Ops Manager Configuration Settings
Ops Manager stores configuration settings both globally in the Ops Manager Application Database and locally on each server. Global settings apply to all your Ops Manager servers. Local settings apply to the server on which they are configured. Any local settings on a server override the global settings.
You configure local settings through a server's conf-mms.properties file. Each server's conf-mms.properties must contain the connection string and authentication settings for accessing the Ops Manager Application Database. The conf-mms.properties file also contains any overrides of global settings specific to that server.
The location of the conf-mms.properties file depends on how you installed Ops Manager, as described in the table below.
Install method | conf-mms.properties location |
---|---|
rpm or deb package | /opt/mongodb/mms/conf/ |
tar.gz archive | <install-directory>/conf/ |
Bypass Initial Configuration via the User Interface
If you would like to skip the initial setup wizard after creating the first account and either edit the conf-mms.properties file or use the API to configure Ops Manager, change the following settings. This setting can help if you are automating the deployment of Ops Manager instances.
mms.ignoreInitialUiSetup
Type: boolean
Set this to true to allow full use of Ops Manager without requiring the first user account to complete the initial setup wizard.
Warning
Ops Manager performs its regular pre-flight check to verify that it has all of the required settings. If one or more of those settings are not included in conf-mms.properties, Ops Manager refuses to start and lists which fields are missing in the log file.
Before starting Ops Manager, add the following required settings to conf-mms.properties to enable basic Ops Manager functionality:
UI Setting | conf-mms.properties Setting | Necessity
Required None Required Required Required Required Required Required Required Required Required Optional Optional Optional Optional Optional Optional Optional
Note
Fields marked as Optional have default values. If you want to change them, you can provide the setting and a new value.
Example
The following values are examples. Substitute values appropriate to your Ops Manager installation. You may add any of the other settings specified in this reference.
To configure an Ops Manager installation with the minimum functionality, add the following settings to conf-mms.properties:
mms.ignoreInitialUiSetup=true
mongo.mongoUri=mongodb://db1.example.com:27017,db2.example.com:27017,db3.example.com:27017
mms.centralUrl=http://localhost:8080
mms.fromEmailAddr=example@example.com
mms.replyToEmailAddr=example@example.com
mms.adminEmailAddr=example@example.com
mms.mail.transport=smtp
mms.mail.hostname=mail.example.com
mms.mail.port=465
All Clusters View
mms.allclusters.onlyMembership
Type: boolean
Default: False
Determines whether the View All Clusters displays only the deployments to which an Ops Manager administrator belongs (set the value to true) or the deployments to which the administrator has access (set the value to false).
Application Database Connection
The following settings configure the Ops Manager connection to the Ops Manager Application Database. You must configure this setting in the conf-mms.properties file on each Ops Manager server. To encrypt authentication information, see Encrypt User Credentials.
mongo.mongoUri
Type: string
The connection string used to access the Ops Manager Application Database. If applicable, the connection string must include the authentication credentials for the authentication mechanism used on the Ops Manager Application Database.
How you format your connection string depends on:
- the type of cluster you deployed for your backing databases,
- the protocol you use, and
- the authentication method you use.
If you use a replica set for the database's backing instance, your connection string may include either the hostnames of all replica set members or the hostname for the DNS seedlist.
If you choose a standard connection string, include all members of the replica set in the URI. If you omit the port number, Ops Manager uses the default 27017 port for all hosts.
mongo.mongoUri=mongodb://mongod1.example.com:40000,mongod2.example.com:40000,mongod3.example.com:40000
Prepend the MongoDB username and password to the hostname. Write the username and password in this format: <username>:<password>@
mongo.mongoUri=mongodb://mongodbuser1:password@mongod1.example.com:40000,mongod2.example.com:40000,mongod3.example.com:40000
Note
Necessary MongoDB Roles
The MongoDB user that authenticates to the backing databases must have the following roles:
- clusterAdmin if the database is a sharded cluster, otherwise clusterMonitor
You should find the client certificate in the PEM file you specified in the mongodb.ssl.PEMKeyFile setting.
Prepend the value of the subject from the client certificate as a MongoDB user to the host.
Append authMechanism=MONGODB-X509 to the specified port.
mongo.mongoUri=mongodb://<new_mongodb_user>@mongod1.example.com:40000,mongod2.example.com:40000,mongod3.example.com:40000/?authMechanism=MONGODB-X509
Prepend the MongoDB username and password to the hostname in this format: <username>:<password>@.
Append the authentication mechanism to the port in this format: authMechanism=PLAIN&authSource=$external
mongo.mongoUri=mongodb://mongodbuser1:password@mongod1.example.com:40000,mongod2.example.com:40000,mongod3.example.com:40000/?authMechanism=PLAIN&authSource=$external
Prepend the hostname with the Kerberos user principal.
Write Kerberos UPNs as <username>@<KERBEROS REALM>. Escape the UPN using the URL encoded representation. A Kerberos user principal of username@REALM.EXAMPLE.COM would therefore become username%40REALM.EXAMPLE.COM.
Append the authentication mechanism to the port in this format: authMechanism=GSSAPI.
mongo.mongoUri=mongodb://username%40REALM.EXAMPLE.COM@mongod1.example.com:40000,mongod2.example.com:40000,mongod3.example.com:40000/?authMechanism=GSSAPI
Note
Modify Kerberos Settings
To enable Kerberos, modify the following settings:
Note
Ops Manager doesn't require the replicaSet option in the URI.
New in version: Ops Manager 4.4.0
If you choose a DNS seedlist connection string, include the DNS SRV record that describes your database's backing instance replica set. The connection string uses the mongodb+srv: protocol, not the mongodb: protocol.
mongo.mongoUri=mongodb+srv://db.example.com:40000
Prepend the MongoDB username and password to the hostname. Write the username and password in this format: <username>:<password>@
mongo.mongoUri=mongodb+srv://mongodbuser1:password@mongod.example.com:40000
Note
Necessary MongoDB Roles
The MongoDB user that authenticates to the backing databases must have the following roles:
- clusterAdmin if the database is a sharded cluster, otherwise clusterMonitor
You should find the client certificate in the PEM file you specified in the mongodb.ssl.PEMKeyFile setting.
Prepend the value of the subject from the client certificate as a MongoDB user to the host.
Append authMechanism=MONGODB-X509 to the specified port.
mongo.mongoUri=mongodb+srv://<new_mongodb_user>@mongod.example.com:40000/?authMechanism=MONGODB-X509
Prepend the MongoDB username and password to the hostname in this format: <username>:<password>@.
Append the authentication mechanism to the port in this format: authMechanism=PLAIN&authSource=$external
mongo.mongoUri=mongodb+srv://mongodbuser1:password@mongod.example.com:40000/?authMechanism=PLAIN&authSource=$external
Prepend the hostname with the Kerberos user principal.
Write Kerberos UPNs as <username>@<KERBEROS REALM>. Escape the UPN using the URL encoded representation. A Kerberos user principal of username@REALM.EXAMPLE.COM would therefore become username%40REALM.EXAMPLE.COM.
Append the authentication mechanism to the port in this format: authMechanism=GSSAPI.
mongo.mongoUri=mongodb+srv://username%40REALM.EXAMPLE.COM@mongod.example.com:40000/?authMechanism=GSSAPI
Note
Modify Kerberos Settings
To enable Kerberos, modify the following settings:
This option requires a DNS SRV record for the application database. The DNS entry uses the DNS seedlist string format. Make sure Ops Manager can connect to this application database.
If you use a sharded cluster for the database's backing instance, your connection string may include either the hostnames of all mongos routers or the hostname for the DNS seedlist.
If you choose a standard connection string, include all shards in the URI. If you omit the port number, Ops Manager uses the default 27017 port for all hosts.
mongo.mongoUri=mongodb://mongos1.example.com:40000,mongos2.example.com:40000
Prepend the MongoDB username and password to the hostname. Write the username and password in this format: <username>:<password>@
mongo.mongoUri=mongodb://mongodbuser1:password@mongos1.example.com:40000,mongos2.example.com:40000
Note
Necessary MongoDB Roles
The MongoDB user that authenticates to the backing databases must have the following roles:
- clusterAdmin if the database is a sharded cluster, otherwise clusterMonitor
You should find the client certificate in the PEM file you specified in the mongodb.ssl.PEMKeyFile setting.
Prepend the value of the subject from the client certificate as a MongoDB user to the host.
Append authMechanism=MONGODB-X509 to the specified port.
mongo.mongoUri=mongodb://<new_mongodb_user>@mongos1.example.com:40000,mongos2.example.com:40000/?authMechanism=MONGODB-X509
Prepend the MongoDB username and password to the hostname in this format: <username>:<password>@.
Append the authentication mechanism to the port in this format: authMechanism=PLAIN&authSource=$external
mongo.mongoUri=mongodb://mongodbuser1:password@mongos1.example.com:40000,mongos2.example.com:40000/?authMechanism=PLAIN&authSource=$external
Prepend the hostname with the Kerberos user principal.
Write Kerberos UPNs as <username>@<KERBEROS REALM>. Escape the UPN using the URL encoded representation. A Kerberos user principal of username@REALM.EXAMPLE.COM would therefore become username%40REALM.EXAMPLE.COM.
Append the authentication mechanism to the port in this format: authMechanism=GSSAPI.
mongo.mongoUri=mongodb://username%40REALM.EXAMPLE.COM@mongos1.example.com:40000,mongos2.example.com:40000/?authMechanism=GSSAPI
Note
Modify Kerberos Settings
To enable Kerberos, modify the following settings:
Note
Ops Manager doesn't require the replicaSet option in the URI.
New in version: Ops Manager 4.4.0
If you choose a DNS seedlist connection string, include the DNS SRV record that describes your database's backing instance sharded cluster. The connection string uses the mongodb+srv: protocol, not the mongodb: protocol.
mongo.mongoUri=mongodb+srv://db.example.com:40000
Prepend the MongoDB username and password to the hostname. Write the username and password in this format: <username>:<password>@
mongo.mongoUri=mongodb+srv://mongodbuser1:password@mongos.example.com:40000
Note
Necessary MongoDB Roles
The MongoDB user that authenticates to the backing databases must have the following roles:
- clusterAdmin if the database is a sharded cluster, otherwise clusterMonitor
You should find the client certificate in the PEM file you specified in the mongodb.ssl.PEMKeyFile setting.
Prepend the value of the subject from the client certificate as a MongoDB user to the host.
Append authMechanism=MONGODB-X509 to the specified port.
mongo.mongoUri=mongodb+srv://<new_mongodb_user>@mongos.example.com:40000/?authMechanism=MONGODB-X509
Prepend the MongoDB username and password to the hostname in this format: <username>:<password>@.
Append the authentication mechanism to the port in this format: authMechanism=PLAIN&authSource=$external
mongo.mongoUri=mongodb+srv://mongodbuser1:password@mongos.example.com:40000/?authMechanism=PLAIN&authSource=$external
Prepend the hostname with the Kerberos user principal.
Write Kerberos UPNs as <username>@<KERBEROS REALM>. Escape the UPN using the URL encoded representation. A Kerberos user principal of username@REALM.EXAMPLE.COM would therefore become username%40REALM.EXAMPLE.COM.
Append the authentication mechanism to the port in this format: authMechanism=GSSAPI.
mongo.mongoUri=mongodb+srv://username%40REALM.EXAMPLE.COM@mongos.example.com:40000/?authMechanism=GSSAPI
Note
Modify Kerberos Settings
To enable Kerberos, modify the following settings:
This option requires a DNS SRV record for the application database. The DNS entry uses the DNS seedlist string format. Make sure Ops Manager can connect to this application database.
mongo.encryptedCredentials
Type: boolean
To use encrypted credentials in mongo.mongoUri, encrypt the credentials using the Ops Manager credentialstool, enter them in the mongo.mongoUri setting, and set this to true:
mongo.encryptedCredentials=true
Kerberos Authentication to Ops Manager Application Database
mms.kerberos.debug
Type: boolean
Debug flag to output more information on Kerberos authentication process.
mms.kerberos.debug=false
mms.kerberos.keyTab
Type: string
Required if using Kerberos. The absolute path to the keytab file for the principal.
mms.kerberos.keyTab=/path/to/mms.keytab
mms.kerberos.principal
Type: string
Required if using Kerberos. Principal used to authenticate with MongoDB. This should be the exact same user as in the mongo.mongoUri.
mms.kerberos.principal=mms/mmsweb.example.com@EXAMPLE.COM
jvm.java.security.krb5.conf
Type: string
Optional. Path to an alternate Kerberos configuration file. The value is set to JVM's java.security.krb5.conf.
jvm.java.security.krb5.conf=/etc/conf/krb5.conf
TLS/SSL Connection to the Application Database
mongo.ssl
Type: boolean
Enables TLS connection to the Ops Manager Application Database when set to true.
mongodb.ssl.CAFile
Type: string
Name of the PEM file that contains the root certificate chain from the Certificate Authority that signed the MongoDB server certificate.
mongodb.ssl.PEMKeyFile
Type: string
Name of the PEM file that contains the X509 certificate and private key. Required if the MongoDB instance is running with the --tlsCAFile option or net.tls.CAFile setting.
The Extended Key Usage field of that certificate should include TLS Web client authentication.
If you authenticate using the MONGODB-X509 authentication mechanism, you also enter this as the name of the user in the mongoUri connection string.
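The following audit of the Application Database connection settings is an added example, not code from Ops Manager or its documentation. It checks a conf-mms.properties file for a plaintext password in mongo.mongoUri, a missing mongo.ssl, an unescaped Kerberos UPN, and the per-mechanism settings described above. The function names, finding codes and sample files are constructed for illustration, and it assumes an absent boolean setting means disabled.

```python
from urllib.parse import unquote


def parse_properties(text):
    """Parse key=value lines of conf-mms.properties text, skipping comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")  # the URI itself contains '='
        if sep:
            props[key.strip()] = value.strip()
    return props


def split_mongo_uri(uri):
    """Return (userinfo, user, password, options) of a mongodb:// style URI."""
    rest = uri.partition("://")[2]
    authority, _, tail = rest.partition("/")
    userinfo = authority.rpartition("@")[0]  # everything before the LAST '@'
    user, _, password = userinfo.partition(":")
    query = tail.partition("?")[2]
    options = dict(p.partition("=")[::2] for p in query.split("&") if p)
    return userinfo, user, password, options


def is_true(props, key):
    # Assumption: a boolean setting that is absent is treated as disabled.
    return props.get(key, "false").lower() == "true"


def audit_appdb_connection(props):
    """Return a list of (code, message) findings for the connection settings."""
    uri = props.get("mongo.mongoUri", "")
    if not uri:
        return [("MISSING_URI", "mongo.mongoUri must be set on every server")]
    userinfo, user, password, options = split_mongo_uri(uri)
    mechanism = options.get("authMechanism", "")
    tls = is_true(props, "mongo.ssl")
    findings = []
    if password and not is_true(props, "mongo.encryptedCredentials"):
        findings.append(("PLAINTEXT_PASSWORD",
                         "encrypt the credentials with the credentialstool and "
                         "set mongo.encryptedCredentials=true"))
    if not tls:
        findings.append(("NO_TLS", "mongo.ssl is not true"))
        if mechanism == "PLAIN":
            # SASL PLAIN sends the password itself, so it relies on TLS.
            findings.append(("PLAIN_WITHOUT_TLS",
                             "authMechanism=PLAIN without mongo.ssl=true"))
    if "@" in userinfo:
        findings.append(("UPN_NOT_ENCODED",
                         "write '@' inside the user name as %40"))
    if mechanism == "MONGODB-X509" and not props.get("mongodb.ssl.PEMKeyFile"):
        findings.append(("X509_NO_CLIENT_CERT",
                         "mongodb.ssl.PEMKeyFile is required for MONGODB-X509"))
    if mechanism == "GSSAPI":
        for key in ("mms.kerberos.keyTab", "mms.kerberos.principal"):
            if not props.get(key):
                findings.append(("KERBEROS_SETTING_MISSING", key + " is not set"))
        principal = props.get("mms.kerberos.principal")
        if principal and unquote(user) != principal:
            findings.append(("KERBEROS_PRINCIPAL_MISMATCH",
                             "mms.kerberos.principal differs from the URI user"))
    return findings


def codes(text):
    """Finding codes only, for a conf-mms.properties file given as text."""
    return [code for code, _ in audit_appdb_connection(parse_properties(text))]


# Constructed sample files (not taken from a real deployment).
WEAK = """
mongo.mongoUri=mongodb://mongodbuser1:password@mongod1.example.com:40000,mongod2.example.com:40000/?authMechanism=PLAIN&authSource=$external
"""
KERBEROS_RAW_UPN = """
mongo.mongoUri=mongodb://username@REALM.EXAMPLE.COM@mongod1.example.com:40000/?authMechanism=GSSAPI
mongo.ssl=true
mms.kerberos.keyTab=/path/to/mms.keytab
mms.kerberos.principal=username@REALM.EXAMPLE.COM
"""
HARDENED = """
# X.509 client certificate, TLS enabled, no password in the file
mongo.mongoUri=mongodb://CN%3Dopsmgr%2CO%3DExample@mongod1.example.com:40000,mongod2.example.com:40000/?authMechanism=MONGODB-X509
mongo.ssl=true
mongodb.ssl.CAFile=/path/to/ca.pem
mongodb.ssl.PEMKeyFile=/path/to/client.pem
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("KERBEROS_RAW_UPN", KERBEROS_RAW_UPN),
                       ("HARDENED", HARDENED)):
        print(name, codes(text))
```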
Automation Default Paths
automation.default.backupAgentLogFile
Type: string
Default: /var/log/mongodb-mms-automation/backup-agent.log
Default path for the Backup logs on Linux/macOS.
automation.default.certificateAuthorityFile
Type: string
Default path for the Certificate Authority file on Linux/macOS.
automation.default.dataRoot
Type: string
Default: /data
Default data path for the MongoDB databases that Automation manages.
automation.default.downloadBase
Type: string
Default: /var/lib/mongodb-mms-automation
Default path for the Monitoring, Backup, and MongoDB binaries for the deployments managed by Automation on Linux/macOS.
automation.default.monitoringAgentLogFile
Type: string
Default: /var/log/mongodb-mms-automation/monitoring-agent.log
Default path for the Monitoring logs on Linux/macOS.
mms.agentCentralUrl
Type: string
FQDN of the Ops Manager Application to which the legacy Monitoring Agents or MongoDB Agents push monitoring data.
Uses the value of mms.centralUrl if not set.
Important
If you plan on accessing your Ops Manager Application using its IPv6 address, you must enclose the IPv6 address in square brackets ([ ]) to separate it from its port number.
For example:
http://[2600:1f16:777:8700:93c2:b99c:a875:2b10]:8080
Backup
mms.alerts.BackupAgentConfCallFailure.maximumFailedConfCalls
Type: integer
Default: 10
If the Backup experiences more than this number of consecutive failed conf calls, Ops Manager triggers the following global alert: Backup has too many conf call failures.
mms.alerts.OutsideSpaceUsedThreshold.maximumSpaceUsedPercent
Type: integer
Default: 85
If the blockstore uses at least this percentage of its total disk capacity, Ops Manager triggers the following system alert: Blockstore space used exceeds threshold.
mms.backupCentralUrl
Type: string
FQDN of the Ops Manager Application to which the legacy Backup Agents or MongoDB Agents send backup data.
Uses the value of mms.centralUrl if not set.
Important
If you plan on accessing your Ops Manager Application using its IPv6 address, you must enclose the IPv6 address in square brackets ([ ]) to separate it from its port number.
For example:
http://[2600:1f16:777:8700:93c2:b99c:a875:2b10]:8080
mms.backup.journal.heads
Type: boolean
Default: False
This sets whether the HEAD database should use journaling. See Manage Backup Jobs to enable or disable journaling for the head database of a single backup job.
FCV 4.2 and later use backup cursors instead of head databases for backups.
mms.backup.minimumOplogWindowHours
Type: float
Default: 3
This sets the minimum number of hours of database operations that the oplog should record.
Your deployment's oplog needs to be large enough to hold recovery data since the last snapshot. Increase this value to have Ops Manager monitor the oplog capacity. You should set this value to meet or exceed the value in brs.snapshotSchedule.interval.
If you set the value to less than brs.snapshotSchedule.interval, you may have a gap between the last snapshot and the end of the oplog. This makes the backup unusable for restores. Stale backup jobs must be resynchronized before they can be used for restores.
Backup Snapshots
backup.fileSystemSnapshotStore.gzip.compressionLevel
Type: integer
Default: 6
Determines how much Ops Manager compresses file system-based snapshots. The level ranges from 0 to 9:
- 0 provides no compression.
- 1 to 9 increases the degree of compression at a cost of how fast the snapshot is compressed. Level 1 compresses snapshots the least but at the fastest speed. Level 9 compresses snapshots the most but at the slowest speed.
Note
Changing File System Store Gzip Compression Level affects new snapshots only. It does not affect the compression level of existing snapshots.
Corresponds to File System Store Gzip Compression Level.
brs.restore.digest.method
Type: string
Default: SHA1
Specifies whether or not to generate a SHA1 checksum for restore archive files.
Accepted values are SHA1 or NONE.
Corresponds to Restore Digest Method.
brs.snapshotSchedule.interval
Type: integer
Default: 24
Specifies the time, in hours, between two consecutive snapshots.
Accepted values are: 6, 8, 12, or 24
Corresponds to Snapshot Interval (Hours)
brs.snapshotSchedule.retention.base
Type: integer
Default: 2
Specifies how many days an interval snapshot is stored. The accepted values vary depending upon the value of brs.snapshotSchedule.interval:
brs.snapshotSchedule.interval | Accepted Values |
---|---|
<24 | 2, 3, 4, or 5. |
=24 | 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30. |
Corresponds to Base Retention of Snapshots.
brs.snapshotSchedule.retention.daily
Type: integer
Default: 0
Specifies how many days a daily snapshot is stored.
Accepted values are: 0, 3, 4, 5, 6, 7, 15, 30, 60, 90, 120, 180 or 360
Corresponds to Daily Retention of Snapshots.
brs.snapshotSchedule.retention.monthly
Type: integer
Default: 1
Specifies how many months a monthly snapshot is stored.
Accepted values are: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 18, 24, 36, 48, 60, 72, and 84
Corresponds to Monthly Retention of Snapshots (in Months)
brs.snapshotSchedule.retention.weekly
Type: integer
Default: 2
Specifies how many weeks a weekly snapshot is stored.
Accepted values are: 0, 1, 2, 3, 4, 5, 6, 7, 8, 12, 16, 20, 24, and 52
Corresponds to Weekly Retention of Snapshots.
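The snapshot schedule settings above constrain each other, and mms.backup.minimumOplogWindowHours must cover brs.snapshotSchedule.interval or restores can fail. The check below is an added example, not part of Ops Manager; the function name and finding codes are hypothetical, while the defaults and accepted values are the ones listed in this section. Note that the documented defaults (a 3 hour oplog window and a 24 hour interval) already trigger the oplog finding.

```python
# Defaults as documented in this section (values kept as strings, as they
# would appear in conf-mms.properties).
DEFAULTS = {
    "brs.snapshotSchedule.interval": "24",
    "brs.snapshotSchedule.retention.base": "2",
    "brs.snapshotSchedule.retention.daily": "0",
    "brs.snapshotSchedule.retention.weekly": "2",
    "brs.snapshotSchedule.retention.monthly": "1",
    "mms.backup.minimumOplogWindowHours": "3",
}

INTERVALS = {6, 8, 12, 24}
DAILY = {0, 3, 4, 5, 6, 7, 15, 30, 60, 90, 120, 180, 360}
WEEKLY = {0, 1, 2, 3, 4, 5, 6, 7, 8, 12, 16, 20, 24, 52}
MONTHLY = set(range(0, 14)) | {18, 24, 36, 48, 60, 72, 84}


def base_retention_values(interval):
    """Accepted base retention (days) depends on the snapshot interval."""
    return set(range(2, 6)) if interval < 24 else set(range(2, 31))


def check_snapshot_schedule(props):
    """Return finding codes for a dict of settings; missing keys use defaults."""
    cfg = {**DEFAULTS, **props}
    findings = []

    def number(key, cast=int):
        try:
            return cast(cfg[key])
        except ValueError:
            findings.append("NOT_A_NUMBER:" + key)
            return None

    def require(key, accepted):
        value = number(key)
        if value is not None and value not in accepted:
            findings.append("BAD_VALUE:" + key)
        return value

    interval = require("brs.snapshotSchedule.interval", INTERVALS)
    if interval is not None:
        require("brs.snapshotSchedule.retention.base",
                base_retention_values(interval))
    require("brs.snapshotSchedule.retention.daily", DAILY)
    require("brs.snapshotSchedule.retention.weekly", WEEKLY)
    require("brs.snapshotSchedule.retention.monthly", MONTHLY)

    # An oplog window shorter than the snapshot interval can leave a gap
    # between the last snapshot and the end of the oplog.
    window = number("mms.backup.minimumOplogWindowHours", float)
    if window is not None and interval is not None and window < interval:
        findings.append("OPLOG_WINDOW_BELOW_INTERVAL")
    return findings


if __name__ == "__main__":
    # Constructed inputs: documented defaults, then a 6 hour schedule.
    print(check_snapshot_schedule({}))
    print(check_snapshot_schedule({
        "brs.snapshotSchedule.interval": "6",
        "brs.snapshotSchedule.retention.base": "7",
        "mms.backup.minimumOplogWindowHours": "6",
    }))
```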
brs.pitWindowInHours
Type: integer
Default: 24
Duration time in hours when you can restore from a specific point-in-time (PIT).
Corresponds to PIT Window.
backup.kmip.server.host
Type: string
Default: None
Specifies the hostname of a KMIP server.
Starting in MongoDB 4.2.1 (and 4.0.14), you can specify more than one KMIP server in a comma-separated list.
Important
In MongoDB versions earlier than 4.0.14 or 4.2.1, Ops Manager uses only the first KMIP hostname in a list of KMIP server hostnames.
Corresponds to KMIP Server Host.
backup.kmip.server.port
Type: integer
Default: None
Specifies the port of the KMIP server.
Corresponds to KMIP Server Port.
backup.kmip.server.ca.file
Type: string
Default: None
Specifies a .PEM-format file that contains one or more certificate authorities.
Corresponds to KMIP Server CA File.
mms.backup.snapshot.maxSumFileForWorkersMB
Type: integer
Default: 2048
This sets the maximum cumulative size of files, in Megabytes, that are saved concurrently when taking a snapshot.
mms.backup.snapshot.maxWorkers
Type: integer
Default: 4
This sets the number of files that are saved concurrently when taking a snapshot. Increasing the value of this setting can improve backup job performance when there are a large number of small files in a high latency environment.
Queryable Snapshot Configuration
brs.queryable.connecttimeout
Type: integer
Default: 30
Number of seconds to wait for a connection to the Queryable Snapshot mongod instance before timing out.
Corresponds to Mongo Connection Timeout.
brs.queryable.expiration
Type: integer
Default: 24
Duration time in hours for a Queryable Snapshot once initiated.
Corresponds to Expiration (Hours).
brs.queryable.lruCacheCapacityMB
Type: integer
Default: 512
Size (in megabytes) that you allocate from the JVM heap for the global snapshot cache. The global snapshot cache optimizes repeated queries for the same snapshot data to the Queryable Snapshots.
Important
MongoDB does not advise changing this value unless MongoDB support directs you to change it.
Corresponds to Read Cache Size (MB).
brs.queryable.mounttimeout
Type: integer
Default: 60
Number of seconds to wait for the Queryable Snapshot to prepare before timing out.
Corresponds to Queryable Startup Timeout.
brs.queryable.pem.pwd
Type: string
Required if Proxy Server PEM File is encrypted.
Note
After updating Proxy Server PEM File Password, restart the Web Server for the change to take effect.
Corresponds to Proxy Server PEM File Password.
brs.queryable.pem
Type: string
Required if using Queryable Snapshot. PEM file that contains the full certificate chain for one or more trusted certificates and the associated private keys.
Proxy Server PEM File has the following restrictions:
- This PEM file must be different than the one used for HTTPS connections to Ops Manager (mms.https.PEMKeyFile).
- This PEM file should use a key length greater than 512-bit. Using a 2048-bit RSA key is recommended.
- This PEM file should use a message digest stronger than sha1, such as sha256.
Note
After updating Proxy Server PEM File, restart the Web Server for the change to take effect.
Corresponds to Proxy Server PEM File.
brs.queryable.proxyPort
Type: integer
Default: 25999
Port for the queryable backup host.
Note
After updating Proxy Server Port, restart the Web Server for the change to take effect.
Corresponds to Proxy Server Port.
brs.queryable.tls.disabledProtocols
Type: string
Default: SSLv2Hello,SSLv3,TLSv1,TLSv1.1,TLSv1.3
TLS protocol versions that have been disabled for queryable snapshots and restores.
brs.queryable.tls.disabledCiphers
Type: string
Default: TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
List of TLS cipher suites that your Ops Manager instance can't accept when clients connect to the queryable backup host. Specify TLS cipher suite names as a comma-separated list with no whitespace between entries.
Diagnostic Archive
mms.admin.diagnostics.archiveDocCountLimit
Type: integer
Default: 10000
Maximum number of entries that Ops Manager should retrieve from the activity feed.
mms.admin.diagnostics.archiveDocSizeLimit
Type: integer
Default: 7
Maximum number of days of data that Ops Manager should retrieve from the activity feed.
mms.admin.diagnostics.archiveDocAgeLimit
Type: integer
Default: 7
Maximum number of days of data that Ops Manager should retrieve from the activity feed.
mms.fromEmailAddr
Type: string
Email address used for sending the general emails, such as Ops Manager alerts. You can include an alias with the email address.
mms.fromEmailAddr=mms-alerts@example.com
Corresponds to From Email Address.
mms.replyToEmailAddr
Type: string
Email address from which to send replies to general emails.
Corresponds to Reply To Email Address.
mms.adminEmailAddr
Type: string
Email address of the Ops Manager admin. This address receives emails related to problems with Ops Manager.
Corresponds to Admin Email Address.
mms.emailDaoClass
Type: string
Default: SIMPLE_MAILER
Email interface to use.
This setting is labeled in different ways for the user interface and the configuration file.
Delivery Method | Configuration Setting (mms.emailDaoClass) |
---|---|
AWS SES | AWS_MAILER |
SMTP | SIMPLE_MAILER |
If you set this to SMTP Email Server, you must set:
If you set this to AWS Simple Email Service, you must set:
Corresponds to Email Delivery Method Configuration.
SMTP Email Server
Conditional. The following settings appear if you set mms.emailDaoClass to SIMPLE_MAILER.
mms.mail.transport
Type: string
Default: smtp
Transfer protocol your email provider specifies:
- smtp (standard SMTP)
Corresponds to Transport.
mms.mail.hostname
Type: string
Default: localhost
Email hostname your email provider specifies.
mms.mail.hostname=mail.example.com
Corresponds to SMTP Server Hostname.
mms.mail.port
Type: number
Default: 25
Port number for SMTP your email provider specifies.
Corresponds to SMTP Server Port.
mms.mail.username
Type: string
User name of the email account. If unset, defaults to disabled SMTP authentication.
Corresponds to Username.
mms.mail.password
Type: string
Password for the email account. If left blank, this setting disables SMTP authentication.
Corresponds to Password.
mms.mail.tls
Type: boolean
Default: False
Set this to true if the transfer protocol uses TLS/SSL.
Corresponds to Use SSL.
AWS Simple Email Service
Conditional. The following settings appear if you set mms.emailDaoClass to AWS_MAILER.
aws.ses.endpoint
Type: string
Default: https://email.us-east-1.amazonaws.com
Sets the sending API endpoint for the AWS SES.
Corresponds to AWS Endpoint.
aws.accesskey
Type: string
Access key ID for AWS.
Corresponds to AWS Access Key.
aws.secretkey
Type: string
Secret access key for AWS.
Corresponds to AWS Secret Key.
HTTP Proxy
http.proxy.host
Type: string
Specify the hostname of the HTTP or HTTPS proxy to which you wish to connect.
http.proxy.host=proxy.example.com
Corresponds to Proxy Host.
http.proxy.port
Type: integer
Specify the port on which you wish to connect to the host. You must specify both the Proxy Port and Proxy Host to use a proxy.
Corresponds to Proxy Port.
http.proxy.username
Type: string
If the proxy requires authentication, use this setting to specify the username with which to connect to the proxy.
Corresponds to Proxy Username.
http.proxy.password
Type: string
If the proxy requires authentication, use this setting to specify the password with which to connect to the proxy.
Corresponds to Proxy Password.
http.proxy.nonProxyHosts
Type: string
Specify a pipe-separated (|) list of internal hosts to bypass the outgoing proxy that you configured.
*.foo.com|localhost
Corresponds to Non Proxy Hosts.
Kubernetes Setup
kubernetes.templates.credentialsFilePath
Type: string
Path to the YAML file that contains your Programmatic API Key as a Kubernetes secret to create or update objects in your Ops Manager project. This file must be in YAML format and must be stored under the /mongodb-ops-manager/ directory. This file corresponds to Kubernetes Secret Setup.
apiVersion: v1
kind: Secret
metadata:
  name: organization-secret
  namespace: mongodb
stringData:
  user: ${publicKey}
  publicApiKey: ${privateKey}
kubernetes.templates.projectFilePath
Type: string
Path to the YAML file that contains the ConfigMap to use to link to your Ops Manager project. This file must be in YAML format and must be stored under the /mongodb-ops-manager/ directory. This file corresponds to Kubernetes ConfigMap Setup.
MongoDB Version Management
automation.versions.source
Type: string
Default: remote
Indicates the source of MongoDB installer binaries.
Accepted values for automation.versions.source and the conditions that must exist to set the value are:
Value | Condition |
---|---|
remote | Ops Manager and Agents have internet access. |
hybrid | Ops Manager has internet access, but Agents do not. Ops Manager downloads MongoDB binaries from the internet; Agents download the binaries from Ops Manager. |
local | Neither Ops Manager nor the Agents have internet access. An Ops Manager administrator must upload the version manifest and the MongoDB binaries to the Ops Manager host, as described in Configure Deployment to Have Limited Internet Access. |
Corresponds to Installer Download Source.
automation.versions.download.baseUrl
Type: string
Default: mongodb.com, fastdl.mongodb.org
HTTP(S) endpoint to fetch MongoDB binaries from. If the endpoint is an HTTPS endpoint, the Certificate Authority file specified by httpsCAFile will be used to validate the certificate. If automation.versions.download.baseUrl is unset, the remote URLs for mongodb binaries are mongodb.com and fastdl.mongodb.org.
Corresponds to Base URL.
automation.versions.download.baseUrl.allowOnlyAvailableBuilds
Type: boolean
Default: True
When set to true, Ops Manager limits the MongoDB versions you can specify to those available for your deployment.
This setting is applied only when automation.versions.download.baseUrl is set with a custom value.
automation.versions.directory
Type: string
Default: /opt/mongodb/mms/mongodb-releases/
Specify the directory on the Ops Manager Application server where Ops Manager stores the MongoDB binaries. The Automation accesses the binaries when installing or changing versions of MongoDB on your deployments. If you set Version Manifest Source to run in Local mode, the Backup Daemons also access the MongoDB binaries from this directory. See Configure Deployment to Have Limited Internet Access for more information.
Corresponds to Versions Directory.
mongodb.release.autoDownload
Type: boolean
Default: True
Flag indicating whether the Backup Daemons automatically install the versions of MongoDB that the Backup Daemons need.
- true: The daemons retrieve the binaries from MongoDB Inc. over the internet.
- false: Backup Daemons do not have internet access and require that an Ops Manager administrator manually download and extract every archived version of a MongoDB release that the backup daemons need. The administrator must place the extracted binaries into the Versions Directory on the Ops Manager hosts.
Warning
Set to false when Ops Manager is running in Local Mode.
Corresponds to Backup Versions Auto Download.
mongodb.release.autoDownload.enterprise
Type: boolean
Flag indicating whether the Backup Daemons automatically install the Enterprise editions of the versions of MongoDB that the Backup Daemons need. Requires mongodb.release.autoDownload be set to true.
Warning
If you plan on running MongoDB Enterprise on Linux hosts, then you must manually install a set of dependencies to each host before installing MongoDB. The MongoDB manual provides the appropriate command to install the dependencies.
Corresponds to Backup Versions Auto Download Enterprise Builds
mongodb.release.modulePreference
Type: string
Specifies whether to use MongoDB Community or Enterprise binaries for backup.
Accepted values are:
enterprisePreferred
enterpriseRequired
communityRequired
When enterpriseRequired or communityRequired is selected, Ops Manager only uses those binaries for backup. When enterprisePreferred is selected, Ops Manager uses Enterprise binaries if available and Community binaries if they are not.
Note
When enterpriseRequired is selected, you must either set mongodb.release.autoDownload.enterprise to true or manually place Enterprise binaries in the automation.versions.directory in Local Mode.
Warning
Backup fails when either enterpriseRequired or communityRequired is selected, but the automation.versions.directory does not contain the required binary.
Corresponds to Required Module For Backup.
MongoDB Usage
mms.mongoDbUsage.defaultUsageType
Type: string
Default: Production Server
Default MongoDB Enterprise server type for all Enterprise processes that this Ops Manager instance manages.
The following table shows the accepted Server Type values and the corresponding number of licenses required for each:
Server Intention | Environment Purpose | License Requirement |
---|---|---|
Production Server | Hosts your application to your internal or external end users. If an end user might use an environment, it functions as a Production environment. This applies whether the environment also provides testing, quality assurance, evaluation, or development capabilities. | One license per server |
Test/QA Server | This type of environment can be used to: Test: Exercises your application to verify that it works as designed and expected. The platform configuration might be a less performant version of Production in compute, network, and storage capability. Assure system quality: Validates your application against a combination of data, hardware, and software configured to simulate Production. The platform configuration should be a smaller scale of Production in compute, network, and storage capability. Stage: Simulates the Production environment including performance testing and release candidate approval. The platform configuration should mirror Production in compute, network, and storage capability. | One license per server |
Development Server | Hosts in progress design, code, debugging or some combination thereof for your application. Used to evaluate if the current state of your application can be promoted to another environment. | None |
RAM Pool | Provides any combination of servers for any environment purpose. | One license for any number of servers up to the maximum of the total GB of RAM you purchased across these servers. |
Backing Database | Hosts your Ops Manager backing database. Enable Application Database Monitoring to enable this option. | None |
Corresponds to Default Ops Manager MongoDB Server Type.
mms.mongoDbUsage.ui.enabled
Type: boolean
Enables the MongoDB Usage UI in the Ops Manager Admin if set to true.
Corresponds to MongoDB Usage UI.
mms.mongoDbUsage.collectData
Type: boolean
Default: False
Enables the daily collection of MongoDB Usage Data if set to true.
Corresponds to MongoDB Usage Data Collection.
Monitoring
mms.agentCentralUrl
Type: string
FQDN of the Ops Manager Application to which the legacy Monitoring Agents or MongoDB Agents push monitoring data.
Uses the value of mms.centralUrl if not set.
Important
If you plan on accessing your Ops Manager Application using its IPv6 address, you must enclose the IPv6 address in square brackets ([ ]) to separate it from its port number.
For example:
http://[2600:1f16:777:8700:93c2:b99c:a875:2b10]:8080
Monitoring Failover
You can activate the Monitoring function on multiple MongoDB Agents to distribute monitoring assignments and provide failover. Ops Manager distributes monitoring assignments among up to 100 running MongoDB Agents. Each MongoDB Agent running active Monitoring monitors a different set of MongoDB processes. One MongoDB Agent running active Monitoring per project is the primary Monitor. The primary Monitor reports the cluster's status to Ops Manager. As MongoDB Agents have Monitoring enabled or disabled, Ops Manager redistributes assignments. If the primary Monitor fails, Ops Manager assigns another MongoDB Agent running active Monitoring to be the primary Monitor.
The following settings tune the interval Ops Manager uses to determine if a MongoDB Agent running Monitoring is inaccessible and the frequency with which standby agents poll Ops Manager to determine if they should receive monitoring assignments.
mms.monitoring.agent.session.timeoutMillis
Type: integer
Default: 90000
Interval that Ops Manager uses to determine if a standby agent should start monitoring. If Ops Manager does not hear from a MongoDB Agent running Monitoring for the duration specified, Ops Manager promotes a standby agent. Configuring the timeout below 90000 (90 seconds) will cause Ops Manager to fail at startup with a configuration error.
mms.monitoring.agent.standbyCollectionFactor
Type: integer
Default: 4
Specifies how frequently a standby agent checks in with Ops Manager to see if it should start monitoring. The following values are permitted:
Value | Standby Agents Check Frequency |
---|---|
1 | Every 55 seconds |
2 | Every 27 seconds |
3 | Every 18 seconds |
4 | Every 14 seconds |
Ops Manager Administration API
mms.publicApi.whitelistEnabled
Type: boolean
Certain API calls require that requests originate from an IP address in the access list. To turn off this requirement, add this setting and set its value to false.
Push Live Migrations
mms.pushLiveMigrations.mmsUi.centralUrl
Type: string
Base URL for Live Migration from Ops Manager to Atlas, such as
https://cloud.mongodb.com
.
mms.pushLiveMigrations.syncJobs.enabled
Type: boolean
If set to true, allows Ops Manager to request information about Live Migration processes, such as:
The list of available projects and deployments that can be used as sources for Live Migrations.
The list of available configured migration hosts that can facilitate Live Migrations in their respective deployments and projects.
The current status of running Live Migrations in Atlas.
Ops Manager uses this information to facilitate Live Migration processes. The default is true.
mms.pushLiveMigrations.updateJob.intervalSeconds
Type: boolean
The repeat interval, in seconds, between sync refreshes. The syncs of the organization's project information between Ops Manager and Atlas occur periodically. The default interval between syncs is 60. Ops Manager expects sync refreshes to occur within an interval from 10 to 43200 seconds (12 hours). If the actual interval between sync refreshes is longer than 43200 seconds or if the actual interval between sync refreshes is longer than 1800 seconds (30 minutes) during the validation phase, the Live Migration to Atlas might stall, time out, or fail.
Note
After updating this setting, restart the Web Server for the change to take effect.
mms.pushLiveMigrations.updateJob.cooldownSeconds
Type: boolean
The interval, in seconds, between information sync refreshes for an organization's project. The default interval between sync refreshes is 10. Ops Manager expects sync refreshes to occur within an interval from 10 to 43200 seconds (12 hours). If the actual interval between consecutive syncs is longer than 43200 seconds, the Live Migration to Atlas might stall, time out, or fail.
Note
After updating this setting, restart the Web Server for the change to take effect.
mms.pushLiveMigrations.fetchJob.intervalSeconds
Type: boolean
The repeat interval, in seconds, for syncing the Live Migration plan updates from Atlas. The plan lists the steps in the Atlas migration process. Ops Manager periodically retrieves the current plan from Atlas to check progress. Without this information, Ops Manager does not move the Live Migration process to the next stage.
The default interval between syncs is 60. Ops Manager expects sync refreshes to occur within an interval from 10 to 43200 seconds (12 hours). If the actual interval between consecutive syncs is longer than 43200 seconds, the Live Migration to Atlas might stall, time out, or fail.
Note
After updating this setting, restart the Web Server for the change to take effect.
Security
mms.security.disableBrowserCaching
Type: boolean
Default: False
When true, Ops Manager makes all HTTP responses not cacheable.
mms.security.hstsMaxAgeSeconds
Type: integer
Default: 0 (Can use HTTP or HTTPS.)
How long (in seconds) Ops Manager limits browser connections to use HTTPS. This value must be a positive integer. A value of 0 means that it can use HTTP or HTTPS.
Tip
See also:
To learn how to deploy HSTS, see HTTP Strict Transport Security, RFC 6797 and hstspreload.org.
Non-Uniform Memory Access (NUMA)
mongodb.disable.numa
Type: boolean
To disable NUMA for the head databases, follow the Modify a Custom Setting procedure using the following values:
Key: mongodb.disable.numa
Value: true
To learn more about NUMA, see MongoDB and NUMA Hardware in the MongoDB Production Notes.
Important
Each Ops Manager instance with Backup Daemons enabled must have the numactl service installed. If numactl is not installed and this setting is set to true, backup jobs fail.
Ops Manager can encrypt any backup job. Use backup cursors instead of head databases to encrypt backup jobs. For more information, see Backup Daemon Service.
Third-Party Integrations
Datadog Integration
Opsgenie Integration
opsgenie.api.url
Type: string
Default: https://api.opsgenie.com/v2/alerts
URL that Ops Manager uses to access the Opsgenie API in European countries.
Enable this custom parameter if your Ops Manager instance runs in Europe. Then, set its value to https://api.eu.opsgenie.com/v2/alerts.
For more information, see Opsgenie Alert documentation.
Twilio Integration
To receive alert notifications via SMS or 2FA code, you must have a Twilio account.
twilio.account.sid
Type: string
Twilio account ID.
Corresponds to
Account SID
.
twilio.auth.token
Type: string
Twilio API token.
Corresponds to
Twilio Auth Token
.
twilio.from.num
Type: string
Twilio phone number.
Corresponds to
Twilio From Number
.
User Authentication
mms.email.validation
Type: string
Default: false
Determines if Ops Manager requires usernames to be email addresses.
Value | Description |
---|---|
false | (Default) Username is not required to be an email address. |
loose | Username must contain an @ symbol followed by a period. |
strict | Username must adhere to a strict email address validation regular expression. |
If set to strict, Ops Manager uses the following regular expression to validate that an email address adheres to the requirements described in Section 3 of RFC-3696:
^[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$
Example
jane.smith@example.com is valid. jane.smith@ex@mple.com is not.
Corresponds to Username Validation.
mms.userSvcClass
Type: string
Default: UserSvcDb
Select whether to store authentication credentials in the Ops Manager Application Database or in an LDAP directory.
Accepted values are:
Auth Method | Accepted Value |
---|---|
Application Database | UserSvcDb IMPORTANT: In Ops Manager 6.0, the accepted value is com.xgen.svc.mms.svc.user.UserSvcDb. If you use this old accepted value, your Ops Manager instance will not start during preflight checks. |
LDAP | UserSvcLdap |
SAML | UserSvcSaml |
Corresponds to User Authentication Method.
Authentication through Ops Manager Application Database
mms.password.maxDaysBeforeChangeRequired
Type: number
Number of days a password is valid before the password expires.
Corresponds to
Days Before Password Change Required
.
mms.password.maxDaysInactiveBeforeAccountLock
Type: number
Maximum number of days with no visits to the Ops Manager website before Ops Manager locks an account.
Corresponds to
Days Inactive Before Account Lock
.
mms.password.maxFailedAttemptsBeforeAccountLock
Type: number
Number of failed login attempts before an account becomes locked. Only an Ops Manager Administrator can unlock a locked account.
Corresponds to
Failed Login Attempts Before Account Lock
.
mms.password.minChangesBeforeReuse
Type: number
Number of previous passwords to remember. You cannot reuse a remembered password as a new password.
Corresponds to
Password Changes Before Reuse
.
mms.login.ratelimit.attemptsAllowed
Type: number
Number of logins a user from a specific IP address can attempt during a timeout period. You must configure this setting alongside Login Attempts Timeout Period.
Corresponds to Login Attempts Allowed Before Timeout.
mms.login.ratelimit.lockedPeriodMinutes
Type: number
This setting specifies:
The time period (in minutes) used to determine if too many login attempts have been made.
The duration that accounts are locked before you can resume login attempts.
You must configure this setting alongside Login Attempts Allowed Before Timeout.
Important
The dropdown menu lists the only possible values for this setting. Attempting to set a value in your conf-mms.properties file or local database that is not listed in the dropdown causes an error when restarting the Ops Manager instance.
Corresponds to Login Attempts Timeout Period.
mms.user.invitationOnly
Type: boolean
If true, new users can register by invitation only. The invitation provides a URL that displays the registration link. If false, new users can register if they have the Ops Manager URL.
Corresponds to
Invitation Only Mode
.
mms.user.bypassInviteForExistingUsers
Type: boolean
Default: False
This checkbox appears when you set mms.userSvcClass to UserSvcDb.
Value | Results |
---|---|
true | You can add existing users to any organization or project without an invitation. Ops Manager deletes and invalidates any pending invitations. New users continue to receive and must accept invitations. |
false | All users continue to receive and must accept invitations. |
Corresponds to Bypass Invitation Mode.
Authentication through LDAP
These settings configure Ops Manager to use an LDAP server for authentication. If you use LDAP authentication, users must belong to an LDAP group to log into Ops Manager. You must create LDAP groups for each Ops Manager user role.
Settings that begin with mms.ldap.global.role assign Ops Manager global roles to the members of the specified LDAP groups. Specify groups using the format used by the LDAP attribute specified in the LDAP User Group setting. You can specify multiple groups using the ;; delimiter. To change the default delimiter, use the mms.ldap.group.separator setting. Each Ops Manager global role provides its level of access to all the Ops Manager projects in the deployment. To provide access to specific groups, use group-level roles.
mms.ldap.bindDn
Type: string
LDAP user used to execute searches for other users.
mms.ldap.bindDn=authUser@acme.example.com
Corresponds to LDAP Bind Dn.
mms.ldap.bindPassword
Type: string
Password for the search user.
mms.ldap.bindPassword=<password>
Corresponds to LDAP Bind Password.
mms.ldap.global.role.automationAdmin
Type: string
LDAP group whose members have the global automation admin role in Ops Manager. Specify projects using the format used by the LDAP attribute specified in the LDAP User Group setting. You can specify multiple projects using the ;; delimiter. To change the default delimiter, use the mms.ldap.project.separator setting.
mms.ldap.global.role.automationAdmin=CN\=MMS-AutomationAdmin,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=com
Each Ops Manager global role provides its level of access to all the Ops Manager projects in the deployment. To provide access to specific projects, use group-level roles.
Corresponds to LDAP Global Role Automation Admin.
mms.ldap.global.role.backupAdmin
Type: string
LDAP group whose members have the global backup admin role in Ops Manager.
mms.ldap.global.role.backupAdmin=CN\=MMS-BackupAdmin,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=com
Corresponds to LDAP Global Role Backup Admin.
mms.ldap.global.role.monitoringAdmin
Type: string
LDAP group whose members have the global monitoring admin role in Ops Manager.
mms.ldap.global.role.monitoringAdmin=CN\=MMS-MonitoringAdmin,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=com
Corresponds to LDAP Global Role Monitoring Admin.
mms.ldap.global.role.owner
Type: string
LDAP group that has full privileges for the Ops Manager deployment, including full access to all Ops Manager projects and all administrative permissions. Users in the specified LDAP group receive the global owner role in Ops Manager. Specify the project using the format that is used by the LDAP attribute specified in the LDAP User Group setting.
mms.ldap.global.role.owner=CN\=MMSGlobalOwner,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=com
Corresponds to LDAP Global Role Owner.
mms.ldap.global.role.readOnly
Type: string
LDAP group whose members have the global read-only role in Ops Manager.
mms.ldap.global.role.readOnly=CN\=MMS-ReadOnly,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=com
Corresponds to LDAP Global Role Read Only.
mms.ldap.global.role.userAdmin
Type: string
LDAP group whose members have the global user admin role in Ops Manager.
mms.ldap.global.role.userAdmin=CN\=MMS-UserAdmin,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=com
Corresponds to LDAP Global Role User Admin.
mms.ldap.group.baseDn
Type: string
Default: LDAP User Base Dn value
Base Distinguished Name (DN) that Ops Manager uses to search for groups. If left blank, this setting uses the default value.
mms.ldap.group.baseDn=OU\=groups,DC\=acme,DC\=com
Corresponds to LDAP Group Base Dn.
mms.ldap.group.member
Type: string
Field on the group entry containing user Distinguished Names (DN). The groupOfNames or groupOfUniqueNames object classes are commonly used.
mms.ldap.group.member=member
Corresponds to LDAP Group Member Attribute.
mms.ldap.group.separator
Type: string
Default: ;;
To set the LDAP separator, follow the Modify a Custom Setting procedure using the following values:
Key: mms.ldap.group.separator
Value: <desired-separator>
Each of the global role values takes a delimited list of projects:
"dbas,sysadmins"
If a group value contains the delimiter, the delimiter must be set to another value.
Example
If you have the group value "CN\=foo,DN\=bar" and the delimiter is , then Ops Manager parses "CN\=foo,DN\=bar" as two elements rather than as the description for a single group.
mms.ldap.referral
Type: string
LDAP field used to set how to handle referrals. Accepts two values:
ignore: Ignore referrals.
follow: Automatically follow any referrals.
Corresponds to LDAP Referral.
mms.ldap.ssl.CAFile
Type: string
A file containing one or more trusted certificates in PEM format. Use this setting if you are using LDAPS and the server is using a certificate that is not from a well-known Certificate Authority.
mms.ldap.ssl.CAFile=/opt/CA.pem
Corresponds to LDAP SSL CA File.
mms.ldap.ssl.PEMKeyFile
Type: string
A file containing a client certificate and private key. Use this setting when your TLS/SSL LDAP server requires client certificates.
mms.ldap.ssl.PEMKeyFile=/opt/keyFile.pem
Corresponds to LDAP SSL PEM Key File.
mms.ldap.ssl.PEMKeyFilePassword
Type: string
Password for LDAP SSL PEM Key File. Use this setting if the PEMKeyFile is encrypted.
mms.ldap.ssl.PEMKeyFilePassword=<password>
Corresponds to LDAP SSL PEM Key File Password.
mms.ldap.url
Type: string
URI for the LDAP or LDAPS server.
mms.ldap.url=ldaps://acme-dc1.acme.example.com:3890
Corresponds to LDAP URI.
mms.ldap.user.baseDn
Type: string
Base Distinguished Name (DN) that Ops Manager uses to search for users.
Escape the = sign with \.
mms.ldap.user.baseDn=DC\=acme,DC\=example,DC\=com
Corresponds to LDAP User Base Dn.
mms.ldap.user.email
Type: string
Default: mail per RFC2256
LDAP user attribute that contains the user's email address. After successful LDAP authentication, Ops Manager synchronizes the specified LDAP attribute with the email address from the Ops Manager user record.
mms.ldap.user.email=mail
Corresponds to LDAP User Email.
mms.ldap.user.firstName
Type: string
Default: givenName per RFC2256
LDAP user attribute that contains the user's first name. After successful LDAP authentication, Ops Manager synchronizes the specified LDAP attribute with the first name from the Ops Manager user record.
mms.ldap.user.firstName=givenName
Corresponds to LDAP User First Name.
mms.ldap.user.group
Type: string
LDAP user attribute that contains the list of LDAP groups the user belongs to. The LDAP attribute can use any format to list the projects, including Common Name (cn) or Distinguished Name (dn). All Ops Manager settings in this configuration file that specify projects must match the chosen format.
Important
Ops Manager deprecated mms.ldap.user.group. Use mms.ldap.group.member.
If you provide values for:
Both mms.ldap.user.group and mms.ldap.group.member, Ops Manager uses mms.ldap.group.member and ignores mms.ldap.user.group.
mms.ldap.user.group only, Ops Manager doesn't recognize the user's membership in nested LDAP groups.
mms.ldap.user.group=memberOf
Corresponds to LDAP User Group.
mms.ldap.user.lastName
Type: string
Default: surname per RFC2256
LDAP user attribute that contains the user's last name. After successful LDAP authentication, Ops Manager synchronizes the specified LDAP attribute with the last name from the Ops Manager user record.
mms.ldap.user.lastName=sn
Corresponds to LDAP User Last Name.
mms.ldap.user.searchAttribute
Type: string
LDAP field used for the LDAP search. This is typically a username or an email address. The value of this field is also used as the Ops Manager username.
mms.ldap.user.searchAttribute=<myAccountName>
Corresponds to LDAP User Search Attribute.
mms.login.newDeviceNotification.enabled
Type: boolean
Indicates whether the user should be notified that they have logged in from a new device.
Corresponds to New Device Login Notification.
Authentication through SAML
mms.saml.idp.uri
Type: string
URI of the Identity Provider (IdP) that you use to coordinate your Single Sign-On. This might be referred to as the EntityId or the Identity Provider Issuer.
mms.saml.sso.url
Type: string
URL of the Single Sign-On endpoint that Ops Manager calls when a user attempts to sign in.
mms.saml.slo.url
Type: string
URL of the Single Logout endpoint that Ops Manager calls when a user attempts to log out. If set, when a user attempts to log out of Ops Manager, they log out of your IdP. If left blank, logging out of Ops Manager doesn't log the user out of their IdP session.
mms.saml.x509.cert
Type: string
Certificate provided by your IdP that Ops Manager uses to verify its validity to the IdP.
mms.saml.ssl.PEMKeyFile
Type: string
Absolute path to the PEM file for the certificate that the SP uses to sign requests, containing both the private and public key. If this is left blank, Ops Manager doesn't sign SAML auth requests to the IdP and you can't encrypt SAML assertions.
mms.saml.ssl.PEMKeyFilePassword
Type: string
Required if the PEM file contains an encrypted private key. Specify the password for PEM file.
mms.saml.encrypted.assertions
Type: boolean
Flag that indicates whether or not the IdP encrypts the assertions it sends to Ops Manager.
mms.saml.signedAssertions
Type: boolean
Default:
true
Flag that indicates whether or not the IdP signs the assertions it sends to Ops Manager.
Important
Ensure that either the assertions or the response are signed. The configuration will fail the verification and Ops Manager returns an error if either the assertions or the response aren't signed.
Corresponds to
SAML Signed Assertions
.
mms.saml.signedMessages
Type: boolean
Default:
true
Flag that indicates whether or not the IdP signs the responses it sends to Ops Manager.
Important
Ensure that either the assertions or the response are signed. The configuration will fail the verification and Ops Manager returns an error if either the assertions or the response aren't signed.
Corresponds to
SAML Signed Messages
.
mms.saml.signature.algorithm
Type: string
Algorithm to encrypt the signature sent to and from the IdP.
In the Select an Algorithm menu, there are five choices:
rsa-sha1
dsa-sha1
rsa-sha256
rsa-sha384
rsa-sha512
mms.saml.global.role.owner
Type: string
Group in the SAML Group Member Attribute whose members have full privileges over this deployment, including full access to all groups and all administrative permissions.
mms.saml.global.role.automationAdmin
Type: string
Group in the SAML Group Member Attribute whose members have the
Global Automation Admin
role.
mms.saml.global.role.backupAdmin
Type: string
Group in the SAML Group Member Attribute whose members have the
Global Backup Admin
role.
mms.saml.global.role.monitoringAdmin
Type: string
Group in the SAML Group Member Attribute whose members have the
Global Monitoring Admin
role.
mms.saml.global.role.userAdmin
Type: string
Group in the SAML Group Member Attribute whose members have the
Global User Admin
role.
mms.saml.global.role.readOnly
Type: string
Group in the SAML Group Member Attribute whose members have the
Global Read Only
role.
mms.saml.group.member
Type: string
Default:
groups
SAML Attribute that contains the list of groups Ops Manager uses to map roles to Projects and Organizations.
Corresponds to
SAML Group Member Attribute
.
Multi-Factor Authentication (MFA)
mms.multiFactorAuth.level
Type: string
Default: OFF
Configures the two-factor authentication "level":
Setting | Description |
---|---|
OFF | Disables two-factor authentication. Ops Manager does not use two-factor authentication. |
OPTIONAL | Users can choose to set up two-factor authentication for their Ops Manager account. |
REQUIRED_FOR_GLOBAL_ROLES | Users who possess a global role must set up two-factor authentication. Two-factor authentication is optional for all other users. |
REQUIRED | All users must set up two-factor authentication for their Ops Manager account. |
Two-factor authentication is recommended for the security of your Ops Manager deployment.
Warning
If enabling mms.multiFactorAuth.level through the configuration file, you must create a user account first before updating the configuration file. Otherwise, you cannot log in to Ops Manager.
Note
If you enable Twilio integration (optional), ensure that Ops Manager servers can access the twilio.com domain.
Corresponds to Multi-factor Auth Level.
mms.multiFactorAuth.allowReset
Type: boolean
Default: False
When true, Ops Manager allows users to reset their two-factor authentication settings via email in an analogous fashion to resetting their passwords.
To reset two-factor authentication, a user must:
be able to receive email at the address associated with the user account.
know the user account's password.
know the agent API key for each Ops Manager project the user belongs to.
Corresponds to Multi-factor Auth Allow Reset.
mms.multiFactorAuth.issuer
Type: string
If Google Authenticator provides two-factor authentication, this string is the issuer in the Google Authenticator app. If left blank, the issuer is the domain name of the Ops Manager installation.
Corresponds to Multi-factor Auth Issuer.
mms.multiFactorAuth.require
Type: boolean
Default: False
When true, Ops Manager will require two-factor authentication for users to log in or to perform certain destructive operations within the application.
If you configure Twilio integration, users may obtain their second factor tokens via Google Authenticator, SMS, or voice calls. Otherwise, the only mechanism to provide two-factor authentication is Google Authenticator.
reCaptcha and Session Length
reCaptcha.enabled.registration
Type: boolean
Default: false
Indicates whether you want a new user to validate themselves using reCaptcha validation when they register to use Ops Manager.
Set to true to require reCaptcha validation when a new user registers.
This setting requires a reCaptcha account.
Corresponds to ReCaptcha Enabled On Registration.
reCaptcha.enabled
Type: boolean
Default: false
Indicates whether you want a user to validate themselves using reCaptcha validation when they log into Ops Manager.
Set to true to require reCaptcha validation when a user logs in.
This setting requires a reCaptcha account.
Corresponds to ReCaptcha Enabled.
reCaptcha.private.key
Type: string
ReCaptcha private key associated with your account.
Corresponds to
ReCaptcha Private Key
.
reCaptcha.public.key
Type: string
ReCaptcha public key associated with your account.
Corresponds to
ReCaptcha Public Key
.
mms.session.maxHours
Type: number
Number of hours before a session on the Ops Manager website expires.
Note
Session Max Hours reflects the total Ops Manager session time, not just idle time. Both active and idle sessions expire when Session Max Hours elapses.
Set this value to 0 to use browser session cookies only.
Corresponds to Session Max Hours.
Web Server
mms.centralUrl
Type: string
FQDN and port number of the Ops Manager Application.
To use a port other than 8080, see Manage Ops Manager Hostname and Ports.
mms.centralUrl=http://mms.example.com:8080
Corresponds to URL to Access Ops Manager.
Important
If you plan on accessing your Ops Manager Application using its IPv6 address, you must enclose the IPv6 address in square brackets ([ ]) to separate it from its port number.
For example:
http://[2600:1f16:777:8700:93c2:b99c:a875:2b10]:8080
mms.https.PEMKeyFile
Type: string
Absolute path to the PEM file that contains the Ops Manager Application's valid certificate and private key. The PEM file is required if the Ops Manager Application uses HTTPS to encrypt connections between the Ops Manager Application, the agents, and the web interface.
The default port for HTTPS access to the Ops Manager Application is 8443, as set in <install_dir>/conf/mms.conf file. If you change this default, you must also change the port specified in the mms.centralUrl setting.
Corresponds to HTTPS PEM Key File.
mms.https.PEMKeyFilePassword
Type: string
Password for the HTTPS PEM key file. You must include this setting if the PEM key file contains an encrypted private key.
Corresponds to
HTTPS PEM Key File Password
.
mms.https.ClientCertificateMode
Type: string
Specifies if Ops Manager requires clients to present valid TLS/SSL client certificates when connecting to it. Accepted values are:
none
agents_only
required
Corresponds to
Client Certificate Mode
.
mms.https.CAFile
Type: string
Required if:
You are using a private certificate authority.
You set mms.https.ClientCertificateMode to agents_only or required.
You run Ops Manager in hybrid mode with TLS enabled.
Specifies the filesystem location of a private certificate authority file containing the list of acceptable client certificates. The Ops Manager Application authenticates HTTPS requests from clients bearing a certificate described in this file.
mms.https.CAFile=/path/to/ca_file.pem
Corresponds to CA File.
mms.https.dualConnectors
Type: boolean
Default: False
Enables connections to Ops Manager using HTTP and HTTPS concurrently.
You can use this setting temporarily while you upgrade Ops Manager and the MongoDB Agents to use TLS. To ensure zero downtime, set to true and provide a value for mms.http.bindhostname. After you configure Ops Manager and the MongoDB Agents, set to false.
Important
Ops Manager is accessible using insecure connections while mms.https.dualConnectors is true.
Set mms.https.dualConnectors to false to allow secure connections only after you have updated the MongoDB Agents to use TLS connections.
mms.http.bindhostname
Type: string
Default: 127.0.0.1
The hostname or IP at which MongoDB Agents can connect to Ops Manager using HTTP.
You can use this setting temporarily while you upgrade Ops Manager and the MongoDB Agents to use TLS. To ensure zero downtime, set a value and set mms.https.dualConnectors to true. After you configure Ops Manager and the MongoDB Agents, remove the value.
mms.remoteIp.header
Type: string
If you use a load balancer with the Ops Manager Application, set this to the HTTP header field the load balancer uses to identify the originating client's IP address to the Ops Manager host. When you specify Load Balancer Remote IP Header, do not allow clients to connect directly to any Ops Manager host. A load balancer placed in front of the Ops Manager hosts must not return cached content.
Once Load Balancer Remote IP Header is set, Ops Manager enables the following HTTP headers:
HTTP Header | Forwards to Ops Manager |
---|---|
 | Original host that the client requested in the Host HTTP request header. |
 | Protocol used to make the HTTP request. |
 | Hostname of the proxy server. |
 | HTTPS status of a request. |
To learn more, see Configure a Highly Available Ops Manager Application.
Corresponds to Load Balancer Remote IP Header.
mms.minimumTLSVersion
Type: string
Default: TLSv1.2
Specifies the TLS version required for clients to connect to Ops Manager. This property affects all clients, such as browsers used to connect to the Ops Manager Admin interface and command-line tools, such as curl, used to connect to the REST API.
- Ops Manager versions between 4.0.9 and 4.0.18 and earlier than 4.2.13 and 4.4.0: Ops Manager supports TLSv1.2 only. If you change this value to anything other than TLSv1.2, including a blank value, you can't connect to this Ops Manager.
- Ops Manager versions 4.0.0 to 4.0.8, 4.0.18 or later, 4.2.13 or later, 4.4.0 or later: Ops Manager supports TLSv1.0, TLSv1.1 and TLSv1.2.
Note
TLSv1.2 requires connecting clients to meet the following minimum requirements:
- Browser supports TLS version 1.2
- curl version 7.34.0+
- OpenSSL version 1.0.1+
To set minimum.TLSVersion, follow the Modify a Custom Setting procedure with the following values:
Key: minimum.TLSVersion
Value: <tls-versions>
mms.disableCiphers
Type: string
Default: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Specifies a list of TLS cipher suites which your instance of Ops Manager can't accept when clients connect to the Ops Manager Application and API. Specify TLS cipher suite names as a comma-separated list, as in the following example.
Important
Cipher suite names used in Ops Manager must follow RFC 5246 naming conventions. Do not use the OpenSSL naming convention. For convenience, Ops Manager logs a list of all supported cipher suite names during startup. If Ops Manager does not recognize a TLS cipher suite name, it logs the following warning:
Your config lists the following as ciphers which should be disabled as the JDK does not recognize them. Please check the format of the entries and list of enabled ciphers. [unrecognized_cipher_name]
To change mms.disableCiphers, follow the Modify a Custom Setting procedure with the following values:
Key: mms.disableCiphers
Value: <ciphers>
For example:
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Warning
Setting mms.disableCiphers to a custom value could re-enable one or more of these disabled ciphers.
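The following is an added example, not part of the Ops Manager documentation or product. It audits the TLS settings described above from key=value text: it flags mms.https.dualConnectors left at true, a minimum TLS version other than the default, cipher names that are not RFC-style, and default-disabled ciphers that a custom mms.disableCiphers value omits. It assumes that a custom value replaces the default list (as the warning above implies) and that the settings are available under the names in the entry headings; the function names and sample input are constructed.

```python
import re

# Default value of mms.disableCiphers, copied from the entry above.
DEFAULT_DISABLED = set("""
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
""".split())
RFC_NAME = re.compile(r"^(TLS|SSL)_[A-Z0-9_]+$")  # OpenSSL-style names use hyphens

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def audit(props):
    """Return (setting, finding) tuples for the TLS-related settings."""
    findings = []
    if props.get("mms.https.dualConnectors", "false").lower() == "true":
        findings.append(("mms.https.dualConnectors", "HTTP is still enabled alongside HTTPS"))
    tls = props.get("mms.minimumTLSVersion", "TLSv1.2")
    if tls != "TLSv1.2":
        findings.append(("mms.minimumTLSVersion", f"'{tls}' differs from the TLSv1.2 default"))
    if "mms.disableCiphers" in props:
        custom = {c.strip() for c in props["mms.disableCiphers"].split(",") if c.strip()}
        for name in sorted(c for c in custom if not RFC_NAME.match(c)):
            findings.append(("mms.disableCiphers", f"not an RFC-style name: {name}"))
        for name in sorted(DEFAULT_DISABLED - custom):
            findings.append(("mms.disableCiphers", f"re-enabled by custom value: {name}"))
    return findings

# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
mms.https.dualConnectors=true
mms.minimumTLSVersion=TLSv1.1
mms.disableCiphers=TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, DHE-RSA-AES256-SHA256
"""

if __name__ == "__main__":
    for setting, finding in audit(parse_properties(SAMPLE)):
        print(f"{setting}: {finding}")
```

To extend the disabled list safely, append new names to the full default value rather than replacing it; the audit then reports no re-enabled ciphers.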
Webhook
mms.alerts.webhook.adminEndpoint
Type: string
Corresponds to Webhook URL.
mms.alerts.webhook.adminSecret
Type: string
Corresponds to Webhook Secret.