APM Server to APM Agents SSL/TLS setup, encryption and authentication

Hi All,

We are designing an SSL solution for our APM Server and I am stuck on a few considerations. I have a basic understanding of SSL, and though I picked up some information from the documentation, I need the community's help in putting it into a story.

Requirement: need encryption between APM agents and APM Server.
Client: at present we are using Java agents for APIs and the WebLogic app server, and RUM agents for the UI.

We ordered a certificate, for which we have received 3 resources: a .p7b file and intermediate and end-entity certificates. We already have a CSR and key file at our end.

  1. How to configure CA authorities here?
    We used the p7b and converted it to crt, so we used the crt and key file; now we need to configure CA authorities. We received both intermediate and end-entity certificates as plain text (I mean in mail, in base64/X.509 standard).

  2. The moment we configure CA authorities, client authentication is automatically set to required. So RUM-based agents will do fine, but what about Java-based agents' authentication?

  3. For server authentication, do we need to add certificates to the browser?

  4. Can we use httpd/nginx in between the HTTP APM Server to terminate SSL? Which SSL is better, APM Server or the httpd layer, and why?

  5. Is authenticating the client using SSL a good approach? Or does it depend on the agent: certificate-based authentication for RUM as it's the UI, and for server-based agents like Java should we use API keys + SSL/TLS? Why not certificate-based authentication for Java agents?

Appreciate your help , Thank you!

How to configure CA authorities here?
We used the p7b and converted it to crt, so we used the crt and key file; now we need to configure CA authorities. We received both intermediate and end-entity certificates as plain text (I mean in mail, in base64/X.509 standard).

When you purchase a certificate, you typically do not need to specify the CA certificate; they will be verified through the "trusted roots" that come with operating systems and browsers.

Unless you know you need to configure the CA, just configure:

  • apm-server.ssl.enabled: true
  • apm-server.ssl.certificate: "/path/to/apm-server.crt"
  • apm-server.ssl.key: "/path/to/apm-server.key"

The moment we configure CA authorities, client authentication is automatically set to required. So RUM-based agents will do fine, but what about Java-based agents' authentication?

(Again, you probably don't want to set CA certs - nothing more to say here except that you probably don't want to enable this for RUM either; that would require end users to provide a certificate when accessing your web app.)

For server authentication, do we need to add certificates to the browser?

No, you should not need to. The browser will verify the server certificate through the trusted roots.

Can we use httpd/nginx in between the HTTP APM Server to terminate SSL? Which SSL is better, APM Server or the httpd layer, and why?

You can. Bear in mind that if you need APM Server's OpenTelemetry (OTLP) or Jaeger support, TLS termination will make things a lot more difficult. I don't have an expert opinion on the quality of TLS implementations in Go vs. httpd vs. nginx.

Is authenticating the client using SSL a good approach? Or does it depend on the agent: certificate-based authentication for RUM as it's the UI, and for server-based agents like Java should we use API keys + SSL/TLS? Why not certificate-based authentication for Java agents?

In theory client certificate authentication should be reasonable for backend agents, but it's not common and so I wouldn't recommend it above other options. For RUM you probably don't want client certificate authentication -- as mentioned above, that would require your end users to install a client certificate in their browser.

Typically we recommend the use of API Keys (API keys | APM User Guide [master] | Elastic), or the simpler but less powerful secret token method (Secret token | APM User Guide [master] | Elastic).
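As an added example (not part of the thread and not Elastic's tooling), these OpenSSL helpers prepare and check the files that `apm-server.ssl.certificate` and `apm-server.ssl.key` point at, starting from the .p7b, mailed certificates and key described in the question. The function names and all file names are hypothetical, and it is an assumption here that the server presents whatever chain the certificate file contains.

```sh
#!/bin/sh
# Added example; every file name passed in is a placeholder.

# Convert a PKCS#7 bundle (.p7b) to PEM certificates. Tries PEM-encoded
# input first, then DER. Certificate order inside a .p7b is not guaranteed.
p7b_to_pem() {   # p7b_to_pem bundle.p7b out.pem
    openssl pkcs7 -print_certs -in "$1" -out "$2" 2>/dev/null ||
        openssl pkcs7 -inform DER -print_certs -in "$1" -out "$2"
}

# Succeed only if the (unencrypted) private key belongs to the certificate:
# both must yield the same SubjectPublicKeyInfo.
key_matches_cert() {   # key_matches_cert cert.pem key.pem
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Write the file for apm-server.ssl.certificate: end-entity certificate
# first, then intermediates. Passing each input through `openssl x509`
# drops any mail text around the base64 block and rejects non-certificates.
build_chain() {   # build_chain out.pem leaf.pem [intermediate.pem ...]
    chain_out=$1; shift
    : > "$chain_out"
    for cert in "$@"; do
        openssl x509 -in "$cert" >> "$chain_out" || return 1
    done
}

# Check that the leaf chains to a trusted root via the intermediates.
# Without a third argument OpenSSL's default trust store is used, which is
# the same kind of check agents and browsers make against their own roots.
verify_chain() {   # verify_chain leaf.pem intermediates.pem [roots.pem]
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1"
    else
        openssl verify -untrusted "$2" "$1"
    fi
}
```

If `verify_chain` passes against the default trust store with no third argument, agents that rely on the standard trusted roots should not need a CA file configured for this certificate.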
