MongoDB Agent Settings
On this page
- Configuration File & Settings Locations
- MongoDB Agent Settings
- Logging Settings
- Connection Settings
- HTTP Proxy Settings
- Configuration Backup Settings
- Cloud Manager TLS Settings
- Push Live Migration Settings
- Externally Sourced Configuration Settings
- Transparent Huge Page (THP) Settings
- Automation Settings
- MongoDB Kerberos Settings
- Monitoring Settings
- Log Settings
- Custom Settings
- Backup Settings
- Log Settings
- Custom Settings
This page describes possible settings for the MongoDB Agent. These values are set after first launching Cloud Manager and not through manual editing of these files.
Warning
If you edit authentication or TLS settings through Settings or Deployments in the Cloud Manager interface, those changes overwrite any manual changes in this configuration file.
Configuration File & Settings Locations
The location of the MongoDB Agent configuration file is
C:\MMSData\Automation\automation-agent.config
.
Note
The MongoDB Agent configuration file is named
automation-agent.config
as a way to enable easier upgrades
for those using legacy agents.
The location of the MongoDB Agent configuration file is
/etc/mongodb-mms/automation-agent.config
.
Note
The MongoDB Agent configuration file is named
automation-agent.config
as a way to enable easier upgrades
for those using legacy agents.
The location of the MongoDB Agent configuration file is
/etc/mongodb-mms/automation-agent.config
.
Note
The MongoDB Agent configuration file is named
automation-agent.config
as a way to enable easier upgrades
for those using legacy agents.
The location of the MongoDB Agent configuration file is
/path/to/install/local.config
.
You can configure additional Monitoring settings and Backup settings through the Cloud Manager Console.
MongoDB Agent Settings
The following settings are required. All other settings are set to default values.
mmsGroupId
Type: string
Required.
Specifies the ID of your Cloud Manager project. To locate this value:
In MongoDB Cloud Manager, go to the Deployment page for your project.
If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
If the Deployment page is not already displayed, click Deployment in the sidebar.
The Deployment page displays.
Click the Agents tab for your deployment.
The Agents page displays.
Select the appropriate operating system under Downloads & Settings.
To copy this value directly, in the Install Agent Instructions box, click .
This setting is usually set when the MongoDB Agent is installed and is required to bind the server to a project.
mmsGroupId=8zvbo2s2asigxvmpnkq5yexf
mmsApiKey
Type: string
Required.
Specifies the Cloud Manager agent API key of your Cloud Manager project.
You can use an Agent API key that you have already generated for the project. Otherwise, you can generate a new Agent API key. A project can have more than one Agent API key, and any of the project's agents can use any of the keys. For more information, see Manage Agent API Keys.
To generate an Agent API key, go to the Agent API Keys tab. To navigate to the tab:
In MongoDB Cloud Manager, go to the Deployment page for your project.
If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
If the Deployment page is not already displayed, click Deployment in the sidebar.
The Deployment page displays.
Click the Agents tab for your deployment.
The Agents page displays.
Click the Agent API Keys tab.
Important
When you generate an Agent API Key, Cloud Manager displays it one time only. You must copy this key. Treat it like a password; store it in a secure place. Cloud Manager never displays the full key again.
This setting is usually set when the MongoDB Agent is installed and is required to bind the server to a project.
Note
To enable the MongoDB Agent to request the Agent API Key from a shell command, set the
mmsApiKeyExec
option in the configuration file rather than setting themmsApiKey
option.mmsApiKey=8zvbo2s2asigxvmpnkq5yexf
mmsBaseUrl
Type: string
Specifies the URL of the Cloud Manager.
Important
This value is set by default and should not be modified.
mmsBaseUrl=https://api-agents.mongodb.com
Logging Settings
logFile
Type: string
Specifies the path to which Cloud Manager should write the MongoDB Agent's log.
The default path depends on your platform. The MongoDB Agent uses the default filename
automation-agent.log
whether or not the deployment uses Automation.Important
Automatic rotation of your MongoDB Agent logs only occurs when an update to the log file is made. To manually rotate your MongoDB Agent logs, see Manually Rotate the MongoDB Agent Logs for more information.
PlatformDefault PathLinux/var/log/mongodb-mms-automation/automation-agent.log
WindowsC:\MMSAutomation\log\mongodb-mms-automation\automation-agent.log
logFile=/path/to/mongodb-mms-automation/automation-agent.log
logLevel
Type: string
Specifies the level of logging granularity.
Choose from the following severity levels, from most to least amount of information:
DEBUG
INFO
WARN
ERROR
FATAL
By default,
logLevel
isINFO
.logLevel=ROUTINE Each level includes the log items included in the succeeding levels.
Example
If you choose
DEBUG
, the MongoDB Agent logs all messages, includingINFO
,WARN
,ERROR
andFATAL
.If you choose
FATAL
, the MongoDB Agent only logsFATAL
messages.
maxLogFiles
Type: integer
Specifies the maximum number of rotated log files to retain.
By default, the value of
maxLogFiles
is set to10
. You can change the value to retain a different number of rotated log files.maxLogFiles=15
maxLogFileDurationHrs
Type: float
Specifies the number of hours after which the logs are rotated.
Note
Manually Rotate the MongoDB Agent Logs
On UNIX- and Linux-based systems you can manually rotate the MongoDB Agent logs. Issue a
kill
command with theSIGUSR1
signal for the Agent process:kill -SIGUSR1 <AgentID> On Windows-based systems, you can manually restart the MongoDB Agent with a Service restart:
Click the Start menu.
Search for
services
.Find the MongoDB Agent.
Right-click on the Agent and click Restart.
This rotates the MongoDB Agent logs.
maxLogFileSize
Type: integer
Specifies the maximum size, in bytes, of a log file before the logs are rotated. If unspecified, the MongoDB Agent does not rotate logs based on file size.
By default, the value of
maxLogFileSize
is set to268435456
bytes. You can change the value to assign a different maximum size for a log file.maxLogFileSize=536870912
maxUncompressedLogFiles
Type: integer
Specifies the maximum number of rotated log files to keep uncompressed. MongoDB Agent automatically compresses any additional retained log files up to the
maxLogFiles
value.By default, the value of
maxUncompressedLogFiles
is set to2
. You can change the value to compress a different number of rotated log files.maxUncompressedLogFiles=10
Connection Settings
dialTimeoutSeconds
Type: integer
Specifies the number of seconds to wait before a connection times out. By default, connections time out after 40 seconds. However, The MongoDB Agent may frequently time out of connections for one or more of the following reasons:
High network latency
High server load
Large TLS keys
Lack of TLS accelerator
Insufficient CPU speed
MongoDB recommends gradually increasing the value of the
dialTimeoutSeconds
MongoDB Agent configuration setting to prevent frequent premature connection timeouts.dialTimeoutSeconds=40 Note
Increasing this value also increases the time required to deploy configuration changes to the MongoDB Agent. Experiment with small, incremental increases until you determine the optimum value for your deployment.
HTTP Proxy Settings
Configuration Backup Settings
mmsConfigBackup
Type: string
Specifies the path to the Cloud Manager configuration backup file. This file describes the desired state of the deployment.
If you don't specify the
mmsConfigBackup
setting, the MongoDB Agent writes themongodb-mms-automation-cluster-backup.json
file to a temporary folder on the operating system.If you set
enableLocalConfigurationServer
totrue
, the MongoDB Agent doesn't write themmsConfigBackup
file.mmsConfigBackup=/path/to/mms-cluster-config-backup.json
Cloud Manager TLS Settings
Specify the settings that the MongoDB Agent uses when communicating with Cloud Manager using TLS.
httpsCAFile
Type: string
Specifies the absolute path that contains the trusted Certificate Authority certificates in
PEM
format. This certificate verifies that the MongoDB Agent is talking to the designated Cloud Manager instance.httpsCAFile=/path/to/ca.pem Note
Add the Certificate Authority for the
downloads.mongodb.com
certificate to this.pem
file if you:Need your MongoDB Agents to download their MongoDB installers from the Internet,
Use TLS to encrypt connections, and
Signed your certificates with a private Certificate Authority. (You set the
httpsCAFile
option.)
To learn how to download TLS certificates from another web site, see the OpenSSL Cookbook entry.
Important
When Cloud Manager starts, it caches the Certificate Authority you provided. If you change your Certificate Authority certificate, restart Cloud Manager.
sslRequireValidMMSServerCertificates
Type: boolean
Important
Deprecated. Use
tlsRequireValidMMSServerCertificates
instead.
tlsRequireValidMMSServerCertificates
Type: boolean
Specifies if the MongoDB Agent should validate TLS certificates presented by Cloud Manager.
Warning
Setting this option to
false
disables certificate verification and makes connections between the MongoDB Agent and Cloud Manager susceptible to man-in-the-middle attacks. Setting this option tofalse
is only recommended for testing purposes.tlsRequireValidMMSServerCertificates=true
Push Live Migration Settings
agentFeatureCloudMigrationEnabled
Type: boolean
Optional.
Specifies whether the MongoDB Agent on the migration host is configured to run the Live Migration process from a source Cloud Manager deployment to a target cluster in Atlas.
This option defaults to
false
, which prevents using the MongoDB Agent on this host for Live Migration to Atlas.To enable the Live Migration process, provision a migration host and set
agentFeatureCloudMigrationEnabled
totrue
.
Externally Sourced Configuration Settings
enableLocalConfigurationServer
Type: boolean
Specifies whether the MongoDB Agent stores MongoDB process configuration files on disk or cached in memory.
This option defaults to
false
, which stores the configuration files on disk. Setting this option totrue
caches the configuration in memory.If you set this option to
true
, the MongoDB Agent doesn't write themmsConfigBackup
file.Don't set this option to
true
if your MongoDB databases are running FCV 4.2 or earlier.Warning
Setting this option to
true
impacts the availability of your deployment.When this feature is enabled, the MongoDB Agent doesn't store the MongoDB process configuration on disk. If the Cloud Manager app server is unavailable and the MongoDB Agent attempts to restart, then the MongoDB Agent stops running because it doesn't have the necessary configuration information. If a MongoDB process crashes while the MongoDB Agent isn't running, then the MongoDB Agent can't restart the process.
enableLocalConfigurationServer=false
keepUnusedMongodbVersions
Type: boolean
Flag that indicates whether the MongoDB Agent retains unused MongoDB version binaries that it downloads. By default,
keepUnusedMongodbVersions
is false.keepUnusedMongodbVersions=false
localConfigurationServerPort
Type: integer
Specifies the port to serve the MongoDB process configuration to when using the local configuration server. To set this option,
enableLocalConfigurationServer
must betrue
.If unspecified, the MongoDB Agent chooses an available port automatically.
localConfigurationServerPort=20128
Transparent Huge Page (THP) Settings
MongoDB Agent allows you to disable Transparent Huge Pages (THP) on a per-process basis to avoid accidental performance degradation. To disable THP, perform the following steps:
Upgrade the MongoDB Agent version to 108.0.x.
Modify the automation config file to include
enableAgentManagingTHPSettings=true
.Restart the MongoDB Agent and the managed
mongod
andmongos
processes. You can now enable THP on a system-wide level.Note
This may generate a false positive start-up warning.
(Optional) Upgrade to 8.0.
enableAgentManagingTHPSettings
Type: boolean
Default: false
Specifies whether the MongoDB Agent should disable Transparent Huge Pages (THP) for
mongo
process versions before 8.0. The MongoDB Agent disables THP on a permongo
process basis regardless of the OS-level THP settings.
Automation Settings
The following configuration settings are used for authentication in automated clusters.
MongoDB Kerberos Settings
Specify these settings if Automation authenticates to hosts using Kerberos. To configure Kerberos, see Configure the MongoDB Agent for Kerberos.
krb5ConfigLocation
Type: string
Specifies an absolute path to an non-system-standard location for the Kerberos configuration file.
krb5ConfigLocation=/path/to/krb_custom.conf Note
Cloud Manager creates a Kerberos Credential (Ticket) Cache for each agent automatically when Kerberos is enabled. If you want to override the location of the Kerberos Credential Cache, you must set the
KRB5CCNAME
environment variable to the desired file name and path before running the agent.
backupAgentKrb5CCName
Type string
Specifies the
KRB5CC
environment variable that the MongoDB Agent sets for the Backup process. Used only to authenticate the Backup to your MongoDB deployment when the MongoDB Agent starts the Backup function.backupAgentKrb5CCName=/path/to/credentials_cache_file
monitoringAgentKrb5CCName
Type string
Specifies the
KRB5CC
environment variable that the MongoDB Agent sets for the Monitoring function. Used only to authenticate Monitoring to your MongoDB deployment when the MongoDB Agent starts the Monitoring function.monitoringAgentKrb5CCName=/path/to/credentials_cache_file
Monitoring Settings
Use the Cloud Manager interface to configure Monitoring settings.
Log Settings
In MongoDB Cloud Manager, go to the Deployment page for your project.
If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
If the Deployment page is not already displayed, click Deployment in the sidebar.
The Deployment page displays.
Go to the Agents page.
Click the Agents tab for your deployment.
The Agents page displays.
Edit the log settings.
Click Downloads & Settings.
In the Agent Log Settings section, click next to Monitoring Log Settings.
Edit the Monitoring log settings:
SettingDefault ValueConsole Suggested ValueLinux Log File Path/var/log/mongodb-mms-automation/monitoring-agent.log
Windows Log File Path%SystemDrive%\MMSAutomation\log\mongodb-mms-automation\monitoring-agent.log
Rotate LogsYESSize Threshold (MB)1000Time Threshold (Hours)24Max Uncompressed Files5Max Percent of Disk2Total Number of Log Files0Click Save.
Custom Settings
In MongoDB Cloud Manager, go to the Deployment page for your project.
If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
If the Deployment page is not already displayed, click Deployment in the sidebar.
The Deployment page displays.
Go to the Agents page.
Click the Agents tab for your deployment.
The Agents page displays.
You can configure the following Monitoring settings:
Connection Settings
mmsGroupId
Type: string
Specifies the ID of your Cloud Manager project. To find the project ID:
1In MongoDB Cloud Manager, go to the Project Settings page.
If it's not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
Next to the Projects menu, expand the Options menu, then click Project Settings.
The Project Settings page displays.
mmsGroupId=8zvbo2s2asigxvmpnkq5yexf
mmsApiKey
Type: string
Specifies the Cloud Manager agent API key of your Cloud Manager project.
You can use an Agent API key that you have already generated for the project. Otherwise, you can generate a new Agent API key. A project can have more than one Agent API key, and any of the project's agents can use any of the keys. For more information, see Manage Agent API Keys.
To generate an Agent API key, go to the Agent API Keys tab. To navigate to the tab:
In MongoDB Cloud Manager, go to the Deployment page for your project.
If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
If the Deployment page is not already displayed, click Deployment in the sidebar.
The Deployment page displays.
Click the Agents tab for your deployment.
The Agents page displays.
Click the Agent API Keys tab.
Important
When you generate an Agent API Key, Cloud Manager displays it one time only. You must copy this key. Treat it like a password; store it in a secure place. Cloud Manager never displays the full key again.
Cloud Manager configures this setting when you install the MongoDB Agent. If you need to configure Monitoring separately, include this setting.
mmsApiKey=rgdte4w7wwbnds9nceuodx9mcte2zqem
HTTP Proxy Settings
MongoDB Kerberos Settings
Specify these settings if Monitoring authenticates to hosts using Kerberos.
To configure Kerberos, see Configure the MongoDB Agent for Kerberos. The same procedures and requirements apply, only use a different UPN for Monitoring.
Note
Cloud Manager creates a Kerberos Credential (Ticket) Cache for each agent
automatically when Kerberos is enabled. If you want to override the
location of the
Kerberos Credential Cache,
you must set the KRB5CCNAME
environment variable to the desired
file name and path before running the agent.
krb5Principal
Type: string
Specifies the Kerberos principal that Monitoring uses.
krb5Principal=monitoring/myhost@EXAMPLE.COM
krb5Keytab
Type: string
Specifies the absolute path to Kerberos principal's
keytab
file.krb5Keytab=/path/to/mms-monitoring.keytab
krb5ConfigLocation
Type: string
Specifies the absolute path to an non-system-standard location for the Kerberos configuration file.
krb5ConfigLocation=/path/to/krb_custom.conf
gssapiServiceName
Type: string
Specifies the service name with the
gssapiServiceName
setting.By default, MongoDB uses
mongodb
as its service name.
MongoDB TLS Settings
Specify these settings when Monitoring connects to MongoDB deployments using TLS.
To learn more, see Configure MongoDB Agent to Use TLS.
useSslForAllConnections
Type: boolean
Specifies whether or not to encrypt all connections to MongoDB deployments using TLS.
Important
Setting this to
true
overrides any per-host TLS settings configured in the Cloud Manager interface.
sslClientCertificate
Type: string
Specifies the absolute path to the private key, client certificate, and optional intermediate certificates in PEM format. Monitoring uses the client certificate to connect to any configured MongoDB deployment that uses TLS and requires client certificates. (The deployment runs with the --tlsCAFile setting.)
Example
If you want to connect to a MongoDB deployment that uses both TLS and certificate validation using
mongosh
:mongosh --tls --tlsCertificateKeyFile /path/to/client.pem --tlsCAFile /path/to/ca.pem example.net:27017 You must set these settings in your Custom Settings:
sslTrustedServerCertificates=/path/to/ca.pem sslClientCertificate=/path/to/client.pem
sslClientCertificatePassword
Type: string
Specifies the password needed to decrypt the private key in the
sslClientCertificate
file. Include this setting if you encrypted the client certificate PEM file.sslClientCertificatePassword=password
sslTrustedServerCertificates
Type: string
Specifies the absolute path that contains the trusted Certificate Authority certificates in PEM format. These certificates verify the server certificate returned from any MongoDB deployments running with TLS.
sslTrustedServerCertificates=/path/to/ca.pem
sslRequireValidServerCertificates
Type: boolean
Specifies whether Monitoring should validate the TLS certificates presented by the MongoDB databases.
sslRequireValidServerCertificates=true By default, Cloud Manager sets
sslRequireValidServerCertificates
totrue
. You need a valid trusted certificate to connect to MongoDB instances using TLS.If MongoDB Agent manages Monitoring, you can't set this option to
false
.If you configure Monitoring manually, you can set
sslRequireValidServerCertificates
tofalse
.If you set
sslRequireValidServerCertificates
tofalse
, don't setsslTrustedServerCertificates
. Cloud Manager won't verify the certificates.
Warning
Changing this setting to
false
disables certificate verification and makes connections between Monitoring and MongoDB deployments susceptible to man-in-the-middle attacks. Change this setting tofalse
only for testing purposes.
Cloud Manager Server TLS Settings
Specify the settings Monitoring uses when communicating with Cloud Manager using TLS.
httpsCAFile
Type: string
Specifies the absolute path that contains the trusted Certificate Authority certificates in PEM format. Monitoring uses this certificate to verify that the agent can communicate with the designated Cloud Manager instance.
By default, Monitoring uses the trusted root Certificate Authoritys installed on the host.
If the agent cannot find the trusted root Certificate Authoritys, configure these settings manually.
httpsCAFile=/path/to/mms-certs.pem
Backup Settings
Use the Cloud Manager interface to configure Backup settings.
Log Settings
In MongoDB Cloud Manager, go to the Deployment page for your project.
If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
If the Deployment page is not already displayed, click Deployment in the sidebar.
The Deployment page displays.
Go to the Agents page.
Click the Agents tab for your deployment.
The Agents page displays.
Edit the log settings.
Click Downloads & Settings.
In the Agent Log Settings section, click next to Backup Log Settings.
Edit the Backup log settings:
SettingDefault ValueConsole Suggested ValueLinux Log File Path/var/log/mongodb-mms-automation/backup-agent.log
Windows Log File Path%SystemDrive%\MMSAutomation\log\mongodb-mms-automation\backup-agent.log
Rotate LogsYESSize Threshold (MB)1000Time Threshold (Hours)24Max Uncompressed Files5Max Percent of Disk2Total Number of Log Files0Click Save.
Custom Settings
In MongoDB Cloud Manager, go to the Deployment page for your project.
If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
If the Deployment page is not already displayed, click Deployment in the sidebar.
The Deployment page displays.
Go to the Agents page.
Click the Agents tab for your deployment.
The Agents page displays.
You can configure the following Backup settings:
Connection Settings
mmsGroupId
Type: string
Specifies the ID of your Cloud Manager project. To find the project ID:
1In MongoDB Cloud Manager, go to the Project Settings page.
If it's not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
Next to the Projects menu, expand the Options menu, then click Project Settings.
The Project Settings page displays.
mmsGroupId=8zvbo2s2asigxvmpnkq5yexf
mmsApiKey
Type: string
Specifies the MongoDB Agent API key of your Cloud Manager project.
You can use an Agent API key that you have already generated for the project. Otherwise, you can generate a new Agent API key. A project can have more than one Agent API key, and any of the project's agents can use any of the keys. For more information, see Manage Agent API Keys.
To generate an Agent API key, go to the Agent API Keys tab. To navigate to the tab:
In MongoDB Cloud Manager, go to the Deployment page for your project.
If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
If the Deployment page is not already displayed, click Deployment in the sidebar.
The Deployment page displays.
Click the Agents tab for your deployment.
The Agents page displays.
Click the Agent API Keys tab.
Important
When you generate an Agent API Key, Cloud Manager displays it one time only. You must copy this key. Treat it like a password; store it in a secure place. Cloud Manager never displays the full key again.
Cloud Manager configures this setting when you install the MongoDB Agent. If you need to configure Backup separately, include this setting.
mmsApiKey=rgdte4w7wwbnds9nceuodx9mcte2zqem
mothership
Type: string
Specifies the hostname and port of the Cloud Manager used by the Backup agent.
Note
Don't include the protocol (
http://
orhttps://
) in themothership
setting.mothership=example.com:8080
mothershipResponseHeaderTimeout
Type: integer
Specifies the length of time in seconds Backup waits for the Cloud Manager to respond. If the MongoDB Agent doesn't get a response, it resets and retries the connection to the Cloud Manager. This value defaults to
90
seconds.
HTTP Proxy Settings
MongoDB Kerberos Settings
To configure Kerberos, see Configure the MongoDB Agent for Kerberos. The same procedures and requirements apply, only use a different UPN for Backup.
Note
Cloud Manager creates a Kerberos Credential (Ticket) Cache for each agent
automatically when Kerberos is enabled. If you want to override the
location of the
Kerberos Credential Cache,
you must set the KRB5CCNAME
environment variable to the desired
file name and path before running the agent.
krb5Principal
Type: string
Specifies the Kerberos principal that Backup uses.
krb5Principal=backup/myhost@EXAMPLE.COM
krb5Keytab
Type: string
Specifies the absolute path to Kerberos principal's keytab file.
krb5Keytab=/path/to/mms-backup.keytab
krb5ConfigLocation
Type: string
Specifies the absolute path to an non-system-standard location for the Kerberos configuration file.
krb5ConfigLocation=/path/to/krb_custom.conf
gsapiServiceName
Type: string
Specifies the service name with the
gsapiServiceName
setting.By default, MongoDB uses
mongodb
as its service name.
MongoDB TLS Settings
Specify these settings when Backup connects to MongoDB deployments using TLS.
To learn more, see Configure MongoDB Agent to Use TLS.
sslClientCertificate
Type: string
Specifies the path to the private key, client certificate, and optional intermediate certificates in PEM format. Backup uses the client certificate when connecting to a MongoDB deployment that uses TLS and requires client certificates. (The deployment runs with the --tlsCAFile setting.)
sslClientCertificatePassword
Type: string
Specifies the password needed to decrypt the private key in the
sslClientCertificate
file. Include this setting if you encrypted the client certificate PEM file.
sslTrustedServerCertificates
Type: string
Specifies the path that contains the trusted CA certificates in PEM format. These certificates verify the server certificate returned from any MongoDB deployments running with TLS.
sslTrustedServerCertificates=/path/to/mongodb-certs.pem
sslRequireValidServerCertificates
Type: boolean
Specifies if Backup should validate TLS certificates presented by the MongoDB deployments.
Warning
Changing this setting to
false
disables certificate verification and makes connections between Backup and MongoDB deployments susceptible to man-in-the-middle attacks. Change this setting tofalse
only for testing purposes.
Cloud Manager Server TLS Settings
Specify the settings Backup use when communicating with Cloud Manager using TLS.
sslTrustedMMSBackupServerCertificate
Specifies the absolute path that contains the trusted Certificate Authority certificates in PEM format. Backup uses this certificate to verify that the MongoDB Agent can communicate with the designated Cloud Manager instance.
By default, Backup uses the trusted root Certificate Authoritys installed on the system.
If Backup cannot find the trusted root Certificate Authoritys, configure these settings manually.
If Cloud Manager use a self-signed TLS certificate, provide a value for this setting.
sslTrustedMMSBackupServerCertificate=/path/to/mms-certs.pem