How to secure communication between APM agent and APM server?

I want to prevent anyone from being able to send anything to the APM server port.
Do you have any experience in this case?

In case of communication between APM server and ELK we are using SSL certificates.

Best Regards,
Dan

APM server can:

  • Communicate with Elasticsearch using SSL/TLS
  • SSL/TLS can be enabled in input combined with API key authentication, so any agent needs to send a token and use SSL/TLS to talk to APM server

What agent are you using? I have used the Java agent many times to talk with APM server over SSL.

Hi @ylasri,

We are using the Java agent. Could you show me your example configuration for agent and server with SSL between them, please? Thanks

Yes sure, I will share with you a full example

I'll be waiting. Thanks a lot.

Here is the config I'm using

  • At the APM server level (apm-server.yml), I'm using PEM format
ssl:
    enabled: true

    # Path to file containing the certificate for server authentication.
    # Needs to be configured when ssl is enabled.
    certificate: '/es/apm-server/apm-server.crt'

    # Path to file containing server certificate key.
    # Needs to be configured when ssl is enabled.
    key: '/es/apm-server/apm-server.key'

    # Optional configuration options for ssl communication.

    # Passphrase for decrypting the Certificate Key.
    # It is recommended to use the provided keystore instead of entering the passphrase in plain text.
    key_passphrase: 'truststore_password'

    # List of supported/valid protocol versions. By default TLS versions 1.1 up to 1.3 are enabled.
    supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]

At the agent level, I'm converting to PKCS12 format. I'm using this batch file on Windows to run my Java app:

setlocal
set APP_ARGS=-javaagent:../lib/elastic-apm-agent-1.18.1.jar
set APP_ARGS=%APP_ARGS% -Delastic.apm.service_name=my-service-name
set APP_ARGS=%APP_ARGS% -Delastic.apm.application_packages=*
set APP_ARGS=%APP_ARGS% -Delastic.apm.server_urls=https://my-apm-server:8200
set APP_ARGS=%APP_ARGS% -Delastic.apm.environment=Production
set APP_ARGS=%APP_ARGS% -Delastic.apm.enable_log_correlation=true
set APP_ARGS=%APP_ARGS% -Djavax.net.ssl.keyStore=apm-server.p12
set APP_ARGS=%APP_ARGS% -Djavax.net.ssl.keyStoreType=pkcs12
set APP_ARGS=%APP_ARGS% -Djavax.net.ssl.keyStorePassword=truststore_password
set APP_ARGS=%APP_ARGS% -Delastic.apm.verify_server_cert=true
java %APP_ARGS% -jar target\car-back-end-1.1.jar

But in order for the agent to trust the server, you need to add the PEM certificate to the JVM truststore as described in the doc below
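The settings above encrypt the agent-to-server link, but a server certificate alone does not restrict which clients may post to port 8200; that is the job of the token or API key mentioned earlier in the thread. The following check is an added example, not part of the original posts or Elastic's code: it audits the agent-facing settings of an apm-server.yml. It assumes the `secret_token`, `api_key.enabled` and (7.14+) `auth.*` setting names, uses hypothetical `${...}` variable names, and parses only simple nested `key: value` YAML.

```python
import re
# Constructed sample: the ssl settings posted above, nested under apm-server.
POSTED = """\
apm-server:
  ssl:
    enabled: true
    certificate: '/es/apm-server/apm-server.crt'
    key: '/es/apm-server/apm-server.key'
    key_passphrase: 'truststore_password'
    supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
"""
# Constructed hardened variant; the ${...} names are hypothetical keystore entries.
HARDENED = (POSTED.replace("'truststore_password'", "'${APM_KEY_PASSPHRASE}'")
            .replace("TLSv1.1, ", "")
            .replace("  ssl:", "  secret_token: '${APM_SECRET_TOKEN}'\n  ssl:"))

def parse(text):
    """Minimal parser for nested 'key: value' mappings (assumed YAML subset)."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs from the root downwards
    for line in text.splitlines():
        body = line.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        while stack[-1][0] >= indent:  # climb back to the parent mapping
            stack.pop()
        key, _, val = body.partition(":")
        node = stack[-1][1][key] = val.strip().strip("'\"") or {}
        if isinstance(node, dict):
            stack.append((indent, node))
    return root

def audit(text):
    """Return finding codes for the agent-facing settings in apm-server.yml."""
    apm = parse(text).get("apm-server", {})
    ssl, auth = apm.get("ssl", {}), apm.get("auth", {})  # auth.*: 7.14+ layout
    findings = []
    if ssl.get("enabled") != "true":
        findings.append("tls-disabled")
    # The config comment on this page says TLS 1.1 is enabled when nothing is set.
    if re.search(r"TLSv1\.[01]\b", ssl.get("supported_protocols", "TLSv1.1")):
        findings.append("legacy-tls-protocol")
    if not ssl.get("key_passphrase", "${").startswith("${"):
        findings.append("plaintext-key-passphrase")
    token = apm.get("secret_token") or auth.get("secret_token")
    api_key = apm.get("api_key") or auth.get("api_key") or {}
    if not token and api_key.get("enabled") != "true":
        findings.append("no-agent-authentication")
    return findings
```

With a secret token set on the server, the Java agent has to present the same value through its `secret_token` option (for example `-Delastic.apm.secret_token=...`).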

@ylasri

Thanks a lot, I'll test such configuration.
