You were redirected from a different version of the documentation. Click here to go back.

Backup Agent Configuration

Legacy Backup and Monitoring Agent has been removed

This Agent has been updated from your self-managed legacy Backup and Monitoring Agents to the MongoDB Agent.

This page describes possible settings for Backup Agent. These values are set after first launching Cloud Manager and not through manual editing of these files.


Do not edit these settings for a Backup Agent that is managed by an Automation Agent. If you do, the Automation Agent can overwrite any changes you make. If you are not using the Automation Agent, you must edit these settings manually.

Configuration File Location on Each Platform

The location of the Backup Agent configuration file depends on your platform:

Platform Installation Method Config File Path
RHEL, CentOS, Amazon Linux and Ubuntu package manager /etc/mongodb-mms/backup-agent.config
macOS or other Linux distributions tar /path/to/install/local.config
Windows msi C:\MMSData\Backup\local.config

Backup Agent Settings

Cloud Manager provides the values for these Backup Agent settings when Cloud Manager is initially configured.


You must set the mmsApiKey value.

Connection Settings

For the Backup Agent to communicate with the Cloud Manager servers, these connection settings are required:


Type: string

Specifies the ID of your Cloud Manager project. The project ID is displayed in the Project Settings page (Settings > Project Settings).



Type: string

Specifies the Cloud Manager agent API key of your Cloud Manager project.

You can use an Agent API key that you have already generated for the project. Otherwise, you can generate a new Agent API key. A project can have more than one Agent API key, and any of the project’s agents can use any of the keys. For more information, see Manage Agent API Keys.

To generate an Agent API key, go to the Agent API Keys tab. To navigate to the tab, from the Deployment view, click the Agents tab and then the Agent API Keys tab.


When you generate an Agent API Key, Cloud Manager displays it one time only. You must copy this key. Treat it like a password; store it in a secure place. Cloud Manager never displays the full key again.

This setting is usually set when the Backup Agent is installed and it is required.


Type: string

Specifies the URL of the Cloud Manager.


Type: integer

Specifies the length of time in seconds the Backup Agent waits to get a response from the Cloud Manager. If the agent does not get a response within the time specified with this value, it resets the connection to the Cloud Manager and tries to reconnect. Default setting is 90 seconds.


Type: boolean

Specifies whether or not communication with the Cloud Manager web server uses Secure HTTP.

Logging Settings


Type: string

Specifies the absolute path to the log file. If this is not specified, the log writes to standard error (stderr) on UNIX- and Linux-based systems and to the Event Log on Windows systems.


Type: integer

Specifies the maximum size, in bytes, of a log file before the logs are rotated. If unspecified, the Backup Agent does not rotate logs based on file size. This is optional.


Type: float

Specifies the number of hours after which the log file is rotated. This is optional and only supported on UNIX- and Linux-based systems.


You can manually rotate the Backup Agent logs. Issue a user signal 1 kill command for the Backup Agent process:

kill -SIGUSR1 <backupAgentID>

This rotates the Backup Agent log file.

HTTP Proxy Settings


Type: string

Specifies the URL of an HTTP proxy server the Backup Agent can use.


MongoDB Kerberos Settings

Specify these settings if the Backup Agent authenticates to hosts using Kerberos. See Configure the Backup Agent for Kerberos for more information.


Type: string

Specifies the Kerberos principal the Backup Agent uses.


Type: string

Specifies the absolute path to Kerberos principal’s keytab file.

Type: string

Specifies the absolute path to an non-system-standard location for the Kerberos configuration file.


Type: string

Specifies the service name with the gssapiServiceName option.

By default, MongoDB uses mongodb as its service name.


Cloud Manager creates a Kerberos Credential (Ticket) Cache for each agent automatically when Kerberos is enabled. If you want to override the location of the Kerberos Credential Cache, you must set the KRB5CCNAME environment variable to the desired file name and path before running the agent.

MongoDB TLS Settings

Specify these settings when the Backup Agent connects to MongoDB deployments using TLS. To learn more, see Configure Backup Agent for SSL.


Type: string

Specifies the path to the private key, client certificate, and optional intermediate certificates in PEM format. The Backup Agent uses the client certificate when connecting to a MongoDB deployment that uses TLS and requires client certificates (one that runs with the --tlsCAFile option).


Type: string

Specifies the password needed to decrypt the private key in the sslClientCertificate file. This setting is needed when the client certificate PEM file is encrypted.


Type: string

Specifies the certificate’s subject, which contains the Distinguished Name (DN). If not set, Cloud Manager extracts this value from the certificate.


Type: string

Specifies the path that contains the trusted CA certificates in PEM format. These certificates verify the server certificate returned from any MongoDB deployments running with TLS.


Type: boolean

Specifies if the Backup Agent should validate TLS certificates presented by the MongoDB deployments.


Setting this option to false disables certificate verification and makes connections between the Backup Agent and MongoDB deployments susceptible to man-in-the-middle attacks. Setting this option to false is only recommended for testing purposes.

Cloud Manager Server TLS Settings

Specify the settings the Backup Agent uses when communicating with Cloud Manager using TLS.


Specifies the path that contains the trusted CA certificates in PEM format. The Backup Agent uses this certificate to verify that the agent is communicating with the designated Cloud Manager instance.

By default, the Backup Agent uses the trusted root CAs installed on the system.

If the Backup Agent cannot find the trusted root CAs, configure these settings manually.