- Reference >
- Ops Manager Configuration Files
Ops Manager Configuration Files¶
Overview¶
The Ops Manager Application and the Backup Daemon use the conf-mms.properties and conf-daemon.properties configuration files respectively. This document describes all available settings between the two files. Each configuration file uses a subset of the settings described here.
conf-mms.properties¶
The Ops Manager Application uses the conf-mms.properties
configuration file.
If you installed Ops Manager using an rpm
or deb
package, the
file’s location is:
/opt/mongodb/mms/conf/
If you installed using a tar.gz
file, the configuration file’s
location is:
<install-directory>/conf/
If you installed on Windows, the file’s location is:
<install-folder>\Server\Config
By default, this is C:\MMSData\Server\Config
.
conf-daemon.properties¶
The Backup Daemon uses the conf-daemon.properties
configuration
file. If you installed Ops Manager using an rpm
or deb
package, the
file’s location is:
/opt/mongodb/mms-backup-daemon/conf/
If you installed using a tar.gz
file, the configuration file’s
location is:
<install-directory>/conf/
If you installed on Windows, the configuration file’s location is:
<install-folder>\BackupDaemon\Config
Mandatory Settings¶
To start the Ops Manager Application, you must configure the
Ops Manager Application URL Settings and Email Address Settings
in the conf-mms.properties
file.
Security¶
For configuration settings that store credentials, you can either store the
credentials in plain text or use the Ops Manager credentialstool
to encrypt
the credentials, as described in Encrypt MongoDB User Credentials.
If you choose to store credentials in plain text, reduce the permissions on the configuration file. For example:
Settings¶
Ops Manager Application URL Settings¶
The following two settings are mandatory for the Ops Manager Application.
-
mms.
centralUrl
¶ Type: string
Required. Fully qualified URL, including the port number, of the Ops Manager Application. For example,
If you wish to use a port other than
8080
, Change the Ops Manager Ports describes how to change the ports that Ops Manager uses.
-
mms.
backupCentralUrl
¶ Type: string
Required. The hostname and port of the Backup HTTP Service. For example,
You must set
mms.backupCentralUrl
, even if you are only using Ops Manager Monitoring and not Ops Manager Backup.If you wish to use a port other than
8081
, Change the Ops Manager Ports describes how to change the ports that Ops Manager uses.
Load Balancer¶
Set the following when using a load balancer with the Ops Manager Application.
-
mms.remoteIp.
header
¶ Type: string
Specify the name of the header that the load balancer will use to specify the original client’s IP address to the application server.
See Configure a Highly Available Ops Manager Application for more information.
When you specify
mms.remoteIp.header
, do not allow clients to connect directly to any application server.
Ops Manager Application HTTPS Settings¶
You can configure the Ops Manager Application’s application servers to use HTTPS to encrypt connections between the Ops Manager Application, the agents, and the web interface.
The default port for HTTPS access to the Ops Manager Application is 8443
, as set in
<install_dir>/conf/mms.conf
file. If you change this default, change the
ports specified in the mms.centralUrl
and
mms.backupCentralUrl
settings.
-
mms.https.
PEMKeyFile
¶ Type: string
Specify the PEM file that contains the application’s valid certificate and private key.
-
mms.https.
PEMKeyFilePassword
¶ Type: string
Required if the PEM file contains an encrypted private key. Specify the password for PEM file. You can encrypt the specified password using the Ops Manager
credentialstool
. See Encrypt MongoDB User Credentials.
Email Settings¶
Email Address Settings¶
The following email address settings are mandatory. You must define them before the Monitoring instance will start.
-
mms.
fromEmailAddr
¶ Type: string
Required. The email address used for sending the general emails, such as Ops Manager alerts. You can include an alias with the email address. For example:
-
mms.
replyToEmailAddr
¶ Type: string
Required. The email address to send replies to general emails. For example:
-
mms.
adminFromEmailAddr
¶ Type: string
Required. The email address to send messages from the Ops Manager admin. You can include an alias with the email address. For example:
-
mms.
adminEmailAddr
¶ Type: string
Required. The email address to send messages or replies to the Ops Manager admin. You can include an alias with the email address. For example:
-
mms.
bounceEmailAddr
¶ Type: string
Required. The email address to send bounce messages, i.e. messages of non-delivery of alerts or messages from Ops Manager admin. For example:
Email Service Settings¶
-
mms.
emailDaoClass
¶ Type: string
The email interface to use. For AWS Simple Email Service, specify
com.xgen.svc.core.dao.email.AwsEmailDao
, as in:For AWS Simple Email Service, see also
aws.accesskey
andaws.secretkey
.For JavaEmailDao, specify
com.xgen.svc.core.dao.email.JavaEmailDao
, as in:
-
mms.mail.
transport
¶ Type: string
Default: smtp
Transfer protocol
smtp
orsmtps
as specified by your email provider. For example:
-
mms.mail.
hostname
¶ Type: string
Default: localhost
Email hostname as specified by your email provider. For example:
-
mms.mail.
port
¶ Type: number
Default: 25
Port number for the transfer protocol as specified by your email provider. For example:
-
mms.mail.
tls
¶ Type: boolean
Default: false
Indicator of whether the transfer protocol runs on top of TLS. For example:
-
mms.mail.
username
¶ Type: string
User name of the email account. If unset, defaults to disabled SMTP authentication.
-
mms.mail.
password
¶ Type: string
Password for the email account. If unset, defaults to disabled SMTP authentication.
-
aws.
accesskey
¶ Type: string
Required if using AWS Simple Email Service. The access key ID for AWS.
-
aws.
secretkey
¶ Type: string
Required if using AWS Simple Email Service. The secret access key for AWS.
Twilio SMS Alert Settings¶
To receive alert notifications via SMS, you must have a Twilio account and specify your Twilio account information in the configuration file.
-
twilio.account.
sid
¶ Type: string
Twilio account ID.
-
twilio.auth.
token
¶ Type: string
Twilio API token.
-
twilio.from.
num
¶ Type: string
Twilio phone number.
MongoDB Settings¶
The following settings configure the Ops Manager connections to the Ops Manager Application Database.
Connection String¶
-
mongo.
mongoUri
¶ Type: string
Required. The connection string used to access the backing MongoDB instance. The
conf-mms.properties
file can contain multiplemongo.mongoUri
settings. The following example specifies connection to a replica set:If you omit the port number, Ops Manager uses the default
27017
port for all hosts.For a backing MongoDB instance with access control, the connection string must include authentication credentials. The connecting user must possess the
readWriteAnyDatabase
,dbAdminAnyDatabase
, andclusterMonitor
user roles. If the database is a sharded cluster, theclusterAdmin
role is required instead ofclusterMonitor
.The following examples show the formats to use for the different
authentication mechanisms
.For a MongoDB instance using the default
MONGODB-CR
/SCRAM-SHA-1
challenge-response mechanism, prefix the hostname with the MongoDB username and password in the form<username>:<password>@
For a MongoDB instance using
MONGODB-X509
authentication, you must first add the value of the subject from the client certificate as a MongoDB user, as described in Use x.509 Certificates to Authenticate Clients in the MongoDB manual. The client certificate is contained in the PEM file you specify in themongodb.ssl.PEMKeyFile
setting. Once you have created the user, prefix the host specified inmongo.mongoUri
with the name of the new user and appendauthMechanism=MONGODB-X509
after the specified port:For a MongoDB instance using LDAP, prefix the hostname with the MongoDB username and password in the form
<username>:<password>@
, and append theauthMechanism=PLAIN&authSource=$external
options after the port:For a MongoDB instance using Kerberos, prefix the hostname with the Kerberos user principal and specify the authentication mechanism,
authMechanism=GSSAPI
, after the port.Kerberos user principal names have the form
<username>@<KERBEROS REALM>
. You must escape the user principal, replacing symbols with the URL encoded representation. A Kerberos user principal ofusername@REALM.EXAMPLE.COM
would therefore becomeusername%40REALM.EXAMPLE.COM
.The following is an example of Kerberos authentication:
To enable Kerberos authentication between the Ops Manager Application and the backup-database, see Kerberos Settings. See also
authMechanism
andauthSource
in the MongoDB manual.
MongoDB SSL Settings¶
The following settings in conf-mms.properties
and
conf-daemon.propeties
configure Ops Manager to use SSL to encrypt connections
to the backing MongoDB instances that host the
Ops Manager Application Database
and Backup Blockstore Database.
-
mongo.
ssl
¶ Type: boolean
Enables SSL connection to the Ops Manager Application Database when set to
true
.
-
mongodb.ssl.
CAFile
¶ Type: string
The name of the PEM file that contains the root certificate chain from the Certificate Authority that signed the MongoDB server certificate.
-
mongodb.ssl.
PEMKeyFile
¶ Type: string
The name of the PEM file that contains the X509 certificate and private key. Required if the MongoDB instance is running with the
--sslCAFile
option. For more information on the option, seenet.ssl.CAFile
in the MongoDB manual.If you authenticate using the
MONGODB-X509
authentication mechanism, you also enter this as the name of the user in themongoUri
connection string.
-
mongodb.ssl.
PEMKeyFilePassword
¶ Type: string
Required if the PEM file contains an encrypted private key. Specify the password for PEM file. You can encrypt the specified password using the Ops Manager
credentialstool
. See Encrypt MongoDB User Credentials.
Encrypted Credentials¶
-
mongo.
encryptedCredentials
¶ Type: boolean
Add this property and set it to
true
ifmongo.mongoUri
contains the encrypted username and password:You must encrypt the username and password in
mongo.mongoUri
using the Monitoringcredentialstool
. See Encrypt MongoDB User Credentials.Important
The
conf-mms.properties
file can contain multiplemongo.mongoUri
settings. Ifmongo.encryptedCredentials
istrue
, you must encrypt all user credentials found in the variousmongo.mongoUri
settings.
Automation Versions Settings¶
The following settings in the conf-mms.properties
file determine
how Ops Manager knows what MongoDB releases exist and from what servers the
Automation Agent downloads the binaries for a MongoDB release.
-
automation.versions.
source
¶ Type: string
Default: mongodb
Selects whether the Automation Agents retrieve MongoDB binaries over the internet from MongoDB Inc. or locally from the Ops Manager Application server. Set this to
mongodb
if the Automation Agents have internet access to retrieve the binaries from MongoDB Inc. Set this tolocal
if your Automation Agents cannot reach the internet. If you specifylocal
, you must set theautomation.versions.directory
and place.tgz
archive files for the MongoDB binaries in the specified directory. You must also provide the MongoDB version manifest. For details, see Configure Local Mode if Ops Manager has No Internet Access.
-
automation.versions.
directory
¶ Type: string
Default:
When
automation.versions.source
is set tolocal
, this specifies the directory on the Ops Manager Application server from which the Automation Agents accesses MongoDB binaries when installing a new deployment or changing the MongoDB version of an existing deployment. You must download the desired MongoDB binaries as.tgz
archive files and place the.tgz
files in the specified directory.
Ops Manager Backup Daemon Settings¶
These settings are found only in the conf-daemon.properties
file and are
necessary only if you are using Ops Manager Backup.
-
rootDirectory
¶ Type: string
The disk partition used by the Backup Daemon to dynamically create and maintain the replica set HEAD directories. For more information on HEADs, see the Backup functional overview.
This directory must be writable by the mongodb-mms user and must end in a trailing slash. It is critical that this partition is sized appropriately.
Important
Data in this directory is dynamically created, maintained and destroyed by the Backup Daemon. This partition should not be used for any other purpose. This partition should not overlap with the partition used for the Backup Blockstore database.
-
numWorkers
¶ Type: number
The number of replica sets that should be processed at a time.
-
mongodb.release.
directory
¶ Type: string
Specifies the full path to the directory that contains every MongoDB release needed by the Backup Daemon. When backing up a replica set, The Backup Daemon must use a mongod that matches the version of the replica set being backed up.
Warning
If you use MongoDB Enterprise, you must pre-install the MongoDB Enterprise dependencies to all servers that run MongoDB Enterprise.
If you set
mongodb.release.autoDownload
tofalse
, you must download the MongoDB releases manually. For each version needed, you must download the archive for that version and extract it into this directory. The extracted archive creates a subdirectory that uses the following naming convention:mongodb-<platform>-<architecture>-<version>
.Adhere to the following rules for populating the release directory:
- The release directory can contain versions from either the MongoDB Community edition or the MongoDB Enterprise but not from both.
- For the MongoDB 3.0 Community edition, do not use platform-specific
archives. Instead, for all platforms that run MongoDB 3.0 Community,
use the
Linux 64-bit legacy
archive from http://www.mongodb.org/downloads.
Important
If you are backing up MongoDB custom builds, you must manually place a matching binary distribution for each custom build in this directory.
Beginning in Ops Manager version 1.5, the Backup Daemon uses the following rules to match the MongoDB version of the replica set being backed up:
- If the MongoDB version uses the MongoDB standard
A.B.C
version format, the daemon looks for a folder namedmongodb-<platform>-<architecture>-A.B.x
, wherex
is greater than or equal toC
. - If the MongoDB version does not use the standard format, the daemon
looks for a folder named
mongodb-<platform>-<architecture>-<version>
, where<version>
ends with the MongoDB instance’s version. For example, if the source version is2.4.10-abc
, the daemon would match onmongodb-linux-x86_64-production-2.4.10-abc
.
-
mongodb.release.
autoDownload
¶ Type: boolean
If you set this to
true
, Backup automatically downloads the latest release of MongoDB from mongodb.org/downloads and stores it in the directory specified by themongodb.release.directory
setting. Backup’smongodb-fetch
utility, located in the/opt/mongodb/backup-daemon/bin
directory, runs once an hour to perform the downloads.If you set this to
false
, you must manually download and install the needed MongoDB releases to the directory specified in themongodb.release.directory
setting. Downloads must adhere to the rules described in themongodb.release.directory
entry above.
Advanced Backup Restore Settings¶
These settings affect Ops Manager Backup restore behaviors. They are are found
only in the conf-daemon.properties
file.
-
mms.backup.restore.
linkExpirationHours
¶ Type: number
Default: 1
The amount of time in hours that a restore link is available.
-
mms.backup.restore.
linkUnlimitedUses
¶ Type: boolean
Default: false
Sets whether the link to a restored point-in-time snapshot can be used more than once. By default, when you create a point-in-time snapshot, the link to download the snapshot can be used just once. To allow multiple downloads of the snapshot, set this value to
true
.
-
mms.backup.restore.
snapshotPITExpirationHours
¶ Type: number
Default: 24
The length of time in hours that a link to a restored point-in-time snapshot is available. By default, the link is available for 24 hours after creation of the point-in-time snapshot.
Session Management Setting¶
-
mms.session.
maxHours
¶ Type: number
The number of hours before a session on the Ops Manager website expires.
-
mms.monitoring.agent.session.
timeoutMillis
¶ Type: number
Default: 300000
Minimum: 90000
The Monitoring Agent failover time, in milliseconds. If Ops Manager does not receive a deployment status from the primary Monitoring Agent in the time specified, Ops Manager will make a standby Monitoring Agent the new primary. Configuring the timeout below 90000 (90 seconds) will cause Ops Manager to fail at startup with a configuration error.
Password Policy Settings¶
You can configure the password policy for Ops Manager user accounts with the following settings:
-
mms.password.
minChangesBeforeReuse
¶ Type: number
The number of previous passwords to remember. You cannot reuse a remembered password as a new password.
-
mms.password.
maxFailedAttemptsBeforeAccountLock
¶ Type: number
The number of failed login attempts before an account becomes locked. Only an an Ops Manager Administrator can unlock a locked account.
-
mms.password.
maxDaysInactiveBeforeAccountLock
¶ Type: number
The maximum number of days with no visits to the Ops Manager website before Ops Manager locks an account.
-
mms.password.
maxDaysBeforeChangeRequired
¶ Type: number
The number of days a password is valid before the password expires.
-
mms.multiFactorAuth.
require
¶ Type: boolean
Default: false
When
true
, Ops Manager will require two-factor authentication for users to log in or to perform certain destructive operations within the application.If you configure Twilio integration, users may obtain their second factor tokens via Google Authenticator, SMS, or voice calls. Otherwise, the only mechanism to provide two-factor authentication is Google Authenticator.
-
mms.multiFactorAuth.
allowReset
¶ Type: boolean
Default: false
When
true
, Ops Manager will allow users to reset their two-factor authentication settings via email in an analogous fashion to resetting their passwords.To reset two-factor authentication, a user must:
- be able to receive email at the address associated with the user account
- know the user account’s password
- know the Agent API key for any Ops Manager Group of which the user is a member
-
mms.multiFactorAuth.
issuer
¶ Type: string
If Google Authenticator provides two-factor authentication, this string is the
issuer
in the Google Authenticator app. If left blank, theissuer
is the domain name of the Ops Manager installation.
Public API¶
You can modify certain default behaviors of the Public API.
-
mms.publicApi.
ignoreEnabledForGlobalRoles
¶ Type: boolean
By default, a user with a global role can access any Ops Manager group through the Public API, whether or not the Public API is enabled for that group.
To prevent access when a group’s Public API is disabled, add
mms.publicApi.ignoreEnabledForGlobalRoles
toconf-mms.properties
and set its value tofalse
:
-
mms.publicApi.
whitelistEnabled
¶ Type: boolean
Certain API calls require that requests originate from a whitelisted IP address. To turn off this requirement, add
mms.publicApi.whitelistEnabled
toconf-mms.properties
and set its value tofalse
:
SNMP Heartbeat Settings¶
Ops Manager uses SNMP v2c. You can configure the Ops Manager Application to send a periodic heartbeat trap notification (v2c) that contains an internal health assessment of the Ops Manager Application. The Ops Manager Application can send traps to one or more endpoints on the standard SNMP UDP port 162.
To configure the Ops Manager Application to send trap notifications, download the Management Information Base (MIB) file at http://downloads.mongodb.com/on-prem-monitoring/MMS-MONGODB-MIB.txt and configure the following settings:
-
snmp.default.
hosts
¶ Type: string
Default: blank
Comma-separated list of hosts where ‘heartbeat’ traps will be sent on the standard UDP port 162. You must set
snmp.default.hosts
to enable the SNMP heartbeat functionality; otherwise, leaving the setting blank disables the SNMP heartbeat functionality.
-
snmp.listen.
port
¶ Type: number
Default: 11611
Listening UDP port for SNMP. Setting to a number less than 1024 will require running the Ops Manager Application with root privileges.
-
snmp.default.heartbeat.
interval
¶ Type: number
Default: 300
Number of seconds between heartbeat notifications.
reCaptcha Settings¶
To enable reCaptcha anti-spam test on new user registration, you must have a reCaptcha account and specify the API information in the configuration file.
-
reCaptcha.
enabled
¶ Type: boolean
Set to
true
to require reCaptcha validation when a new user registers.
-
reCaptcha.public.
key
¶ Type: string
The reCaptcha public key associated with your account.
-
reCaptcha.private.
key
¶ Type: string
The reCaptcha private key associated with your account.
LDAP Settings¶
To configure Ops Manager for LDAP, you must start with a new installation or reset your installation to a clean state. Your Ops Manager installation cannot have existing users, groups, or hosts. For assistance, contact your MongoDB account manager.
LDAP Server Setting¶
-
mms.
userSvcClass
¶ Type: string
The LDAP service class
com.xgen.svc.mms.svc.user.UserSvcLdap
; i.e.
LDAP User Settings¶
These settings configure Ops Manager to use an LDAP server for authentication. If you use LDAP authentication, users must belong to an LDAP group to log into Ops Manager. You must create LDAP groups for each Ops Manager user role.
-
mms.ldap.
url
¶ Type: string
The URI for the LDAP server. For example:
-
mms.ldap.
bindDn
¶ Type: string
The LDAP user used to execute searches for other users. For example:
-
mms.ldap.
bindPassword
¶ Type: string
The credentials for the search user. For example:
-
mms.ldap.user.
baseDn
¶ Type: string
The base Distinguished Name (DN) that Ops Manager uses to search for users. Escape the
=
sign with\
. For example:
-
mms.ldap.user.
searchAttribute
¶ Type: string
The LDAP field used for the LDAP search. This is typically a username or email address.
The value of this field is also used as the Ops Manager username.
Example:
-
mms.ldap.user.
group
¶ Type: string
The LDAP user attribute that contains the list of LDAP groups the user belongs to. The LDAP attribute can use any format to list the groups, including Common Name (
cn
) or Distinguished Name (dn
). All Ops Manager settings in this configuration file that specify groups must match the chosen format.Example:
-
mms.ldap.global.role.
owner
¶ Type: string
The LDAP group that has full privileges for the Ops Manager deployment, including full access to all Ops Manager groups and all administrative permissions. Users in the specified LDAP group receive the global owner role in Ops Manager. Specify the group using the format that is used by the LDAP attribute specified in the
mms.ldap.user.group
setting.Example:
-
mms.ldap.user.
firstName
¶ Type: string
The LDAP user attribute that contains the user’s first name. After successful LDAP authentication, Ops Manager synchronizes the specified LDAP attribute with the first name from the Ops Manager user record.
For example:
-
mms.ldap.user.
lastName
¶ Type: string
The LDAP user attribute that contains the user’s last name. After successful LDAP authentication, Ops Manager synchronizes the specified LDAP attribute with the last name from the Ops Manager user record.
For example:
-
mms.ldap.user.
email
¶ Type: string
The LDAP user attribute that contains the user’s email address. After successful LDAP authentication, Ops Manager synchronizes the specified LDAP attribute with the email address from the Ops Manager user record.
For example:
LDAP Global Role Settings¶
These settings assign Ops Manager global roles to the members of
the specified LDAP groups. Specify groups using the format used by the LDAP
attribute specified in the mms.ldap.user.group
setting. You can
specify multiple groups using the ;;
delimiter. To change the default
delimiter, use the mms.ldap.group.separator
setting.
Each Ops Manager global role provides its level of access to all the Ops Manager groups in the deployment. To provide access to specific groups, use group-level roles.
-
mms.ldap.global.role.
automationAdmin
¶ Type: string
The LDAP group whose members have the global automation admin role in Ops Manager. For example:
-
mms.ldap.global.role.
backupAdmin
¶ Type: string
The LDAP group whose members have the global backup admin role in Ops Manager. For example:
-
mms.ldap.global.role.
monitoringAdmin
¶ Type: string
The LDAP group whose members have the global monitoring admin role in Ops Manager. For example:
-
mms.ldap.global.role.
userAdmin
¶ Type: string
The LDAP group whose members have the global user admin role in Ops Manager. For example:
-
mms.ldap.global.role.
readOnly
¶ Type: string
The LDAP group whose members have the global read-only role in Ops Manager. For example:
-
mms.ldap.group.
separator
¶ Type: string
Each of the global role values can take a delimited list of groups: for example
"dbas,sysadmins"
.If a group value contains the delimiter, the delimiter must be set to another value. For example, if you have the group value
"CN\=foo,DN\=bar"
and the delimiter is,
then Ops Manager parses"CN\=foo,DN\=bar"
as two elements rather than as the description for a single group. Change the delimiter by adding themms.ldap.group.separator
setting to the configuration file and specifying a different delimiter.Starting with Ops Manager 1.5, the default delimiter is
;;
.
Kerberos Settings¶
To enable Kerberos authentication between the Ops Manager Application and the Ops Manager Application Database, configure the following settings. You must configure all required Kerberos settings to enable Kerberos authentication.
-
jvm.java.security.krb5.
kdc
¶ Type: string
Required if using Kerberos. The IP/FQDN (Fully Qualified Domain Name) of the KDC server. The value will be set to JVM’s java.security.krb5.kdc.
-
jvm.java.security.krb5.
realm
¶ Type: string
Required if using Kerberos. This is the default REALM for Kerberos. It is being used for JVM’s java.security.krb5.realm.
-
mms.kerberos.
principal
¶ Type: string
Required if using Kerberos. The principal used to authenticate with MongoDB. This should be the exact same user on the
mongo.mongoUri
above.
-
mms.kerberos.
keyTab
¶ Type: string
Required if using Kerberos. The absolute path to the keytab file for the principal.
-
mms.kerberos.
debug
¶ Type: boolean
The debug flag to output more information on Kerberos authentication process.
Encrypt MongoDB User Credentials¶
If you do not want to store credentials in plain text, Monitoring provides a tool to encrypt the MongoDB credentials. To encrypt authentication credentials:
Issue the following command to create an encrypted credential pair, replacing
<username>
with your username:This will prompt you to enter the password and will output the encrypted credential pair.
credentialstool
requires root privileges, (i.e.sudo
) when installed withrpm
ordeb
packages, because it modifies the/etc/mongodb-mms/gen.key
file.Use the encrypted credential pair in the
mongo.mongoUri
settings where needed, and add themongo.encryptedCredentials = true
setting. For example:
Important
The conf-mms.properties
file can contain multiple
mongo.mongoUri
settings. If
mongo.encryptedCredentials
is true
, you must encrypt
all user credentials found in the various mongo.mongoUri
settings.
MongoDB User Access¶
The MongoDB user must have the following roles: readWriteAnyDatabase
,
clusterAdmin
, and dbAdminAnyDatabase
. For an
overview of user roles used with Ops Manager, see: Ops Manager Roles.