MongoDB Agent Settings

This page describes possible settings for the MongoDB Agent. These values are set after first launching Ops Manager and not through manual editing of these files.

To learn about the Ops Manager settings and their values, see Ops Manager Configuration Settings.

Warning

If you edit authentication or TLS settings through Settings or Deployments in the Ops Manager interface, those changes overwrite any manual changes in this configuration file.

You can configure additional Monitoring settings and Backup settings through the Ops Manager Console.

mmsGroupId

Type: string

Specifies the ID of your Ops Manager project. Find the project ID on the Project Settings page (Settings > Project Settings).

Ops Manager configures this setting when you install the MongoDB Agent. If you need to configure Monitoring separately, include this setting to bind the server to a project.

mmsGroupId=8zvbo2s2asigxvmpnkq5yexf
mmsApiKey

Type: string

Specifies the MongoDB Agent API key of your Ops Manager project.

You can use an Agent API key that you have already generated for the project. Otherwise, you can generate a new Agent API key. A project can have more than one Agent API key, and any of the project's agents can use any of the keys. For more information, see Manage Agent API Keys.

To generate an Agent API key, go to the Agent API Keys tab. To navigate to the tab, from the Deployment view, click the Agents tab and then the Agent API Keys tab.

Important

When you generate an Agent API Key, Ops Manager displays it one time only. You must copy this key. Treat it like a password; store it in a secure place. Ops Manager never displays the full key again.

Ops Manager configures this setting when you install the MongoDB Agent. If you need to configure Monitoring separately, include this setting.

mmsApiKey=rgdte4w7wwbnds9nceuodx9mcte2zqem
mmsBaseUrl

Type: string

Specifies the URL of the Ops Manager Application.

mmsBaseUrl=http://example.com:8080
logFile

Type: string

Specifies the path to which Ops Manager should write the MongoDB Agent's log.

The default path depends on your platform. The MongoDB Agent uses the default filename automation-agent.log whether or not the deployment uses Automation.

Important

Automatic rotation of your MongoDB Agent logs only occurs when an update to the log file is made. To manually rotate your MongoDB Agent logs, see Manually Rotate the MongoDB Agent Logs for more information.

| Platform | Default Path |
| --- | --- |
| Linux | /var/log/mongodb-mms-automation/automation-agent.log |
| Windows | C:\MMSAutomation\log\mongodb-mms-automation\automation-agent.log |

logFile=/path/to/mongodb-mms-automation/automation-agent.log
logLevel

Type: string

Specifies the level of logging granularity.

Warning

The Admin Project Settings for Monitoring Agent Log Level and Automation Agent Log Level override this parameter.

Choose from the following severity levels, from most to least amount of information:

  • DEBUG

  • INFO

  • WARN

  • ERROR

  • FATAL

By default, logLevel is INFO.

logLevel=INFO

Each level includes the log items included in the succeeding levels.

Example

  • If you choose DEBUG, the MongoDB Agent logs all messages, including INFO, WARN, ERROR and FATAL.

  • If you choose FATAL, the MongoDB Agent only logs FATAL messages.

maxLogFiles

Type: integer

Specifies the maximum number of rotated log files to retain.

By default, the value of maxLogFiles is set to 10. You can change the value to retain a different number of rotated log files.

maxLogFiles=15
maxLogFileDurationHrs

Type: float

Specifies the number of hours after which the logs are rotated.

Note

Manually Rotate the MongoDB Agent Logs

On UNIX- and Linux-based systems you can manually rotate the MongoDB Agent logs. Issue a kill command with the SIGUSR1 signal for the Agent process:

kill -SIGUSR1 <AgentID>

On Windows-based systems, you can manually restart the MongoDB Agent with a Service restart:

  1. Click the Start menu.

  2. Search for services.

  3. Find the MongoDB Agent.

  4. Right-click on the Agent and click Restart.

This rotates the MongoDB Agent logs.

maxLogFileSize

Type: integer

Specifies the maximum size, in bytes, of a log file before the logs are rotated. If unspecified, the MongoDB Agent does not rotate logs based on file size.

maxLogFileSize=536870912
maxUncompressedLogFiles

Type: integer

Specifies the maximum number of rotated log files to keep uncompressed. MongoDB Agent automatically compresses any additional retained log files up to the maxLogFiles value.

By default, the value of maxUncompressedLogFiles is set to 2. You can change the value to compress a different number of rotated log files.

maxUncompressedLogFiles=10
dialTimeoutSeconds

Type: integer

Specifies the number of seconds to wait before a connection times out. By default, connections time out after 40 seconds. However, the MongoDB Agent may frequently time out of connections for one or more of the following reasons:

  • High network latency

  • High server load

  • Large TLS keys

  • Lack of TLS accelerator

  • Insufficient CPU speed

MongoDB recommends gradually increasing the value of the dialTimeoutSeconds MongoDB Agent configuration setting to prevent frequent premature connection timeouts.

dialTimeoutSeconds=40

Note

Increasing this value also increases the time required to deploy configuration changes to the MongoDB Agent. Experiment with small, incremental increases until you determine the optimum value for your deployment.

serverSelectionTimeoutSeconds

Type: integer

Specifies the number of seconds the MongoDB Agent waits before it stops trying to establish a connection to a MongoDB process. By default, the MongoDB Agent abandons attempts to establish a connection after 10 seconds.

serverSelectionTimeoutSeconds=10
httpProxy

Type: string

Specifies the URL of an HTTP proxy server the MongoDB Agent can use.

httpProxy=http://proxy.example.com:8080
mmsConfigBackup

Type: string

Specifies the path to the Ops Manager configuration backup file. This file describes the desired state of the deployment.

If you don't specify the mmsConfigBackup setting, the MongoDB Agent writes the mongodb-mms-automation-cluster-backup.json file to a temporary folder on the operating system.

If you set enableLocalConfigurationServer to true, the MongoDB Agent doesn't write the mmsConfigBackup file.

mmsConfigBackup=/path/to/mms-cluster-config-backup.json

Note

When Ops Manager is installed, the configuration backup file is stored in one of the following places, depending on your platform:

| Platform | Configuration Backup File Path |
| --- | --- |
| Linux | /var/lib/mongodb-mms-automation/ |
| Windows | %SystemDrive%\MMSAutomation |

Specify the settings that the MongoDB Agent uses when communicating with Ops Manager using TLS.

httpsCAFile

Type: string

Specifies the absolute path that contains the trusted Certificate Authority certificates in PEM format. This certificate verifies that the MongoDB Agent is talking to the designated Ops Manager instance.

httpsCAFile=/path/to/ca.pem

Note

Add the Certificate Authority for the downloads.mongodb.com certificate to this .pem file if you:

  1. Need your MongoDB Agents to download their MongoDB installers from the Internet,

  2. Use TLS to encrypt connections, and

  3. Signed your certificates with a private Certificate Authority. (You set the httpsCAFile option.)

To learn how to download TLS certificates from another web site, see the OpenSSL Cookbook entry.

Important

When Ops Manager starts, it caches the Certificate Authority you provided. If you change your Certificate Authority certificate, restart Ops Manager.

sslRequireValidMMSServerCertificates

Type: boolean

Important

Deprecated. Use tlsRequireValidMMSServerCertificates instead.

tlsRequireValidMMSServerCertificates

Type: boolean

Specifies if the MongoDB Agent should validate TLS certificates presented by Ops Manager.

Warning

Setting this option to false disables certificate verification and makes connections between the MongoDB Agent and Ops Manager susceptible to man-in-the-middle attacks. Setting this option to false is only recommended for testing purposes.

tlsRequireValidMMSServerCertificates=true
sslMMSServerClientCertificate

Type: string

Important

Deprecated. Use tlsMMSServerClientCertificate instead.

tlsMMSServerClientCertificate

Type: string

Specifies the path to the file containing the client's private key, certificate, and optional intermediate certificates in PEM format. The MongoDB Agent uses the client certificate when connecting to Ops Manager over TLS if Ops Manager requires client certificates, such as when Ops Manager runs with Client Certificate Mode set to Required for Agents Only or Required for All Requests.

Note

The encrypted private key for the .pem certificate file must be in PKCS #1 format. The MongoDB Agent doesn't support the PKCS #8 format.

tlsMMSServerClientCertificate=/path/to/client.pem
sslMMSServerClientCertificatePassword

Type: string

Important

Deprecated. Use tlsMMSServerClientCertificatePassword instead.

tlsMMSServerClientCertificatePassword

Type: string

Specifies the password needed to decrypt the private key in the tlsMMSServerClientCertificate file. This setting is required when the client certificate PEM file is encrypted.

Note

The encrypted private key for the .pem certificate file must be in PKCS #1 format. The MongoDB Agent doesn't support the PKCS #8 format.

Note

Use the tlsMMSServerClientCertificatePasswordExec option instead of tlsMMSServerClientCertificatePassword to specify the password from a shell command.

tlsMMSServerClientCertificatePassword=password
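
Because the Agent accepts only PKCS #1 keys and needs a password setting when the key is encrypted, it helps to inspect the client PEM file before deploying it. This added example (not part of the MongoDB documentation or tooling) classifies the private key by its PEM armor label; the sample files are constructed placeholders, not real keys.

```python
"""Check a client PEM bundle against the Agent's key-format requirement."""
import re

# PEM armor label of the private key -> key format.
KEY_FORMATS = {
    "RSA PRIVATE KEY": "PKCS #1",        # traditional RSA key
    "PRIVATE KEY": "PKCS #8",            # unencrypted PKCS #8
    "ENCRYPTED PRIVATE KEY": "PKCS #8",  # encrypted PKCS #8
}

BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def inspect_pem(text):
    """Return the key description and the number of certificates in a bundle."""
    key, certs = None, 0
    for label, body in BLOCK_RE.findall(text):
        if label == "CERTIFICATE":
            certs += 1
        elif label.endswith("PRIVATE KEY"):
            # An encrypted PKCS #1 key carries a Proc-Type header in its body;
            # an encrypted PKCS #8 key is identified by its armor label.
            encrypted = (label == "ENCRYPTED PRIVATE KEY"
                         or "Proc-Type: 4,ENCRYPTED" in body)
            key = {"label": label,
                   "format": KEY_FORMATS.get(label, "other"),
                   "encrypted": encrypted}
    return {"key": key, "certificates": certs}


def problems(text, password_configured):
    """List reasons the bundle would not work as tlsMMSServerClientCertificate.

    password_configured: True if tlsMMSServerClientCertificatePassword or
    tlsMMSServerClientCertificatePasswordExec is set in the agent config.
    """
    info = inspect_pem(text)
    key, out = info["key"], []
    if key is None:
        out.append("no private key block in file")
    else:
        if key["format"] == "PKCS #8":
            out.append(f"private key is PKCS #8 ({key['label']}); "
                       "the Agent requires PKCS #1")
        if key["encrypted"] and not password_configured:
            out.append("private key is encrypted but no password setting "
                       "is configured")
    if info["certificates"] == 0:
        out.append("no certificate block in file")
    return out


# Constructed samples: armor lines and headers only, bodies are placeholders.
PKCS1_ENCRYPTED = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00000000000000000000000000000000

QUJD
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
QUJD
-----END CERTIFICATE-----
"""

PKCS8_ENCRYPTED = """\
-----BEGIN ENCRYPTED PRIVATE KEY-----
QUJD
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
QUJD
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for name, pem in (("pkcs1", PKCS1_ENCRYPTED), ("pkcs8", PKCS8_ENCRYPTED)):
        print(name, problems(pem, password_configured=False))
```
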
sslServerClientCertificate

Type: string

Specifies the path to the file containing the client's private key, certificate, and optional intermediate certificates in PEM format. The MongoDB Agent uses the client certificate when connecting to Ops Manager over TLS if Ops Manager requires client certificates, such as when Ops Manager runs with Client Certificate Mode set to Required for Agents Only or Required for All Requests.

sslServerClientCertificate=/path/to/client.pem
sslServerClientCertificatePassword

Specifies the password needed to decrypt the private key in the sslServerClientCertificate file. This setting is required when the client certificate PEM file is encrypted.

sslServerClientCertificatePassword=password
sslRequireValidMMSBackupServerCertificate

Specifies if the MongoDB Agent should validate TLS certificates from Ops Manager.

Warning

Setting this option to false disables certificate verification and makes connections between the MongoDB Agent and Ops Manager susceptible to man-in-the-middle attacks. Setting this option to false is only recommended for testing purposes.

sslRequireValidMMSBackupServerCertificate=true
agentFeatureCloudMigrationEnabled

Type: boolean

Optional.

Specifies whether the MongoDB Agent on the migration host is configured to run the Live Migration process from a source Ops Manager deployment to a target cluster in Atlas.

This option defaults to false, which prevents using the MongoDB Agent on this host for Live Migration to Atlas.

To enable the Live Migration process, provision a migration host and set agentFeatureCloudMigrationEnabled to true.

cloudMigrationOplogPath

Type: string

Optional.

Path to the oplog files. If specified, this setting buffers the initial sync oplog window to disk. Provision enough storage in the specified directory for the oplog buffering.

enableLocalConfigurationServer

Type: boolean

Specifies whether the MongoDB Agent stores MongoDB process configuration files on disk or cached in memory.

This option defaults to false, which stores the configuration files on disk. Setting this option to true caches the configuration in memory.

If you set this option to true, the MongoDB Agent doesn't write the mmsConfigBackup file.

Don't set this option to true if your MongoDB databases are running FCV 4.2 or earlier.

Warning

Setting this option to true impacts the availability of your deployment.

When this feature is enabled, the MongoDB Agent doesn't store the MongoDB process configuration on disk. If the Ops Manager app server is unavailable and the MongoDB Agent attempts to restart, then the MongoDB Agent stops running because it doesn't have the necessary configuration information. If a MongoDB process crashes while the MongoDB Agent isn't running, then the MongoDB Agent can't restart the process.

enableLocalConfigurationServer=false
keepUnusedMongodbVersions

Type: boolean

Flag that indicates whether the MongoDB Agent retains unused MongoDB version binaries that it downloads. By default, keepUnusedMongodbVersions is false.

keepUnusedMongodbVersions=false
localConfigurationServerPort

Type: integer

Specifies the port to serve the MongoDB process configuration to when using the local configuration server. To set this option, enableLocalConfigurationServer must be true.

If unspecified, the MongoDB Agent chooses an available port automatically.

localConfigurationServerPort=20128
mmsApiKeyExec

Type: string

Specifies a shell command that outputs the Agent API key of your Ops Manager project.

mmsApiKeyExec=echo $myKey
sslMMSServerClientCertificatePasswordExec

Type: string

Important

Deprecated. Use tlsMMSServerClientCertificatePasswordExec instead.

tlsMMSServerClientCertificatePasswordExec

Type: string

Specifies a shell command that outputs the password needed to decrypt the private key in the tlsMMSServerClientCertificate file. Either this setting or tlsMMSServerClientCertificatePassword is required when the client certificate PEM file is encrypted.

tlsMMSServerClientCertificatePasswordExec=python /path/to/PEMPassword.py
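
The TLS warnings and the Exec settings above can be checked mechanically against a deployed configuration file. This added example (not MongoDB's code) parses agent key=value settings and reports disabled certificate verification, deprecated ssl* names, secrets stored inline and a plain-HTTP mmsBaseUrl; the '#' comment syntax, the severity labels and the sample values are assumptions of the example.

```python
"""Audit MongoDB Agent key=value settings for risky TLS and secret handling."""

# "false" on any of these disables certificate verification (per this page).
VERIFY_FLAGS = {
    "tlsRequireValidMMSServerCertificates",
    "sslRequireValidMMSServerCertificates",
    "sslRequireValidServerCertificates",
    "sslRequireValidMMSBackupServerCertificate",
}

# Deprecated setting -> replacement named on this page.
DEPRECATED = {
    "sslRequireValidMMSServerCertificates": "tlsRequireValidMMSServerCertificates",
    "sslMMSServerClientCertificate": "tlsMMSServerClientCertificate",
    "sslMMSServerClientCertificatePassword": "tlsMMSServerClientCertificatePassword",
}

# Secret written inline -> setting that obtains it from a shell command.
INLINE_SECRETS = {
    "mmsApiKey": "mmsApiKeyExec",
    "tlsMMSServerClientCertificatePassword":
        "tlsMMSServerClientCertificatePasswordExec",
}

RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}  # example's own severity scale


def parse_config(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # value may itself contain '='
        if not sep:
            raise ValueError(f"line {lineno}: expected key=value, got {raw!r}")
        settings[key.strip()] = value.strip()
    return settings


def audit(text):
    """Return (severity, setting, message) tuples, most severe first."""
    cfg = parse_config(text)
    findings = []
    for key, value in cfg.items():
        if key in VERIFY_FLAGS and value.lower() == "false":
            findings.append(("HIGH", key, "certificate verification disabled; "
                             "open to man-in-the-middle attacks"))
        if key in DEPRECATED:
            findings.append(("LOW", key, f"deprecated; use {DEPRECATED[key]}"))
        if key in INLINE_SECRETS and value:
            findings.append(("MEDIUM", key, "secret stored in the file; "
                             f"consider {INLINE_SECRETS[key]}"))
    if cfg.get("mmsBaseUrl", "").lower().startswith("http://"):
        findings.append(("HIGH", "mmsBaseUrl", "plain HTTP; traffic to "
                         "Ops Manager is not protected by TLS"))
    return sorted(findings, key=lambda f: (RANK[f[0]], f[1]))


# Constructed samples; every value is a placeholder.
SAMPLE = """\
# weak configuration
mmsGroupId=<project-id>
mmsApiKey=<agent-api-key>
mmsBaseUrl=http://opsmanager.example.com:8080
httpsCAFile=/path/to/ca.pem
sslRequireValidMMSServerCertificates=false
tlsMMSServerClientCertificate=/path/to/client.pem
tlsMMSServerClientCertificatePassword=<pem-password>
"""

HARDENED = """\
# corrected configuration
mmsGroupId=<project-id>
mmsApiKeyExec=/path/to/print-agent-key
mmsBaseUrl=https://opsmanager.example.com:8443
httpsCAFile=/path/to/ca.pem
tlsRequireValidMMSServerCertificates=true
tlsMMSServerClientCertificate=/path/to/client.pem
tlsMMSServerClientCertificatePasswordExec=python /path/to/PEMPassword.py
"""

if __name__ == "__main__":
    for severity, key, message in audit(SAMPLE):
        print(f"{severity:6} {key}: {message}")
```
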

The following configuration settings are used for authentication in automated clusters.

Specify these settings if Automation authenticates to hosts using Kerberos. To configure Kerberos, see Configure the MongoDB Agent for Kerberos.

krb5ConfigLocation

Type: string

Specifies an absolute path to a non-system-standard location for the Kerberos configuration file.

krb5ConfigLocation=/path/to/krb_custom.conf

Note

Ops Manager creates a Kerberos Credential (Ticket) Cache for each agent automatically when Kerberos is enabled. If you want to override the location of the Kerberos Credential Cache, you must set the KRB5CCNAME environment variable to the desired file name and path before running the agent.

backupAgentKrb5CCName

Type: string

Specifies the value of the KRB5CCNAME environment variable that the MongoDB Agent sets for the Backup process. Used only to authenticate the Backup to your MongoDB deployment when the MongoDB Agent starts the Backup function.

backupAgentKrb5CCName=/path/to/credentials_cache_file
monitoringAgentKrb5CCName

Type: string

Specifies the value of the KRB5CCNAME environment variable that the MongoDB Agent sets for the Monitoring function. Used only to authenticate Monitoring to your MongoDB deployment when the MongoDB Agent starts the Monitoring function.

monitoringAgentKrb5CCName=/path/to/credentials_cache_file

Use the Ops Manager interface to configure Monitoring settings.

  1. In the navigation, click Deployment.

  2. Click the Agents tab.

  3. Click Downloads & Settings.

  4. In the Agent Log Settings section, click next to Monitoring Log Settings.

  5. Edit the Monitoring log settings:

    Setting
    Default Value
    Console Suggested Value
    Linux Log File Path
    /var/log/mongodb-mms-automation/monitoring-agent.log
    Windows Log File Path
    %SystemDrive%\MMSAutomation\log\mongodb-mms-automation\monitoring-agent.log
    Rotate Logs
    YES
    Size Threshold (MB)
    1000
    Time Threshold (Hours)
    24
    Max Uncompressed Files
    5
    Max Percent of Disk
    2
    Total Number of Log Files
    0
  6. Click Save.

  1. In the navigation, click Deployment.

  2. Click the Agents tab.

  3. Click Downloads & Settings.

  4. In the Custom Configuration section, next to Edit Custom Configurations, click .

  5. Enter the Monitoring configuration setting and value.

  6. Click Save and Close.

You can configure the following Monitoring settings:

mmsGroupId

Type: string

Specifies the ID of your Ops Manager project. Find the project ID on the Project Settings page (Settings > Project Settings).

Ops Manager configures this setting when you install the MongoDB Agent. If you need to configure Monitoring separately, include this setting to bind the server to a project.

mmsGroupId=8zvbo2s2asigxvmpnkq5yexf
mmsApiKey

Type: string

Specifies the MongoDB Agent API key of your Ops Manager project.

You can use an Agent API key that you have already generated for the project. Otherwise, you can generate a new Agent API key. A project can have more than one Agent API key, and any of the project's agents can use any of the keys. For more information, see Manage Agent API Keys.

To generate an Agent API key, go to the Agent API Keys tab. To navigate to the tab, from the Deployment view, click the Agents tab and then the Agent API Keys tab.

Important

When you generate an Agent API Key, Ops Manager displays it one time only. You must copy this key. Treat it like a password; store it in a secure place. Ops Manager never displays the full key again.

Ops Manager configures this setting when you install the MongoDB Agent. If you need to configure Monitoring separately, include this setting.

mmsApiKey=rgdte4w7wwbnds9nceuodx9mcte2zqem
mmsBaseUrl

Type: string

Specifies the URL of the Ops Manager Application.

mmsBaseUrl=http://example.com:8080
httpProxy

Type: string

Specifies the URL of an HTTP proxy server that Monitoring can use.

httpProxy=http://proxy.example.com:8080

Specify these settings if Monitoring authenticates to hosts using Kerberos.

To configure Kerberos, see Configure the MongoDB Agent for Kerberos. The same procedures and requirements apply, only use a different UPN for Monitoring.

Note

Ops Manager creates a Kerberos Credential (Ticket) Cache for each agent automatically when Kerberos is enabled. If you want to override the location of the Kerberos Credential Cache, you must set the KRB5CCNAME environment variable to the desired file name and path before running the agent.

krb5Principal

Type: string

Specifies the Kerberos principal that Monitoring uses.

krb5Principal=monitoring/myhost@EXAMPLE.COM
krb5Keytab

Type: string

Specifies the absolute path to the Kerberos principal's keytab file.

krb5Keytab=/path/to/mms-monitoring.keytab
krb5ConfigLocation

Type: string

Specifies the absolute path to a non-system-standard location for the Kerberos configuration file.

krb5ConfigLocation=/path/to/krb_custom.conf
gssapiServiceName

Type: string

Specifies the service name with the gssapiServiceName setting.

By default, MongoDB uses mongodb as its service name.

Specify these settings when Monitoring connects to MongoDB deployments using TLS.

To learn more, see Configure MongoDB Agent to Use TLS.

useSslForAllConnections

Type: boolean

Specifies whether or not to encrypt all connections to MongoDB deployments using TLS.

Important

Setting this to true overrides any per-host TLS settings configured in the Ops Manager interface.

sslClientCertificate

Type: string

Specifies the absolute path to the private key, client certificate, and optional intermediate certificates in PEM format. Monitoring uses the client certificate to connect to any configured MongoDB deployment that uses TLS and requires client certificates. (The deployment runs with the --tlsCAFile setting.)

Example

If you want to connect to a MongoDB deployment that uses both TLS and certificate validation using mongosh:

mongosh --tls --tlsCertificateKeyFile /path/to/client.pem --tlsCAFile /path/to/ca.pem example.net:27017

You must set these settings in your Custom Settings:

sslTrustedServerCertificates=/path/to/ca.pem
sslClientCertificate=/path/to/client.pem
sslClientCertificatePassword

Type: string

Specifies the password needed to decrypt the private key in the sslClientCertificate file. Include this setting if you encrypted the client certificate PEM file.

sslClientCertificatePassword=password
sslTrustedServerCertificates

Type: string

Specifies the absolute path that contains the trusted Certificate Authority certificates in PEM format. These certificates verify the server certificate returned from any MongoDB deployments running with TLS.

sslTrustedServerCertificates=/path/to/ca.pem
sslRequireValidServerCertificates

Type: boolean

Specifies whether Monitoring should validate the TLS certificates that the MongoDB databases present.

sslRequireValidServerCertificates=true

By default, Ops Manager sets sslRequireValidServerCertificates to true. You need a valid trusted certificate to connect to MongoDB instances using TLS.

Warning

Changing this setting to false disables certificate verification and makes connections between Monitoring and MongoDB deployments susceptible to man-in-the-middle attacks. Change this setting to false only for testing purposes.

Specify the settings Monitoring uses when communicating with Ops Manager using TLS.

httpsCAFile

Type: string

Specifies the absolute path that contains the trusted Certificate Authority certificates in PEM format. Monitoring uses this certificate to verify that the agent can communicate with the designated Ops Manager instance.

By default, Monitoring uses the trusted root Certificate Authorities installed on the host.

If the agent cannot find the trusted root Certificate Authorities, configure these settings manually.

If the Ops Manager instance uses a self-signed TLS certificate, you must specify an httpsCAFile value.

httpsCAFile=/path/to/mms-certs.pem
sslRequireValidMMSServerCertificates

Type: boolean

Specifies if Monitoring should validate TLS certificates from Ops Manager.

Warning

Changing this setting to false disables certificate verification and makes connections between Monitoring and Ops Manager susceptible to man-in-the-middle attacks. Change this setting to false only for testing purposes.

sslServerClientCertificate

Type: string

Specifies the path to the file containing the client's private key, certificate, and optional intermediate certificates in PEM format. Monitoring uses the client certificate when connecting to Ops Manager over TLS if Ops Manager requires client certificates, such as when Ops Manager runs with Client Certificate Mode set to Required for Agents Only or Required for All Requests.

Tip

See also:

To learn how to specify this setting in the Ops Manager Application, see Client Certificate Mode in Ops Manager Configuration Settings.

sslServerClientCertificate=/path/to/client.pem
sslServerClientCertificatePassword

Specifies the password needed to decrypt the private key in the sslServerClientCertificate file. Include this setting if you encrypted the client certificate PEM file.

sslServerClientCertificatePassword=password

Use the Ops Manager interface to configure Backup settings.

  1. In the navigation, click Deployment.

  2. Click the Agents tab.

  3. Click Downloads & Settings.

  4. In the Agent Log Settings section, click next to Backup Log Settings.

  5. Edit the Backup log settings:

    Setting
    Default Value
    Console Suggested Value
    Linux Log File Path
    /var/log/mongodb-mms-automation/backup-agent.log
    Windows Log File Path
    %SystemDrive%\MMSAutomation\log\mongodb-mms-automation\backup-agent.log
    Rotate Logs
    YES
    Size Threshold (MB)
    1000
    Time Threshold (Hours)
    24
    Max Uncompressed Files
    5
    Max Percent of Disk
    2
    Total Number of Log Files
    0
  6. Click Save.

  1. In the navigation, click Deployment.

  2. Click the Agents tab.

  3. Click Downloads & Settings.

  4. In the Custom Configuration section, next to Edit Custom Configurations, click .

  5. Enter a Backup configuration setting and value.

  6. Click Save and Close.

You can configure the following Backup settings:

mmsGroupId

Type: string

Specifies the ID of your Ops Manager project. Find the project ID on the Project Settings page (Settings > Project Settings).

mmsGroupId=8zvbo2s2asigxvmpnkq5yexf
mmsApiKey

Type: string

Specifies the MongoDB Agent API key of your Ops Manager project.

You can use an Agent API key that you have already generated for the project. Otherwise, you can generate a new Agent API key. A project can have more than one Agent API key, and any of the project's agents can use any of the keys. For more information, see Manage Agent API Keys.

To generate an Agent API key, go to the Agent API Keys tab. To navigate to the tab, from the Deployment view, click the Agents tab and then the Agent API Keys tab.

Important

When you generate an Agent API Key, Ops Manager displays it one time only. You must copy this key. Treat it like a password; store it in a secure place. Ops Manager never displays the full key again.

Ops Manager configures this setting when you install the MongoDB Agent. If you need to configure Backup separately, include this setting.

mmsApiKey=rgdte4w7wwbnds9nceuodx9mcte2zqem
mothership

Type: string

Specifies the hostname and port of the Ops Manager Application.

Note

Don't include the protocol (http:// or https://) in the mothership setting.

mothership=example.com:8080
mothershipResponseHeaderTimeout

Type: integer

Specifies the length of time in seconds Backup waits for the Ops Manager Application to respond. If the MongoDB Agent doesn't get a response, it resets and retries the connection to the Ops Manager Application. This value defaults to 90 seconds.

backupSocketTimeoutMs

Type: integer

Specifies the length of time, in milliseconds, that a socket between Backup and Ops Manager can remain idle before Ops Manager breaks the connection. If omitted, defaults to 180000 milliseconds (3 minutes).

https

Type: boolean

Specifies whether or not communication with the Ops Manager web server uses Secure HTTP.

httpProxy

Type: string

Specifies the URL of an HTTP proxy that Backup can use.

httpProxy=http://proxy.example.com:8080

To configure Kerberos, see Configure the MongoDB Agent for Kerberos. The same procedures and requirements apply, only use a different UPN for Backup.

Note

Ops Manager creates a Kerberos Credential (Ticket) Cache for each agent automatically when Kerberos is enabled. If you want to override the location of the Kerberos Credential Cache, you must set the KRB5CCNAME environment variable to the desired file name and path before running the agent.

krb5Principal

Type: string

Specifies the Kerberos principal that Backup uses.

krb5Principal=backup/myhost@EXAMPLE.COM
krb5Keytab

Type: string

Specifies the absolute path to the Kerberos principal's keytab file.

krb5Keytab=/path/to/mms-backup.keytab
krb5ConfigLocation

Type: string

Specifies the absolute path to a non-system-standard location for the Kerberos configuration file.

krb5ConfigLocation=/path/to/krb_custom.conf
gsapiServiceName

Type: string

Specifies the service name with the gsapiServiceName setting.

By default, MongoDB uses mongodb as its service name.

Specify these settings when Backup connects to MongoDB deployments using TLS.

To learn more, see Configure MongoDB Agent to Use TLS.

sslClientCertificate

Type: string

Specifies the path to the private key, client certificate, and optional intermediate certificates in PEM format. Backup uses the client certificate when connecting to a MongoDB deployment that uses TLS and requires client certificates. (The deployment runs with the --tlsCAFile setting.)

sslClientCertificatePassword

Type: string

Specifies the password needed to decrypt the private key in the sslClientCertificate file. Include this setting if you encrypted the client certificate PEM file.

sslTrustedServerCertificates

Type: string

Specifies the path that contains the trusted CA certificates in PEM format. These certificates verify the server certificate returned from any MongoDB deployments running with TLS.

sslTrustedServerCertificates=/path/to/mongodb-certs.pem
sslRequireValidServerCertificates

Type: boolean

Specifies if Backup should validate TLS certificates presented by the MongoDB deployments.

Warning

Changing this setting to false disables certificate verification and makes connections between Backup and MongoDB deployments susceptible to man-in-the-middle attacks. Set this setting to false only for testing purposes.

Specify the settings Backup uses when communicating with Ops Manager using TLS.

sslTrustedMMSBackupServerCertificate

Specifies the absolute path that contains the trusted Certificate Authority certificates in PEM format. Backup uses this certificate to verify that the MongoDB Agent can communicate with the designated Ops Manager instance.

By default, Backup uses the trusted root Certificate Authorities installed on the system.

If Backup cannot find the trusted root Certificate Authorities, configure these settings manually.

If Ops Manager uses a self-signed TLS certificate, provide a value for this setting.

sslTrustedMMSBackupServerCertificate=/path/to/mms-certs.pem
sslRequireValidMMSBackupServerCertificate

Specifies if Backup should validate TLS certificates from Ops Manager.

Warning

Changing this setting to false disables certificate verification and makes connections between Backup Agent and Ops Manager susceptible to man-in-the-middle attacks. Change this setting to false only for testing purposes.

sslRequireValidMMSBackupServerCertificate=true
sslServerClientCertificate

Type: string

Specifies the path to the file containing the client's private key, certificate, and optional intermediate certificates in PEM format. Backup uses the client certificate when connecting to Ops Manager over TLS if Ops Manager requires client certificates, such as when Ops Manager runs with Client Certificate Mode set to Required for Agents Only or Required for All Requests.

Tip

See also:

To learn how to specify this setting in the Ops Manager Application, see Client Certificate Mode in Ops Manager Configuration Settings.

sslServerClientCertificate=/path/to/client.pem
sslServerClientCertificatePassword

Type: string

Specifies the password needed to decrypt the private key in the sslServerClientCertificate file. Include this setting if you encrypted the client certificate PEM file.

sslServerClientCertificatePassword=password