define them before Ops Manager will start.

From Email Address

Type: string

The email address used for sending the general emails, such as Ops Manager alerts. You can include an alias with the email address.

Ops Manager Alerts <mms-alerts@example.com>

Corresponds to configuration file setting: mms.fromEmailAddr

Reply To Email Address

Type: string

The email address from which to send replies to general emails.

Corresponds to configuration file setting: mms.replyToEmailAddr

Admin Email Address

Type: string

The email address of the Ops Manager admin. This address receives emails related to problems with Ops Manager.

Corresponds to configuration file setting: mms.adminEmailAddr

Email Delivery Method Configuration

Type: string

The email interface to use.

If you use the AWS Simple Email Service, set this to com.xgen.svc.core.dao.email.AwsEmailDao. See also the AWS Access Key and AWS Secret Key settings.

For JavaEmailDao, set this to com.xgen.svc.core.dao.email.JavaEmailDao.

Corresponds to configuration file setting: mms.emailDaoClass

Transport

Type: string

Default: smtp

The transfer protocol, either smtp or smtps, as specified by your email provider.

Corresponds to configuration file setting: mms.mail.transport

SMTP Server Hostname

Type: string

Default: localhost

Email hostname as specified by your email provider.

mail.example.com

Corresponds to configuration file setting: mms.mail.hostname

SMTP Server Port

Type: number

Default: 25

Port number for the transfer protocol as specified by your email provider.

Corresponds to configuration file setting: mms.mail.port

Username

Type: string

User name of the email account. If unset, defaults to disabled SMTP authentication.

Corresponds to configuration file setting: mms.mail.username

Password

Type: string

Password for the email account. If unset, defaults to disabled SMTP authentication.

Corresponds to configuration file setting: mms.mail.password

Use SSL

Type: boolean

Default: false

Set this to true if the transfer protocol runs on top of TLS.

Corresponds to configuration file setting: mms.mail.tls

AWS Endpoint

Type: string

Required if using the Amazon Simple Email Service. Sets the endpoint URL for the Amazon Simple Email Service.

Corresponds to configuration file setting: aws.ses.endpoint

AWS Access Key

Type: string

The access key ID for AWS. Required if using the Amazon Simple Email Service.

Corresponds to configuration file setting: aws.accesskey

AWS Secret Key

Type: string

The secret access key for AWS. Required if using the Amazon Simple Email Service.

Corresponds to configuration file setting: aws.secretkey

User Authentication Method

User Authentication Method

Type: string

Select whether to store authentication credentials in the Ops Manager Application Database or in an external authentication source.

Corresponds to configuration file setting: mms.userSvcClass

Authentication through Ops Manager Application Database

Password Changes Before Reuse

Type: number

The number of previous passwords to remember. You cannot reuse a remembered password as a new password.

Corresponds to configuration file setting: mms.password.minChangesBeforeReuse

Failed Login Attempts Before Account Lock

Configuration file setting: mms.password.maxFailedAttemptsBeforeAccountLock

Type: number

The number of failed login attempts before an account becomes locked. Only an an Ops Manager Administrator can unlock a locked account.

Corresponds to configuration file setting: mms.password.maxFailedAttemptsBeforeAccountLock

Days Inactive Before Account Lock

Configuration file setting: mms.password.maxDaysInactiveBeforeAccountLock

Type: number

The maximum number of days with no visits to the Ops Manager website before Ops Manager locks an account.

Corresponds to configuration file setting: mms.password.maxDaysInactiveBeforeAccountLock

Days Before Password Change Required

Type: number

The number of days a password is valid before the password expires.

Corresponds to configuration file setting: mms.password.maxDaysBeforeChangeRequired

Invitation Only Mode

Type: boolean

If true, new users can register by invitation only. The invitation provides a URL that displays the registration link.

If false, new users can register if they have the Ops Manager URL.

Corresponds to configuration file setting: mms.user.invitationOnly

Authentication through LDAP

These settings configure Ops Manager to use an LDAP server for authentication. If you use LDAP authentication, users must belong to an LDAP group to log into Ops Manager. You must create LDAP groups for each Ops Manager user role.

Settings that begin with “mms.ldap.global.role” assign Ops Manager global roles to the members of the specified LDAP groups. Specify groups using the format used by the LDAP attribute specified in the LDAP User Group setting. You can specify multiple groups using the ;; delimiter. To change the default delimiter, use the mms.ldap.group.separator setting. Each Ops Manager global role provides its level of access to all the Ops Manager groups in the deployment. To provide access to specific groups, use group-level roles.

LDAP URI

Type: string

The URI for the LDAP or SSL LDAP server.

mms.ldap.url=ldaps://acme-dc1.acme.example.com:3890

Corresponds to configuration file setting: mms.ldap.url

LDAP SSL CA File

Type: string

A file containing one or more trusted certificates in PEM format. Use this setting if you are using LDAPS and the server is using a certificate that is not from a well-known CA.

mms.ldap.ssl.CAFile=/opt/CA.pem

Corresponds to configuration file setting: mms.ldap.ssl.CAFile

LDAP SSL PEM Key File

Type: string

A file containing a client certificate and private key. Use this setting when your SSL LDAP server requires client certificates.

mms.ldap.ssl.PEMKeyFile=/opt/keyFile.pem

Corresponds to configuration file setting: mms.ldap.ssl.PEMKeyFile

LDAP SSL PEM Key File Password

Type: string

The password for LDAP SSL PEM Key File. Use this setting if the PEMKeyFile is encrypted.

mms.ldap.ssl.PEMKeyFilePassword=<password>

Corresponds to configuration file setting: mms.ldap.ssl.PEMKeyFilePassword

LDAP Bind Dn

Type: string

The LDAP user used to execute searches for other users.

mms.ldap.bindDn=authUser@acme.example.com

Corresponds to configuration file setting: mms.ldap.bindDn

LDAP Bind Password

Type: string

The password for the search user.

mms.ldap.ssl.bindPassword=<password>

Corresponds to configuration file setting: mms.ldap.bindPassword

LDAP User Base Dn

Type: string

The base Distinguished Name (DN) that Ops Manager uses to search for users. Escape the = sign with \.

mms.ldap.user.baseDn=DC\=acme,DC\=example,DC\=com

Corresponds to configuration file setting: mms.ldap.user.baseDn

LDAP User Search Attribute

Type: string

The LDAP field used for the LDAP search. This is typically a username or an email address. The value of this field is also used as the Ops Manager username.

mms.ldap.user.searchAttribute=<myAccountName>

Corresponds to configuration file setting: mms.ldap.user.searchAttribute

LDAP User Group

Type: string

The LDAP user attribute that contains the list of LDAP groups the user belongs to. The LDAP attribute can use any format to list the groups, including Common Name (cn) or Distinguished Name (dn). All Ops Manager settings in this configuration file that specify groups must match the chosen format.

mms.ldap.user.group=memberOf

Corresponds to configuration file setting: mms.ldap.user.group

LDAP Global Role Owner

Type: string

The LDAP group that has full privileges for the Ops Manager deployment, including full access to all Ops Manager groups and all administrative permissions. Users in the specified LDAP group receive the global owner role in Ops Manager. Specify the group using the format that is used by the LDAP attribute specified in the LDAP User Group setting.

mms.ldap.global.role.owner=CN\=MMSGlobalOwner,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=com

Corresponds to configuration file setting: mms.ldap.global.role.owner

LDAP User First Name

Type: string

The LDAP user attribute that contains the user’s first name. After successful LDAP authentication, Ops Manager synchronizes the specified LDAP attribute with the first name from the Ops Manager user record.

Per RFC2256, the default LDAP attribute is givenName.

mms.ldap.user.firstName=givenName

Corresponds to configuration file setting: mms.ldap.user.firstName

LDAP User Last Name

Type: string

The LDAP user attribute that contains the user’s last name. After successful LDAP authentication, Ops Manager synchronizes the specified LDAP attribute with the last name from the Ops Manager user record.

Per RFC2256, the default LDAP attribute is sn for surname.

mms.ldap.user.lastName=sn

Corresponds to configuration file setting: mms.ldap.user.lastName

LDAP User Email

Type: string

The LDAP user attribute that contains the user’s email address. After successful LDAP authentication, Ops Manager synchronizes the specified LDAP attribute with the email address from the Ops Manager user record.

Per RFC2256, the default LDAP attribute is mail.

mms.ldap.user.email=mail

Corresponds to configuration file setting: mms.ldap.user.email

LDAP Global Role Automation Admin

Type: string

The LDAP group whose members have the global automation admin role in Ops Manager. Specify groups using the format used by the LDAP attribute specified in the LDAP User Group setting. You can specify multiple groups using the ;; delimiter. To change the default delimiter, use the mms.ldap.group.separator setting.

mms.ldap.global.role.automationAdmin=CN\=MMS-AutomationAdmin,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=com

Each Ops Manager global role provides its level of access to all the Ops Manager groups in the deployment. To provide access to specific groups, use group-level roles.

Corresponds to configuration file setting: mms.ldap.global.role.automationAdmin

LDAP Global Role Backup Admin

Type: string

The LDAP group whose members have the global backup admin role in Ops Manager.

mms.ldap.global.role.backupAdmin=CN\=MMS-BackupAdmin,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=com

Corresponds to configuration file setting: mms.ldap.global.role.backupAdmin

LDAP Global Role Monitoring Admin

Type: string

The LDAP group whose members have the global monitoring admin role in Ops Manager.

mms.ldap.global.role.monitoringAdmin=CN\=MMS-MonitoringAdmin,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=com

Corresponds to configuration file setting: mms.ldap.global.role.monitoringAdmin

LDAP Global Role User Admin

Type: string

The LDAP group whose members have the global user admin role in Ops Manager.

mms.ldap.global.role.userAdmin=CN\=MMS-UserAdmin,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=com

Corresponds to configuration file setting: mms.ldap.global.role.userAdmin

LDAP Global Role Read Only

Type: string

The LDAP group whose members have the global read-only role in Ops Manager.

mms.ldap.global.role.readOnly=CN\=MMS-ReadOnly,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=com

Corresponds to configuration file setting: mms.ldap.global.role.readOnly

mms.ldap.group.separator

To set this, click Config and then click the Custom tab.

Type: string

Each of the global role values takes a delimited list of groups:

"dbas,sysadmins"

If a group value contains the delimiter, the delimiter must be set to another value.

Example

If you have the group value "CN\=foo,DN\=bar" and the delimiter is , then Ops Manager parses "CN\=foo,DN\=bar" as two elements rather than as the description for a single group.

Change the delimiter by adding the mms.ldap.group.separator setting to the configuration file and specifying a different delimiter.

Starting with Ops Manager 1.5, the default delimiter is ;;.

Multi-Factor Authentication (MFA) Settings

Multi-factor Auth Level

Type: string

Default: OFF

Configures the two-factor authentication “level”:

  • OFF: Disables two-factor authentication. Ops Manager does not use two-factor authentication.
  • OPTIONAL: Users can choose to set up two-factor authentication for their Ops Manager account.
  • REQUIRED_FOR_GLOBAL_ROLES: Users who possess a global role must set up two-factor authentication. Two factor authentication is optional for all other users.
  • REQUIRED: All users must set up two-factor authentication for their Ops Manager account.

Two-factor authentication is recommended for the security of your Ops Manager deployment.

Corresponds to configuration file setting: mms.multiFactorAuth.level

mms.multiFactorAuth.require

In Ops Manager 1.8 and later, mms.multiFactorAuth.level replaces mms.multiFactorAuth.require.

Type: boolean

Default: false

When true, Ops Manager will require two-factor authentication for users to log in or to perform certain destructive operations within the application.

If you configure Twilio integration, users may obtain their second factor tokens via Google Authenticator, SMS, or voice calls. Otherwise, the only mechanism to provide two-factor authentication is Google Authenticator.

Multi-factor Auth Allow Reset

Type: boolean

Default: false

When true, Ops Manager allows users to reset their two-factor authentication settings via email in an analogous fashion to resetting their passwords.

To reset two-factor authentication, a user must:

  • be able to receive email at the address associated with the user account.
  • know the user account’s password.
  • know the agent API key for each Ops Manager group the user belongs to.

Corresponds to configuration file setting: mms.multiFactorAuth.allowReset

Multi-factor Auth Issuer

Type: string

If Google Authenticator provides two-factor authentication, this string is the issuer in the Google Authenticator app. If left blank, the issuer is the domain name of the Ops Manager installation.

Corresponds to configuration file setting: mms.multiFactorAuth.issuer

Other Authentication Options

ReCaptcha Enabled

Type: boolean

Set to true to require reCaptcha validation when a new user registers. You must have a reCaptcha account.

Corresponds to configuration file setting: reCaptcha.enabled

ReCaptcha Public Key

Type: string

The reCaptcha public key associated with your account.

Corresponds to configuration file setting: reCaptcha.public.key

ReCaptcha Private Key

Type: string

The reCaptcha private key associated with your account.

Corresponds to configuration file setting: reCaptcha.private.key

Session Max Hours

Type: number

The number of hours before a session on the Ops Manager website expires.

Set this value to 0 to use browser session cookies only.

Corresponds to configuration file setting: mms.session.maxHours

Security Settings

mms.security.hstsMaxAgeSeconds

Type: integer

Default: 0 (Can use HTTP or HTTPS.)

How long (in seconds) Ops Manager limits browser connections to use HTTPS. This value must be a positive integer.

See also

To learn how to deploy HSTS, see HTTP Strict Transport Security, RFC6797 and hstspreload.org.

Corresponds to configuration page setting: HSTS Preload Maximum Age.

mms.security.disableBrowserCaching

Type: boolean

Default: false

When true, Ops Manager makes all HTTP responses not cacheable.

Corresponds to configuration page setting: Disable Browser Caching.

HTTP/HTTPS Proxy Settings

Ops Manager can pass all outgoing HTTP and HTTPS requests through an HTTP or HTTPS proxy.

Proxy Host

Type: string

Specify the hostname of the HTTP or HTTPS proxy to which you wish to connect.

proxy.example.com

Corresponds to configuration file setting: http.proxy.host

Proxy Port

Type: integer

Specify the port on which you wish to connect to the host. You must specify both the Proxy Port and Proxy Host to use a proxy.

Corresponds to configuration file setting: http.proxy.port

Proxy Username

Type: string

If the proxy requires authentication, use this setting to specify the username with which to connect to the proxy.

Corresponds to configuration file setting: http.proxy.username

Proxy Password

Type: string

If the proxy requires authentication, use this setting to specify the password with which to connect to the proxy.

Corresponds to configuration file setting: http.proxy.password

Twilio Integration Settings

To receive alert notifications via SMS, you must have a Twilio account.

Account SID

Type: string

Twilio account ID.

Corresponds to configuration file setting: twilio.account.sid

Twilio Auth Token

Type: string

Twilio API token.

Corresponds to configuration file setting: twilio.auth.token

Twilio From Number

Type: string

Twilio phone number.

Corresponds to configuration file setting: twilio.from.num

MongoDB Version Management

The following settings determine how Ops Manager knows what MongoDB releases exist and how the MongoDB binaries are supplied to the Ops Manager server. The Automation Agents and Backup Daemons use these binaries when deploying MongoDB.

Version Manifest Source

Type: string

Default: mongodb

Set this to Local if your Automation Agents and Backup Daemons will not have internet access to download MongoDB binaries. If you set this to Local, an Ops Manager admin must manually provide the version manifest and the MongoDB binaries, as described in Configure Local Mode for Ops Manager Servers without Internet Access.

Corresponds to configuration file setting: automation.versions.source

Versions Directory

Type: string

Specify the directory on the Ops Manager Application server where Ops Manager stores the MongoDB binaries. The Automation Agent accesses the binaries when installing or changing versions of MongoDB on your deployments. If you set Version Manifest Source to run in Local mode, the Backup Daemons also access the MongoDB binaries from this directory. See Configure Local Mode for Ops Manager Servers without Internet Access for more information.

Backup Versions Auto Download

Type: boolean

Indicates whether the Backup Daemons automatically install the versions of MongoDB needed by the daemons.

If true
The daemons retrieve the binaries either from MongoDB Inc. over the internet.
If false

Backup Daemons do not have internet access and require that an Ops Manager administrator manually download and extract every archived version of a MongoDB release needed by the system’s backup daemons. The administrator must place the extracted binaries into the Versions Directory on the Ops Manager servers.

Warning

Set to false when Ops Manager is running in Local Mode.

Corresponds to configuration file setting: mongodb.release.autoDownload

Backup Versions Auto Download Enterprise Builds

Type: boolean

If Backup Versions Auto Download is set to true, specify whether the Daemon should download binaries for the Enterprise Edition.

Warning

If you will run MongoDB Enterprise and provision your own Linux servers, then you must manually install a set of dependencies to each server before installing MongoDB. See Configure Local Mode for Ops Manager Servers without Internet Access.

Backup Snapshots

The following settings determine:

  • How much Ops Manager compresses file system store snapshots.
  • How frequently Ops Manager takes snapshots.
  • How long Ops Manager stores snapshots.

To set these values, click the Admin link, then the General tab, then the Ops Manager Config page, and then the Backup section.

See also

See Snapshot Frequency and Retention Policy to learn more about how often snapshots are taken and how long they can be retained.

File System Store Gzip Compression Level

Type: integer

Default: 6

Determines how much Ops Manager compresses file system-based snapshots. The level ranges from 0 to 9:

  • 0 provides no compression.
  • 1 to 9 increases the degree of compression at a cost of how fast the snapshot is compressed. Level 1 compresses snapshots the least but at the fastest speed. Level 9 compresses snapshots the most but at the slowest speed.

Note

Changing File System Store Gzip Compression Level affects new snapshots only. It does not affect the compression level of existing snapshots.

File System Store Gzip Compression Level corresponds to the backup.fileSystemSnapshotStore.gzip.compressionLevel configuration file setting.

Snapshot Interval

Type: integer

Default: 24

Specifies the time, in hours, between two consecutive snapshots.

Snapshot Interval (Hours) corresponds to the brs.snapshotSchedule.interval configuration file setting.

Base Retention of Snapshots

Type: integer

Default: 2

Specifies how many days an interval snapshot is stored.

Base Retention of Snapshots (in Days) corresponds to the brs.snapshotSchedule.retention.base configuration file setting.

Daily Retention of Snapshots

Type: integer

Default: 0

Specifies how many days a daily snapshot is stored.

Daily Retention of Snapshots (in Days) corresponds to the brs.snapshotSchedule.retention.daily configuration file setting.

Weekly Retention of Snapshots

Type: integer

Default: 2

Specifies how many weeks a weekly snapshot is stored.

Weekly Retention of Snapshots (in Weeks) corresponds to the brs.snapshotSchedule.retention.weekly configuration file setting.

Monthly Retention of Snapshot

Type: integer

Default: 1

Specifies how many months a monthly snapshot is stored.

Monthly Retention of Snapshot (in Months) corresponds to the brs.snapshotSchedule.retention.monthly configuration file setting.

Restore Digest Method

Type: string

Default: SHA1

Specifies whether or not to generate a SHA1 checksum for restore archive files.

Acceptable values are SHA1 or NONE.

Restore Digest Method corresponds to the brs.restore.digest.method configuration file setting.

KMIP Server Host

Type: string

Default: None

Specifies the hostname of a Key Management Interoperability Protocol (KMIP) server.

KMIP Server Host corresponds to the backup.kmip.server.host configuration file setting.

KMIP Server Port

Type: integer

Default: None

Specifies the port of the KMIP server.

KMIP Server Port corresponds to the backup.kmip.server.port configuration file setting.

KMIP Server CA File

Type: string

Default: None

Specifies a .PEM-format file that contains one or more certificate authorities.

KMIP Server CA File corresponds to the backup.kmip.server.ca.file configuration file setting.

Default Monitoring Data Retention

Ops Manager gathers metric data at a 10-second granularity. The Default Monitoring Data Retention table determines how long Ops Manager stores metric data. For each increasing granularity level, Ops Manager computes the data based on the averages from the previous granularity level.

The table determines the default settings for new groups. If you change the settings, Ops Manager prompts you whether to also apply the settings to existing groups. To change the settings for a specific group without changing the Ops Manager default settings, see Groups Page.

Increasing the retention period for a granularity requires more storage on the Ops Manager Application Database.

Note

Decreasing the retention period for existing groups does not immediately recovery available disk space on the file system and can actually use more disk space in the short term during the transition to the shorter retention period.

Public API

You can modify certain default behaviors of the Public API. To add the following settings, click the Admin link, then the General tab, then the Ops Manager Config page, and then the Custom section.

mms.publicApi.whitelistEnabled

Type: boolean

Certain API calls require that requests originate from a whitelisted IP address. To turn off this requirement, add this setting and set its value to false.

Monitoring Agent Session Failover

Beginning with Monitoring Agent version 5.0.0, Ops Manager can distribute monitoring assignments among up to 100 running Monitoring Agents. One agent is the primary agent and the others share in monitoring responsibilities. If an agent fails, Ops Manager redistributes that agent’s monitoring assignments. If you run more than 100 Monitoring Agents, the additional agents run as standby agents that are completely idle, except to log their status as standby agents and to periodically ask Ops Manager whether they should receive monitoring assignments.

Note

Also beginning with version 5.0.0, the Monitoring Agent stores monitoring metrics at 10-second granularity.

Prior to Monitoring Agent 5.0.0, only the primary Monitoring Agent handles monitoring assignments. All additional running agents are standby agents.

The following settings tune the interval Ops Manager uses to determine if a Monitoring Agent is unaccessible and the frequency with which standby agents poll Ops Manager to determine if they should receive monitoring assignments.

To add the following settings, click the Admin link, then the General tab, then the Ops Manager Config page, and then the Custom section.

mms.monitoring.agent.session.timeoutMillis

Type: integer

Default: 90000

The interval that Ops Manager uses to determine if a standby agent should start monitoring. If Ops Manager does not hear from a Monitoring Agent for the duration specified, Ops Manager promotes a standby agent. Configuring the timeout below 90000 (90 seconds) will cause Ops Manager to fail at startup with a configuration error.

mms.monitoring.agent.standbyCollectionFactor

Type: Integer

Default: 4

Specifies how frequently a standby agent checks in with Ops Manager to see if it should start monitoring. The following values are permitted:

  • 1: the standby agents check every 55 seconds.
  • 2: the standby agents check in at twice the rate as 1, or approximately every 27 seconds.
  • 3: the standby agents check approximately every 18 seconds
  • 4: the standby agents check approximately every 14 seconds.

SNMP Heartbeat Settings

Ops Manager uses SNMP v2c. You can configure the Ops Manager Application to send a periodic heartbeat trap notification (v2c) that contains an internal health assessment of the Ops Manager Application. The Ops Manager Application can send traps to one or more endpoints on the standard SNMP UDP port 162.

To configure the Ops Manager Application to send trap notifications, first download the Management Information Base (MIB) file at http://downloads.mongodb.com/on-prem-monitoring/MMS-MONGODB-MIB.txt . Then add the following settings as custom settings. To do so, click the Admin link, then the General tab, then the Ops Manager Config page, and then the Custom section.

snmp.default.hosts

Type: string

Default: blank

Comma-separated list of hosts where ‘heartbeat’ traps will be sent on the standard UDP port 162. You must set snmp.default.hosts to enable the SNMP heartbeat functionality; otherwise, leaving the setting blank disables the SNMP heartbeat functionality.

snmp.listen.port

Type: number

Default: 11611

Listening UDP port for SNMP. Setting to a number less than 1024 will require running the Ops Manager Application with root privileges.

snmp.default.heartbeat.interval

Type: number

Default: 300

Number of seconds between heartbeat notifications.

snmp.community

Type: string

Default: public

The snmp community for snmp traps sent by Ops Manager.

Non-Uniform Memory Access (NUMA) Settings

mongodb.disable.numa

Type: boolean

To disable NUMA for the head databases:

  1. Click the Admin link, then the General tab, then the Ops Manager Config page, and then the Custom section.
  2. Add mongodb.disable.numa as a Key and set its Value to true.
  3. Click Save.

See MongoDB and NUMA Hardware in the MongoDB Production Notes to learn more about NUMA.

Important

Each Ops Manager instance with Backup Daemons enabled must have the numactl service installed. If numactl is not installed and this setting is set to true, backup jobs fail.

Backup Settings

To add the following settings, click the Admin link, then the General tab, then the Ops Manager Config page, and then the Custom section.

mms.alerts.BackupAgentConfCallFailure.maximumFailedConfCalls

Type: integer

Default: 10

If the Backup Agent experiences more than this number of consecutive failed conf calls, Ops Manager triggers the following global alert:

Backup Agent has too many conf call failures

mms.alerts.OutsideSpaceUsedThreshold.maximumSpaceUsedPercent

Type: integer

Default: 85

If the blockstore uses at least this percentage of its total disk capacity, Ops Manager triggers the following system alert:

Blockstore space used exceeds threshold

mms.backup.minimumOplogWindowHours

Type: float

Default: 3

This sets the minimum number of hours that the oplog should record.

Warning

MongoDB recommends only changing this value temporarily to permit a test backup job to execute. The minimum oplog size value should be reset to the default as soon as possible. If an oplog is set to too small of a value, it can result in a gap between a backup job and an oplog which makes the backup unusuable for restores. Stale backup jobs must be resynchronized before it can be used for restores. See also Insufficient Oplog Size Error

mms.backup.journal.heads

Type: boolean

Default: false

This sets whether the HEAD database should use journaling.

See Manage Backup Jobs to enable or disable journaling for the head database of a single backup job.

mms.backup.snapshot.maxWorkers

Type: integer

Default: 4

This sets the number of files that are saved concurrently when taking a snapshot. Increasing the value of this setting can improve backup job performance when there are a large number of small files in a high latency environment.

mms.backup.snapshot.maxSumFileForWorkersMB

Type: integer

Default: 2048

This sets the maximum cumulative size of files, in Megabytes, that are saved concurrently when taking a snapshot.

Backup Daemon

The following settings are specific to a Backup Daemon and are set through the Admin interface, through the Backup tab’s Daemons page. These settings are not global but are specific to the daemon being configured. For a given daemon, you can set these locally through the conf-mms.properties configuration file.

Head directory

If the directory is already configured, the path is listed in the Server column.

Type: string

The dedicated disk partition on the Backup Daemon’s server where the daemon stores the head databases. The daemon maintains a head database for each shard or replica set it backs up. This directory must be writable by the mongodb-mms user and must end in a trailing slash. It is critical that this partition is sized appropriately.

Important

Data in this directory is dynamically created, maintained and destroyed by the Backup Daemon. This partition should not be used for any other purpose. This partition should not overlap with the partition used for the Backup Database.

Corresponds to configuration file setting: rootDirectory

Number of Workers

Type: number

The number of replica sets that should be processed at a time.

Corresponds to configuration file setting: numWorkers

Ops Manager Application Database Connection String

The following settings configure the Ops Manager connection to the Ops Manager Application Database. You must configure this setting in the conf-mms.properties file on each Ops Manager server. To encrypt authentication information, see Encrypt User Credentials.

mongo.mongoUri

Type: string

The connection string used to access the Ops Manager Application Database. The connection string must include the following if applicable:

  • All members of the replica set, if the Ops Manager Application database is a replica set.
  • Authentication credentials for the authentication mechanism used on the Ops Manager Application database.

See the following example connection strings:

  • Replica Sets: If you use a replica set for the database’s backing instance, specify all members of the replica set, as shown in the example below for a replica set named appdbRS. If you omit the port number, Ops Manager uses the default 27017 port for all hosts.

    mongo.mongoUri=mongodb://db1.example.com:40000,db2.example.com:40000,db3.example.com:40000
    
  • Default MongoDB Authentication: For a MongoDB instance using the MongoDB SCRAM-SHA-1 or MONGODB-CR challenge-response mechanisms, the connection string must include authentication credentials. The Ops Manager Application must authenticate as a MongoDB user with the following roles:

    Prefix the hostname with the MongoDB username and password in the form <username>:<password>@

    mongo.mongoUri=mongodb://mongodbuser1:password@mydb1.example.com:40000
    
  • x.509 Certificate Authentication: For a MongoDB instance using MONGODB-X509 authentication, you must first add the value of the subject from the client certificate as a MongoDB user, as described in Use x.509 Certificates to Authenticate Clients in the MongoDB manual. The client certificate is contained in the PEM file you specify in the mongodb.ssl.PEMKeyFile setting. Once you have created the user, prefix the host specified in mongo.mongoUri with the name of the new user and append authMechanism=MONGODB-X509 after the specified port:

    mongo.mongoUri=mongodb://<new_mongodb_user>@mydb1.example.com:40000/?authMechanism=MONGODB-X509
    
  • LDAP Authentication: For a MongoDB instance using LDAP, prefix the hostname with the MongoDB username and password in the form <username>:<password>@, and append the authMechanism=PLAIN&authSource=$external options after the port:

    mongo.mongoUri=mongodb://mongodbuser1:password@mydb1.example.com:40000/?authMechanism=PLAIN&authSource=$external
    
  • Kerberos Authentication: For a MongoDB instance using Kerberos, prefix the hostname with the Kerberos user principal and specify the authentication mechanism, authMechanism=GSSAPI, after the port.

    Kerberos user principal names have the form <username>@<KERBEROS REALM>. You must escape the user principal, replacing symbols with the URL encoded representation. A Kerberos user principal of username@REALM.EXAMPLE.COM would therefore become username%40REALM.EXAMPLE.COM.

    This is an example of Kerberos authentication:

    mongo.mongoUri=mongodb://username%40REALM.EXAMPLE.COM@mydb1.example.com:40000/?authMechanism=GSSAPI
    

    To enable Kerberos authentication between the Ops Manager Application and the Backup Data Storage, see Kerberos Authentication to the Application Database.

    See also

    authMechanism and authSource in the MongoDB manual.

mongo.encryptedCredentials

Type: boolean

To use encrypted credentials in mongo.mongoUri, encrypt the credentials using the Ops Manager credentialstool, enter them in the mongo.mongoUri setting, and set this to true:

mongo.encryptedCredentials=true

SSL Connection to the Application Database

The following settings configure Ops Manager to use SSL to encrypt connections to the dedicated MongoDB instances that host the Ops Manager Application Database and Backup Data Storage. You must configure this setting in the conf-mms.properties file on each Ops Manager server.

mongo.ssl

Type: boolean

Enables SSL connection to the Ops Manager Application Database when set to true.

mongodb.ssl.CAFile

Type: string

The name of the PEM file that contains the root certificate chain from the Certificate Authority that signed the MongoDB server certificate.

mongodb.ssl.PEMKeyFile

Type: string

The name of the PEM file that contains the X509 certificate and private key. Required if the MongoDB instance is running with the --sslCAFile option or net.ssl.CAFile setting.

If you authenticate using the MONGODB-X509 authentication mechanism, you also enter this as the name of the user in the mongoUri connection string.

mongodb.ssl.PEMKeyFilePassword

Type: string

Required if the PEM file contains an encrypted private key. Specify the password for PEM file. You can encrypt the password using the Ops Manager credentialstool. See Encrypt User Credentials.

Kerberos Authentication to the Application Database

To enable Kerberos authentication between Ops Manager and the Ops Manager Application Database, configure the following settings in the conf-mms.properties file on each Ops Manager server. You must configure all required Kerberos settings to enable Kerberos authentication.

jvm.java.security.krb5.conf

Type: string

Optional. The path to an alternate Kerberos configuration file. The value is set to JVM’s java.security.krb5.conf.

jvm.java.security.krb5.conf=/etc/conf/krb5.conf
jvm.java.security.krb5.kdc

Type: string

Required if using Kerberos. The IP/FQDN (Fully Qualified Domain Name) of the KDC server. The value will be set to JVM’s java.security.krb5.kdc.

jvm.java.security.krb5.kdc=kdc.example.com
jvm.java.security.krb5.realm

Type: string

Required if using Kerberos. This is the default REALM for Kerberos. It is being used for JVM’s java.security.krb5.realm.

jvm.java.security.krb5.realm=EXAMPLE.COM
mms.kerberos.principal

Type: string

Required if using Kerberos. The principal used to authenticate with MongoDB. This should be the exact same user on the mongo.mongoUri above.

mms.kerberos.principal=mms/mmsweb.example.com@EXAMPLE.COM
mms.kerberos.keyTab

Type: string

Required if using Kerberos. The absolute path to the keytab file for the principal.

mms.kerberos.keyTab=/path/to/mms.keytab
mms.kerberos.debug

Type: boolean

The debug flag to output more information on Kerberos authentication process.

mms.kerberos.debug=false

Encrypt User Credentials

For configuration settings that store credentials, you can either store the credentials in plain text or use the Ops Manager credentialstool to encrypt the credentials. If you choose to store credentials in plain text, reduce the permissions on the conf-mms.properties file on each server.

Note

Protect Plain Text Passwords

If you choose to store credentials in plain text, reduce the permissions on the conf-mms.properties file on each server.

Operating System Permission Changes
Linux sudo chmod 600 <install_dir>/conf/conf-mms.properties
Windows Restrict access to only the users and/or groups that need to modify conf-mms.properties.

Important

When installed with rpm or deb packages, the credentialstool tool requires root (sudo) privileges, because it modifies the /etc/mongodb-mms/gen.key file. Ops Manager uses the gen.key to encrypt sensitive data in the database and configuration files.

Use the credentialstool to generate encrypted credentials for the MongoDB deployments:

1

Run the shell command to create a pair of encrypted credentials.

Operating System Command
Linux / Mac OS X
sudo <install_dir>/bin/credentialstool.sh --username <username> --password
Windows
<install_dir>\bin\credentialstool.bat --username <username> --password
Substitutions
<username> Your MongoDB username
<install_dir> Path where Ops Manager was installed.
2

Enter the password when prompted.

The credentialstool then outputs the encrypted credential pair.

3

Add the encrypted credentials to the conf-mms.properties file.

  1. Enter the encrypted credential pair in the mongo.mongoUri settings where needed.

  2. Add the mongo.encryptedCredentials setting and set it to true.

    Example

    mongo.mongoUri=mongodb://da83ex3s:a4fbcf3a1@mydb1.example.net:40000/admin
    mongo.encryptedCredentials=true
    

    Important

    The conf-mms.properties file can contain multiple mongo.mongoUri settings. If mongo.encryptedCredentials is true, you must encrypt all user credentials found in the various mongo.mongoUri settings.

Default Paths for Automation

You can modify various default paths for Automation. To modify these paths, click the Admin link in the top right corner of Ops Manager to access the settings panels. From the General tab, go to Ops Manager Config and select the Custom tab.

automation.default.dataRoot

Default: /data

The default data path for the MongoDB databases managed by Automation.

automation.default.downloadBase

Default: /var/lib/mongodb-mms-automation

The default path for the Monitoring Agent, Backup Agent, and MongoDB binaries for the deployments managed by Automation on Linux/OSX.

automation.default.downloadBaseWindows

Default: %SystemDrive%\\MMSAutomation\\versions

The default path for the Monitoring Agent, Backup Agent, and MongoDB binaries for the deployments managed by Automation on Windows.

automation.default.monitoringAgentLogFile

Default: /var/log/mongodb-mms-automation/monitoring-agent.log

The default path for the Monitoring Agent logs on Linux/OSX.

automation.default.monitoringAgentLogFileWindows

Default: %SystemDrive%\\MMSAutomation\\log\\mongodb-mms-automation\\monitoring-agent.log

The default path for the Monitoring Agent logs on Windows.

automation.default.backupAgentLogFile

Default: /var/log/mongodb-mms-automation/backup-agent.log

The default path for the Backup Agent logs on Linux/OSX.

automation.default.backupAgentLogFileWindows

Default: %SystemDrive%\\MMSAutomation\\log\\mongodb-mms-automation\\backup-agent.log

The default path for the Backup Agent logs on Windows.

automation.default.certificateAuthorityFile

The default path for the Certificate Authority (CA) file on Linux/OSX.

automation.default.certificateAuthorityFileWindows

The default path for the Certificate Authority (CA) file on Windows.