Ops Manager Configuration Settings

Bypass Initial Configuration via the User Interface

If you would like to skip the initial setup wizard after creating the first account and either edit the conf-mms.properties file or use the API to configure Ops Manager, change the following settings. This setting can help if you are automating the deployment of Ops Manager instances.

mms.ignoreInitialUiSetup

Type: boolean

Set this to true to allow full use of Ops Manager without requiring the first user account to complete the initial setup wizard.

Warning

Ops Manager performs its regular pre-flight check to verify that it has all of the required settings. If one or more of those settings are not included in conf-mms.properties, Ops Manager refuses to start and lists which fields are missing in the log file.

Before starting Ops Manager, add the following required settings to conf-mms.properties to enable basic Ops Manager functionality:

UI Setting	conf-mms.properties Setting	Necessity
URL to Access Ops Manager	mms.centralUrl	Required
None	mongo.mongoUri	Required
Client Certificate Mode	mms.https.ClientCertificateMode	Required
"From" Email Address	mms.fromEmailAddr	Required
"Reply To" Email Address	mms.replyToEmailAddr	Required
Admin Email Address	mms.adminEmailAddr	Required
Email Delivery Method Configuration	mms.emailDaoClass	Required
Transport	mms.mail.transport	Required
SMTP Server Hostname	mms.mail.hostname	Required
SMTP Server Port	mms.mail.port	Required
User Authentication Method	mms.userSvcClass	Optional
Snapshot Interval (Hours)	brs.snapshotSchedule.interval	Optional
Base Retention of Snapshots (in Days)	brs.snapshotSchedule.retention.base	Optional
Daily Retention of Snapshots (in Days)	brs.snapshotSchedule.retention.daily	Optional
Weekly Retention of Snapshots (in Weeks)	brs.snapshotSchedule.retention.weekly	Optional
Monthly Retention of Snapshots (in Months)	brs.snapshotSchedule.retention.monthly	Optional
Versions Directory	automation.versions.directory	Optional

Note

Fields marked as Optional have default values. If you want to change them, you can provide the setting and a new value.

Example

The following values are examples. Substitute values appropriate to your Ops Manager installation. You may add any of the other settings specified in this reference.

To configure an Ops Manager installation with the minimum functionality, add the following settings to conf-mms.properties:

mms.ignoreInitialUiSetup=true
mongo.mongoUri=mongodb://db1.example.com:27017,db2.example.com:27017,db3.example.com:27017
mms.centralUrl=http://localhost:8080
mms.fromEmailAddr=example@example.com
mms.replyToEmailAddr=example@example.com
mms.adminEmailAddr=example@example.com
mms.mail.transport=smtp
mms.mail.hostname=mail.example.com
mms.mail.port=465

All Clusters View

mms.allclusters.onlyMembership

Type: boolean

Default: False

Determines whether the View All Clusters displays only the deployments to which an Ops Manager administrator belongs (set the value to true) or the deployments to which the administrator has access (set the value to false).

Application Database Connection

The following settings configure the Ops Manager connection to the Ops Manager Application Database. You must configure this setting in the conf-mms.properties file on each Ops Manager server. To encrypt authentication information, see Encrypt User Credentials.

mongo.mongoUri

Type: string

connection string used to access the Ops Manager Application Database. If applicable, the connection string must include the authentication credentials for the authentication mechanism used on the Ops Manager Application database.

How you format your connection string depends on:

• the type of cluster you deployed for your backing databases,

• the protocol you use, and

• the authentication method you use.

Replica Sets

Sharded Cluster

If you use a replica set for the database's backing instance, your connection string may include either the hostnames of all replica set members or the hostname for the DNS seedlist.

Standard

DNS Seedlist

If you choose a standard connection string, include all members of the replica set in the URI. If you omit the port number, Ops Manager uses the default 27017 port for all hosts.

None

Challenge/Response

x.509 Certificate

LDAP

Kerberos

mongo.mongoUri=mongodb://mongod1.example.com:40000,mongod2.example.com:40000,mongod3.example.com:40000

Prepend the MongoDB username and password to the hostname. Write the username and password in this format: <username>:<password>@

mongo.mongoUri=mongodb://mongodbuser1:password@mongod1.example.com:40000,mongod2.example.com:40000,mongod3.example.com:40000

Note

Necessary MongoDB Roles

The MongoDB user that authenticates to the backing databases must have the following roles:

• readWriteAnyDatabase

• dbAdminAnyDatabase

• clusterAdmin if the database is a sharded cluster, otherwise clusterMonitor

You should find the client certificate in the PEM file you specified in the mongodb.ssl.PEMKeyFile setting.

• Prepend the value of the subject from the client certificate as a MongoDB user to the host.

• Append authMechanism=MONGODB-X509 to the specified port.

mongo.mongoUri=mongodb://<new_mongodb_user>@mongod1.example.com:40000,mongod2.example.com:40000,mongod3.example.com:40000/?authMechanism=MONGODB-X509

• Prepend the MongoDB username and password to the hostname in this format: <username>:<password>@.

• Append the authentication mechanism to the port in this format: authMechanism=PLAIN&authSource=$external

mongo.mongoUri=mongodb://mongodbuser1:password@mongod1.example.com:40000,mongod2.example.com:40000,mongod3.example.com:40000/?authMechanism=PLAIN&authSource=$external

• Prepend the hostname with the Kerberos user principal.

  Write Kerberos UPNs as <username>@<KERBEROS REALM>. Escape the UPN using the URL encoded representation. A Kerberos user principal of username@REALM.EXAMPLE.COM would therefore become username%40REALM.EXAMPLE.COM.

• Append the authentication mechanism to the port in this format: authMechanism=GSSAPI.

mongo.mongoUri=mongodb://username%40REALM.EXAMPLE.COM@mongod1.example.com:40000,mongod2.example.com:40000,mongod3.example.com:40000/?authMechanism=GSSAPI

Note

Modify Kerberos Settings

To enable Kerberos, modify the following settings:

• jvm.java.security.krb5.conf

• jvm.java.security.krb5.kdc

• jvm.java.security.krb5.realm

• mms.kerberos.debug

• mms.kerberos.keyTab

• mms.kerberos.principal

Note

Ops Manager doesn't require the replicaSet option in the URI.

New in version Ops: Manager 4.4.0

If you choose a DNS seedlist connection string, include the DNS SRV record that describes your database's backing instance replica set. The connection string uses the mongodb+srv: protocol, not the mongodb: protocol.

None

Challenge/Response

x.509 Certificate

LDAP

Kerberos

mongo.mongoUri=mongodb+srv://db.example.com:40000

Prepend the MongoDB username and password to the hostname. Write the username and password in this format: <username>:<password>@

mongo.mongoUri=mongodb+srv://mongodbuser1:password@mongod.example.com:40000

Note

Necessary MongoDB Roles

The MongoDB user that authenticates to the backing databases must have the following roles:

• readWriteAnyDatabase

• dbAdminAnyDatabase

• clusterAdmin if the database is a sharded cluster, otherwise clusterMonitor

You should find the client certificate in the PEM file you specified in the mongodb.ssl.PEMKeyFile setting.

• Prepend the value of the subject from the client certificate as a MongoDB user to the host.

• Append authMechanism=MONGODB-X509 to the specified port.

mongo.mongoUri=mongodb+srv://<new_mongodb_user>@mongod.example.com:40000/?authMechanism=MONGODB-X509

• Prepend the MongoDB username and password to the hostname in this format: <username>:<password>@.

• Append the authentication mechanism to the port in this format: authMechanism=PLAIN&authSource=$external

mongo.mongoUri=mongodb+srv://mongodbuser1:password@mongod.example.com:40000/?authMechanism=PLAIN&authSource=$external

• Prepend the hostname with the Kerberos user principal.

  Write Kerberos UPNs as <username>@<KERBEROS REALM>. Escape the UPN using the URL encoded representation. A Kerberos user principal of username@REALM.EXAMPLE.COM would therefore become username%40REALM.EXAMPLE.COM.

• Append the authentication mechanism to the port in this format: authMechanism=GSSAPI.

mongo.mongoUri=mongodb+srv://username%40REALM.EXAMPLE.COM@mongod.example.com:40000/?authMechanism=GSSAPI

Note

Modify Kerberos Settings

To enable Kerberos, modify the following settings:

• jvm.java.security.krb5.conf

• jvm.java.security.krb5.kdc

• jvm.java.security.krb5.realm

• mms.kerberos.debug

• mms.kerberos.keyTab

• mms.kerberos.principal

This option requires a DNS SRV record for the application database. The DNS entry uses the DNS seedlist string format. Make sure Ops Manager can connect to this application database.

Tip

DNS Seedlist Connection Format

If you use a sharded cluster for the database's backing instance, your connection string may include either the hostnames of all mongos routers or the hostname for the DNS seedlist.

Standard

DNS Seedlist

If you choose a standard connection string, include all shards in the URI. If you omit the port number, Ops Manager uses the default 27017 port for all hosts.

None

Challenge/Response

x.509 Certificate

LDAP

Kerberos

mongo.mongoUri=mongodb://mongos1.example.com:40000,mongos2.example.com:40000

Prepend the MongoDB username and password to the hostname. Write the username and password in this format: <username>:<password>@

mongo.mongoUri=mongodb://mongodbuser1:password@mongos1.example.com:40000,mongos2.example.com:40000

Note

Necessary MongoDB Roles

The MongoDB user that authenticates to the backing databases must have the following roles:

• readWriteAnyDatabase

• dbAdminAnyDatabase

• clusterAdmin if the database is a sharded cluster, otherwise clusterMonitor

You should find the client certificate in the PEM file you specified in the mongodb.ssl.PEMKeyFile setting.

• Prepend the value of the subject from the client certificate as a MongoDB user to the host.

• Append authMechanism=MONGODB-X509 to the specified port.

mongo.mongoUri=mongodb://<new_mongodb_user>@mongos1.example.com:40000,mongos2.example.com:40000/?authMechanism=MONGODB-X509

• Prepend the MongoDB username and password to the hostname in this format: <username>:<password>@.

• Append the authentication mechanism to the port in this format: authMechanism=PLAIN&authSource=$external

mongo.mongoUri=mongodb://mongodbuser1:password@mongos1.example.com:40000,mongos2.example.com:40000/?authMechanism=PLAIN&authSource=$external

• Prepend the hostname with the Kerberos user principal.

  Write Kerberos UPNs as <username>@<KERBEROS REALM>. Escape the UPN using the URL encoded representation. A Kerberos user principal of username@REALM.EXAMPLE.COM would therefore become username%40REALM.EXAMPLE.COM.

• Append the authentication mechanism to the port in this format: authMechanism=GSSAPI.

mongo.mongoUri=mongodb://username%40REALM.EXAMPLE.COM@mongos1.example.com:40000,mongos2.example.com:40000/?authMechanism=GSSAPI

Note

Modify Kerberos Settings

To enable Kerberos, modify the following settings:

• jvm.java.security.krb5.conf

• jvm.java.security.krb5.kdc

• jvm.java.security.krb5.realm

• mms.kerberos.debug

• mms.kerberos.keyTab

• mms.kerberos.principal

Note

Ops Manager doesn't require the replicaSet option in the URI.

New in version Ops: Manager 4.4.0

If you choose a DNS seedlist connection string, include the DNS SRV record that describes your database's backing instance sharded cluster. The connection string uses the mongodb+srv: protocol, not the mongodb: protocol.

None

Challenge/Response

x.509 Certificate

LDAP

Kerberos

mongo.mongoUri=mongodb+srv://db.example.com:40000

Prepend the MongoDB username and password to the hostname. Write the username and password in this format: <username>:<password>@

mongo.mongoUri=mongodb+srv://mongodbuser1:password@mongos.example.com:40000

Note

Necessary MongoDB Roles

The MongoDB user that authenticates to the backing databases must have the following roles:

• readWriteAnyDatabase

• dbAdminAnyDatabase

• clusterAdmin if the database is a sharded cluster, otherwise clusterMonitor

You should find the client certificate in the PEM file you specified in the mongodb.ssl.PEMKeyFile setting.

• Prepend the value of the subject from the client certificate as a MongoDB user to the host.

• Append authMechanism=MONGODB-X509 to the specified port.

mongo.mongoUri=mongodb+srv://<new_mongodb_user>@mongos.example.com:40000/?authMechanism=MONGODB-X509

• Prepend the MongoDB username and password to the hostname in this format: <username>:<password>@.

• Append the authentication mechanism to the port in this format: authMechanism=PLAIN&authSource=$external

mongo.mongoUri=mongodb+srv://mongodbuser1:password@mongos.example.com:40000/?authMechanism=PLAIN&authSource=$external

• Prepend the hostname with the Kerberos user principal.

  Write Kerberos UPNs as <username>@<KERBEROS REALM>. Escape the UPN using the URL encoded representation. A Kerberos user principal of username@REALM.EXAMPLE.COM would therefore become username%40REALM.EXAMPLE.COM.

• Append the authentication mechanism to the port in this format: authMechanism=GSSAPI.

mongo.mongoUri=mongodb+srv://username%40REALM.EXAMPLE.COM@mongos.example.com:40000/?authMechanism=GSSAPI

Note

Modify Kerberos Settings

To enable Kerberos, modify the following settings:

• jvm.java.security.krb5.conf

• jvm.java.security.krb5.kdc

• jvm.java.security.krb5.realm

• mms.kerberos.debug

• mms.kerberos.keyTab

• mms.kerberos.principal

This option requires a DNS SRV record for the application database. The DNS entry uses the DNS seedlist string format. Make sure Ops Manager can connect to this application database.

Tip

DNS Seedlist Connection Format

mongo.encryptedCredentials

Type: boolean

To use encrypted credentials in mongo.mongoUri, encrypt the credentials using the Ops Manager credentialstool, enter them in the mongo.mongoUri setting, and set this to true:

mongo.encryptedCredentials=true

Automation Default Paths

automation.default.backupAgentLogFile

Type: string

Default: /var/log/mongodb-mms-automation/backup-agent.log

Default path for the Backup logs on Linux/macOS.

automation.default.certificateAuthorityFile

Type: string

Default path for the Certificate Authority file on Linux/macOS.

automation.default.dataRoot

Type: string

Default: /data

Default data path for the MongoDB databases that Automation manages.

automation.default.downloadBase

Type: string

Default: /var/lib/mongodb-mms-automation

Default path for the Monitoring, Backup, and MongoDB binaries for the deployments managed by Automation on Linux/macOS.

automation.default.monitoringAgentLogFile

Type: string

Default: /var/log/mongodb-mms-automation/monitoring-agent.log

Default path for the Monitoring logs on Linux/macOS.

mms.agentCentralUrl

Type: string

FQDN of the Ops Manager Application to which the legacy Monitoring Agents or MongoDB Agents use to push monitoring data.

Uses the value of mms.centralUrl if not set.

Important

If you plan on accessing your Ops Manager Application using its IPv6 address, you must enclose the IPv6 address in square brackets ([ ]) to separate it from its port number.

For example:

http://[2600:1f16:777:8700:93c2:b99c:a875:2b10]:8080

Backup

mms.alerts.BackupAgentConfCallFailure.maximumFailedConfCalls

Type: integer

Default: 10

If the Backup experiences more than this number of consecutive failed conf calls, Ops Manager triggers the following global alert: Backup has too many conf call failures.

mms.alerts.OutsideSpaceUsedThreshold.maximumSpaceUsedPercent

Type: integer

Default: 85

If the blockstore uses at least this percentage of its total disk capacity, Ops Manager triggers the following system alert: Blockstore space used exceeds threshold.

mms.backupCentralUrl

Type: string

FQDN of the Ops Manager Application to which the legacy Backup Agents or MongoDB Agents use to send backup data.

Uses the value of mms.centralUrl if not set.

Important

If you plan on accessing your Ops Manager Application using its IPv6 address, you must enclose the IPv6 address in square brackets ([ ]) to separate it from its port number.

For example:

http://[2600:1f16:777:8700:93c2:b99c:a875:2b10]:8080

mms.backup.journal.heads

Type: boolean

Default: False

This sets whether the HEAD database should use journaling. See Manage Backup Jobs to enable or disable journaling for the head database of a single backup job.

FCV 4.2 and later use backup cursors instead of head databases for backups.

mms.backup.minimumOplogWindowHours

Type: float

Default: 3

This sets the minimum number of hours of database operations that the oplog should record.

Your deployment's oplog needs to be large enough to hold recovery data since the last snapshot. Increase this value to have Ops Manager monitor the oplog capacity. You should set this value to meet or exceed the value in brs.snapshotSchedule.interval.

If you set the value to less than brs.snapshotSchedule.interval, you may have a gap between the last snapshot and the end of the oplog. This makes the backup unusuable for restores. Stale backup jobs must be resynchronized before it can be used for restores.

Diagnostic Archive

mms.admin.diagnostics.archiveDocCountLimit

Type: integer

Default: 10000

Maximum number of entries that Ops Manager should retrieve from the activity feed.

mms.admin.diagnostics.archiveDocSizeLimit

Type: integer

Default: 7

Maximum number of days of data that Ops Manager should retrieve from the activity feed.

mms.admin.diagnostics.archiveDocAgeLimit

Type: integer

Default: 7

Maximum number of days of data that Ops Manager should retrieve from the activity feed.

mms.automation.diagnostics.lastAgentStatusDocAgeLimit

Type: integer

Default: 7

Add the last specified days of the automationLastAgentStatus in diagnostic archive.

mms.automation.diagnostics.includeEmptyProcessConfigs

Type: boolean

Default: False

Flag that indicates whether to add automationConfigs for groups with non-empty processes array in diagnostic archive.

Email

mms.fromEmailAddr

Type: string

Email address used for sending the general emails, such as Ops Manager alerts. You can include an alias with the email address.

mms.fromEmailAddr=mms-alerts@example.com

Corresponds to From Email Address.

mms.replyToEmailAddr

Type: string

Email address from which to send replies to general emails.

Corresponds to Reply To Email Address.

mms.adminEmailAddr

Type: string

Email address of the Ops Manager admin. This address receives emails related to problems with Ops Manager.

Corresponds to Admin Email Address.

mms.emailDaoClass

Type: string

Default: SIMPLE_MAILER

Email interface to use.

This setting is labeled in different ways for the user interface and the configuration file.

Delivery Method	Configuration Setting (mms.emailDaoClass)
AWS SES	AWS_MAILER
SMTP	SIMPLE_MAILER

If you set this to SMTP Email Server, you must set:

• mms.mail.transport

• mms.mail.hostname

• mms.mail.port

• mms.mail.username

• mms.mail.password

• mms.mail.tls

If you set this to AWS Simple Email Service, you must set:

• aws.ses.endpoint

• aws.accesskey

• aws.secretkey

Corresponds to Email Delivery Method Configuration.

HTTP Proxy

http.proxy.host

Type: string

Specify the hostname of the HTTP or HTTPS proxy to which you wish to connect.

http.proxy.host=proxy.example.com

Corresponds to Proxy Host.

http.proxy.port

Type: integer

Specify the port on which you wish to connect to the host. You must specify both the Proxy Port and Proxy Host to use a proxy.

Corresponds to Proxy Port.

http.proxy.username

Type: string

If the proxy requires authentication, use this setting to specify the username with which to connect to the proxy.

Corresponds to Proxy Username.

http.proxy.password

Type: string

If the proxy requires authentication, use this setting to specify the password with which to connect to the proxy.

Corresponds to Proxy Password.

http.proxy.nonProxyHosts

Type: string

Specify a pipe-separated (|) list of internal hosts to bypass the outgoing proxy that you configured.

*.foo.com|localhost

Corresponds to Non Proxy Hosts.

MongoDB Version Management

automation.versions.source

Type: string

Default: remote

Indicates the source of MongoDB installer binaries.

Accepted values for automation.versions.source and the conditions that must exist to set the value are:

Value	Condition
remote	Ops Manager and Agents have internet access.
hybrid	Ops Manager has internet access, but Agents do not. Ops Manager downloads MongoDB binaries from the internet; Agents download the binaries from Ops Manager.
local	Neither Ops Manager nor the Agents have internet access. An Ops Manager administrator must upload the version manifest and the MongoDB binaries to the Ops Manager host, as described in Configure Deployment to Have Limited Internet Access.

Corresponds to Installer Download Source.

automation.versions.download.baseUrl

Type: string

Default: mongodb.com, fastdl.mongodb.org

HTTP(S) endpoint to fetch MongoDB binaries from. If the endpoint is an HTTPS endpoint, the Certificate Authority file specified by httpsCAFile will be used to validate the certificate. If automation.versions.download.baseUrl is unset, the remote URLs for mongodb binaries are mongodb.com and fastdl.mongodb.org.

Corresponds to Base URL.

automation.versions.download.baseUrl.allowOnlyAvailableBuilds

Type: boolean

Default: True

When set to true, Ops Manager limits the MongoDB versions you can specify to those available for your deployment.

This setting is applied only when automation.versions.download.baseUrl is set with a custom value.

automation.versions.directory

Type: string

Default: /opt/mongodb/mms/mongodb-releases/

Specify the directory on the Ops Manager Application server where Ops Manager stores the MongoDB binaries. The Automation accesses the binaries when installing or changing versions of MongoDB on your deployments. If you set Version Manifest Source to run in Local mode, the Backup Daemons also access the MongoDB binaries from this directory. See Configure Deployment to Have Limited Internet Access for more information.

Corresponds to Versions Directory.

mongodb.release.autoDownload

Type: boolean

Default: True

Flag indicating whether the Backup Daemons automatically install the versions of MongoDB that the Backup Daemons need.

true	The daemons retrieve the binaries from MongoDB Inc. over the internet.
false	Backup Daemons do not have internet access and require that an Ops Manager administrator manually download and extract every archived version of a MongoDB release that the backup daemons need. The administrator must place the extracted binaries into the Versions Directory on the Ops Manager hosts.

Warning

Set to false when Ops Manager is running in Local Mode.

Corresponds to Backup Versions Auto Download.

mongodb.release.autoDownload.enterprise

Type: boolean

Flag indicating whether the Backup Daemons automatically install the Enterprise editions of the versions of MongoDB that the Backup Daemons need. Requires mongodb.release.autoDownload be set to true.

Warning

If you plan on running MongoDB Enterprise on Linux hosts, then you must manually install a set of dependencies to each host before installing MongoDB. The MongoDB manual provides the appropriate command to install the dependencies.

See Configure Deployment to Have Limited Internet Access.

Corresponds to Backup Versions Auto Download Enterprise Builds

mongodb.release.modulePreference

Type: string

Specifies whether to use MongoDB Community or Enterprise binaries for backup.

Accepted values are:

• enterprisePreferred

• enterpriseRequired

• communityRequired

When enterpriseRequired or communityRequired is selected, Ops Manager only uses those binaries for backup. When enterprisePreferred is selected, Ops Manager uses Enterprise binaries if available and Community binaries if they are not.

Note

When enterpriseRequired is selected, you must either set mongodb.release.autoDownload.enterprise to true or manually place Enterprise binaries in the automation.versions.directory in Local Mode.

Warning

Backup fails when either enterpriseRequired or communityRequired is selected, but the automation.versions.directory does not contain the required binary.

Corresponds to Required Module For Backup.

MongoDB Usage

mms.mongoDbUsage.defaultUsageType

Type: string

Default: Production Server

Default MongoDB Enterprise server type for all Enterprise processes that this Ops Manager instance manages.

The following table shows the accepted Server Type values and the corresponding number of licenses required for each:

Server Intention	Environment Purpose	License Requirement
Production Server	Hosts your application to your internal or external end users. If an end user might use an environment, it functions as a Production environment. This applies whether the environment also provides testing, quality assurance, evaluation, or development capabilities.	One license per server
Test/QA Server	This type of environment can be used to: Test Exercises your application to verify that it works as designed and expected. The platform configuration might be a less performant version of Production in compute, network, and storage capability. Assure system quality Validates your application against a combination of data, hardware, and software configured to simulate Production. The platform configuration should be a smaller scale of Production in compute, network, and storage capability. Stage Simulates the Production environment including performance testing and release candidate approval. The platform configuration should mirror Production in compute, network, and storage capability.	One license per server
Development Server	Hosts in progress design, code, debugging or some combination thereof for your application. Used to evaluate if the current state of your application can be promoted to another environment.	None
RAM Pool	Provides any combination of servers for any environment purpose.	One license for any number of servers up to the maximum of the total GB of RAM you purchased across these servers.

Backing Database	Hosts your Ops Manager backing database. Enable Application Database Monitoring to enable this option.	None

Corresponds to Default Ops Manager MongoDB Server Type.

mms.mongoDbUsage.ui.enabled

Type: boolean

Enables the MongoDB Usage UI in the Ops Manager Admin if set to true.

Corresponds to MongoDB Usage UI.

mms.mongoDbUsage.collectData

Type: boolean

Default: False

Enables the daily collection of MongoDB Usage Data if set to true.

Corresponds to MongoDB Usage Data Collection.

Monitoring

mms.agentCentralUrl

Type: string

FQDN of the Ops Manager Application to which the legacy Monitoring Agents or MongoDB Agents use to push monitoring data.

Uses the value of mms.centralUrl if not set.

Important

If you plan on accessing your Ops Manager Application using its IPv6 address, you must enclose the IPv6 address in square brackets ([ ]) to separate it from its port number.

For example:

http://[2600:1f16:777:8700:93c2:b99c:a875:2b10]:8080

Ops Manager Administration API

mms.publicApi.whitelistEnabled

Type: boolean

Certain API calls require that requests originate from a IP address in the access list. To turn off this requirement, add this setting and set its value to false.

Prometheus

You must configure the following settings to enable the metrics that are available for ingestion through Prometheus. You can also configure these settings in the Custom tab of the Ops Manager Config page in the Administration Console : General Tab.

After configuring these settings, you must restart Ops Manager on each instance. After restarting, the new Prometheus endpoint can be accessed at a URL in the following format:

http(s)://<opsManagerUri>:<port>/metrics

After enabling, you must configure a new scrape config similar to the following in Prometheus for each Ops Manager server that you would like to gather statistics from.

scrape_configs:
- job_name: 'opsmanager'
   static_configs:
      - targets: [<opsManagerHostname>:<port>]

Note that each server's endpoint only provides metrics for the same server.

prom.listening.enabled

Type: boolean

Flag that specifies whether to enable access for Prometheus. To enable Ops Manager Prometheus endpoint, set value to true. If omitted, defaults to false.

prom.listening.port

Type: number

The port over which Ops Manager listens for requests to the Prometheus endpoint. The port must be different than the port Ops Manager is already listening on, 8080 for HTTP or 8443 for HTTPS. Every server will listen on the specified port. So, ensure that the port is available as an open port on every server. If you want to specify different port for each server, use conf-mms.properties instead to specify the ports.

Push Live Migrations

mms.pushLiveMigrations.mmsUi.centralUrl

Type: string

Base URL for Live Migration from Ops Manager to Atlas, such as https://cloud.mongodb.com.

mms.pushLiveMigrations.syncJobs.enabled

Type: boolean

If set to true, allows Ops Manager to request information about Live Migration processes, such as:

• The list of available projects and deployments that can be used as sources for Live Migrations.

• The list of available configured migration hosts that can facilitate Live Migrations in their respective deployments and projects.

• The current status of running Live Migrations in Atlas.

Ops Manager uses this information to facilitate Live Migration processes. The default is true.

mms.pushLiveMigrations.updateJob.intervalSeconds

Type: boolean

The repeat interval, in seconds, between sync refreshes. The syncs of the organization's project information between Ops Manager and Atlas occur periodically. The default interval between syncs is 60. Ops Manager expects sync refreshes to occur within an interval from 10 to 43200 seconds (12 hours). If the actual interval between sync refreshes is longer than 43200 seconds or if the actual interval between sync refreshes is longer than 1800 seconds (30 minutes) during the validation phase, the Live Migration to Atlas might stall, time out, or fail.

Note

After updating this setting, restart the Web Server for the change to take effect.

mms.pushLiveMigrations.updateJob.cooldownSeconds

Type: boolean

The interval, in seconds, between information sync refreshes for an organization's project. The default interval between sync refreshes is 10. Ops Manager expects sync refreshes to occur within an interval from 10 to 43200 seconds (12 hours). If the actual interval between consecutive syncs is longer than 43200 seconds, the Live Migration to Atlas might stall, time out, or fail.

Note

After updating this setting, restart the Web Server for the change to take effect.

mms.pushLiveMigrations.fetchJob.intervalSeconds

Type: boolean

The repeat interval, in seconds, for syncing the Live Migration plan updates from Atlas.The plan lists the steps in the Atlas migration process. Ops Manager periodically retrieves the current plan from Atlas to check progress. Without this information, Ops Manager does not move the Live Migration process to the next stage.

The default interval between syncs is 60. Ops Manager expects sync refreshes to occur within an interval from 10 to 43200 seconds (12 hours). If the actual interval between consecutive syncs is longer than 43200 seconds, the Live Migration to Atlas might stall, time out, or fail.

Note

After updating this setting, restart the Web Server for the change to take effect.

mms.automation.agentFeatures.migrationHosts.canManageDeployments

Type: boolean

Indicates whether to show Live Migration hosts as available agents in the Add new deployment view under Projects in the user interface. The default is false.

Security

mms.security.disableBrowserCaching

Type: boolean

Default: False

When true, Ops Manager makes all HTTP responses not cacheable.

mms.security.hstsMaxAgeSeconds

Type: integer

Default: 0 (Can use HTTP or HTTPS.)

How long (in seconds) Ops Manager limits browser connections to use HTTPS. This value must be a positive integer. A value of 0 means that it can use HTTP or HTTPS.

Tip

To learn how to deploy HSTS, see HTTP Strict Transport Security, RFC 6797 and hstspreload.org.

mms.security.show.om.version

Type: boolean

Default: True

When false, Ops Manager doesn't display the version number in the login page.

Third-Party Integrations

User Authentication

mms.email.validation

Type: string

Default: false

Determines if Ops Manager requires usernames to be email addresses.

Value	Description
false	(Default) Username is not required to be an email address.
loose	Username must contain an @ symbol followed by a period.
strict	Username must adhere to a strict email address validation regular expression.

If set to strict, Ops Manager uses the following regular expression to validate that an email address adheres to the requirements described in Section 3 of RFC-3696:

^[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$

Example

jane.smith@example.com is valid. jane.smith@ex@mple.com is not.

Corresponds to Username Validation.

mms.userSvcClass

Type: string

Default: UserSvcDb

Select whether to store authentication credentials in the Ops Manager Application Database or in an LDAP directory.

Accepted values are:

Auth Method	Accepted Value
Application Database	UserSvcDb IMPORTANT: In Ops Manager 6.0, the accepted value is com.xgen.svc.mms.svc.user.UserSvcDb. If you use this old accepted value, your Ops Manager instance will not start during preflight checks.
LDAP	UserSvcLdap
SAML	UserSvcSaml

Corresponds to User Authentication Method.

Web Server

mms.centralUrl

Type: string

FQDN and port number of the Ops Manager Application.

To use a port other than 8080, see Manage Ops Manager Hostname and Ports.

mms.centralUrl=http://mms.example.com:8080

Corresponds to URL to Access Ops Manager.

Important

If you plan on accessing your Ops Manager Application using its IPv6 address, you must enclose the IPv6 address in square brackets ([ ]) to separate it from its port number.

For example:

http://[2600:1f16:777:8700:93c2:b99c:a875:2b10]:8080

mms.https.PEMKeyFile

Type: string

Absolute path to the PEM file that contains the Ops Manager Application's valid certificate and private key. The PEM file is required if the Ops Manager Application uses HTTPS to encrypt connections between the Ops Manager Application, the agents, and the web interface.

The default port for HTTPS access to the Ops Manager Application is 8443, as set in <install_dir>/conf/mms.conf file. If you change this default, you must also change the port specified in the mms.centralUrl setting.

Corresponds to HTTPS PEM Key File.

mms.https.PEMKeyFilePassword

Type: string

Password for the HTTPS PEM key file. You must include this setting if the PEM key file contains an encrypted private key.

Corresponds to HTTPS PEM Key File Password.

mms.https.ClientCertificateMode

Type: string

Specifies if Ops Manager requires clients to present valid TLS/SSL client certificates when connecting to it. Accepted values are:

• none

• agents_only

• required

Corresponds to Client Certificate Mode.

mms.https.CAFile

Type: string

Required if:

• You are using a private certificate authority.

• You set mms.https.ClientCertificateMode to agents_only or required.

• You run Ops Manager in hybrid mode with TLS enabled.

Specifies the filesystem location of a private certificate authority file containing the list of acceptable client certificates. The Ops Manager Application authenticates HTTPS requests from clients bearing a certificate described in this file.

mms.https.CAFile=/path/to/ca_file.pem

Corresponds to CA File.

mms.https.dualConnectors

Type: boolean

Default: False

Enables connections to Ops Manager using HTTP and HTTPS concurrently.

You can use this setting temporarily while you upgrade Ops Manager and the MongoDB Agents to use TLS. To ensure zero downtime, set to true and provide a value for mms.http.bindhostname. After you configure Ops Manager and the MongoDB Agents, set to false.

Important

Ops Manager is accessible using insecure connections while mms.https.dualConnectors is true.

Set mms.https.dualConnectors to false to allow secure connections only after you have updated the MongoDB Agents to use TLS connections.

mms.http.bindhostname

Type: string

Default: 127.0.0.1

The hostname or IP at which MongoDB Agents can connect to Ops Manager using HTTP.

You can use this setting temporarily while you upgrade Ops Manager and the MongoDB Agents to use TLS. To ensure zero downtime, set a value and set mms.https.dualConnectors to true. After you configure Ops Manager and the MongoDB Agents, remove the value.

mms.remoteIp.header

Type: string

If you use a load balancer with the Ops Manager Application, set this to the HTTP header field the load balancer uses to identify the originating client's IP address to the Ops Manager host. When you specify Load Balancer Remote IP Header, do not allow clients to connect directly to any Ops Manager host. A load balancer placed in front of the Ops Manager hosts must not return cached content.

Once Load Balancer Remote IP Header is set, Ops Manager enables the following HTTP headers:

HTTP Header	Forwards to Ops Manager
X-Forwarded-Host	Original host that the client requested in the Host HTTP request header.
X-Forwarded-Proto	Protocol used to make the HTTP request.
X-Forwarded-Server	Hostname of the proxy server.
X-Proxied-Https	HTTPS status of a request.

To learn more, see Configure a Highly Available Ops Manager Application.

Corresponds to Load Balancer Remote IP Header.

mms.minimumTLSVersion

Type: string

Default: TLSv1.2

Specifies the TLS version required for clients to connect to Ops Manager. This property affects all clients, such as browsers used to connect to the Ops Manager Admin interface and command-line tools, such as curl, used to connect to the REST API.

Ops Manager versions between 4.0.9 and 4.0.18 and earlier than 4.2.13 and 4.4.0

Ops Manager supports TLSv1.2 only. If you change this value to anything other than TLSv1.2, including a blank value, you can't connect to this Ops Manager.

Ops Manager versions 4.0.0 to 4.0.8, 4.0.18 or later, 4.2.13 or later, 4.4.0 or later

Ops Manager supports TLSv1.0, TLSv1.1 and TLSv1.2.

Note

TLSv1.2 requires connecting clients to meet the following minimum requirements:

• Browser supports TLS version 1.2

• curl version 7.34.0+

• OpenSSL version 1.0.1+

To set minimum.TLSVersion, follow the Modify a Custom Setting procedure with the following values:

Key	minimum.TLSVersion
Value	<tls-versions>

mms.disableCiphers

Type: string

Default: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Specifies a list of TLS cipher suites which your instance of Ops Manager can't accept when clients connect to the Ops Manager Application and API. Specify TLS cipher suite names as a comma-separated list, as in the following example.

Important

Cipher suite names used in Ops Manager must follow RFC 5246 naming conventions. Do not use the OpenSSL naming convention. For convenience, Ops Manager logs a list of all supported cipher suite names during startup. If Ops Manager does not recognize a TLS cipher suite name, it logs the following warning:

Your config lists the following as ciphers which should be disabled as the JDK does not recognize them. Please check the format of the entries and list of enabled ciphers. [unrecognized_cipher_name]

To change mms.disableCiphers, follow the Modify a Custom Setting procedure with the following values:

Key	mms.disableCiphers
Value	<ciphers> For example: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Warning

Setting mms.disableCiphers to a custom value could re-enable one or more of these disabled ciphers.

Webhook

mms.alerts.webhook.adminEndpoint

Type: string

Corresponds to Webhook URL.

mms.alerts.webhook.adminSecret

Type: string

Corresponds to Webhook Secret.