This version of the documentation is archived and no longer supported. To learn how to upgrade your version of MongoDB Ops Manager, refer to the upgrade documentation.

Ops Manager Configuration Files

Overview

The Ops Manager Application and the Backup Daemon use the conf-mms.properties and conf-daemon.properties configuration files respectively. This document describes all available settings between the two files. Each configuration file uses a subset of the settings described here.

conf-mms.properties

The Ops Manager Application uses the conf-mms.properties configuration file. If you installed Ops Manager using an rpm or deb package, the file’s location is:

/opt/mongodb/mms/conf/

If you installed using a tar.gz file, the configuration file’s location is:

<install-directory>/conf/

If you installed on Windows, the file’s location is:

<install-folder>\Server\Config

By default, this is C:\MMSData\Server\Config.

conf-daemon.properties

The Backup Daemon uses the conf-daemon.properties configuration file. If you installed Ops Manager using an rpm or deb package, the file’s location is:

/opt/mongodb/mms-backup-daemon/conf/

If you installed using a tar.gz file, the configuration file’s location is:

<install-directory>/conf/

If you installed on Windows, the configuration file’s location is:

<install-folder>\BackupDaemon\Config

Mandatory Settings

To start the Ops Manager Application, you must configure the Ops Manager Application URL Settings and Email Address Settings in the conf-mms.properties file.

Security

For configuration settings that store credentials, you can either store the credentials in plain text or use the Ops Manager credentialstool to encrypt the credentials, as described in Encrypt MongoDB User Credentials.

If you choose to store credentials in plain text, reduce the permissions on the configuration file. For example:

sudo chmod 600 <install_dir>/conf/conf-mms.properties
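The following added example (not part of the Ops Manager documentation or tooling) audits a configuration file for the condition this section describes: credential-bearing settings present while the file is readable beyond its owner, or a mongo.mongoUri password without mongo.encryptedCredentials=true. The function names, finding labels and sample content are assumptions made for illustration; the setting names are the ones documented on this page.

```python
import os
import re
import stat

# Settings documented on this page whose value is a password, token or key.
SECRET_KEYS = {
    "mms.mail.password", "aws.secretkey", "twilio.auth.token",
    "mms.ldap.bindPassword", "reCaptcha.private.key",
    "mms.https.PEMKeyFilePassword", "mongodb.ssl.PEMKeyFilePassword",
}

# key, optional '=' or ':' separator, value; a backslash escapes the next char.
_LINE = re.compile(r"^\s*((?:\\.|[^\\=:\s])+)\s*[=:]?\s*(.*)$")


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_properties(text):
    """Return (key, value) pairs in file order.

    Simplified .properties reader: comments, '=' or ':' separators and
    backslash escapes (as in the LDAP DN examples) are handled; line
    continuations and unicode escapes are not. Pairs are kept in a list
    because the file can contain several mongo.mongoUri settings.
    """
    pairs = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        m = _LINE.match(stripped)
        if m:
            pairs.append((_unescape(m.group(1)), _unescape(m.group(2))))
    return pairs


def uri_has_password(uri):
    """True if the URI has <username>:<password>@ before the host list."""
    authority = uri.split("://", 1)[-1].split("/", 1)[0]
    if "@" not in authority:
        return False
    return ":" in authority.rsplit("@", 1)[0]


def audit(text, mode):
    """Return findings for the file content and its st_mode."""
    pairs = parse_properties(text)
    encrypted = any(k == "mongo.encryptedCredentials" and v.lower() == "true"
                    for k, v in pairs)
    findings, may_hold_plaintext = [], False
    for key, value in pairs:
        if key == "mongo.mongoUri" and uri_has_password(value) and not encrypted:
            may_hold_plaintext = True
            findings.append("PLAINTEXT_URI mongo.mongoUri has a password and "
                            "mongo.encryptedCredentials is not true")
        elif key in SECRET_KEYS and value:
            # Whether this value went through credentialstool cannot be told
            # from the file, so it is reported for review and never printed.
            may_hold_plaintext = True
            findings.append(f"SECRET_PRESENT {key}")
    if may_hold_plaintext and stat.S_IMODE(mode) & 0o077:
        findings.append(f"MODE {stat.S_IMODE(mode):o} allows group/other "
                        "access; expected 600")
    return findings


def audit_file(path):
    # Java .properties files are read as ISO-8859-1 by default.
    with open(path, encoding="iso-8859-1") as fh:
        return audit(fh.read(), os.stat(path).st_mode)


# Constructed sample for demonstration, not a real configuration.
SAMPLE = r"""
# conf-mms.properties (constructed)
mongo.mongoUri=mongodb://mongodbuser1:password@mydb1.example.net:40000
mongo.mongoUri=mongodb://username%40REALM.EXAMPLE.COM@mydb1.example.net:40000/?authMechanism=GSSAPI
mms.mail.username=
mms.mail.password=emailPassword
mms.ldap.user.baseDn=DC\=acme,DC\=example,DC\=net
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, 0o100644):
        print(finding)
```

Run audit_file() against the real path for your installation type; the Kerberos and x.509 URI forms carry no password and are not flagged.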

Settings

Ops Manager Application URL Settings

The following two settings are mandatory for the Ops Manager Application.

mms.centralUrl

Type: string

Required. Fully qualified URL, including the port number, of the Ops Manager Application. For example,

mms.centralUrl=http://mms.example.com:8080

If you wish to use a port other than 8080, Change the Ops Manager Ports describes how to change the ports that Ops Manager uses.

mms.backupCentralUrl

Type: string

Required. The hostname and port of the Backup HTTP Service. For example,

mms.backupCentralUrl=http://mms.example.com:8081

You must set mms.backupCentralUrl, even if you are only using Ops Manager Monitoring and not Ops Manager Backup.

If you wish to use a port other than 8081, Change the Ops Manager Ports describes how to change the ports that Ops Manager uses.

Load Balancer

Set the following when using a load balancer with the Ops Manager Application.

mms.remoteIp.header

Type: string

Specify the name of the header that the load balancer will use to specify the original client’s IP address to the application server.

See Configure a Highly Available Ops Manager Application for more information.

When you specify mms.remoteIp.header, do not allow clients to connect directly to any application server.

Ops Manager Application HTTPS Settings

You can configure the Ops Manager Application’s application servers to use HTTPS to encrypt connections between the Ops Manager Application, the agents, and the web interface.

The default port for HTTPS access to the Ops Manager Application is 8443, as set in <install_dir>/conf/mms.conf file. If you change this default, change the ports specified in the mms.centralUrl and mms.backupCentralUrl settings.

mms.https.PEMKeyFile

Type: string

Specify the PEM file that contains the application’s valid certificate and private key.

mms.https.PEMKeyFilePassword

Type: string

Required if the PEM file contains an encrypted private key. Specify the password for PEM file. You can encrypt the specified password using the Ops Manager credentialstool. See Encrypt MongoDB User Credentials.

Email Settings

Email Address Settings

The following email address settings are mandatory. You must define them before the Monitoring instance will start.

mms.fromEmailAddr

Type: string

Required. The email address used for sending the general emails, such as Ops Manager alerts. You can include an alias with the email address. For example:

mms.fromEmailAddr=|mms| Alerts <mms-alerts@example.com>

mms.replyToEmailAddr

Type: string

Required. The email address to send replies to general emails. For example:

mms.replyToEmailAddr=mms-no-reply@example.com

mms.adminFromEmailAddr

Type: string

Required. The email address to send messages from the Ops Manager admin. You can include an alias with the email address. For example:

mms.adminFromEmailAddr=|mms| Admin <mms-admin@example.com>

mms.adminEmailAddr

Type: string

Required. The email address to send messages or replies to the Ops Manager admin. You can include an alias with the email address. For example:

mms.adminEmailAddr=mms-admin@example.com

mms.bounceEmailAddr

Type: string

Required. The email address to send bounce messages, i.e. messages of non-delivery of alerts or messages from Ops Manager admin. For example:

mms.bounceEmailAddr=bounce@example.com

Email Service Settings

mms.emailDaoClass

Type: string

The email interface to use. For AWS Simple Email Service, specify com.xgen.svc.core.dao.email.AwsEmailDao, as in:

mms.emailDaoClass=com.xgen.svc.core.dao.email.AwsEmailDao

For AWS Simple Email Service, see also aws.accesskey and aws.secretkey.

For JavaEmailDao, specify com.xgen.svc.core.dao.email.JavaEmailDao, as in:

mms.emailDaoClass=com.xgen.svc.core.dao.email.JavaEmailDao

mms.mail.transport

Type: string

Default: smtp

Transfer protocol smtp or smtps as specified by your email provider. For example:

mms.mail.transport=smtp

mms.mail.hostname

Type: string

Default: localhost

Email hostname as specified by your email provider. For example:

mms.mail.hostname=mail.example.com

mms.mail.port

Type: number

Default: 25

Port number for the transfer protocol as specified by your email provider. For example:

mms.mail.port=25

mms.mail.tls

Type: boolean

Default: false

Indicator of whether the transfer protocol runs on top of TLS. For example:

mms.mail.tls=false

mms.mail.username

Type: string

User name of the email account. If unset, defaults to disabled SMTP authentication.

mms.mail.username=

mms.mail.password

Type: string

Password for the email account. If unset, defaults to disabled SMTP authentication.

mms.mail.password=emailPassword

aws.accesskey

Type: string

Required if using AWS Simple Email Service. The access key ID for AWS.

aws.accesskey=EXAMPLEAccessKeyID

aws.secretkey

Type: string

Required if using AWS Simple Email Service. The secret access key for AWS.

aws.secretkey=eXampLe/aCcESs/KEY

Twilio SMS Alert Settings

To receive alert notifications via SMS, you must have a Twilio account and specify your Twilio account information in the configuration file.

twilio.account.sid

Type: string

Twilio account ID.

twilio.auth.token

Type: string

Twilio API token.

twilio.from.num

Type: string

Twilio phone number.

MongoDB Settings

The following settings configure the Ops Manager connections to the Ops Manager Application Database.

Connection String

mongo.mongoUri

Type: string

Required. The connection string used to access the backing MongoDB instance. The conf-mms.properties file can contain multiple mongo.mongoUri settings. The following example specifies connection to a replica set:

mongo.mongoUri=mongodb://db1.example.net:40000,db2.example.net:40000,db3.example.net:40000

If you omit the port number, Ops Manager uses the default 27017 port for all hosts.

For a backing MongoDB instance with access control, the connection string must include authentication credentials. The connecting user must possess the readWriteAnyDatabase, dbAdminAnyDatabase, and clusterMonitor user roles. If the database is a sharded cluster, the clusterAdmin role is required instead of clusterMonitor.

The following examples show the formats to use for the different authentication mechanisms.

For a MongoDB instance using the default MONGODB-CR / SCRAM-SHA-1 challenge-response mechanism, prefix the hostname with the MongoDB username and password in the form <username>:<password>@

mongo.mongoUri=mongodb://mongodbuser1:password@mydb1.example.net:40000

For a MongoDB instance using MONGODB-X509 authentication, you must first add the value of the subject from the client certificate as a MongoDB user, as described in Use x.509 Certificates to Authenticate Clients in the MongoDB manual. The client certificate is contained in the PEM file you specify in the mongodb.ssl.PEMKeyFile setting. Once you have created the user, prefix the host specified in mongo.mongoUri with the name of the new user and append authMechanism=MONGODB-X509 after the specified port:

mongo.mongoUri=mongodb://<new_mongodb_user>@mydb1.example.net:40000/?authMechanism=MONGODB-X509

For a MongoDB instance using LDAP, prefix the hostname with the MongoDB username and password in the form <username>:<password>@, and append the authMechanism=PLAIN&authSource=$external options after the port:

mongo.mongoUri=mongodb://mongodbuser1:password@mydb1.example.net:40000/?authMechanism=PLAIN&authSource=$external

For a MongoDB instance using Kerberos, prefix the hostname with the Kerberos user principal and specify the authentication mechanism, authMechanism=GSSAPI, after the port.

Kerberos user principal names have the form <username>@<KERBEROS REALM>. You must escape the user principal, replacing symbols with the URL encoded representation. A Kerberos user principal of username@REALM.EXAMPLE.COM would therefore become username%40REALM.EXAMPLE.COM.

The following is an example of Kerberos authentication:

mongo.mongoUri=mongodb://username%40REALM.EXAMPLE.COM@mydb1.example.net:40000/?authMechanism=GSSAPI

To enable Kerberos authentication between the Ops Manager Application and the backup-database, see Kerberos Settings. See also authMechanism and authSource in the MongoDB manual.

MongoDB SSL Settings

The following settings in conf-mms.properties and conf-daemon.properties configure Ops Manager to use SSL to encrypt connections to the backing MongoDB instances that host the Ops Manager Application Database and Backup Blockstore Database.

mongo.ssl

Type: boolean

Enables SSL connection to the Ops Manager Application Database when set to true.

mongodb.ssl.CAFile

Type: string

The name of the PEM file that contains the root certificate chain from the Certificate Authority that signed the MongoDB server certificate.

mongodb.ssl.PEMKeyFile

Type: string

The name of the PEM file that contains the X509 certificate and private key. Required if the MongoDB instance is running with the --sslCAFile option. For more information on the option, see net.ssl.CAFile in the MongoDB manual.

If you authenticate using the MONGODB-X509 authentication mechanism, you also enter this as the name of the user in the mongoUri connection string.

mongodb.ssl.PEMKeyFilePassword

Type: string

Required if the PEM file contains an encrypted private key. Specify the password for PEM file. You can encrypt the specified password using the Ops Manager credentialstool. See Encrypt MongoDB User Credentials.

Encrypted Credentials

mongo.encryptedCredentials

Type: boolean

Add this property and set it to true if mongo.mongoUri contains the encrypted username and password:

mongo.encryptedCredentials=true

You must encrypt the username and password in mongo.mongoUri using the Monitoring credentialstool. See Encrypt MongoDB User Credentials.

Important

The conf-mms.properties file can contain multiple mongo.mongoUri settings. If mongo.encryptedCredentials is true, you must encrypt all user credentials found in the various mongo.mongoUri settings.

Automation Versions Settings

The following settings in the conf-mms.properties file determine how Ops Manager knows what MongoDB releases exist and from what servers the Automation Agent downloads the binaries for a MongoDB release.

automation.versions.source

Type: string

Default: mongodb

Selects whether the Automation Agents retrieve MongoDB binaries over the internet from MongoDB Inc. or locally from the Ops Manager Application server. Set this to mongodb if the Automation Agents have internet access to retrieve the binaries from MongoDB Inc. Set this to local if your Automation Agents cannot reach the internet. If you specify local, you must set the automation.versions.directory and place .tgz archive files for the MongoDB binaries in the specified directory. You must also provide the MongoDB version manifest. For details, see Configure Local Mode if Ops Manager has No Internet Access.

automation.versions.directory

Type: string

Default:

When automation.versions.source is set to local, this specifies the directory on the Ops Manager Application server from which the Automation Agents access MongoDB binaries when installing a new deployment or changing the MongoDB version of an existing deployment. You must download the desired MongoDB binaries as .tgz archive files and place the .tgz files in the specified directory.

Ops Manager Backup Daemon Settings

These settings are found only in the conf-daemon.properties file and are necessary only if you are using Ops Manager Backup.

rootDirectory

Type: string

The disk partition used by the Backup Daemon to dynamically create and maintain the replica set HEAD directories. For more information on HEADs, see the Backup functional overview.

This directory must be writable by the mongodb-mms user and must end in a trailing slash. It is critical that this partition is sized appropriately.

Important

Data in this directory is dynamically created, maintained and destroyed by the Backup Daemon. This partition should not be used for any other purpose. This partition should not overlap with the partition used for the Backup Blockstore database.

numWorkers

Type: number

The number of replica sets that should be processed at a time.

mongodb.release.directory

Type: string

Specifies the full path to the directory that contains every MongoDB release needed by the Backup Daemon. When backing up a replica set, the Backup Daemon must use a mongod that matches the version of the replica set being backed up.

Warning

If you use MongoDB Enterprise, you must pre-install the MongoDB Enterprise dependencies to all servers that run MongoDB Enterprise.

If you set mongodb.release.autoDownload to false, you must download the MongoDB releases manually. For each version needed, you must download the archive for that version and extract it into this directory. The extracted archive creates a subdirectory that uses the following naming convention: mongodb-<platform>-<architecture>-<version>.

Adhere to the following rules for populating the release directory:

  • The release directory can contain versions from either the MongoDB Community edition or MongoDB Enterprise, but not from both.
  • For the MongoDB 3.0 Community edition, do not use platform-specific archives. Instead, for all platforms that run MongoDB 3.0 Community, use the Linux 64-bit legacy archive from http://www.mongodb.org/downloads.

Important

If you are backing up MongoDB custom builds, you must manually place a matching binary distribution for each custom build in this directory.

Beginning in Ops Manager version 1.5, the Backup Daemon uses the following rules to match the MongoDB version of the replica set being backed up:

  • If the MongoDB version uses the MongoDB standard A.B.C version format, the daemon looks for a folder named mongodb-<platform>-<architecture>-A.B.x, where x is greater than or equal to C.
  • If the MongoDB version does not use the standard format, the daemon looks for a folder named mongodb-<platform>-<architecture>-<version>, where <version> ends with the MongoDB instance’s version. For example, if the source version is 2.4.10-abc, the daemon would match on mongodb-linux-x86_64-production-2.4.10-abc.

mongodb.release.autoDownload

Type: boolean

If you set this to true, Backup automatically downloads the latest release of MongoDB from mongodb.org/downloads and stores it in the directory specified by the mongodb.release.directory setting. Backup’s mongodb-fetch utility, located in the /opt/mongodb/backup-daemon/bin directory, runs once an hour to perform the downloads.

If you set this to false, you must manually download and install the needed MongoDB releases to the directory specified in the mongodb.release.directory setting. Downloads must adhere to the rules described in the mongodb.release.directory entry above.
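When mongodb.release.autoDownload is false, the version-matching rules listed under mongodb.release.directory decide whether a backup can find its mongod. The following added example (not Ops Manager code) applies those two rules to a list of folder names to find source versions with no matching release. It is one reading of the rules as stated: the folder name is split at the first two hyphens after the mongodb- prefix, and the function names and sample folder list are assumptions.

```python
import re

# mongodb-<platform>-<architecture>-<version>; platform and architecture are
# assumed to contain no hyphen, everything after them is the version field.
_DIR = re.compile(r"^mongodb-(?P<platform>[^-]+)-(?P<arch>[^-]+)-(?P<version>.+)$")
_STANDARD = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")  # the A.B.C format


def matching_release_dirs(source_version, dirnames):
    """Return the folder names that satisfy the matching rules for
    source_version, lowest patch release first."""
    std = _STANDARD.match(source_version)
    hits = []
    for name in dirnames:
        d = _DIR.match(name)
        if not d:
            continue  # not a release folder
        folder_version = d.group("version")
        if std:
            # Rule 1: folder is A.B.x with the same A.B and x >= C.
            f = _STANDARD.match(folder_version)
            if (f and f.group(1, 2) == std.group(1, 2)
                    and int(f.group(3)) >= int(std.group(3))):
                hits.append((int(f.group(3)), name))
        elif folder_version.endswith(source_version):
            # Rule 2: non-standard version, folder version ends with it.
            hits.append((0, name))
    return [name for _, name in sorted(hits)]


def unmatched_versions(source_versions, dirnames):
    """Versions of backed-up replica sets with no usable release folder."""
    return [v for v in source_versions
            if not matching_release_dirs(v, dirnames)]


# Constructed directory listing for demonstration.
SAMPLE_DIRS = [
    "mongodb-linux-x86_64-3.0.4",
    "mongodb-linux-x86_64-3.0.7",
    "mongodb-linux-x86_64-2.6.11",
    "mongodb-linux-x86_64-production-2.4.10-abc",
    "lost+found",
]

if __name__ == "__main__":
    for version in ["3.0.6", "2.6.12", "2.4.10-abc"]:
        print(version, "->", matching_release_dirs(version, SAMPLE_DIRS))
```

Note that a 2.6.12 source is not served by a 2.6.11 folder, because the folder's patch number must be greater than or equal to the source's.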

Advanced Backup Restore Settings

These settings affect Ops Manager Backup restore behaviors. They are found only in the conf-daemon.properties file.

mms.backup.restore.linkExpirationHours

Type: number

Default: 1

The amount of time in hours that a restore link is available.

mms.backup.restore.linkUnlimitedUses

Type: boolean

Default: false

Sets whether the link to a restored point-in-time snapshot can be used more than once. By default, when you create a point-in-time snapshot, the link to download the snapshot can be used just once. To allow multiple downloads of the snapshot, set this value to true.

mms.backup.restore.snapshotPITExpirationHours

Type: number

Default: 24

The length of time in hours that a link to a restored point-in-time snapshot is available. By default, the link is available for 24 hours after creation of the point-in-time snapshot.

Session Management Setting

mms.session.maxHours

Type: number

The number of hours before a session on the Ops Manager website expires.

mms.monitoring.agent.session.timeoutMillis

Type: number

Default: 300000

Minimum: 90000

The Monitoring Agent failover time, in milliseconds. If Ops Manager does not receive a deployment status from the primary Monitoring Agent in the time specified, Ops Manager will make a standby Monitoring Agent the new primary. Configuring the timeout below 90000 (90 seconds) will cause Ops Manager to fail at startup with a configuration error.

Password Policy Settings

You can configure the password policy for Ops Manager user accounts with the following settings:

mms.password.minChangesBeforeReuse

Type: number

The number of previous passwords to remember. You cannot reuse a remembered password as a new password.

mms.password.maxFailedAttemptsBeforeAccountLock

Type: number

The number of failed login attempts before an account becomes locked. Only an Ops Manager Administrator can unlock a locked account.

mms.password.maxDaysInactiveBeforeAccountLock

Type: number

The maximum number of days with no visits to the Ops Manager website before Ops Manager locks an account.

mms.password.maxDaysBeforeChangeRequired

Type: number

The number of days a password is valid before the password expires.

mms.multiFactorAuth.require

Type: boolean

Default: false

When true, Ops Manager will require two-factor authentication for users to log in or to perform certain destructive operations within the application.

If you configure Twilio integration, users may obtain their second factor tokens via Google Authenticator, SMS, or voice calls. Otherwise, the only mechanism to provide two-factor authentication is Google Authenticator.

mms.multiFactorAuth.allowReset

Type: boolean

Default: false

When true, Ops Manager will allow users to reset their two-factor authentication settings via email in an analogous fashion to resetting their passwords.

To reset two-factor authentication, a user must:

  • be able to receive email at the address associated with the user account
  • know the user account’s password
  • know the Agent API key for any Ops Manager Group of which the user is a member

mms.multiFactorAuth.issuer

Type: string

If Google Authenticator provides two-factor authentication, this string is the issuer in the Google Authenticator app. If left blank, the issuer is the domain name of the Ops Manager installation.

Public API

You can modify certain default behaviors of the Public API.

mms.publicApi.ignoreEnabledForGlobalRoles

Type: boolean

By default, a user with a global role can access any Ops Manager group through the Public API, whether or not the Public API is enabled for that group.

To prevent access when a group’s Public API is disabled, add mms.publicApi.ignoreEnabledForGlobalRoles to conf-mms.properties and set its value to false:

mms.publicApi.ignoreEnabledForGlobalRoles=false

mms.publicApi.whitelistEnabled

Type: boolean

Certain API calls require that requests originate from a whitelisted IP address. To turn off this requirement, add mms.publicApi.whitelistEnabled to conf-mms.properties and set its value to false:

mms.publicApi.whitelistEnabled=false

SNMP Heartbeat Settings

Ops Manager uses SNMP v2c. You can configure the Ops Manager Application to send a periodic heartbeat trap notification (v2c) that contains an internal health assessment of the Ops Manager Application. The Ops Manager Application can send traps to one or more endpoints on the standard SNMP UDP port 162.

To configure the Ops Manager Application to send trap notifications, download the Management Information Base (MIB) file at http://downloads.mongodb.com/on-prem-monitoring/MMS-MONGODB-MIB.txt and configure the following settings:

snmp.default.hosts

Type: string

Default: blank

Comma-separated list of hosts where ‘heartbeat’ traps will be sent on the standard UDP port 162. You must set snmp.default.hosts to enable the SNMP heartbeat functionality; otherwise, leaving the setting blank disables the SNMP heartbeat functionality.

snmp.listen.port

Type: number

Default: 11611

Listening UDP port for SNMP. Setting to a number less than 1024 will require running the Ops Manager Application with root privileges.

snmp.default.heartbeat.interval

Type: number

Default: 300

Number of seconds between heartbeat notifications.

reCaptcha Settings

To enable the reCaptcha anti-spam test on new user registration, you must have a reCaptcha account and specify the API information in the configuration file.

reCaptcha.enabled

Type: boolean

Set to true to require reCaptcha validation when a new user registers.

reCaptcha.public.key

Type: string

The reCaptcha public key associated with your account.

reCaptcha.private.key

Type: string

The reCaptcha private key associated with your account.

LDAP Settings

To configure Ops Manager for LDAP, you must start with a new installation or reset your installation to a clean state. Your Ops Manager installation cannot have existing users, groups, or hosts. For assistance, contact your MongoDB account manager.

LDAP Server Setting

mms.userSvcClass

Type: string

The LDAP service class com.xgen.svc.mms.svc.user.UserSvcLdap; i.e.

mms.userSvcClass=com.xgen.svc.mms.svc.user.UserSvcLdap

LDAP User Settings

These settings configure Ops Manager to use an LDAP server for authentication. If you use LDAP authentication, users must belong to an LDAP group to log into Ops Manager. You must create LDAP groups for each Ops Manager user role.

mms.ldap.url

Type: string

The URI for the LDAP server. For example:

mms.ldap.url=ldap://acme-dc1.acme.example.net:3890

mms.ldap.bindDn

Type: string

The LDAP user used to execute searches for other users. For example:

mms.ldap.bindDn=authUser@acme.example.net

mms.ldap.bindPassword

Type: string

The credentials for the search user. For example:

mms.ldap.bindPassword=<user-password>

mms.ldap.user.baseDn

Type: string

The base Distinguished Name (DN) that Ops Manager uses to search for users. Escape the = sign with \. For example:

mms.ldap.user.baseDn=DC\=acme,DC\=example,DC\=net

mms.ldap.user.searchAttribute

Type: string

The LDAP field used for the LDAP search. This is typically a username or email address.

The value of this field is also used as the Ops Manager username.

Example:

mms.ldap.user.searchAttribute=mail

mms.ldap.user.group

Type: string

The LDAP user attribute that contains the list of LDAP groups the user belongs to. The LDAP attribute can use any format to list the groups, including Common Name (cn) or Distinguished Name (dn). All Ops Manager settings in this configuration file that specify groups must match the chosen format.

Example:

mms.ldap.user.group=memberOf

mms.ldap.global.role.owner

Type: string

The LDAP group that has full privileges for the Ops Manager deployment, including full access to all Ops Manager groups and all administrative permissions. Users in the specified LDAP group receive the global owner role in Ops Manager. Specify the group using the format that is used by the LDAP attribute specified in the mms.ldap.user.group setting.

Example:

mms.ldap.global.role.owner=CN\=MMSGlobalOwner,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=net

mms.ldap.user.firstName

Type: string

The LDAP user attribute that contains the user’s first name. After successful LDAP authentication, Ops Manager synchronizes the specified LDAP attribute with the first name from the Ops Manager user record.

For example:

mms.ldap.user.firstName=givenName

mms.ldap.user.lastName

Type: string

The LDAP user attribute that contains the user’s last name. After successful LDAP authentication, Ops Manager synchronizes the specified LDAP attribute with the last name from the Ops Manager user record.

For example:

mms.ldap.user.lastName=sn

mms.ldap.user.email

Type: string

The LDAP user attribute that contains the user’s email address. After successful LDAP authentication, Ops Manager synchronizes the specified LDAP attribute with the email address from the Ops Manager user record.

For example:

mms.ldap.user.email=mail

LDAP Global Role Settings

These settings assign Ops Manager global roles to the members of the specified LDAP groups. Specify groups using the format used by the LDAP attribute specified in the mms.ldap.user.group setting. You can specify multiple groups using the ;; delimiter. To change the default delimiter, use the mms.ldap.group.separator setting.

Each Ops Manager global role provides its level of access to all the Ops Manager groups in the deployment. To provide access to specific groups, use group-level roles.

mms.ldap.global.role.automationAdmin

Type: string

The LDAP group whose members have the global automation admin role in Ops Manager. For example:

mms.ldap.global.role.automationAdmin=CN\=MMS-AutomationAdmin,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=net

mms.ldap.global.role.backupAdmin

Type: string

The LDAP group whose members have the global backup admin role in Ops Manager. For example:

mms.ldap.global.role.backupAdmin=CN\=MMS-BackupAdmin,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=net

mms.ldap.global.role.monitoringAdmin

Type: string

The LDAP group whose members have the global monitoring admin role in Ops Manager. For example:

mms.ldap.global.role.monitoringAdmin=CN\=MMS-MonitoringAdmin,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=net

mms.ldap.global.role.userAdmin

Type: string

The LDAP group whose members have the global user admin role in Ops Manager. For example:

mms.ldap.global.role.userAdmin=CN\=MMS-UserAdmin,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=net

mms.ldap.global.role.readOnly

Type: string

The LDAP group whose members have the global read-only role in Ops Manager. For example:

mms.ldap.global.role.readOnly=CN\=MMS-ReadOnly,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=net

mms.ldap.group.separator

Type: string

Each of the global role values can take a delimited list of groups: for example "dbas,sysadmins".

If a group value contains the delimiter, the delimiter must be set to another value. For example, if you have the group value "CN\=foo,DN\=bar" and the delimiter is a comma (,), then Ops Manager parses "CN\=foo,DN\=bar" as two elements rather than as the description for a single group. Change the delimiter by adding the mms.ldap.group.separator setting to the configuration file and specifying a different delimiter.

Starting with Ops Manager 1.5, the default delimiter is ;;.

Kerberos Settings

To enable Kerberos authentication between the Ops Manager Application and the Ops Manager Application Database, configure the following settings. You must configure all required Kerberos settings to enable Kerberos authentication.

jvm.java.security.krb5.kdc

Type: string

Required if using Kerberos. The IP address or FQDN (Fully Qualified Domain Name) of the KDC server. Ops Manager sets the JVM’s java.security.krb5.kdc to this value.

jvm.java.security.krb5.kdc=kdc.example.com

jvm.java.security.krb5.realm

Type: string

Required if using Kerberos. The default realm for Kerberos. Ops Manager sets the JVM’s java.security.krb5.realm to this value.

jvm.java.security.krb5.realm=EXAMPLE.COM

mms.kerberos.principal

Type: string

Required if using Kerberos. The principal used to authenticate with MongoDB. This should be exactly the same user as the one in the mongo.mongoUri setting above.

mms.kerberos.principal=mms/mmsweb.example.com@EXAMPLE.COM

mms.kerberos.keyTab

Type: string

Required if using Kerberos. The absolute path to the keytab file for the principal.

mms.kerberos.keyTab=/path/to/mms.keytab

mms.kerberos.debug

Type: boolean

The debug flag to output more information on the Kerberos authentication process.

mms.kerberos.debug=false

Encrypt MongoDB User Credentials

If you do not want to store credentials in plain text, Monitoring provides a tool to encrypt the MongoDB credentials. To encrypt authentication credentials:

  1. Issue the following command to create an encrypted credential pair, replacing <username> with your username:

    sudo <install_dir>/bin/credentialstool --username <username> --password
    

    This will prompt you to enter the password and will output the encrypted credential pair.

    credentialstool requires root privileges (i.e. sudo) when installed with rpm or deb packages, because it modifies the /etc/mongodb-mms/gen.key file.

  2. Use the encrypted credential pair in the mongo.mongoUri settings where needed, and add the mongo.encryptedCredentials = true setting. For example:

    mongo.mongoUri=mongodb://da83ex3s:a4fbcf3a1@mydb1.example.net:40000/admin
    mongo.encryptedCredentials=true
    

Important

The conf-mms.properties file can contain multiple mongo.mongoUri settings. If mongo.encryptedCredentials is true, you must encrypt all user credentials found in the various mongo.mongoUri settings.

MongoDB User Access

The MongoDB user must have the following roles: readWriteAnyDatabase, clusterAdmin, and dbAdminAnyDatabase. For an overview of user roles used with Ops Manager, see: Ops Manager Roles.