Ops Manager Configuration Settings¶
Ops Manager stores configuration settings both globally in the Ops Manager Application Database and locally on each server. Global settings apply to all your Ops Manager servers. Local settings apply to the server on which they are configured. Any local settings on a server override the global settings.
You configure local settings through a server’s conf-mms.properties file. Each server’s conf-mms.properties must contain the connection string and authentication settings for accessing the Ops Manager Application Database. The conf-mms.properties file also contains any overrides of global settings specific to that server.
The location of the conf-mms.properties file depends on how you installed Ops Manager, as described in the table below.
Install method | conf-mms.properties location |
---|---|
rpm or deb package | /opt/mongodb/mms/conf/ |
tar.gz archive | <install-directory>/conf/ |
msi file (Windows) | By default, this is: |
Bypass Initial Configuration via the User Interface¶
If you would like to skip the initial setup wizard after creating the first account and either edit the conf-mms.properties file or use the API to configure Ops Manager, change the following settings. This setting can help if you are automating the deployment of Ops Manager instances.
- mms.ignoreInitialUiSetup
  Type: boolean
  Set this to true to allow full use of Ops Manager without requiring the first user account to complete the initial setup wizard.
  Warning
  Ops Manager performs its regular pre-flight check to verify that it has all of the required settings. If one or more of those settings are not included in conf-mms.properties, Ops Manager refuses to start and lists which fields are missing in the log file.
  Before starting Ops Manager, add the following required settings to conf-mms.properties to enable basic Ops Manager functionality:
  Note
  Fields marked as Optional have default values. If you want to change them, you can provide the setting and a new value.
  Example
  The following values are examples. Substitute values appropriate to your Ops Manager installation. You may add any of the other settings specified in this reference.
  To configure an Ops Manager installation with the minimum functionality, add the following settings to conf-mms.properties:
All Clusters View¶
- mms.allclusters.onlyMembership
  Type: boolean
  Default: False
  Determines whether the View All Clusters displays only the deployments to which an Ops Manager administrator belongs (set the value to true) or the deployments to which the administrator has access (set the value to false).
Application Database Connection Settings¶
The following settings configure the Ops Manager connection to the Ops Manager Application Database. You must configure this setting in the conf-mms.properties file on each Ops Manager server. To encrypt authentication information, see Encrypt User Credentials.
- mongo.mongoUri
  Type: string
  Connection string used to access the Ops Manager Application Database. The connection string must include the following if applicable:
  - All members of the replica set, if the Ops Manager Application Database is a replica set.
  - Authentication credentials for the authentication mechanism used on the Ops Manager Application Database.
  See the following example connection strings:
  - Replica Sets
    If you use a replica set for the database’s backing instance, specify all members of the replica set, as shown in the following example. If you omit the port number, Ops Manager uses the default 27017 port for all hosts.
    Note
    Ops Manager does not require the replicaSet option in the URI.
  - Default MongoDB Authentication
    For a MongoDB instance using the MongoDB SCRAM-SHA-1 or MONGODB-CR challenge-response mechanisms, the connection string must include authentication credentials. The Ops Manager Application must authenticate as a MongoDB user with the following roles:
    - readWriteAnyDatabase
    - dbAdminAnyDatabase
    - clusterAdmin if the database is a sharded cluster, otherwise clusterMonitor
    Prefix the hostname with the MongoDB username and password in the form <username>:<password>@
  - x.509 Certificate Authentication
    For a MongoDB instance using MONGODB-X509 authentication, you must first add the value of the subject from the client certificate as a MongoDB user, as described in Use x.509 Certificates to Authenticate Clients in the MongoDB manual. The client certificate is contained in the PEM file you specify in the mongodb.ssl.PEMKeyFile setting. Once you have created the user, prefix the host specified in mongo.mongoUri with the name of the new user and append authMechanism=MONGODB-X509 after the specified port:
  - LDAP Authentication
    For a MongoDB instance using LDAP, prefix the hostname with the MongoDB username and password in the form <username>:<password>@, and append the authMechanism=PLAIN&authSource=$external options after the port:
  - Kerberos Authentication
    For a MongoDB instance using Kerberos, prefix the hostname with the Kerberos user principal and specify the authentication mechanism, authMechanism=GSSAPI, after the port.
    Kerberos user principal names have the form <username>@<KERBEROS REALM>. You must escape the user principal, replacing symbols with the URL encoded representation. A Kerberos user principal of username@REALM.EXAMPLE.COM would therefore become username%40REALM.EXAMPLE.COM.
    To enable Kerberos authentication between the Ops Manager Application and the Snapshot Storage, review the following settings:
    - jvm.java.security.krb5.conf
    - jvm.java.security.krb5.kdc
    - jvm.java.security.krb5.realm
    - mms.kerberos.debug
    - mms.kerberos.keyTab
    - mms.kerberos.principal
  See also authMechanism and authSource in the MongoDB manual.
- mongo.encryptedCredentials
  Type: boolean
  To use encrypted credentials in mongo.mongoUri, encrypt the credentials using the Ops Manager credentialstool, enter them in the mongo.mongoUri setting, and set this to true:
Kerberos Authentication to Ops Manager Application Database¶
- mms.kerberos.debug
  Type: boolean
  Debug flag to output more information on the Kerberos authentication process.
- mms.kerberos.keyTab
  Type: string
  Required if using Kerberos. The absolute path to the keytab file for the principal.
- mms.kerberos.principal
  Type: string
  Required if using Kerberos. Principal used to authenticate with MongoDB. This should be the exact same user as in mongo.mongoUri.
- jvm.java.security.krb5.conf
  Type: string
  Optional. Path to an alternate Kerberos configuration file. The value is set to the JVM’s java.security.krb5.conf.
- jvm.java.security.krb5.kdc
  Type: string
  Required if using Kerberos. IP/FQDN of the KDC server. The value is set to the JVM’s java.security.krb5.kdc.
- jvm.java.security.krb5.realm
  Type: string
  Required if using Kerberos. This is the default realm for Kerberos. The value is set to the JVM’s java.security.krb5.realm.
TLS/SSL Connection to the Application Database¶
- mongo.ssl
  Type: boolean
  Enables TLS/SSL connection to the Ops Manager Application Database when set to true.
- mongodb.ssl.CAFile
  Type: string
  Name of the PEM file that contains the root certificate chain from the Certificate Authority that signed the MongoDB server certificate.
- mongodb.ssl.PEMKeyFile
  Type: string
  Name of the PEM file that contains the X509 certificate and private key. Required if the MongoDB instance is running with the --sslCAFile option or net.ssl.CAFile setting.
  If you authenticate using the MONGODB-X509 authentication mechanism, you also enter this as the name of the user in the mongoUri connection string.
- mongodb.ssl.PEMKeyFilePassword
  Type: string
  Required if the PEM file contains an encrypted private key. Specify the password for the PEM file. You can encrypt the password using the Ops Manager credentialstool.
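The mongo.mongoUri forms described above for each authentication mechanism, built with the escaping that the Kerberos note calls for. This is an added example, not code from the Ops Manager documentation: build_mongo_uri is a hypothetical helper, the hosts, users and passwords are constructed placeholders, and the /?option=value layout is the standard MongoDB connection string form.

```python
from urllib.parse import quote

# Query options this reference appends for each authentication mechanism.
AUTH_OPTIONS = {
    "default": "",  # SCRAM-SHA-1 or MONGODB-CR: credentials only
    "x509": "authMechanism=MONGODB-X509",
    "ldap": "authMechanism=PLAIN&authSource=$external",
    "kerberos": "authMechanism=GSSAPI",
}
# Mechanisms whose URI carries <username>:<password>@ rather than a bare name.
TAKES_PASSWORD = {"default", "ldap"}


def build_mongo_uri(hosts, mechanism="default", username=None, password=None):
    """Return a mongo.mongoUri value (hypothetical helper).

    hosts: list of "host" or "host:port" strings. List every replica set
    member; a host without a port uses the default 27017.
    username: MongoDB user, certificate subject (x509) or Kerberos principal.
    """
    if mechanism not in AUTH_OPTIONS:
        raise ValueError(f"unknown mechanism: {mechanism}")
    if not hosts:
        raise ValueError("at least one host is required")
    if mechanism != "default" and not username:
        raise ValueError(f"{mechanism} needs a user name in the URI")
    if mechanism in TAKES_PASSWORD and username and not password:
        raise ValueError(f"{mechanism} needs a password in the URI")
    if mechanism not in TAKES_PASSWORD and password:
        raise ValueError(f"{mechanism} does not take a password in the URI")

    userinfo = ""
    if username:
        # safe="" percent-encodes every reserved character, so "@", ":", "/",
        # "=" and "," inside a name or password cannot be read as URI syntax.
        userinfo = quote(username, safe="")
        if mechanism in TAKES_PASSWORD:
            userinfo += ":" + quote(password, safe="")
        userinfo += "@"

    options = AUTH_OPTIONS[mechanism]
    return "mongodb://" + userinfo + ",".join(hosts) + ("/?" + options if options else "")


if __name__ == "__main__":
    members = ["db1.example.net:40000", "db2.example.net:40000", "db3.example.net:40000"]
    # Constructed values, printed as conf-mms.properties lines.
    print("mongo.mongoUri=" + build_mongo_uri(members, "default", "opsmgr", "p@ss:w/rd"))
    print("mongo.mongoUri=" + build_mongo_uri(members, "kerberos", "username@REALM.EXAMPLE.COM"))
    print("mongo.mongoUri=" + build_mongo_uri(members, "x509", "CN=opsmgr,OU=ops,O=Example"))
```

A password containing @ or : that is pasted into the URI unescaped shifts where the host list begins, which is why the helper encodes both parts of the userinfo.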
Automation Default Paths¶
- automation.default.backupAgentLogFile
  Type: string
  Default: /var/log/mongodb-mms-automation/backup-agent.log
  Default path for the Backup Agent logs on Linux/macOS.
- automation.default.backupAgentLogFileWindows
  Type: string
  Default: %SystemDrive%\\MMSAutomation\\log\\mongodb-mms-automation\\backup-agent.log
  Default path for the Backup Agent logs on Windows.
- automation.default.certificateAuthorityFile
  Type: string
  Default path for the Certificate Authority file on Linux/macOS.
- automation.default.certificateAuthorityFileWindows
  Type: string
  Default path for the Certificate Authority file on Windows.
- automation.default.dataRoot
  Type: string
  Default: /data
  Default data path for the MongoDB databases that Automation manages.
- automation.default.downloadBase
  Type: string
  Default: /var/lib/mongodb-mms-automation
  Default path for the Monitoring Agent, Backup Agent, and MongoDB binaries for the deployments managed by Automation on Linux/macOS.
- automation.default.downloadBaseWindows
  Type: string
  Default: %SystemDrive%\\MMSAutomation\\versions
  Default path for the Monitoring Agent, Backup Agent, and MongoDB binaries for the deployments managed by Automation on Windows.
- automation.default.monitoringAgentLogFile
  Type: string
  Default: /var/log/mongodb-mms-automation/monitoring-agent.log
  Default path for the Monitoring Agent logs on Linux/macOS.
- automation.default.monitoringAgentLogFileWindows
  Type: string
  Default: %SystemDrive%\\MMSAutomation\\log\\mongodb-mms-automation\\monitoring-agent.log
  Default path for the Monitoring Agent logs on Windows.
- mms.agentCentralUrl
  Type: string
  FQDN of the Ops Manager host to which the Monitoring Agents push data.
  Uses the value of mms.centralUrl if not set.
Backup¶
- mms.alerts.BackupAgentConfCallFailure.maximumFailedConfCalls
  Type: integer
  Default: 10
  If the Backup Agent experiences more than this number of consecutive failed conf calls, Ops Manager triggers the following global alert: Backup Agent has too many conf call failures
- mms.alerts.OutsideSpaceUsedThreshold.maximumSpaceUsedPercent
  Type: integer
  Default: 85
  If the blockstore uses at least this percentage of its total disk capacity, Ops Manager triggers the following system alert: Blockstore space used exceeds threshold.
- mms.backupCentralUrl
  Type: string
  FQDN of the Ops Manager host to which the Backup Agents send backup data.
  Uses the value of mms.centralUrl if not set.
- mms.backup.journal.heads
  Type: boolean
  Default: False
  This sets whether the HEAD database should use journaling. See Manage Backup Jobs to enable or disable journaling for the head database of a single backup job.
- mms.backup.minimumOplogWindowHours
  Type: float
  Default: 3
  This sets the minimum number of hours that the oplog should record.
  Warning
  MongoDB recommends only changing this value temporarily to permit a test backup job to execute. The minimum oplog size value should be reset to the default as soon as possible. If an oplog is set to too small a value, it can result in a gap between a backup job and an oplog, which makes the backup unusable for restores. Stale backup jobs must be resynchronized before they can be used for restores. See also Insufficient Oplog Size Error
Backup Snapshots¶
- backup.fileSystemSnapshotStore.gzip.compressionLevel
  Type: integer
  Default: 6
  Determines how much Ops Manager compresses file system-based snapshots. The level ranges from 0 to 9:
  - 0 provides no compression.
  - 1 to 9 increases the degree of compression at a cost of how fast the snapshot is compressed. Level 1 compresses snapshots the least but at the fastest speed. Level 9 compresses snapshots the most but at the slowest speed.
  Note
  Changing File System Store Gzip Compression Level affects new snapshots only. It does not affect the compression level of existing snapshots.
  Corresponds to File System Store Gzip Compression Level
- brs.restore.digest.method
  Type: string
  Default: SHA1
  Specifies whether or not to generate a SHA1 checksum for restore archive files.
  Accepted values are SHA1 or NONE.
  Corresponds to Restore Digest Method
- brs.snapshotSchedule.interval
  Type: integer
  Default: 24
  Specifies the time, in hours, between two consecutive snapshots.
  Accepted values are: 6, 8, 12, or 24
  Corresponds to Snapshot Interval (Hours)
- brs.snapshotSchedule.retention.base
  Type: integer
  Default: 2
  Specifies how many days an interval snapshot is stored. The accepted values vary depending upon the value of brs.snapshotSchedule.interval:
  brs.snapshotSchedule.interval | Accepted Values |
  ---|---|
  < 24 | 2, 3, 4, or 5. |
  = 24 | 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30. |
  Corresponds to Base Retention of Snapshots (in Days)
- brs.snapshotSchedule.retention.daily
  Type: integer
  Default: 0
  Specifies how many days a daily snapshot is stored.
  Accepted values are: 0, 3, 4, 5, 6, 7, 15, 30, 60, 90, 120, 180 or 360
  Corresponds to Daily Retention of Snapshots (in Days)
- brs.snapshotSchedule.retention.monthly
  Type: integer
  Default: 1
  Specifies how many months a monthly snapshot is stored.
  Accepted values are: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 18, 24, 36, 48, 60, 72, and 84
  Corresponds to Monthly Retention of Snapshots (in Months)
- brs.snapshotSchedule.retention.weekly
  Type: integer
  Default: 2
  Specifies how many weeks a weekly snapshot is stored.
  Accepted values are: 0, 1, 2, 3, 4, 5, 6, 7, 8, 12, 16, 20, 24, and 52
  Corresponds to Weekly Retention of Snapshots (in Weeks)
- backup.kmip.server.host
  Type: string
  Default: None
  Specifies the hostname of a KMIP server.
  Corresponds to KMIP Server Host
- backup.kmip.server.port
  Type: integer
  Default: None
  Specifies the port of the KMIP server.
  Corresponds to KMIP Server Port
- backup.kmip.server.ca.file
  Type: string
  Default: None
  Specifies a .PEM-format file that contains one or more certificate authorities.
  Corresponds to KMIP Server CA File
- mms.backup.snapshot.maxSumFileForWorkersMB
  Type: integer
  Default: 2048
  This sets the maximum cumulative size of files, in Megabytes, that are saved concurrently when taking a snapshot.
- mms.backup.snapshot.maxWorkers
  Type: integer
  Default: 4
  This sets the number of files that are saved concurrently when taking a snapshot. Increasing the value of this setting can improve backup job performance when there are a large number of small files in a high latency environment.
Queryable Snapshot Configuration¶
- brs.queryable.connecttimeout
  Type: integer
  Default: 30
  Number of seconds to wait for a connection to the Queryable Snapshot mongod instance before timing out.
  Corresponds to Mongo Connection Timeout (Seconds)
- brs.queryable.expiration
  Type: integer
  Default: 24
  Duration in hours for a Queryable Snapshot once initiated.
  Corresponds to Expiration (Hours)
- brs.queryable.lruCacheCapacityMB
  Type: integer
  Default: 512
  Size (in megabytes) that you allocate from the JVM heap for the global snapshot cache. The global snapshot cache optimizes repeated queries for the same snapshot data to the Queryable Snapshots.
  Important
  MongoDB does not advise changing this value unless MongoDB support directs you to change it.
  Corresponds to Read Cache Size (MB)
- brs.queryable.mounttimeout
  Type: integer
  Default: 60
  Number of seconds to wait for the Queryable Snapshot to prepare before timing out.
  Corresponds to Queryable Startup Timeout (Seconds)
- brs.queryable.pem.pwd
  Type: string
  Required if Proxy Server PEM File is encrypted.
  Note
  After updating Proxy Server PEM File Password, restart the Web Server for the change to take effect.
  Corresponds to Proxy Server PEM File Password
- brs.queryable.pem
  Type: string
  Required if using Queryable Snapshot. The Certificate Authority PEM file that contains one or more trusted certificates and the associated private keys.
  Proxy Server PEM File has the following restrictions:
  - The PEM should use a key length greater than 512-bit. Using a 2048-bit RSA key is recommended.
  - The PEM should use a message digest stronger than sha1, such as sha256.
  Note
  After updating Proxy Server PEM File, restart the Web Server for the change to take effect.
  Corresponds to Proxy Server PEM File
- brs.queryable.proxyPort
  Type: integer
  Default: 25999
  Port for the queryable backup host.
  Note
  After updating Proxy Server Port, restart the Web Server for the change to take effect.
  Corresponds to Proxy Server Port
Email¶
- mms.fromEmailAddr
  Type: string
  Email address used for sending the general emails, such as Ops Manager alerts. You can include an alias with the email address.
  Corresponds to From Email Address
- mms.replyToEmailAddr
  Type: string
  Email address from which to send replies to general emails.
  Corresponds to Reply To Email Address
- mms.adminEmailAddr
  Type: string
  Email address of the Ops Manager admin. This address receives emails related to problems with Ops Manager.
  Corresponds to Admin Email Address
- mms.emailDaoClass
  Type: string
  Default: com.xgen.svc.core.dao.email.JavaEmailDao
  Email interface to use.
  This setting is labeled in different ways for the user interface and the configuration file.
  Delivery Method | Configuration Setting (mms.emailDaoClass) |
  ---|---|
  AWS SES | com.xgen.svc.core.dao.email.AwsEmailDao |
  SMTP | com.xgen.svc.core.dao.email.JavaEmailDao |
  If you set this to SMTP Email Server, you must set:
  If you set this to AWS Simple Email Service, you must set:
  Corresponds to Email Delivery Method Configuration
SMTP Email Server Settings¶
Conditional. The following settings appear if mms.emailDaoClass is com.xgen.svc.core.dao.email.JavaEmailDao.
- mms.mail.transport
  Type: string
  Default: smtp
  Transfer protocol your email provider specifies:
  - smtp (standard SMTP)
  - smtps (secure SMTP)
  Corresponds to Transport
- mms.mail.hostname
  Type: string
  Default: localhost
  Email hostname your email provider specifies.
  Corresponds to SMTP Server Hostname
- mms.mail.port
  Type: number
  Default: 25
  Port number for SMTP your email provider specifies.
  Corresponds to SMTP Server Port
- mms.mail.username
  Type: string
  User name of the email account. If unset, defaults to disabled SMTP authentication.
  Corresponds to Username
AWS Simple Email Service Settings¶
Conditional. The following settings appear if mms.emailDaoClass is com.xgen.svc.core.dao.email.AwsEmailDao.
- aws.ses.endpoint
  Type: string
  Default: https://email.us-east-1.amazonaws.com
  Sets the sending API endpoint for the AWS SES.
  Corresponds to AWS Endpoint
- aws.accesskey
  Type: string
  Access key ID for AWS.
  Corresponds to AWS Access Key
- aws.secretkey
  Type: string
  Secret access key for AWS.
  Corresponds to AWS Secret Key
HTTP/HTTPS Proxy Settings¶
- http.proxy.host
  Type: string
  Specify the hostname of the HTTP or HTTPS proxy to which you wish to connect.
  Corresponds to Proxy Host
- http.proxy.port
  Type: integer
  Specify the port on which you wish to connect to the host. You must specify both the Proxy Port and Proxy Host to use a proxy.
  Corresponds to Proxy Port
- http.proxy.username
  Type: string
  If the proxy requires authentication, use this setting to specify the username with which to connect to the proxy.
  Corresponds to Proxy Username
- http.proxy.password
  Type: string
  If the proxy requires authentication, use this setting to specify the password with which to connect to the proxy.
  Corresponds to Proxy Password
MongoDB Version Management¶
- automation.versions.source
  Type: string
  Default: mongodb
  Indicates the source of MongoDB installer binaries.
  Accepted values for automation.versions.source and the conditions that must exist to set the value are:
  Value | Condition |
  ---|---|
  mongodb | Ops Manager and Agents have internet access. |
  hybrid | Ops Manager has internet access, but Agents do not. Ops Manager downloads MongoDB binaries from the internet; Agents download the binaries from Ops Manager. |
  local | Neither Ops Manager nor the Agents have internet access. An Ops Manager administrator must upload the version manifest and the MongoDB binaries to the Ops Manager host, as described in Configure Deployment to Have Limited Internet Access. |
  Corresponds to Installer Download Source
- automation.versions.directory
  Type: string
  Default:
  - Windows: C:\MMSData\MongoDBReleases
  - Linux / macOS: /opt/mongodb/mms/mongodb-releases/
  Specify the directory on the Ops Manager Application server where Ops Manager stores the MongoDB binaries. The Automation Agent accesses the binaries when installing or changing versions of MongoDB on your deployments. If you set Version Manifest Source to run in Local mode, the Backup Daemons also access the MongoDB binaries from this directory. See Configure Deployment to Have Limited Internet Access for more information.
  Corresponds to Versions Directory
- mongodb.release.autoDownload
  Type: boolean
  Default: True
  Flag indicating whether the Backup Daemons automatically install the versions of MongoDB that the Backup Daemons need.
  Value | Result |
  ---|---|
  true | The daemons retrieve the binaries from MongoDB Inc. over the internet. |
  false | Backup Daemons do not have internet access and require that an Ops Manager administrator manually download and extract every archived version of a MongoDB release that the backup daemons need. The administrator must place the extracted binaries into the Versions Directory on the Ops Manager hosts. |
  Warning
  Set to false when Ops Manager is running in Local Mode.
  Corresponds to Backup Versions Auto Download
- mongodb.release.autoDownload.enterprise
  Type: boolean
  Flag indicating whether the Backup Daemons automatically install the Enterprise editions of the versions of MongoDB that the Backup Daemons need. Requires mongodb.release.autoDownload be set to true.
  Warning
  If you plan on running MongoDB Enterprise on Linux hosts, then you must manually install a set of dependencies to each host before installing MongoDB. The MongoDB manual provides the appropriate command to install the dependencies.
  Corresponds to Backup Versions Auto Download Enterprise Builds
- mongodb.release.modulePreference
  Type: string
  Specifies whether to use MongoDB Community or Enterprise binaries for backup.
  Accepted values are:
  - enterprisePreferred
  - enterpriseRequired
  - communityRequired
  When enterpriseRequired or communityRequired is selected, Ops Manager only uses those binaries for backup. When enterprisePreferred is selected, Ops Manager uses Enterprise binaries if available and Community binaries if they are not.
  Note
  When enterpriseRequired is selected, you must either set mongodb.release.autoDownload.enterprise to true or manually place Enterprise binaries in the automation.versions.directory in Local Mode.
  Warning
  Backup fails when either enterpriseRequired or communityRequired is selected, but the automation.versions.directory does not contain the required binary.
  Corresponds to Required Module For Backup
MongoDB Usage¶
- mms.mongoDbUsage.defaultUsageType
  Type: string
  Default: Production Server
  Default MongoDB Enterprise server type for all Enterprise processes that this Ops Manager instance manages.
  The following table shows the accepted Server Type values and the corresponding number of licenses required for each:
  Server Intention | Environment Purpose | License Requirement |
  ---|---|---|
  Production Server | Hosts your application to your internal or external end users. Important: If an end user might use an environment, it functions as a Production environment. This applies whether the environment also provides testing, quality assurance, evaluation, or development capabilities. | One license per server |
  Test/QA Server | This type of environment can be used to: Test: Exercises your application to verify that it works as designed and expected. The platform configuration might be a less performant version of Production in compute, network, and storage capability. Assure system quality: Validates your application against a combination of data, hardware, and software configured to simulate Production. The platform configuration should be a smaller scale of Production in compute, network, and storage capability. Stage: Simulates the Production environment including performance testing and release candidate approval. The platform configuration should mirror Production in compute, network, and storage capability. | One license per server |
  Development Server | Hosts in progress design, code, debugging or some combination thereof for your application. Used to evaluate if the current state of your application can be promoted to another environment. | None |
  RAM Pool | Provides any combination of servers for any environment purpose. | One license for any number of servers up to the maximum of the total GB of RAM you purchased across these servers. |
  Corresponds to Default Ops Manager MongoDB Server Type.
- mms.mongoDbUsage.ui.enabled
  Type: boolean
  Enables the MongoDB Usage UI in the Ops Manager Admin if set to true.
  Corresponds to MongoDB Usage UI.
- mms.mongoDbUsage.collectData
  Type: boolean
  Default: False
  Enables the daily collection of MongoDB Usage Data if set to true.
  Corresponds to MongoDB Usage Data Collection.
Monitoring¶
- mms.agentCentralUrl
  Type: string
  FQDN of the Ops Manager host to which the Monitoring Agents push data.
  Uses the value of mms.centralUrl if not set.
Monitoring Agent Session Failover¶
Beginning with Monitoring Agent version 5.0.0, Ops Manager can distribute monitoring assignments among up to 100 running Monitoring Agents. One agent is the primary agent and the others share in monitoring responsibilities. If an agent fails, Ops Manager redistributes that agent’s monitoring assignments. If you run more than 100 Monitoring Agents, the additional agents run as standby agents that are completely idle, except to log their status as standby agents and to periodically ask Ops Manager whether they should receive monitoring assignments.
Note
Also beginning with version 5.0.0, the Monitoring Agent stores monitoring metrics at 10-second granularity.
Prior to Monitoring Agent 5.0.0, only the primary Monitoring Agent handles monitoring assignments. All additional running agents are standby agents.
The following settings tune the interval Ops Manager uses to determine if a Monitoring Agent is unaccessible and the frequency with which standby agents poll Ops Manager to determine if they should receive monitoring assignments.
- mms.monitoring.agent.session.timeoutMillis
  Type: integer
  Default: 90000
  Interval that Ops Manager uses to determine if a standby agent should start monitoring. If Ops Manager does not hear from a Monitoring Agent for the duration specified, Ops Manager promotes a standby agent. Configuring the timeout below 90000 (90 seconds) will cause Ops Manager to fail at startup with a configuration error.
- mms.monitoring.agent.standbyCollectionFactor
  Type: integer
  Default: 4
  Specifies how frequently a standby agent checks in with Ops Manager to see if it should start monitoring. The following values are permitted:
  Value | Standby Agents Check Frequency |
  ---|---|
  1 | Every 55 seconds |
  2 | Every 27 seconds |
  3 | Every 18 seconds |
  4 | Every 14 seconds |
Public API¶
- mms.publicApi.whitelistEnabled
  Type: boolean
  Certain API calls require that requests originate from a whitelisted IP address. To turn off this requirement, add this setting and set its value to false.
Security Settings¶
- mms.security.disableBrowserCaching
  Type: boolean
  Default: False
  When true, Ops Manager makes all HTTP responses not cacheable.
- mms.security.hstsMaxAgeSeconds
  Type: integer
  Default: 0 (Can use HTTP or HTTPS.)
  How long (in seconds) Ops Manager limits browser connections to use HTTPS. This value must be a positive integer. A value of 0 means that it can use HTTP or HTTPS.
  See also
  To learn how to deploy HSTS, see HTTP Strict Transport Security, RFC 6797 and hstspreload.org.
SNMP Heartbeat Settings¶
Ops Manager uses SNMP v2c. You can configure the Ops Manager Application to send a periodic heartbeat trap notification (v2c) that contains an internal health assessment of the Ops Manager Application. The Ops Manager Application can send traps to one or more endpoints on the standard SNMP UDP port 162.
To configure the Ops Manager Application to send trap notifications, first download the Management Information Base (MIB) file at http://downloads.mongodb.com/on-prem-monitoring/MMS-MONGODB-MIB.txt . Then add the following settings as custom settings. To do so, click the Admin link, then the General tab, then the Ops Manager Config page, and then the Custom section.
- snmp.community
  Type: string
  Default: public
  SNMP community for SNMP traps sent by Ops Manager.
- snmp.default.heartbeat.interval
  Type: number
  Default: 300
  Number of seconds between heartbeat notifications.
- snmp.default.hosts
  Type: string
  Default: blank
  Comma-separated list of hosts where ‘heartbeat’ traps will be sent on the standard UDP port 162. You must set snmp.default.hosts to enable the SNMP heartbeat functionality; leaving the setting blank disables the SNMP heartbeat functionality.
- snmp.listen.port
  Type: number
  Default: 11611
  Listening UDP port for SNMP. Setting to a number less than 1024 will require running the Ops Manager Application with root privileges.
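One way to check a server's conf-mms.properties against the settings in this reference that govern transport security and credential handling (the mongo.* connection settings, the Public API, Security and SNMP settings, plus brs.restore.digest.method and mms.mail.transport). This is an added example, not Ops Manager tooling: audit, PAGE_DEFAULTS and the sample file are constructed for illustration, and it assumes a file-only check, so global settings stored in the Application Database are not read.

```python
"""Audit conf-mms.properties text for settings this reference ties to
transport security and credential handling. Added example, not Ops Manager code."""

# Defaults as stated in this reference. Assumption: a key absent from the
# local file falls back to these; global settings are not visible here.
PAGE_DEFAULTS = {
    "mms.security.hstsMaxAgeSeconds": "0",
    "snmp.community": "public",
    "brs.restore.digest.method": "SHA1",
    "mms.mail.transport": "smtp",
}

# Constructed sample file; hosts, user and password are placeholders.
SAMPLE_CONF = """\
# conf-mms.properties (constructed sample)
mongo.mongoUri=mongodb://opsmgr:S3cret@db1.example.net:27017,db2.example.net/?authSource=admin
mongo.ssl=false
mms.publicApi.whitelistEnabled=false
snmp.default.hosts=nms1.example.net,nms2.example.net
brs.restore.digest.method=NONE
mms.mail.username=alerts
"""


def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Split on the first "=" only: the URI value contains "=" itself.
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def uri_password(uri):
    """Return the password in the URI's userinfo, or None when there is none."""
    authority = uri.split("://", 1)[-1].split("/", 1)[0]
    userinfo, at, _hosts = authority.rpartition("@")
    if not at:
        return None
    _user, colon, password = userinfo.partition(":")
    return password if colon else None


def audit(text):
    """Return (setting, finding) tuples for one server's file contents."""
    props = parse_properties(text)

    def value(key):
        return props.get(key, PAGE_DEFAULTS.get(key, ""))

    def is_true(key):
        return value(key).lower() == "true"

    findings = []
    uri = props.get("mongo.mongoUri")
    if uri is None:
        findings.append(("mongo.mongoUri", "missing from this server's file"))
    elif uri_password(uri) and not is_true("mongo.encryptedCredentials"):
        findings.append(("mongo.encryptedCredentials",
                         "URI carries a password that is not marked as encrypted"))
    if not is_true("mongo.ssl"):
        findings.append(("mongo.ssl", "TLS/SSL to the Application Database is not enabled"))
    if "mms.publicApi.whitelistEnabled" in props and not is_true("mms.publicApi.whitelistEnabled"):
        findings.append(("mms.publicApi.whitelistEnabled",
                         "IP whitelist requirement for API calls is turned off"))
    if value("mms.security.hstsMaxAgeSeconds") == "0":
        findings.append(("mms.security.hstsMaxAgeSeconds",
                         "0 lets browsers use HTTP or HTTPS"))
    if value("snmp.default.hosts") and value("snmp.community") == "public":
        findings.append(("snmp.community", "heartbeat traps use the default community"))
    if value("brs.restore.digest.method").upper() == "NONE":
        findings.append(("brs.restore.digest.method", "restore archives get no checksum"))
    if value("mms.mail.username") and value("mms.mail.transport") == "smtp":
        findings.append(("mms.mail.transport",
                         "SMTP authentication is set with smtp rather than smtps"))
    return findings


if __name__ == "__main__":
    for setting, finding in audit(SAMPLE_CONF):
        print(f"{setting}: {finding}")
```

Because local settings override global ones, a clean result for one server's file says nothing about overrides in another server's file; run the check per server.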
Non-Uniform Memory Access (NUMA) Settings¶
- mongodb.disable.numa
  Type: boolean
  To disable NUMA for the head databases:
  - Click the Admin link.
  - Click the General tab.
  - Click the Ops Manager Config page.
  - Click the Custom section.
  - Add mongodb.disable.numa as a Key and set its Value to true.
  - Click Save.
  See MongoDB and NUMA Hardware in the MongoDB Production Notes to learn more about NUMA.
  Important
  Each Ops Manager instance with Backup Daemons enabled must have the numactl service installed. If numactl is not installed and this setting is set to true, backup jobs fail.
Twilio Integration Settings¶
To receive alert notifications via SMS or 2FA code, you must have a Twilio account.
- twilio.account.sid
  Type: string
  Twilio account ID.
  Corresponds to Account SID
- twilio.auth.token
  Type: string
  Twilio API token.
  Corresponds to Twilio Auth Token
- twilio.from.num
  Type: string
  Twilio phone number.
  Corresponds to Twilio From Number
User Authentication¶
- mms.userSvcClass
  Type: string
  Default: com.xgen.svc.mms.svc.user.UserSvcDb
  Select whether to store authentication credentials in the Ops Manager Application Database or in an LDAP directory.
  Accepted values are:
  Auth Method | Accepted Value |
  ---|---|
  Application Database | com.xgen.svc.mms.svc.user.UserSvcDb |
  LDAP | com.xgen.svc.mms.svc.user.UserSvcLdap |
  Corresponds to User Authentication Method
Authentication through Ops Manager Application Database¶
-
mms.password.
maxDaysBeforeChangeRequired
¶ Type: number
Number of days a password is valid before the password expires.
Corresponds to
Days Before Password Change Required
-
mms.password.
maxDaysInactiveBeforeAccountLock
¶ Type: number
Maximum number of days with no visits to the Ops Manager website before Ops Manager locks an account.
Corresponds to
Days Inactive Before Account Lock
-
mms.password.
maxFailedAttemptsBeforeAccountLock
¶ Type: number
Number of failed login attempts before an account becomes locked. Only an an Ops Manager Administrator can unlock a locked account.
Corresponds to
Failed Login Attempts Before Account Lock
-
mms.password.
minChangesBeforeReuse
¶ Type: number
Number of previous passwords to remember. You cannot reuse a remembered password as a new password.
Corresponds to
Password Changes Before Reuse
-
mms.user.
invitationOnly
¶ Type: boolean
If true, new users can register by invitation only. The invitation provides a URL that displays the registration link. If false, new users can register if they have the Ops Manager URL.
Corresponds to
Invitation Only Mode
-
mms.user.
bypassInviteForExistingUsers
¶ Type: boolean
Default: False
This checkbox appears when you set mms.userSvcClass to com.xgen.svc.mms.svc.user.UserSvcDb.
Value | Results |
---|---|
true | You can add existing users to any organization or project without an invitation. Ops Manager deletes and invalidates any unaccepted invitations. New users continue to receive and must accept invitations. |
false | All users continue to receive and must accept invitations. |
Corresponds to
Bypass Invitation Mode
Authentication through LDAP¶
These settings configure Ops Manager to use an LDAP server for authentication. If you use LDAP authentication, users must belong to an LDAP group to log into Ops Manager. You must create LDAP groups for each Ops Manager user role.
Settings that begin with mms.ldap.global.role assign Ops Manager global roles to the members of the specified LDAP groups. Specify groups using the format used by the LDAP attribute specified in the LDAP User Group setting. You can specify multiple groups using the ;; delimiter. To change the default delimiter, use the mms.ldap.group.separator setting. Each Ops Manager global role provides its level of access to all the Ops Manager projects in the deployment. To provide access to specific groups, use group-level roles.
-
mms.ldap.
bindDn
¶ Type: string
LDAP user used to execute searches for other users.
Corresponds to
LDAP Bind Dn
-
mms.ldap.
bindPassword
¶ Type: string
Password for the search user.
Corresponds to
LDAP Bind Password
-
mms.ldap.global.role.
automationAdmin
¶ Type: string
LDAP group whose members have the global automation admin role in Ops Manager. Specify projects using the format used by the LDAP attribute specified in the LDAP User Group setting. You can specify multiple projects using the ;; delimiter. To change the default delimiter, use the mms.ldap.project.separator setting.
Each Ops Manager global role provides its level of access to all the Ops Manager projects in the deployment. To provide access to specific projects, use group-level roles.
Corresponds to
LDAP Global Role Automation Admin
-
mms.ldap.global.role.
backupAdmin
¶ Type: string
LDAP group whose members have the global backup admin role in Ops Manager.
Corresponds to
LDAP Global Role Backup Admin
-
mms.ldap.global.role.
monitoringAdmin
¶ Type: string
LDAP group whose members have the global monitoring admin role in Ops Manager.
Corresponds to
LDAP Global Role Monitoring Admin
-
mms.ldap.global.role.
owner
¶ Type: string
LDAP group that has full privileges for the Ops Manager deployment, including full access to all Ops Manager projects and all administrative permissions. Users in the specified LDAP group receive the global owner role in Ops Manager. Specify the project using the format that is used by the LDAP attribute specified in the LDAP User Group setting.
Corresponds to
LDAP Global Role Owner
-
mms.ldap.global.role.
readOnly
¶ Type: string
LDAP group whose members have the global read-only role in Ops Manager.
Corresponds to
LDAP Global Role Read Only
-
mms.ldap.global.role.
userAdmin
¶ Type: string
LDAP group whose members have the global user admin role in Ops Manager.
Corresponds to
LDAP Global Role User Admin
-
mms.ldap.group.
baseDn
¶ Type: string
Base Distinguished Name (DN) that Ops Manager uses to search for groups. If not specified, it defaults to the value specified in LDAP User Base Dn.
Corresponds to
LDAP Group Base Dn
-
mms.ldap.group.
member
¶ Type: string
Field on the group entry containing user Distinguished Names (DN). The groupOfNames or groupOfUniqueNames object classes are commonly used.
Corresponds to
LDAP Group Member Attribute
-
mms.ldap.group.
separator
¶ Type: string
To set this, click Config and then click the Custom tab.
Each of the global role values takes a delimited list of projects. If a group value contains the delimiter, the delimiter must be set to another value.
Example
If you have the group value "CN\=foo,DN\=bar" and the delimiter is "," then Ops Manager parses "CN\=foo,DN\=bar" as two elements rather than as the description for a single group.
Change the delimiter by adding the mms.ldap.group.separator setting to the configuration file and specifying a different delimiter.
The default delimiter is ;;.
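The mis-split described in the example above can be checked before a role mapping goes live. The following is an added example, not code from Ops Manager or its documentation: the function names and the sample directory groups are hypothetical, and the values are assumed to be shown with the properties-file `\=` escaping already removed.

```python
DEFAULT_SEPARATOR = ";;"                 # default delimiter stated on this page
ROLE_PREFIX = "mms.ldap.global.role."
SEPARATOR_KEY = "mms.ldap.group.separator"

def split_groups(value, separator=DEFAULT_SEPARATOR):
    """Split one role value into group names, dropping empty elements."""
    if not separator:
        raise ValueError("separator must not be empty")
    return [g.strip() for g in value.split(separator) if g.strip()]

def missplit_roles(settings, directory_groups):
    """Map each role setting to the elements that match no directory group."""
    separator = settings.get(SEPARATOR_KEY, DEFAULT_SEPARATOR)
    problems = {}
    for key, value in sorted(settings.items()):
        if not key.startswith(ROLE_PREFIX):
            continue
        unknown = [g for g in split_groups(value, separator)
                   if g not in directory_groups]
        if unknown:
            problems[key] = unknown
    return problems

# Constructed sample data: group values as they exist in the directory
# (hypothetical), written without the properties-file "\=" escaping.
DIRECTORY_GROUPS = {
    "CN=foo,DN=bar",
    "CN=backup-admins,DN=bar",
}
# Separator overridden to "," although the group value contains commas.
COMMA_SEPARATED = {
    SEPARATOR_KEY: ",",
    "mms.ldap.global.role.owner": "CN=foo,DN=bar",
}
# Default ";;" separator: each DN stays one element.
DEFAULT_SEPARATED = {
    "mms.ldap.global.role.owner": "CN=foo,DN=bar",
    "mms.ldap.global.role.backupAdmin": "CN=foo,DN=bar;;CN=backup-admins,DN=bar",
}

if __name__ == "__main__":
    print(missplit_roles(COMMA_SEPARATED, DIRECTORY_GROUPS))
    print(missplit_roles(DEFAULT_SEPARATED, DIRECTORY_GROUPS))
```

An element that matches no directory group means the global role is not mapped to the group that was intended, which is worth catching for mms.ldap.global.role.owner in particular.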
-
mms.ldap.
referral
¶ Type: string
LDAP field used to set how to handle referrals. Accepts two values:
- ignore: Ignore referrals.
- follow: Automatically follow any referrals.
Corresponds to
LDAP Referral
-
mms.ldap.ssl.
CAFile
¶ Type: string
A file containing one or more trusted certificates in PEM format. Use this setting if you are using LDAPS and the server is using a certificate that is not from a well-known Certificate Authority.
Corresponds to
LDAP SSL CA File
-
mms.ldap.ssl.
PEMKeyFile
¶ Type: string
A file containing a client certificate and private key. Use this setting when your TLS/SSL LDAP server requires client certificates.
Corresponds to
LDAP SSL PEM Key File
-
mms.ldap.ssl.
PEMKeyFilePassword
¶ Type: string
Password for LDAP SSL PEM Key File. Use this setting if the PEMKeyFile is encrypted.
Corresponds to
LDAP SSL PEM Key File Password
-
mms.ldap.user.
baseDn
¶ Type: string
Base Distinguished Name (DN) that Ops Manager uses to search for users.
Escape the = sign with \.
Corresponds to
LDAP User Base Dn
-
mms.ldap.user.
email
¶ Type: string
LDAP user attribute that contains the user’s email address. After successful LDAP authentication, Ops Manager synchronizes the specified LDAP attribute with the email address from the Ops Manager user record.
Per RFC 2256, the default LDAP attribute is mail.
Corresponds to
LDAP User Email
-
mms.ldap.user.
firstName
¶ Type: string
LDAP user attribute that contains the user’s first name. After successful LDAP authentication, Ops Manager synchronizes the specified LDAP attribute with the first name from the Ops Manager user record.
Per RFC 2256, the default LDAP attribute is givenName.
Corresponds to
LDAP User First Name
-
mms.ldap.user.
group
¶ Type: string
LDAP user attribute that contains the list of LDAP groups the user belongs to. The LDAP attribute can use any format to list the projects, including Common Name (cn) or Distinguished Name (dn). All Ops Manager settings in this configuration file that specify projects must match the chosen format.
Corresponds to
LDAP User Group
-
mms.ldap.user.
lastName
¶ Type: string
LDAP user attribute that contains the user’s last name. After successful LDAP authentication, Ops Manager synchronizes the specified LDAP attribute with the last name from the Ops Manager user record.
Per RFC 2256, the default LDAP attribute is sn for surname.
Corresponds to
LDAP User Last Name
-
mms.ldap.user.
searchAttribute
¶ Type: string
LDAP field used for the LDAP search. This is typically a username or an email address. The value of this field is also used as the Ops Manager username.
Corresponds to
LDAP User Search Attribute
-
mms.login.newDeviceNotification.
enabled
¶ Type: boolean
Flag that indicates the user should be notified that they have logged in from a new device.
Corresponds to
New Device Login Notification
Multi-Factor Authentication (MFA) Settings¶
-
mms.multiFactorAuth.
level
¶ Type: string
Default: OFF
Configures the two-factor authentication “level”:
Setting | Description |
---|---|
OFF | Disables two-factor authentication. Ops Manager does not use two-factor authentication. |
OPTIONAL | Users can choose to set up two-factor authentication for their Ops Manager account. |
REQUIRED_FOR_GLOBAL_ROLES | Users who possess a global role must set up two-factor authentication. Two-factor authentication is optional for all other users. |
REQUIRED | All users must set up two-factor authentication for their Ops Manager account. |
Two-factor authentication is recommended for the security of your Ops Manager deployment.
Warning
If enabling mms.multiFactorAuth.level through the configuration file, you must create a user account before updating the configuration file. Otherwise, you cannot log in to Ops Manager.
Note
If you enable Twilio integration (optional), ensure that Ops Manager servers can access the twilio.com domain.
Corresponds to
Multi-factor Auth Level
-
mms.multiFactorAuth.
allowReset
¶ Type: boolean
Default: False
When true, Ops Manager allows users to reset their two-factor authentication settings via email in an analogous fashion to resetting their passwords.
To reset two-factor authentication, a user must:
- be able to receive email at the address associated with the user account.
- know the user account’s password.
- know the agent API key for each Ops Manager project the user belongs to.
Corresponds to
Multi-factor Auth Allow Reset
-
mms.multiFactorAuth.
issuer
¶ Type: string
If Google Authenticator provides two-factor authentication, this string is the issuer in the Google Authenticator app. If left blank, the issuer is the domain name of the Ops Manager installation.
Corresponds to
Multi-factor Auth Issuer
-
mms.multiFactorAuth.
require
¶ Type: boolean
Default: False
When true, Ops Manager will require two-factor authentication for users to log in or to perform certain destructive operations within the application.
If you configure Twilio integration, users may obtain their second factor tokens via Google Authenticator, SMS, or voice calls. Otherwise, the only mechanism to provide two-factor authentication is Google Authenticator.
Other Authentication Settings¶
-
reCaptcha.enabled.
registration
¶ Type: boolean
Default: false
Flag that indicates you want a new user to validate themselves using reCaptcha validation when they register to use Ops Manager.
Set to true to require reCaptcha validation when a new user registers.
This setting requires a reCaptcha account.
Corresponds to
ReCaptcha Enabled on Registration
-
reCaptcha.
enabled
¶ Type: boolean
Default: false
Flag that indicates you want a user to validate themselves using reCaptcha validation when they log into Ops Manager.
Set to true to require reCaptcha validation when a user logs in.
This setting requires a reCaptcha account.
Corresponds to
ReCaptcha Enabled
-
reCaptcha.private.
key
¶ Type: string
ReCaptcha private key associated with your account.
Corresponds to
ReCaptcha Private Key
-
reCaptcha.public.
key
¶ Type: string
ReCaptcha public key associated with your account.
Corresponds to
ReCaptcha Public Key
-
mms.session.
maxHours
¶ Type: number
Number of hours before a session on the Ops Manager website expires.
Set this value to 0 to use browser session cookies only.
Corresponds to
Session Max Hours
Web Server¶
-
mms.
centralUrl
¶ Type: string
FQDN and port number of the Ops Manager Application.
To use a port other than 8080, see Manage Ops Manager Ports.
Corresponds to
URL to Access Ops Manager
-
mms.https.
PEMKeyFile
¶ Type: string
Absolute path to the PEM file that contains the Ops Manager Application’s valid certificate and private key. The PEM file is required if the Ops Manager Application uses HTTPS to encrypt connections between the Ops Manager Application, the agents, and the web interface.
The default port for HTTPS access to the Ops Manager Application is 8443, as set in the <install_dir>/conf/mms.conf file. If you change this default, you must also change the port specified in the mms.centralUrl setting.
Corresponds to
HTTPS PEM Key File
-
mms.https.
PEMKeyFilePassword
¶ Type: string
Password for the HTTPS PEM key file. This is required if the PEM file contains an encrypted private key. If storing this in the conf-mms.properties file, you can encrypt the password using the Ops Manager credentialstool.
Corresponds to
HTTPS PEM Key File Password
-
mms.https.
ClientCertificateMode
¶ Type: string
Specifies if Ops Manager requires clients to present valid TLS/SSL client certificates when connecting to it. Accepted values are:
- none
- agents_only
- required
Corresponds to
Client Certificate Mode
-
mms.https.
CAFile
¶ Type: string
Specifies the filesystem location of a certificate authority file containing the list of acceptable client certificates.
If you want to use a private certificate authority, you must also include the mms.https.CAFile setting.
Corresponds to
CA File
-
mms.remoteIp.
header
¶ Type: string
If you use a load balancer with the Ops Manager Application, set this to the HTTP header field the load balancer uses to identify the originating client’s IP address to the Ops Manager host. When you specify Load Balancer Remote IP Header, do not allow clients to connect directly to any Ops Manager host. A load balancer placed in front of the Ops Manager hosts must not return cached content.
Once Load Balancer Remote IP Header is set, Ops Manager enables the following HTTP headers:
HTTP Header | Forwards to Ops Manager |
---|---|
X-Forwarded-Host | Original host that the client requested in the Host HTTP request header. |
X-Forwarded-Proto | Protocol used to make the HTTP request. |
X-Forwarded-Server | Hostname of the proxy server. |
X-Proxied-Https | HTTPS status of a request. |
To learn more, see Configure a Highly Available Ops Manager Application.
Corresponds to
Load Balancer Remote IP Header
-
mms.
minimumTLSVersion
¶ Type: string
Specifies the TLS version required for clients to connect to Ops Manager. This property affects all clients, such as browsers used to connect to the Ops Manager Admin interface and command-line tools, such as curl, used to connect to the REST API. The following values are accepted:
- TLSv1
- TLSv1.1
- TLSv1.2 (default)
Note
TLSv1.2 requires connecting clients to meet the following minimum requirements:
- Browser supports TLS version 1.2
- curl version 7.34.0+
- OpenSSL version 1.0.1+
To set mms.minimumTLSVersion, click Config and then click the Custom tab.
-
mms.
disableCiphers
¶ Type: string
Specifies a list of TLS cipher suites which your instance of Ops Manager will not accept when clients connect to the Ops Manager Application and API. Specify TLS cipher suite names as a comma-separated list, as in the following example.
Important
Cipher suite names used in Ops Manager must follow RFC 5246 naming conventions. Do not use the OpenSSL naming convention. For convenience, Ops Manager logs a list of all supported cipher suite names during startup. If Ops Manager does not recognize a TLS cipher suite name, it logs the following warning:
Your config lists the following as ciphers which should be disabled as the JDK does not recognize them. Please check the format of the entries and list of enabled ciphers. [unrecognized_cipher_name]
To set mms.disableCiphers, click Config and then click the Custom tab.
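The Web Server settings above can be reviewed mechanically before they are deployed. The following is an added example, not code from Ops Manager or its documentation: the function names, the cipher-name pattern and the sample values are assumptions, and the input is assumed to hold the effective settings (a local conf-mms.properties holds only that server's overrides).

```python
import re

TLS_VERSIONS = ("TLSv1", "TLSv1.1", "TLSv1.2")      # values listed on this page
CERT_MODES = ("none", "agents_only", "required")    # values listed on this page
# Format heuristic (assumption); Ops Manager's startup log lists the real names.
RFC_STYLE = re.compile(r"^TLS_[A-Z0-9_]+_WITH_[A-Z0-9_]+$")

def parse_properties(text):
    """Simplified key=value reader: no escapes or continuation lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit_web_server(props):
    """Return (setting, message) findings for the Web Server settings."""
    findings = []
    version = props.get("mms.minimumTLSVersion", "TLSv1.2")
    if version not in TLS_VERSIONS:
        findings.append(("mms.minimumTLSVersion", f"unrecognized value {version}"))
    elif version != "TLSv1.2":
        findings.append(("mms.minimumTLSVersion", f"{version} admits clients below TLSv1.2"))
    for name in (n.strip() for n in props.get("mms.disableCiphers", "").split(",")):
        if name and not RFC_STYLE.match(name):
            findings.append(("mms.disableCiphers", f"{name} is not an RFC 5246 style name"))
    mode = props.get("mms.https.ClientCertificateMode")
    if mode is not None and mode not in CERT_MODES:
        findings.append(("mms.https.ClientCertificateMode", f"unrecognized value {mode}"))
    url = props.get("mms.centralUrl", "")
    if url.startswith("https://") and "mms.https.PEMKeyFile" not in props:
        findings.append(("mms.https.PEMKeyFile", "HTTPS URL but no PEM key file"))
    elif url.startswith("http://"):
        findings.append(("mms.centralUrl", "URL is plain HTTP"))
    return findings

# Constructed sample settings, not taken from a real deployment.
SAMPLE = """\
# web server settings (constructed)
mms.centralUrl=https://opsmanager.example.net:8443
mms.https.ClientCertificateMode=agents-only
mms.minimumTLSVersion=TLSv1
mms.disableCiphers=TLS_RSA_WITH_3DES_EDE_CBC_SHA, DES-CBC3-SHA
"""

if __name__ == "__main__":
    print(audit_web_server(parse_properties(SAMPLE)))
```

The second cipher entry in the sample uses the OpenSSL naming convention, which is the case the Important note above warns about.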
Webhook¶
-
mms.alerts.webhook.
adminEndpoint
¶ Type: string
Corresponds to
Webhook URL
-
mms.alerts.webhook.
adminSecret
¶ Type: string
Corresponds to
Webhook Secret