How to secure communication between APM agent and APM server?

d.silwon · January 19, 2021, 10:53am

I want to avoid that anyone can send anything to APM server port.
Do you have any experience in this case?

I case of communication between APM server and ELK we are using ssl certificates.

Best Regads,
Dan

ylasri · January 19, 2021, 10:58am

APM server can :

Communicate with Elasticsearch using SSL/TLS
SSL/TLS can be enabled in input combined with APIkey Authentification, so any agent need to send a token and use SSL/TLS to talk to APM server

What agent are you using ? I used many time java agent to talk with APM server in SSL

d.silwon · January 19, 2021, 11:03am

Hi @ylasri,

We are using java agent. Could you show me your example configuration for agent and server with SSL between them, please? Thanks

ylasri · January 19, 2021, 12:54pm

Yes sure, i will share with you a full example

d.silwon · January 19, 2021, 12:57pm

I'll be wait. Thanks a lot.

ylasri · January 19, 2021, 2:12pm

Here is the config i'm using

At the APM server level (apm-server.yml), I'm using PEM format

 ssl:
    enabled: true

    # Path to file containing the certificate for server authentication.
    # Needs to be configured when ssl is enabled.
    certificate: '/es/apm-server/apm-server.crt'

    # Path to file containing server certificate key.
    # Needs to be configured when ssl is enabled.
    key: '/es/apm-server/apm-server.key'

    # Optional configuration options for ssl communication.

    # Passphrase for decrypting the Certificate Key.
    # It is recommended to use the provided keystore instead of entering the passphrase in plain text.
    key_passphrase: 'truststore_password'

    # List of supported/valid protocol versions. By default TLS versions 1.1 up to 1.3 are enabled.
    supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]

At the agent level, i'm converting to PKC12 format, i'm using this batch on windows to run my java app

setlocal
set APP_ARGS=-javaagent:../lib/elastic-apm-agent-1.18.1.jar
set APP_ARGS=%APP_ARGS% -Delastic.apm.service_name=my-service-name
set APP_ARGS=%APP_ARGS% -Delastic.apm.application_packages=*
set APP_ARGS=%APP_ARGS% -Delastic.apm.server_urls=https://my-apm-server:8200
set APP_ARGS=%APP_ARGS% -Delastic.apm.environment=Production
set APP_ARGS=%APP_ARGS% -Delastic.apm.enable_log_correlation=true
set APP_ARGS=%APP_ARGS% -Djavax.net.ssl.keyStore=apm-server.p12
set APP_ARGS=%APP_ARGS% -Djavax.net.ssl.keyStoreType=pkcs12
set APP_ARGS=%APP_ARGS% -Djavax.net.ssl.keyStorePassword=truststore_password
set APP_ARGS=%APP_ARGS% -Delastic.apm.verify_server_cert=true
java %APP_ARGS% -jar target\car-back-end-1.1.jar

But in order that the agent trust the server, you need to add the PEM certificate into the JVM truststore as descibed in bellow doc

d.silwon · January 19, 2021, 2:53pm

@ylasri

Thanks a lot, I'll test such configuration.

system · February 9, 2021, 10:53am

This topic was automatically closed 20 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Java APM Agent connecting to SSL APM Server APM elastic-stack-security , java	10	736	November 25, 2021
APM Server to APM Agents SSL/TLS setup, encryption and authentication APM java , server	2	341	November 18, 2021
Automatic APM agent cannot connect to apm server APM java	6	1542	April 26, 2021
APM agent to Server Communication via https APM rum , server	5	609	January 5, 2023
Elastic Agent RUM - Cryptography Elastic Agent elastic-stack-monitoring	5	279	December 12, 2023

How to secure communication between APM agent and APM server?

Related Topics