Ops Manager Configuration
Overview
Ops Manager stores configuration settings both globally in the Ops Manager Application Database and locally on each server. Global settings apply to all your Ops Manager servers. Local settings apply to the server on which they are configured. Any local settings on a server override the global settings.
You configure global settings through the Ops Manager interface during installation. You can edit global settings at any time through the Admin interface by clicking the General tab and then clicking Ops Manager Config.
You configure local settings through a server’s conf-mms.properties file. Each server’s conf-mms.properties must contain the connection string and authentication settings for accessing the Ops Manager Application Database. The conf-mms.properties file also contains any overrides of global settings specific to that server.
The location of the conf-mms.properties file depends on how you installed Ops Manager, as described in the table below.
Install method | conf-mms.properties location |
---|---|
rpm or deb package | /opt/mongodb/mms/conf/ |
tar.gz archive | <install-directory>/conf/ |
msi file (Windows) | By default, this is: |
Web Server Settings
Configure global settings through the Admin interface. Ops Manager stores global settings in the Ops Manager Application database.
- URL to Access Ops Manager
  Type: string
  The fully qualified URL and port number of the Ops Manager Application. For example:
  To use a port other than 8080, see Manage Ops Manager Ports.
  Corresponds to configuration file setting: mms.centralUrl
- HTTPS PEM Key File
  Type: string
  Absolute path to the PEM file that contains the Ops Manager Application’s valid certificate and private key. The PEM file is required if the Ops Manager Application will use HTTPS to encrypt connections between the Ops Manager Application, the agents, and the web interface.
  The default port for HTTPS access to the Ops Manager Application is 8443, as set in the <install_dir>/conf/mms.conf file. If you change this default, you must also change the port specified in the URL to Access Ops Manager setting.
  Corresponds to configuration file setting: mms.https.PEMKeyFile
- HTTPS PEM Key File Password
  Type: string
  The password for the HTTPS PEM key file. This is required if the PEM file contains an encrypted private key. If storing this in the conf-mms.properties file, you can encrypt the password using the Ops Manager credentialstool. See Encrypt User Credentials.
  Corresponds to configuration file setting: mms.https.PEMKeyFilePassword
- Client Certificate Mode
  Type: string
  Specifies how many SSL certificates are required for transactions between Ops Manager and clients: None, Required for Agents Only, Required for All Requests.
  Corresponds to configuration file setting: mms.https.ClientCertificateMode
- CA File
  Type: string
  Specifies the filesystem location of a certificate authority file containing the list of acceptable client certificates.
  Corresponds to configuration file setting: mms.https.CAFile
  Note
  If you want to use a private certificate authority, you must add mms.https.CAFile as a custom property on the CUSTOM tab of the Ops Manager Config page in the Admin interface.
- Load Balancer Remote IP Header
  Type: string
  If you use a load balancer with the Ops Manager Application, set this to the HTTP header field the load balancer uses to identify the originating client’s IP address to the application server. When you specify Load Balancer Remote IP Header, do not allow clients to connect directly to any application server. A load balancer placed in front of the Ops Manager Application servers must not return cached content.
  See Configure a Highly Available Ops Manager Application for more information.
  Corresponds to configuration file setting: mms.remoteIp.header
Email Settings
The following email address settings are mandatory. You must define these settings before you can use the Ops Manager Application.
- From Email Address
  Type: string
  The email address used for sending the general emails, such as Ops Manager alerts. You can include an alias with the email address.
  Corresponds to configuration file setting: mms.fromEmailAddr
- Reply To Email Address
  Type: string
  The email address from which to send replies to general emails.
  Corresponds to configuration file setting: mms.replyToEmailAddr
- Admin Email Address
  Type: string
  The email address of the Ops Manager admin. This address receives emails related to problems with Ops Manager.
  Corresponds to configuration file setting: mms.adminEmailAddr
- Email Delivery Method Configuration
  Type: string
  The email interface to use.
  This setting is labeled in different ways for the user interface and the configuration file.
  Delivery Method | UI Setting | Configuration Setting (mms.emailDaoClass) |
  ---|---|---|
  AWS SES | AWS Simple Email Service | com.xgen.svc.core.dao.email.AwsEmailDao |
  SMTP | SMTP Email Server | com.xgen.svc.core.dao.email.JavaEmailDao |
  Corresponds to configuration file setting: mms.emailDaoClass
  If you set this to AWS Simple Email Service, you must set:
  UI Setting | Configuration File Setting |
  ---|---|
  AWS Endpoint | aws.ses.endpoint |
  AWS Access Key | aws.accesskey |
  AWS Secret Key | aws.secretkey |
  If you set this to SMTP Email Server, you must set:
  UI Setting | Configuration File Setting |
  ---|---|
  Transport | mms.mail.transport |
  SMTP Server Hostname | mms.mail.hostname |
  SMTP Server Port | mms.mail.port |
  Username | mms.mail.username |
  Password | mms.mail.password |
  Use SSL | mms.mail.tls |
SMTP Email Server Settings
Conditional. These settings appear if Email Delivery Method Configuration is SMTP Email Server.
- Transport
  Type: string
  Default: smtp
  The transfer protocol your email provider specifies:
  - smtp (standard SMTP)
  - smtps (secure SMTP)
  Corresponds to configuration file setting: mms.mail.transport
- SMTP Server Hostname
  Type: string
  Default: localhost
  Email hostname your email provider specifies.
  Corresponds to configuration file setting: mms.mail.hostname
- SMTP Server Port
  Type: number
  Default: 25
  Port number for SMTP your email provider specifies.
  Corresponds to configuration file setting: mms.mail.port
- Username
  Type: string
  User name of the email account. If unset, defaults to disabled SMTP authentication.
  Corresponds to configuration file setting: mms.mail.username
- Password
  Type: string
  Password for the email account. If unset, defaults to disabled SMTP authentication.
  Corresponds to configuration file setting: mms.mail.password
- Use SSL
  Type: boolean
  Default: false
  Set this to true if the transfer protocol uses TLS/SSL.
  Corresponds to configuration file setting: mms.mail.tls
AWS Simple Email Service Settings
Conditional. These settings appear if Email Delivery Method Configuration is AWS Simple Email Service.
- AWS Endpoint
  Type: string
  Default: https://email.us-east-1.amazonaws.com
  Sets the sending API endpoint for the AWS SES.
  Corresponds to configuration file setting: aws.ses.endpoint
- AWS Access Key
  Type: string
  The access key ID for AWS.
  Corresponds to configuration file setting: aws.accesskey
- AWS Secret Key
  Type: string
  The secret access key for AWS.
  Corresponds to configuration file setting: aws.secretkey
User Authentication Method
- User Authentication Method
  Type: string
  Select whether to store authentication credentials in the Ops Manager Application Database or in an external authentication source.
  Corresponds to configuration file setting: mms.userSvcClass
Authentication through Ops Manager Application Database
- Password Changes Before Reuse
  Type: number
  The number of previous passwords to remember. You cannot reuse a remembered password as a new password.
  Corresponds to configuration file setting: mms.password.minChangesBeforeReuse
- Failed Login Attempts Before Account Lock
  Type: number
  The number of failed login attempts before an account becomes locked. Only an Ops Manager Administrator can unlock a locked account.
  Corresponds to configuration file setting: mms.password.maxFailedAttemptsBeforeAccountLock
- Days Inactive Before Account Lock
  Type: number
  The maximum number of days with no visits to the Ops Manager website before Ops Manager locks an account.
  Corresponds to configuration file setting: mms.password.maxDaysInactiveBeforeAccountLock
- Days Before Password Change Required
  Type: number
  The number of days a password is valid before the password expires.
  Corresponds to configuration file setting: mms.password.maxDaysBeforeChangeRequired
- Invitation Only Mode
  Type: boolean
  If true, new users can register by invitation only. The invitation provides a URL that displays the registration link.
  If false, new users can register if they have the Ops Manager URL.
  Corresponds to configuration file setting: mms.user.invitationOnly
Authentication through LDAP
These settings configure Ops Manager to use an LDAP server for authentication. If you use LDAP authentication, users must belong to an LDAP group to log into Ops Manager. You must create LDAP groups for each Ops Manager user role.
Settings that begin with “mms.ldap.global.role” assign Ops Manager global roles to the members of the specified LDAP groups. Specify groups using the format used by the LDAP attribute specified in the LDAP User Group setting. You can specify multiple groups using the ;; delimiter. To change the default delimiter, use the mms.ldap.group.separator setting. Each Ops Manager global role provides its level of access to all the Ops Manager groups in the deployment. To provide access to specific groups, use group-level roles.
- LDAP URI
  Type: string
  The URI for the LDAP or SSL LDAP server.
  Corresponds to configuration file setting: mms.ldap.url
- LDAP SSL CA File
  Type: string
  A file containing one or more trusted certificates in PEM format. Use this setting if you are using LDAPS and the server is using a certificate that is not from a well-known CA.
  Corresponds to configuration file setting: mms.ldap.ssl.CAFile
- LDAP SSL PEM Key File
  Type: string
  A file containing a client certificate and private key. Use this setting when your SSL LDAP server requires client certificates.
  Corresponds to configuration file setting: mms.ldap.ssl.PEMKeyFile
- LDAP SSL PEM Key File Password
  Type: string
  The password for LDAP SSL PEM Key File. Use this setting if the PEMKeyFile is encrypted.
  Corresponds to configuration file setting: mms.ldap.ssl.PEMKeyFilePassword
- LDAP Bind Dn
  Type: string
  The LDAP user used to execute searches for other users.
  Corresponds to configuration file setting: mms.ldap.bindDn
- LDAP Bind Password
  Type: string
  The password for the search user.
  Corresponds to configuration file setting: mms.ldap.bindPassword
- LDAP User Base Dn
  Type: string
  The base Distinguished Name (DN) that Ops Manager uses to search for users. Escape the = sign with \.
  Corresponds to configuration file setting: mms.ldap.user.baseDn
- LDAP User Search Attribute
  Type: string
  The LDAP field used for the LDAP search. This is typically a username or an email address. The value of this field is also used as the Ops Manager username.
  Corresponds to configuration file setting: mms.ldap.user.searchAttribute
- LDAP User Group
  Type: string
  The LDAP user attribute that contains the list of LDAP groups the user belongs to. The LDAP attribute can use any format to list the groups, including Common Name (cn) or Distinguished Name (dn). All Ops Manager settings in this configuration file that specify groups must match the chosen format.
  Corresponds to configuration file setting: mms.ldap.user.group
- LDAP Global Role Owner
  Type: string
  The LDAP group that has full privileges for the Ops Manager deployment, including full access to all Ops Manager groups and all administrative permissions. Users in the specified LDAP group receive the global owner role in Ops Manager. Specify the group using the format that is used by the LDAP attribute specified in the LDAP User Group setting.
  Corresponds to configuration file setting: mms.ldap.global.role.owner
- LDAP User First Name
  Type: string
  The LDAP user attribute that contains the user’s first name. After successful LDAP authentication, Ops Manager synchronizes the specified LDAP attribute with the first name from the Ops Manager user record.
  Per RFC2256, the default LDAP attribute is givenName.
  Corresponds to configuration file setting: mms.ldap.user.firstName
- LDAP User Last Name
  Type: string
  The LDAP user attribute that contains the user’s last name. After successful LDAP authentication, Ops Manager synchronizes the specified LDAP attribute with the last name from the Ops Manager user record.
  Per RFC2256, the default LDAP attribute is sn for surname.
  Corresponds to configuration file setting: mms.ldap.user.lastName
- LDAP User Email
  Type: string
  The LDAP user attribute that contains the user’s email address. After successful LDAP authentication, Ops Manager synchronizes the specified LDAP attribute with the email address from the Ops Manager user record.
  Per RFC2256, the default LDAP attribute is mail.
  Corresponds to configuration file setting: mms.ldap.user.email
- LDAP Global Role Automation Admin
  Type: string
  The LDAP group whose members have the global automation admin role in Ops Manager. Specify groups using the format used by the LDAP attribute specified in the LDAP User Group setting. You can specify multiple groups using the ;; delimiter. To change the default delimiter, use the mms.ldap.group.separator setting.
  Each Ops Manager global role provides its level of access to all the Ops Manager groups in the deployment. To provide access to specific groups, use group-level roles.
  Corresponds to configuration file setting: mms.ldap.global.role.automationAdmin
- LDAP Global Role Backup Admin
  Type: string
  The LDAP group whose members have the global backup admin role in Ops Manager.
  Corresponds to configuration file setting: mms.ldap.global.role.backupAdmin
- LDAP Global Role Monitoring Admin
  Type: string
  The LDAP group whose members have the global monitoring admin role in Ops Manager.
  Corresponds to configuration file setting: mms.ldap.global.role.monitoringAdmin
- LDAP Global Role User Admin
  Type: string
  The LDAP group whose members have the global user admin role in Ops Manager.
  Corresponds to configuration file setting: mms.ldap.global.role.userAdmin
- LDAP Global Role Read Only
  Type: string
  The LDAP group whose members have the global read-only role in Ops Manager.
  Corresponds to configuration file setting: mms.ldap.global.role.readOnly
- mms.ldap.group.separator
  To set this, click Config and then click the Custom tab.
  Type: string
  Each of the global role values takes a delimited list of groups:
  If a group value contains the delimiter, the delimiter must be set to another value.
  Example
  If you have the group value "CN\=foo,DN\=bar" and the delimiter is a comma (,), then Ops Manager parses "CN\=foo,DN\=bar" as two elements rather than as the description for a single group.
  Change the delimiter by adding the mms.ldap.group.separator setting to the configuration file and specifying a different delimiter.
  Starting with Ops Manager 1.5, the default delimiter is ;;.
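The separator behaviour described above, as an added Python illustration (not Ops Manager code): it maps a user's LDAP group values to global roles from the mms.ldap.global.role.* settings and shows how a comma separator cuts DN-format groups into fragments that no longer match. The exact-match comparison, the function names and the sample directory entries are assumptions constructed for this example.

```python
import re

ROLE_PREFIX = "mms.ldap.global.role."
SEPARATOR_KEY = "mms.ldap.group.separator"
DEFAULT_SEPARATOR = ";;"  # default delimiter starting with Ops Manager 1.5

# One RDN such as "CN=foo": what remains when a DN is cut at its commas.
RDN_FRAGMENT = re.compile(r"^[A-Za-z][\w-]*=[^,]+$")


def split_groups(value, separator):
    """Split one role setting into group names, dropping empty elements."""
    return [g.strip() for g in value.split(separator) if g.strip()]


def resolve_global_roles(settings, user_groups):
    """Return the global roles granted by the user's LDAP group values.

    Assumption: a role is granted when one of the user's group values is
    exactly equal to one of the groups configured for that role.
    """
    separator = settings.get(SEPARATOR_KEY, DEFAULT_SEPARATOR)
    membership = set(user_groups)
    roles = []
    for key, value in settings.items():
        if key.startswith(ROLE_PREFIX) and membership & set(split_groups(value, separator)):
            roles.append(key[len(ROLE_PREFIX):])
    return sorted(roles)


def split_dn_settings(settings):
    """Heuristic: role settings whose groups were cut into single-RDN fragments."""
    separator = settings.get(SEPARATOR_KEY, DEFAULT_SEPARATOR)
    suspect = []
    for key, value in settings.items():
        if not key.startswith(ROLE_PREFIX):
            continue
        groups = split_groups(value, separator)
        if len(groups) > 1 and all(RDN_FRAGMENT.match(g) for g in groups):
            suspect.append(key)
    return sorted(suspect)


# Constructed sample values, shown after properties-file unescaping
# (an escaped "=" in the file is a plain "=" here).
OWNERS = "CN=opsmgr-owners,OU=Groups,DC=example,DC=com"
DBAS = "CN=dba-leads,OU=Groups,DC=example,DC=com"
AUDITORS = "CN=auditors,OU=Groups,DC=example,DC=com"

GOOD = {
    ROLE_PREFIX + "owner": OWNERS + ";;" + DBAS,
    ROLE_PREFIX + "readOnly": AUDITORS,
}
# Same intent, but the separator was set to "," while the groups are DNs.
BAD = {
    SEPARATOR_KEY: ",",
    ROLE_PREFIX + "owner": OWNERS + "," + DBAS,
    ROLE_PREFIX + "readOnly": AUDITORS,
}

if __name__ == "__main__":
    print("default separator:", resolve_global_roles(GOOD, [DBAS]))
    print("comma separator:  ", resolve_global_roles(BAD, [DBAS]))
    print("settings to review:", split_dn_settings(BAD))
```

With the comma separator the mapping fails closed for this user, but every configured group has silently become a list of short fragments, which is why the heuristic reports both role settings for review.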
Multi-Factor Authentication (MFA) Settings
- Multi-factor Auth Level
  Type: string
  Default: OFF
  Configures the two-factor authentication “level”:
  - OFF: Disables two-factor authentication. Ops Manager does not use two-factor authentication.
  - OPTIONAL: Users can choose to set up two-factor authentication for their Ops Manager account.
  - REQUIRED_FOR_GLOBAL_ROLES: Users who possess a global role must set up two-factor authentication. Two-factor authentication is optional for all other users.
  - REQUIRED: All users must set up two-factor authentication for their Ops Manager account.
  Two-factor authentication is recommended for the security of your Ops Manager deployment.
  Corresponds to configuration file setting: mms.multiFactorAuth.level.
  Warning
  If enabling mms.multiFactorAuth.level through the configuration file, you must create a user account first before updating the configuration file. Otherwise, you will not be able to log in to Ops Manager.
  Note
  If you enable Twilio integration (optional), ensure that Ops Manager servers can access the twilio.com domain.
- mms.multiFactorAuth.require
  In Ops Manager 1.8 and later, mms.multiFactorAuth.level replaces mms.multiFactorAuth.require.
  Type: boolean
  Default: false
  When true, Ops Manager will require two-factor authentication for users to log in or to perform certain destructive operations within the application.
  If you configure Twilio integration, users may obtain their second factor tokens via Google Authenticator, SMS, or voice calls. Otherwise, the only mechanism to provide two-factor authentication is Google Authenticator.
- Multi-factor Auth Allow Reset
  Type: boolean
  Default: false
  When true, Ops Manager allows users to reset their two-factor authentication settings via email in an analogous fashion to resetting their passwords.
  To reset two-factor authentication, a user must:
  - be able to receive email at the address associated with the user account.
  - know the user account’s password.
  - know the agent API key for each Ops Manager group the user belongs to.
  Corresponds to configuration file setting: mms.multiFactorAuth.allowReset
- Multi-factor Auth Issuer
  Type: string
  If Google Authenticator provides two-factor authentication, this string is the issuer in the Google Authenticator app. If left blank, the issuer is the domain name of the Ops Manager installation.
  Corresponds to configuration file setting: mms.multiFactorAuth.issuer
Other Authentication Options
- ReCaptcha Enabled
  Type: boolean
  Set to true to require reCaptcha validation when a new user registers. You must have a reCaptcha account.
  Corresponds to configuration file setting: reCaptcha.enabled
- ReCaptcha Public Key
  Type: string
  The reCaptcha public key associated with your account.
  Corresponds to configuration file setting: reCaptcha.public.key
- ReCaptcha Private Key
  Type: string
  The reCaptcha private key associated with your account.
  Corresponds to configuration file setting: reCaptcha.private.key
- Session Max Hours
  Type: number
  The number of hours before a session on the Ops Manager website expires.
  Set this value to 0 to use browser session cookies only.
  Corresponds to configuration file setting: mms.session.maxHours
Security Settings
- mms.security.hstsMaxAgeSeconds
  Type: integer
  Default: 0 (Can use HTTP or HTTPS.)
  The length of time, in seconds, for which Ops Manager restricts browser connections to HTTPS. This value must be a positive integer.
  See also
  To learn how to deploy HSTS, see HTTP Strict Transport Security, RFC6797 and hstspreload.org.
  Corresponds to configuration page setting: HSTS Preload Maximum Age.
- mms.security.disableBrowserCaching
  Type: boolean
  Default: false
  When true, Ops Manager makes all HTTP responses not cacheable.
  Corresponds to configuration page setting: Disable Browser Caching.
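A local-override audit built from the settings documented up to this point, as an added Python example (not MongoDB's code or tooling): it merges a server's conf-mms.properties over the global settings, as the Overview describes, and flags weak effective values. The simplified properties parser, the function names and the sample values are assumptions constructed for this example, and the global settings are assumed to be available as a dictionary.

```python
import re

# Settings on this page that hold a password, token or private key.
SECRET_KEYS = {
    "mms.https.PEMKeyFilePassword", "mms.ldap.ssl.PEMKeyFilePassword",
    "mms.ldap.bindPassword", "mms.mail.password", "aws.secretkey",
    "http.proxy.password", "twilio.auth.token", "reCaptcha.private.key",
}


def parse_properties(text):
    """Simplified .properties reader (assumption: key=value lines only),
    with '#'/'!' comments and backslash escapes such as an escaped '='."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"((?:\\.|[^\\=])*)=(.*)$", line)
        if match:
            key, value = (re.sub(r"\\(.)", r"\1", part.strip()) for part in match.groups())
            props[key] = value
    return props


def effective_settings(global_settings, local_props):
    """Local conf-mms.properties values override the global settings."""
    return {**global_settings, **local_props}


def audit(global_settings, local_props):
    """Return (setting, reason) pairs for weak effective values on one server."""
    eff = effective_settings(global_settings, local_props)
    findings = []

    def flag(key, reason):
        findings.append((key, reason))

    if eff.get("mms.centralUrl", "").lower().startswith("http://"):
        flag("mms.centralUrl", "Ops Manager URL is plain HTTP")
    hsts = str(eff.get("mms.security.hstsMaxAgeSeconds", "0"))
    if not hsts.isdigit() or int(hsts) == 0:
        flag("mms.security.hstsMaxAgeSeconds", "HSTS not enabled (0 permits HTTP or HTTPS)")
    if eff.get("mms.multiFactorAuth.level", "OFF").upper() == "OFF":
        flag("mms.multiFactorAuth.level", "two-factor authentication is disabled")
    if eff.get("mms.user.invitationOnly", "").lower() == "false":
        flag("mms.user.invitationOnly", "anyone with the Ops Manager URL can register")
    if eff.get("mms.ldap.url", "").lower().startswith("ldap://"):
        flag("mms.ldap.url", "LDAP URI uses ldap:// rather than ldaps://")
    if ("mms.mail.password" in eff
            and eff.get("mms.mail.transport", "smtp").lower() == "smtp"
            and eff.get("mms.mail.tls", "false").lower() != "true"):
        flag("mms.mail.transport", "SMTP credentials configured without smtps or TLS")
    # Secrets are reported only when they sit in the local file itself.
    for key in sorted(local_props.keys() & SECRET_KEYS):
        flag(key, "secret present in the local file; review file access and encryption")
    return findings


# Constructed sample input, not taken from a real deployment.
SAMPLE_GLOBAL = {
    "mms.centralUrl": "https://opsmanager.example.com:8443",
    "mms.multiFactorAuth.level": "OFF",
    "mms.security.hstsMaxAgeSeconds": "31536000",
    "mms.user.invitationOnly": "true",
}
SAMPLE_LOCAL = r"""
# constructed conf-mms.properties overrides for one server
mms.centralUrl=http://opsmanager.example.com:8080
mms.multiFactorAuth.level=REQUIRED
mms.ldap.url=ldap://ldap.example.com:389
mms.ldap.user.baseDn=ou\=people,dc\=example,dc\=com
mms.ldap.bindPassword=constructed-placeholder
"""

if __name__ == "__main__":
    for setting, reason in audit(SAMPLE_GLOBAL, parse_properties(SAMPLE_LOCAL)):
        print(f"{setting}: {reason}")
```

In the sample, one local override strengthens the global value (MFA) and another weakens it (the URL), which is why the check runs against the merged view per server rather than against the global settings alone.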
HTTP/HTTPS Proxy Settings
Ops Manager can pass all outgoing HTTP and HTTPS requests through an HTTP or HTTPS proxy.
- Proxy Host
  Type: string
  Specify the hostname of the HTTP or HTTPS proxy to which you wish to connect.
  Corresponds to configuration file setting: http.proxy.host
- Proxy Port
  Type: integer
  Specify the port on which you wish to connect to the host. You must specify both the Proxy Port and Proxy Host to use a proxy.
  Corresponds to configuration file setting: http.proxy.port
- Proxy Username
  Type: string
  If the proxy requires authentication, use this setting to specify the username with which to connect to the proxy.
  Corresponds to configuration file setting: http.proxy.username
- Proxy Password
  Type: string
  If the proxy requires authentication, use this setting to specify the password with which to connect to the proxy.
  Corresponds to configuration file setting: http.proxy.password
Twilio Integration Settings
To receive alert notifications via SMS or two-factor verification code, you must have a Twilio account.
- Account SID
  Type: string
  Twilio account ID.
  Corresponds to configuration file setting: twilio.account.sid
- Twilio Auth Token
  Type: string
  Twilio API token.
  Corresponds to configuration file setting: twilio.auth.token
- Twilio From Number
  Type: string
  Twilio phone number.
  Corresponds to configuration file setting: twilio.from.num
MongoDB Version Management
The following settings determine how Ops Manager knows what MongoDB releases exist and how the MongoDB binaries are supplied to the Ops Manager server. The Automation Agents and Backup Daemons use these binaries when deploying MongoDB.
- Version Manifest Source
  Type: string
  Default: mongodb
  Set this to Local if your Automation Agents and Backup Daemons will not have internet access to download MongoDB binaries. If you set this to Local, an Ops Manager admin must manually provide the version manifest and the MongoDB binaries, as described in Configure Local Mode for Ops Manager Servers without Internet Access.
  Corresponds to configuration file setting: automation.versions.source
- Versions Directory
  Type: string
  Specify the directory on the Ops Manager Application server where Ops Manager stores the MongoDB binaries. The Automation Agent accesses the binaries when installing or changing versions of MongoDB on your deployments. If you set Version Manifest Source to run in Local mode, the Backup Daemons also access the MongoDB binaries from this directory. See Configure Local Mode for Ops Manager Servers without Internet Access for more information.
- Backup Versions Auto Download
  Type: boolean
  Indicates whether the Backup Daemons automatically install the versions of MongoDB needed by the daemons.
  - If true: The daemons retrieve the binaries from MongoDB Inc. over the internet.
  - If false: Backup Daemons do not have internet access and require that an Ops Manager administrator manually download and extract every archived version of a MongoDB release needed by the system’s backup daemons. The administrator must place the extracted binaries into the Versions Directory on the Ops Manager servers.
    Warning
    Set to false when Ops Manager is running in Local Mode.
  Corresponds to configuration file setting: mongodb.release.autoDownload
- Backup Versions Auto Download Enterprise Builds
  Type: boolean
  If Backup Versions Auto Download is set to true, specify whether the Daemon should download binaries for the Enterprise Edition.
  Warning
  If you will run MongoDB Enterprise and provision your own Linux servers, then you must manually install a set of dependencies to each server before installing MongoDB. See Configure Local Mode for Ops Manager Servers without Internet Access.
Backup Snapshots
The following settings determine:
- How much Ops Manager compresses file system store snapshots.
- How frequently Ops Manager takes snapshots.
- How long Ops Manager stores snapshots.
To set these values, click the Admin link, then the General tab, then the Ops Manager Config page, and then the Backup section.
See also
See Snapshot Frequency and Retention Policy to learn more about how often snapshots are taken and how long they can be retained.
- File System Store Gzip Compression Level
  Type: integer
  Default: 6
  Determines how much Ops Manager compresses file system-based snapshots. The level ranges from 0 to 9:
  - 0 provides no compression.
  - 1 to 9 increases the degree of compression at a cost of how fast the snapshot is compressed. Level 1 compresses snapshots the least but at the fastest speed. Level 9 compresses snapshots the most but at the slowest speed.
  Note
  Changing File System Store Gzip Compression Level affects new snapshots only. It does not affect the compression level of existing snapshots.
  File System Store Gzip Compression Level corresponds to the backup.fileSystemSnapshotStore.gzip.compressionLevel configuration file setting.
- Snapshot Interval
  Type: integer
  Default: 24
  Specifies the time, in hours, between two consecutive snapshots.
  Snapshot Interval (Hours) corresponds to the brs.snapshotSchedule.interval configuration file setting.
- Base Retention of Snapshots
  Type: integer
  Default: 2
  Specifies how many days an interval snapshot is stored.
  Base Retention of Snapshots (in Days) corresponds to the brs.snapshotSchedule.retention.base configuration file setting.
- Daily Retention of Snapshots
  Type: integer
  Default: 0
  Specifies how many days a daily snapshot is stored.
  Daily Retention of Snapshots (in Days) corresponds to the brs.snapshotSchedule.retention.daily configuration file setting.
- Weekly Retention of Snapshots
  Type: integer
  Default: 2
  Specifies how many weeks a weekly snapshot is stored.
  Weekly Retention of Snapshots (in Weeks) corresponds to the brs.snapshotSchedule.retention.weekly configuration file setting.
- Monthly Retention of Snapshot
  Type: integer
  Default: 1
  Specifies how many months a monthly snapshot is stored.
  Monthly Retention of Snapshot (in Months) corresponds to the brs.snapshotSchedule.retention.monthly configuration file setting.
- Restore Digest Method
  Type: string
  Default: SHA1
  Specifies whether or not to generate a SHA1 checksum for restore archive files.
  Acceptable values are SHA1 or NONE.
  Restore Digest Method corresponds to the brs.restore.digest.method configuration file setting.
- KMIP Server Host
  Type: string
  Default: None
  Specifies the hostname of a Key Management Interoperability Protocol (KMIP) server.
  KMIP Server Host corresponds to the backup.kmip.server.host configuration file setting.
- KMIP Server Port
  Type: integer
  Default: None
  Specifies the port of the KMIP server.
  KMIP Server Port corresponds to the backup.kmip.server.port configuration file setting.
- KMIP Server CA File
  Type: string
  Default: None
  Specifies a .PEM-format file that contains one or more certificate authorities.
  KMIP Server CA File corresponds to the backup.kmip.server.ca.file configuration file setting.
Ops Manager Data Migration
Note
Available only during schema data migration
Ops Manager indicates the status of schema data migration.

Default Monitoring Data Retention
Ops Manager gathers metric data at a 10-second granularity. The Default Monitoring Data Retention table determines how long Ops Manager stores metric data. For each increasing granularity level, Ops Manager computes the data based on the averages from the previous granularity level.
The table determines the default settings for new groups. If you change the settings, Ops Manager prompts you whether to also apply the settings to existing groups. To change the settings for a specific group without changing the Ops Manager default settings, see Groups Page.
Increasing the retention period for a granularity requires more storage on the Ops Manager Application Database.
Note
Decreasing the retention period for existing groups does not immediately recover available disk space on the file system and can actually use more disk space in the short term during the transition to the shorter retention period.
Public API
You can modify certain default behaviors of the Public API. To add the following settings, click the Admin link, then the General tab, then the Ops Manager Config page, and then the Custom section.
- mms.publicApi.whitelistEnabled
  Type: boolean
  Certain API calls require that requests originate from a whitelisted IP address. To turn off this requirement, add this setting and set its value to false.
Monitoring Agent Session Failover
Beginning with Monitoring Agent version 5.0.0, Ops Manager can distribute monitoring assignments among up to 100 running Monitoring Agents. One agent is the primary agent and the others share in monitoring responsibilities. If an agent fails, Ops Manager redistributes that agent’s monitoring assignments. If you run more than 100 Monitoring Agents, the additional agents run as standby agents that are completely idle, except to log their status as standby agents and to periodically ask Ops Manager whether they should receive monitoring assignments.
Note
Also beginning with version 5.0.0, the Monitoring Agent stores monitoring metrics at 10-second granularity.
Prior to Monitoring Agent 5.0.0, only the primary Monitoring Agent handles monitoring assignments. All additional running agents are standby agents.
The following settings tune the interval Ops Manager uses to determine if a Monitoring Agent is inaccessible and the frequency with which standby agents poll Ops Manager to determine if they should receive monitoring assignments.
To add the following settings, click the Admin link, then the General tab, then the Ops Manager Config page, and then the Custom section.
- mms.monitoring.agent.session.timeoutMillis
  Type: integer
  Default: 90000
  The interval that Ops Manager uses to determine if a standby agent should start monitoring. If Ops Manager does not hear from a Monitoring Agent for the duration specified, Ops Manager promotes a standby agent. Configuring the timeout below 90000 (90 seconds) will cause Ops Manager to fail at startup with a configuration error.
- mms.monitoring.agent.standbyCollectionFactor
  Type: integer
  Default: 4
  Specifies how frequently a standby agent checks in with Ops Manager to see if it should start monitoring. The following values are permitted:
  - 1: the standby agents check every 55 seconds.
  - 2: the standby agents check in at twice the rate as 1, or approximately every 27 seconds.
  - 3: the standby agents check approximately every 18 seconds.
  - 4: the standby agents check approximately every 14 seconds.
SNMP Heartbeat Settings
Ops Manager uses SNMP v2c. You can configure the Ops Manager Application to send a periodic heartbeat trap notification (v2c) that contains an internal health assessment of the Ops Manager Application. The Ops Manager Application can send traps to one or more endpoints on the standard SNMP UDP port 162.
To configure the Ops Manager Application to send trap notifications, first download the Management Information Base (MIB) file at http://downloads.mongodb.com/on-prem-monitoring/MMS-MONGODB-MIB.txt . Then add the following settings as custom settings. To do so, click the Admin link, then the General tab, then the Ops Manager Config page, and then the Custom section.
- snmp.default.hosts
  Type: string
  Default: blank
  Comma-separated list of hosts where ‘heartbeat’ traps will be sent on the standard UDP port 162. You must set snmp.default.hosts to enable the SNMP heartbeat functionality; otherwise, leaving the setting blank disables the SNMP heartbeat functionality.
- snmp.listen.port
  Type: number
  Default: 11611
  Listening UDP port for SNMP. Setting to a number less than 1024 will require running the Ops Manager Application with root privileges.
- snmp.default.heartbeat.interval
  Type: number
  Default: 300
  Number of seconds between heartbeat notifications.
- snmp.community
  Type: string
  Default: public
  The SNMP community for SNMP traps sent by Ops Manager.
Non-Uniform Memory Access (NUMA) Settings
- mongodb.disable.numa
  Type: boolean
  To disable NUMA for the head databases:
  - Click the Admin link, then the General tab, then the Ops Manager Config page, and then the Custom section.
  - Add mongodb.disable.numa as a Key and set its Value to true.
  - Click Save.
  See MongoDB and NUMA Hardware in the MongoDB Production Notes to learn more about NUMA.
  Important
  Each Ops Manager instance with Backup Daemons enabled must have the numactl service installed. If numactl is not installed and this setting is set to true, backup jobs fail.
Backup Settings¶
To add the following settings, click the Admin link, then the General tab, then the Ops Manager Config page, and then the Custom section.
- mms.alerts.BackupAgentConfCallFailure.maximumFailedConfCalls¶
  Type: integer
  Default: 10
  If the Backup Agent experiences more than this number of consecutive failed conf calls, Ops Manager triggers the following global alert:
  Backup Agent has too many conf call failures
- mms.alerts.OutsideSpaceUsedThreshold.maximumSpaceUsedPercent¶
  Type: integer
  Default: 85
  If the blockstore uses at least this percentage of its total disk capacity, Ops Manager triggers the following system alert:
- mms.backup.minimumOplogWindowHours¶
  Type: float
  Default: 3
  This sets the minimum number of hours that the oplog should record.
  Warning
  MongoDB recommends only changing this value temporarily to permit a test backup job to execute. The minimum oplog size value should be reset to the default as soon as possible. If an oplog is set to too small a value, it can result in a gap between a backup job and an oplog, which makes the backup unusable for restores. Stale backup jobs must be resynchronized before they can be used for restores. See also Insufficient Oplog Size Error.
- mms.backup.journal.heads¶
  Type: boolean
  Default: false
  This sets whether the HEAD database should use journaling.
  See Manage Backup Jobs to enable or disable journaling for the head database of a single backup job.
- mms.backup.snapshot.maxWorkers¶
  Type: integer
  Default: 4
  This sets the number of files that are saved concurrently when taking a snapshot. Increasing the value of this setting can improve backup job performance when there are a large number of small files in a high latency environment.
Backup Daemon¶
The following settings are specific to a Backup Daemon and are set through the Admin interface, through the Backup tab’s Daemons page. These settings are not global but are specific to the daemon being configured. For a given daemon, you can set these locally through the conf-mms.properties configuration file.
- Head directory¶
  If the directory is already configured, the path is listed in the Server column.
  Type: string
  The dedicated disk partition on the Backup Daemon’s server where the daemon stores the head databases. The daemon maintains a head database for each shard or replica set it backs up. This directory must be writable by the mongodb-mms user and must end in a trailing slash. It is critical that this partition is sized appropriately.
  Important
  Data in this directory is dynamically created, maintained and destroyed by the Backup Daemon. This partition should not be used for any other purpose. This partition should not overlap with the partition used for the Backup Database.
  Corresponds to configuration file setting: rootDirectory
- Number of Workers¶
  Type: number
  The number of replica sets that should be processed at a time.
  Corresponds to configuration file setting: numWorkers
Ops Manager Application Database Connection String¶
The following settings configure the Ops Manager connection to the Ops Manager Application Database. You must configure this setting in the conf-mms.properties file on each Ops Manager server. To encrypt authentication information, see Encrypt User Credentials.
- mongo.mongoUri¶
  Type: string
  The connection string used to access the Ops Manager Application Database. The connection string must include the following if applicable:
  - All members of the replica set, if the Ops Manager Application database is a replica set.
  - Authentication credentials for the authentication mechanism used on the Ops Manager Application database.
  See the following example connection strings:
  Replica Sets: If you use a replica set for the database’s backing instance, specify all members of the replica set, as shown in the example below for a replica set named appdbRS. If you omit the port number, Ops Manager uses the default 27017 port for all hosts.
  Default MongoDB Authentication: For a MongoDB instance using the MongoDB SCRAM-SHA-1 or MONGODB-CR challenge-response mechanisms, the connection string must include authentication credentials. The Ops Manager Application must authenticate as a MongoDB user with the following roles:
  - readWriteAnyDatabase
  - dbAdminAnyDatabase
  - clusterAdmin if the database is a sharded cluster, otherwise clusterMonitor
  Prefix the hostname with the MongoDB username and password in the form <username>:<password>@
  x.509 Certificate Authentication: For a MongoDB instance using MONGODB-X509 authentication, you must first add the value of the subject from the client certificate as a MongoDB user, as described in Use x.509 Certificates to Authenticate Clients in the MongoDB manual. The client certificate is contained in the PEM file you specify in the mongodb.ssl.PEMKeyFile setting. Once you have created the user, prefix the host specified in mongo.mongoUri with the name of the new user and append authMechanism=MONGODB-X509 after the specified port:
  LDAP Authentication: For a MongoDB instance using LDAP, prefix the hostname with the MongoDB username and password in the form <username>:<password>@, and append the authMechanism=PLAIN&authSource=$external options after the port:
  Kerberos Authentication: For a MongoDB instance using Kerberos, prefix the hostname with the Kerberos user principal and specify the authentication mechanism, authMechanism=GSSAPI, after the port.
  Kerberos user principal names have the form <username>@<KERBEROS REALM>. You must escape the user principal, replacing symbols with the URL encoded representation. A Kerberos user principal of username@REALM.EXAMPLE.COM would therefore become username%40REALM.EXAMPLE.COM.
  This is an example of Kerberos authentication:
  To enable Kerberos authentication between the Ops Manager Application and the Snapshot Storage, see Kerberos Authentication to the Application Database.
  See also authMechanism and authSource in the MongoDB manual.
- mongo.encryptedCredentials¶
  Type: boolean
  To use encrypted credentials in mongo.mongoUri, encrypt the credentials using the Ops Manager credentialstool, enter them in the mongo.mongoUri setting, and set this to true:
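The mongo.mongoUri forms described above, as an added Python example that is not part of the Ops Manager documentation: it percent-encodes the user info (so username@REALM.EXAMPLE.COM becomes username%40REALM.EXAMPLE.COM) and appends the options the page lists for each mechanism. The function names, the mechanism labels and the sample hosts are assumptions made for illustration; replicaSet is the standard MongoDB connection string option.

```python
from urllib.parse import quote, unquote, urlsplit

# Options the page says to append after the port. The dictionary keys are
# labels chosen for this example, not Ops Manager settings.
MECHANISM_OPTIONS = {
    "scram": None,  # SCRAM-SHA-1 / MONGODB-CR: credentials only
    "x509": "authMechanism=MONGODB-X509",
    "ldap": "authMechanism=PLAIN&authSource=$external",
    "kerberos": "authMechanism=GSSAPI",
}
PASSWORD_REQUIRED = {"scram", "ldap"}


def build_mongo_uri(hosts, mechanism, username, password=None, replica_set=None):
    """Return a mongo.mongoUri value with the user info percent-encoded."""
    if mechanism not in MECHANISM_OPTIONS:
        raise ValueError("unknown mechanism: %s" % mechanism)
    if (mechanism in PASSWORD_REQUIRED) != bool(password):
        raise ValueError("scram and ldap take <username>:<password>@, "
                         "x509 and kerberos take the user name only")
    # safe="" also encodes '/', so '@', ':' and '/' inside a name or password
    # cannot be read as URI delimiters.
    userinfo = quote(username, safe="")
    if password:
        userinfo += ":" + quote(password, safe="")
    options = ["replicaSet=" + replica_set] if replica_set else []
    if MECHANISM_OPTIONS[mechanism]:
        options.append(MECHANISM_OPTIONS[mechanism])
    uri = "mongodb://%s@%s/" % (userinfo, ",".join(hosts))
    return uri + ("?" + "&".join(options) if options else "")


def decoded_userinfo(uri):
    """Split a URI at its delimiters and return the decoded (user, password)."""
    user, _, password = urlsplit(uri).netloc.rpartition("@")[0].partition(":")
    return unquote(user), (unquote(password) if password else None)


if __name__ == "__main__":
    # Constructed sample hosts, principal and password.
    hosts = ["mydb1.example.com:40000", "mydb2.example.com:40000"]
    print(build_mongo_uri(hosts, "kerberos", "username@REALM.EXAMPLE.COM",
                          replica_set="appdbRS"))
    ldap_uri = build_mongo_uri(hosts[:1], "ldap", "opsmgr", "p@ss:w/rd")
    print(ldap_uri, decoded_userinfo(ldap_uri))
```

A password pasted into the URI without encoding is cut at the first delimiter it contains, which decoded_userinfo makes visible when given such a string.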
SSL Connection to the Application Database¶
The following settings configure Ops Manager to use SSL to encrypt connections to the dedicated MongoDB instances that host the Ops Manager Application Database and Snapshot Storage. You must configure this setting in the conf-mms.properties file on each Ops Manager server.
- mongo.ssl¶
  Type: boolean
  Enables SSL connection to the Ops Manager Application Database when set to true.
- mongodb.ssl.CAFile¶
  Type: string
  The name of the PEM file that contains the root certificate chain from the Certificate Authority that signed the MongoDB server certificate.
- mongodb.ssl.PEMKeyFile¶
  Type: string
  The name of the PEM file that contains the X509 certificate and private key. Required if the MongoDB instance is running with the --sslCAFile option or net.ssl.CAFile setting.
  If you authenticate using the MONGODB-X509 authentication mechanism, you also enter this as the name of the user in the mongoUri connection string.
- mongodb.ssl.PEMKeyFilePassword¶
  Type: string
  Required if the PEM file contains an encrypted private key. Specify the password for the PEM file. You can encrypt the password using the Ops Manager credentialstool. See Encrypt User Credentials.
Kerberos Authentication to the Application Database¶
To enable Kerberos authentication between Ops Manager and the Ops Manager Application Database, configure the following settings in the conf-mms.properties file on each Ops Manager server. You must configure all required Kerberos settings to enable Kerberos authentication.
- jvm.java.security.krb5.conf¶
  Type: string
  Optional. The path to an alternate Kerberos configuration file. The value is set to the JVM’s java.security.krb5.conf.
- jvm.java.security.krb5.kdc¶
  Type: string
  Required if using Kerberos. The IP/FQDN (Fully Qualified Domain Name) of the KDC server. The value is set to the JVM’s java.security.krb5.kdc.
- jvm.java.security.krb5.realm¶
  Type: string
  Required if using Kerberos. This is the default REALM for Kerberos. The value is used for the JVM’s java.security.krb5.realm.
- mms.kerberos.principal¶
  Type: string
  Required if using Kerberos. The principal used to authenticate with MongoDB. This should be exactly the same user as in the mongo.mongoUri above.
- mms.kerberos.keyTab¶
  Type: string
  Required if using Kerberos. The absolute path to the keytab file for the principal.
- mms.kerberos.debug¶
  Type: boolean
  The debug flag to output more information on the Kerberos authentication process.
Encrypt User Credentials¶
For configuration settings that store credentials, you can either store the credentials in plain text or use the Ops Manager credentialstool to encrypt the credentials.
Note
Protect Plain Text Passwords
If you choose to store credentials in plain text, reduce the permissions on the conf-mms.properties file on each server.
Operating System | Permission Changes |
---|---|
Linux | sudo chmod 600 <install_dir>/conf/conf-mms.properties |
Windows | Restrict access to only the users and/or groups that need to modify conf-mms.properties. |
Important
When installed with rpm or deb packages, the credentialstool requires root (sudo) privileges, because it modifies the /etc/mongodb-mms/gen.key file. Ops Manager uses the gen.key to encrypt sensitive data in the database and configuration files.
Use the credentialstool to generate encrypted credentials for the MongoDB deployments:
Enter the password when prompted.¶
The credentialstool then outputs the encrypted credential pair.
Add the encrypted credentials to the conf-mms.properties file.¶
Enter the encrypted credential pair in the mongo.mongoUri settings where needed.
Add the mongo.encryptedCredentials setting and set it to true.
Example
Important
The conf-mms.properties file can contain multiple mongo.mongoUri settings. If mongo.encryptedCredentials is true, you must encrypt all user credentials found in the various mongo.mongoUri settings.
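One way to check a server's conf-mms.properties against the guidance in this section and the Kerberos section above (an added example, not Ops Manager's own tooling): it flags plain-text credentials in a file whose mode is wider than 600, a mongo.ssl setting that is not true, and an mms.kerberos.principal that differs from the user in mongo.mongoUri. Assumptions: the file uses simple key=value lines, a URI with a password and no mongo.encryptedCredentials=true counts as plain text, and treating a connection without SSL as a finding is this example's policy.

```python
import os
from urllib.parse import unquote, urlsplit


def parse_properties(text):
    """Parse key=value lines, keeping every value of a repeated key."""
    settings = {}
    for line in map(str.strip, text.splitlines()):
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            settings.setdefault(key.strip(), []).append(value.strip())
    return settings


def audit(settings, mode):
    """Return findings for parsed settings and the file's st_mode."""
    def last(key):
        return settings.get(key, [""])[-1]

    findings = []
    # User info (the text before the last '@') of each mongo.mongoUri.
    users = [urlsplit(uri).netloc.rpartition("@")[0]
             for uri in settings.get("mongo.mongoUri", [])]
    plaintext = (any(":" in user for user in users)
                 and last("mongo.encryptedCredentials").lower() != "true")
    if plaintext and mode & 0o077:  # any group or other permission bit
        findings.append("plain-text credentials, file mode %o" % (mode & 0o777))
    # Assumption of this example: a connection without SSL is a finding.
    if last("mongo.ssl").lower() != "true":
        findings.append("mongo.ssl is not true")
    principal = last("mms.kerberos.principal")
    names = [unquote(user.partition(":")[0]) for user in users]
    if principal and principal not in names:
        findings.append("mms.kerberos.principal is not a mongo.mongoUri user")
    return findings


def audit_file(path):
    """Audit a conf-mms.properties file on disk."""
    with open(path, encoding="utf-8") as handle:
        return audit(parse_properties(handle.read()), os.stat(path).st_mode)


# Constructed sample content, not taken from a real deployment.
SAMPLE = """\
mongo.mongoUri=mongodb://opsmgr:s3cret@mydb1.example.com:40000/
mongo.ssl=false
mms.kerberos.principal=username@REALM.EXAMPLE.COM
"""
```

Because encrypted and plain-text credential pairs look alike in the URI, the check cannot confirm that every mongo.mongoUri is encrypted when mongo.encryptedCredentials is true; that still needs a manual review.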
Default Paths for Automation¶
You can modify various default paths for Automation. To modify these paths, click the Admin link in the top right corner of Ops Manager to access the settings panels. From the General tab, go to Ops Manager Config and select the Custom tab.
- automation.default.dataRoot¶
  Default: /data
  The default data path for the MongoDB databases managed by Automation.
- automation.default.downloadBase¶
  Default: /var/lib/mongodb-mms-automation
  The default path for the Monitoring Agent, Backup Agent, and MongoDB binaries for the deployments managed by Automation on Linux/OSX.
- automation.default.downloadBaseWindows¶
  Default: %SystemDrive%\\MMSAutomation\\versions
  The default path for the Monitoring Agent, Backup Agent, and MongoDB binaries for the deployments managed by Automation on Windows.
- automation.default.monitoringAgentLogFile¶
  Default: /var/log/mongodb-mms-automation/monitoring-agent.log
  The default path for the Monitoring Agent logs on Linux/OSX.
- automation.default.monitoringAgentLogFileWindows¶
  Default: %SystemDrive%\\MMSAutomation\\log\\mongodb-mms-automation\\monitoring-agent.log
  The default path for the Monitoring Agent logs on Windows.
- automation.default.backupAgentLogFile¶
  Default: /var/log/mongodb-mms-automation/backup-agent.log
  The default path for the Backup Agent logs on Linux/OSX.
- automation.default.backupAgentLogFileWindows¶
  Default: %SystemDrive%\\MMSAutomation\\log\\mongodb-mms-automation\\backup-agent.log
  The default path for the Backup Agent logs on Windows.
- automation.default.certificateAuthorityFile¶
  The default path for the Certificate Authority (CA) file on Linux/OSX.
- automation.default.certificateAuthorityFileWindows¶
  The default path for the Certificate Authority (CA) file on Windows.